Bug 650902 (CVE-2018-1000041) - <gnome-base/librsvg-2.40.21: Information disclosure vulnerability in rsvg-io.c (CVE-2018-1000041)
Status: RESOLVED FIXED
Alias: CVE-2018-1000041
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Reported: 2018-03-19 15:03 UTC by GLSAMaker/CVETool Bot
Modified: 2020-04-16 06:59 UTC

Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-19 15:03:41 UTC
CVE-2018-1000041 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000041):
  GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea
  contains an Improper input validation vulnerability in rsvg-io.c that can
  result in the victim's Windows username and NTLM password hash being leaked
  to remote attackers through SMB. This attack appears to be exploitable via:
  the victim must process a specially crafted SVG file containing a UNC path
  on Windows.


@Maintainers please let us know the best way to handle this.

Thank you
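
An added example (not part of the bug report and not librsvg's code): a check that can run before SVG files reach a renderer on Windows, flagging references that resolve to a UNC path, which is the input the CVE description above identifies. The function names, the sample SVG and the host fileserver.example are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")

# Constructed sample input; fileserver.example is a placeholder host.
SAMPLE_SVG = r"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="\\fileserver.example\share\logo.png"/>
  <image href="file://fileserver.example/share/logo.png"/>
  <rect style="fill:url(#grad)"/>
  <image xlink:href="file:///C:/images/local.png"/>
  <image xlink:href="data:image/png;base64,AAAA"/>
</svg>"""

def is_unc_reference(ref: str) -> bool:
    """True if ref names a remote host the way a Windows UNC path does."""
    ref = ref.strip().replace("\\", "/")
    if ref.startswith("//"):          # \\host\share or //host/share (conservative)
        return True
    try:
        parts = urlsplit(ref)
    except ValueError:                # malformed authority part
        return True                   # fail closed on unparseable references
    if parts.scheme.lower() != "file":
        return False
    # file://host/share names a remote host; file:////host/share carries the
    # UNC prefix in the path component instead.
    host = parts.netloc.lower()
    return host not in ("", "localhost") or parts.path.startswith("//")

def find_unc_references(svg_text: str) -> list[tuple[str, str]]:
    """Return (element name, reference) for each UNC-style reference found."""
    hits = []
    for elem in ET.fromstring(svg_text).iter():
        refs = [elem.get("href"), elem.get(XLINK_HREF)]
        refs += CSS_URL.findall(elem.get("style", ""))
        for ref in refs:
            if ref and is_unc_reference(ref):
                hits.append((elem.tag.rpartition("}")[2], ref))
    return hits

if __name__ == "__main__":
    for tag, ref in find_unc_references(SAMPLE_SVG):
        print(f"UNC reference in <{tag}>: {ref}")
```

The check only covers `href`, `xlink:href` and `url(...)` inside `style` attributes; upgrading to a librsvg release that contains the fix remains the actual remediation.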
Comment 1 Sam James archtester gentoo-dev Security 2020-03-18 17:46:06 UTC
Patch: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea

This is included in 2.41.2.

@maintainer(s), please create an appropriate ebuild, and call for stabilization when ready.
Comment 2 Mart Raudsepp gentoo-dev 2020-03-28 08:26:49 UTC
Is 2.40.21 vulnerable or not? It included some important fixes for the non-rust version.
Anything 2.41 and above can't ever go stable on arches without dev-lang/rust available upstream (some need arch work to get it going with upstream rust supporting the architecture).
Comment 3 Sam James archtester gentoo-dev Security 2020-03-30 15:46:18 UTC
(In reply to Mart Raudsepp from comment #2)
> Is 2.40.21 vulnerable or not? It included some important fixes for the
> non-rust version.
> Anything 2.41 and above can't ever go stable on arches without dev-lang/rust
> available upstream (some need arch work to get it going with upstream rust
> supporting the architecture).

This doesn't reference it: https://github.com/GNOME/librsvg/blob/13fbcd136977f3e765e22181404aafa59f8d8fb3/NEWS#L1

But yes, the patched code is in there!

https://github.com/GNOME/librsvg/blob/13fbcd136977f3e765e22181404aafa59f8d8fb3/rsvg-base-file-util.c#L95

and so on in various commits like:
https://github.com/GNOME/librsvg/commit/e9fef9c950e456b0535418f947a2d833a574414f

So yes, we're fine. Thank you!
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2020-04-16 06:59:39 UTC
GLSA Vote: No
Thank you all for your work.
Closing as [noglsa].