Bug 710978 (CVE-2019-20446) - <gnome-base/librsvg-2.40.21: Resource exhaustion via crafted SVG file with nested patterns (CVE-2019-20446)
Status: RESOLVED FIXED
Alias: CVE-2019-20446
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/librsv...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-27 18:19 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-25 20:10 UTC

See Also:
Package list:
gnome-base/librsvg-2.40.21
Runtime testing required: ---
stable-bot: sanity-check+


Description GLSAMaker/CVETool Bot gentoo-dev 2020-02-27 18:19:38 UTC
CVE-2019-20446 (https://nvd.nist.gov/vuln/detail/CVE-2019-20446):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
Comment 1 Thomas Deutschmann gentoo-dev Security 2020-02-27 18:20:40 UTC
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
Comment 2 Agostino Sarubbo gentoo-dev 2020-02-28 14:12:57 UTC
amd64 stable
Comment 3 Agostino Sarubbo gentoo-dev 2020-02-28 17:51:40 UTC
x86 stable
Comment 4 Rolf Eike Beer archtester 2020-02-29 12:04:08 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-03-02 12:34:29 UTC
s390 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-03-02 12:38:27 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-02 12:39:49 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-02 15:23:23 UTC
ppc stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2020-03-02 20:22:47 UTC
hppa stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-05 12:49:54 UTC
arm stable
Comment 11 Mart Raudsepp gentoo-dev 2020-03-17 08:36:47 UTC
arm64 stable, cleanup done
Comment 12 Thomas Deutschmann gentoo-dev Security 2020-03-25 20:10:49 UTC
GLSA Vote: No

Repository is clean, all done!