764173 – (CVE-2021-21236) <media-gfx/cairosvg-2.5.1: regex DoS vulnerability (CVE-2021-21236)

Bug 764173 (CVE-2021-21236) - <media-gfx/cairosvg-2.5.1: regex DoS vulnerability (CVE-2021-21236)

Summary: <media-gfx/cairosvg-2.5.1: regex DoS vulnerability (CVE-2021-21236)

Status:	RESOLVED FIXED

Alias:	CVE-2021-21236

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/Kozea/CairoSVG/sec...
Whiteboard:	B3 [noglsa]
Keywords:

Depends on:	764209
Blocks:
	Show dependency tree

Reported:	2021-01-06 20:23 UTC by John Helmert III
Modified:	2021-04-09 14:14 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-01-06 20:23:24 UTC

CVE-2021-21236 (https://github.com/Kozea/CairoSVG/commit/cfc9175e590531d90384aa88845052de53d94bf3):

CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter based on Cairo. In CairoSVG before version 2.5.1, there is a regular expression denial of service (REDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time. This is fixed in version 2.5.1. See Referenced GitHub advisory for more information.


Please bump, thanks!

Comment 1 Michał Górny archtester

2021-01-06 20:28:52 UTC

I was about to bump it anyway, so let's fire the stablereq when it goes n ;-).

Comment 2 NATTkA bot gentoo-dev

2021-01-06 20:32:53 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: media-gfx/cairosvg-2.5.1

Comment 3 NATTkA bot gentoo-dev

2021-01-06 21:25:01 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 4 NATTkA bot gentoo-dev

2021-01-06 23:24:53 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: media-gfx/cairosvg-2.5.1

Comment 5 NATTkA bot gentoo-dev

2021-01-06 23:36:57 UTC

All sanity-check issues have been resolved

Comment 6 Agostino Sarubbo gentoo-dev

2021-01-21 07:41:21 UTC

amd64 stable

Comment 7 Agostino Sarubbo gentoo-dev

2021-01-24 12:11:13 UTC

x86 stable.

Maintainer(s), please cleanup.
Security, please vote.

Comment 8 Michał Górny archtester

2021-04-09 07:32:05 UTC

(it's been cleaned up back in January)

Comment 9 John Helmert III archtester

2021-04-09 14:14:59 UTC

(In reply to Michał Górny from comment #8)
> (it's been cleaned up back in January)

Thank you! All done.