-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0941
              SUSE-SU-2020:14323-1 Security update for librsvg
                               18 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           librsvg
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service          -- Remote/Unauthenticated
                   Access Confidential Data   -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-20446 CVE-2018-1000041 CVE-2016-6163
                   CVE-2016-4348 CVE-2015-7558
Reference:         ESB-2020.0864
                   ESB-2020.0840
                   ESB-2018.0439
                   ESB-2016.1268

Original Bulletin:
   https://www.suse.com/support/update/announcement/2020/suse-su-202014323-1.html

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for librsvg
______________________________________________________________________________

Announcement ID:    SUSE-SU-2020:14323-1
Rating:             moderate
References:         #1083232 #1094213 #1162501 #977985 #977986 #987877
Cross-References:   CVE-2015-7558 CVE-2016-4348 CVE-2016-6163
                    CVE-2018-1000041 CVE-2019-20446
Affected Products:
                    SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has one errata is now available.

Description:

   This update for librsvg fixes the following issues:

   o CVE-2019-20446: Fixed an issue where a crafted SVG file with nested
     patterns can cause denial of service (bsc#1162501). NOTE: librsvg now
     has limits on the number of loaded XML elements, and the number of
     referenced elements within an SVG document.

   o CVE-2015-7558: librsvg allowed context-dependent attackers to cause a
     denial of service (infinite loop, stack consumption, and application
     crash) via cyclic references in an SVG document (bsc#977985).

   o CVE-2016-6163: An SVG pattern linking to a non-pattern fallback led to
     an invalid memory access, allowing a denial of service (bsc#987877).

   o CVE-2018-1000041: Fixed leaking credentials via SVG files that
     reference UNC paths (bsc#1083232).

   o CVE-2016-4348: Fixed a denial of service when parsing SVGs with
     circular definitions in the _rsvg_css_normalize_font_size() function
     (bsc#977986).

   o Fixed a stack exhaustion with circular references in elements.

   o Fixed a denial-of-service condition from exponential explosion of
     rendered elements, through nested use of SVG "use" elements in
     malicious SVGs.

   This update also removes the Mozilla plugin package. Firefox can render
   SVG on its own and the plugin interface is obsolete.

   This update for libcroco fixes the following issue:

   o Fixed an issue where librsvg was throwing a segmentation fault
     (bsc#1094213).

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   o SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-librsvg-14323=1

Package List:

   o SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

      libcroco-debuginfo-0.6.1-122.6.1
      libcroco-debugsource-0.6.1-122.6.1
      librsvg-debuginfo-2.26.0-2.6.8.3
      librsvg-debugsource-2.26.0-2.6.8.3

   o SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):

      librsvg-debuginfo-32bit-2.26.0-2.6.8.3

References:

   o https://www.suse.com/security/cve/CVE-2015-7558.html
   o https://www.suse.com/security/cve/CVE-2016-4348.html
   o https://www.suse.com/security/cve/CVE-2016-6163.html
   o https://www.suse.com/security/cve/CVE-2018-1000041.html
   o https://www.suse.com/security/cve/CVE-2019-20446.html
   o https://bugzilla.suse.com/1083232
   o https://bugzilla.suse.com/1094213
   o https://bugzilla.suse.com/1162501
   o https://bugzilla.suse.com/977985
   o https://bugzilla.suse.com/977986
   o https://bugzilla.suse.com/987877

- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXnF5KmaOgq3Tt24GAQhEQBAAwpVQRD7MQ1rPi+noj77XM4md0w+QHHst
M3BpLueYmzDQ4up5t9J2gODdJEF6+520fHPgxuvcCyrYrvQPVRNL9X08hSsQxiBp
Jq5mvvsWO7XRQTZOB0VHimfOuqoYqjN2IHxLFLGSodKlu0y4+p9T8+/RbSq8QQdY
Hm+EGG/kXjuzjaUpTuiaTUMiBmXX5/nXdRQb2DBqe2wQYVvngr9wgasFBoJJV4tX
qPEr0USQ+lnF2PmdKYvz4P/ZLmvlDWukmRr0R5Aytx/tlYox6B0U0x4jOXz4eaGU
a9ByOjMyJbwRfOjxKnrtfCzNw2EwcnkIZqTLF8N/F6rN6NKkCornTuMQWcLRI6ei
HJd6siFK1U++6OARNEzHP+oc3nxs0/clJ2EgdOGq3HrGe5XO6KQ8I3HRIo/+y7YJ
ZW1+DfhMqjIyPivlkmdxV9igx3PuWSHlEInKn8Z09b4jOXtlZFeYJUFFMyrZ9t1i
5F3qfKHEpLpKTOTL6bVpBL8/BCdt5D8U871gdDF0ue+lMAnLF3G6Bg7JZdrCi7Sv
hkgdswWhVNLJkUkgUJBd+k4/DF16veLBRh12exrznAhfvvWj98/oB2PAuQ8F3EV2
m3rvVKHycXTTXHU1suRPl2Mixfh1664uE6FMwHB+NYNvQSwXL3CtIMiGGjtyf4v3
RKxOGt2Pv/8=
=WVBH
-----END PGP SIGNATURE-----
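The bulletin above describes four structural hazards in untrusted SVG input: unbounded element counts (the limits mentioned under CVE-2019-20446), cyclic references between elements (CVE-2015-7558, CVE-2016-4348, the stack-exhaustion fix), exponential expansion through nested "use" and pattern references, and references to UNC paths that leak credentials (CVE-2018-1000041). The following pre-screening script is an added example for readers who accept SVG from outside and want to reject such files before they reach any renderer; it is not SUSE or librsvg code, and the element and expansion limits in it are constructed for illustration rather than the values librsvg itself enforces. The sample SVG documents inside it are likewise constructed.

```python
"""Static pre-screen for SVG input: element count, cyclic href/url(#id)
references, reference-driven expansion, and UNC path references.
Added example, not SUSE or librsvg code; the limits are illustrative."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_REF = re.compile(r"url\(\s*#([^)\s]+)\s*\)")
PAINT_ATTRS = ("fill", "stroke", "style", "filter", "mask", "clip-path", "marker")
MAX_ELEMENTS = 50_000       # constructed cap on parsed elements
MAX_INSTANCES = 1_000_000   # constructed cap on estimated rendered instances


def _href(el):
    return el.get(XLINK_HREF) or el.get("href")


def _local_refs(el):
    """Ids this element points at: href="#id" plus url(#id) in paint attributes."""
    h = _href(el)
    if h and h.startswith("#"):
        yield h[1:]
    for attr in PAINT_ATTRS:
        val = el.get(attr)
        if val:
            for m in URL_REF.finditer(val):
                yield m.group(1)


def is_unc_reference(target):
    """True for Windows UNC forms such as \\\\host\\share or file:////host/share."""
    t = target.strip()
    return t.startswith("\\\\") or re.match(r"file:/{4,}", t, re.IGNORECASE) is not None


def find_cycle(graph):
    """Iterative DFS (no Python recursion, so a long chain cannot exhaust the
    scanner's own stack); returns one cycle as [a, b, ..., a] or None."""
    state = {}
    for start in graph:
        if start in state:
            continue
        state[start] = "active"
        path, stack = [start], [iter(graph.get(start, ()))]
        while stack:
            nxt = next(stack[-1], None)
            if nxt is None:               # node fully explored
                stack.pop()
                state[path.pop()] = "done"
            elif state.get(nxt) == "active":
                return path[path.index(nxt):] + [nxt]
            elif nxt not in state:
                state[nxt] = "active"
                path.append(nxt)
                stack.append(iter(graph.get(nxt, ())))
    return None


def expansion_counts(graph):
    """Rendered-instance estimate per id on an acyclic graph: 1 + the sum over
    every outgoing reference (duplicates count, so nested <use> doubles)."""
    nodes = set(graph)
    for targets in graph.values():
        nodes.update(targets)
    indeg = {n: 0 for n in nodes}
    for targets in graph.values():
        for t in targets:
            indeg[t] += 1
    order, ready = [], [n for n in nodes if indeg[n] == 0]
    while ready:                          # Kahn's topological order
        n = ready.pop()
        order.append(n)
        for t in graph.get(n, ()):
            indeg[t] -= 1
            if indeg[t] == 0:
                ready.append(t)
    counts = {}
    for n in reversed(order):             # children are counted before parents
        counts[n] = 1 + sum(counts[t] for t in graph.get(n, ()))
    return counts


def scan_svg(data, max_elements=MAX_ELEMENTS, max_instances=MAX_INSTANCES):
    """Return a report dict; 'findings' is empty when the file passes."""
    report = {"elements": 0, "cycle": None, "instances": 0, "unc": [], "findings": []}
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        report["findings"].append(f"parse-error: {exc}")
        return report
    elements = list(root.iter())
    report["elements"] = len(elements)
    if len(elements) > max_elements:
        report["findings"].append(f"element-count {len(elements)} exceeds {max_elements}")
    parent = {child: p for p in elements for child in p}

    def owner(el):
        # nearest ancestor-or-self carrying an id; references made by
        # unnamed content are attributed to the document as a whole
        while el is not None and el is not root:
            if el.get("id"):
                return el.get("id")
            el = parent.get(el)
        return "<document>"

    graph = defaultdict(list)
    for el in elements:
        for target in _local_refs(el):
            graph[owner(el)].append(target)
        h = _href(el)
        if h and not h.startswith("#") and is_unc_reference(h):
            report["unc"].append(h)
    if report["unc"]:
        report["findings"].append(f"unc-reference {report['unc']}")
    cycle = find_cycle(graph)
    if cycle:
        report["cycle"] = cycle
        report["findings"].append("cyclic-reference " + " -> ".join(cycle))
    else:                                 # expansion is only defined on a DAG
        report["instances"] = expansion_counts(graph).get("<document>", 0)
        if report["instances"] > max_instances:
            report["findings"].append(f"expansion {report['instances']} exceeds {max_instances}")
    return report


# Constructed samples: two patterns referencing each other, a UNC image
# reference, and a clean file with one pattern.
CYCLIC_SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg"><defs><pattern id="a" fill="url(#b)"/>'
                 b'<pattern id="b" fill="url(#a)"/></defs><rect fill="url(#a)"/></svg>')
UNC_SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<image xlink:href="\\\\fileserver\\share\\logo.png" width="1" height="1"/></svg>')
CLEAN_SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg"><defs><pattern id="p">'
                b'<rect width="1" height="1"/></pattern></defs><rect fill="url(#p)"/></svg>')


def nested_use_sample(levels):
    """Constructed SVG where each group uses the previous group twice, so the
    rendered instance count doubles per level while the file stays tiny."""
    parts = ['<g id="g0"><rect width="1" height="1"/></g>']
    for i in range(1, levels + 1):
        parts.append(f'<g id="g{i}"><use href="#g{i - 1}"/><use href="#g{i - 1}"/></g>')
    return ('<svg xmlns="http://www.w3.org/2000/svg"><defs>' + "".join(parts)
            + f'</defs><use href="#g{levels}"/></svg>').encode()


if __name__ == "__main__":
    for name, doc in (("cyclic", CYCLIC_SAMPLE), ("nested-use", nested_use_sample(20)),
                      ("unc", UNC_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, scan_svg(doc)["findings"])
```

The expansion estimate only counts instances reached through references, so it is a lower bound on rendering work, not a pixel budget; its purpose is to catch the doubling chain that makes a 65-element file stand for millions of rendered shapes. Cycle detection runs first because the instance count is undefined on a cyclic graph.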