-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0941
             SUSE-SU-2020:14323-1 Security update for librsvg
                               18 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           librsvg
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Denial of Service        -- Remote/Unauthenticated      
                   Access Confidential Data -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-20446 CVE-2018-1000041 CVE-2016-6163
                   CVE-2016-4348 CVE-2015-7558 

Reference:         ESB-2020.0864
                   ESB-2020.0840
                   ESB-2018.0439
                   ESB-2016.1268

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2020/suse-su-202014323-1.html

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for librsvg

______________________________________________________________________________

Announcement ID:   SUSE-SU-2020:14323-1
Rating:            moderate
References:        #1083232 #1094213 #1162501 #977985 #977986 #987877
Cross-References:  CVE-2015-7558 CVE-2016-4348 CVE-2016-6163 CVE-2018-1000041
                   CVE-2019-20446
Affected Products:
                   SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that solves 5 vulnerabilities and contains one erratum is now available.

Description:


This update for librsvg fixes the following issues:

  o CVE-2019-20446: Fixed an issue where a crafted SVG file with nested
    patterns could cause a denial of service (bsc#1162501). NOTE: librsvg now
    limits both the number of loaded XML elements and the number of referenced
    elements within an SVG document.
  o CVE-2015-7558: librsvg allowed context-dependent attackers to cause a
    denial of service (infinite loop, stack consumption, and application crash)
    via cyclic references in an SVG document (bsc#977985).
  o CVE-2016-6163: Fixed an invalid memory access when an SVG pattern links to
    a non-pattern fallback, which allowed a denial of service (bsc#987877).
  o CVE-2018-1000041: Fixed a credential leak via SVG files that reference
    UNC paths (bsc#1083232).
  o CVE-2016-4348: Fixed a denial of service when parsing SVGs with circular
    definitions in the _rsvg_css_normalize_font_size() function (bsc#977986).
  o Fixed a stack exhaustion with circular references in elements.
  o Fixed a denial-of-service condition from exponential explosion of rendered
    elements, through nested use of SVG "use" elements in malicious SVGs.
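
The fixes above all concern one class of input: an SVG whose reference graph
is cyclic (CVE-2015-7558, CVE-2016-4348, the stack-exhaustion fix), whose
nested patterns or "use" elements expand into far more rendered elements than
the document contains (CVE-2019-20446 and the exponential-explosion fix), or
which points at an external UNC path (CVE-2018-1000041). The Python script
below is an added example, not part of this advisory and not librsvg code: it
pre-screens an untrusted SVG before a renderer sees it by counting parsed
elements, counting the element instantiations a renderer would perform
(memoised, so a 2**n "use" bomb is measured without being expanded), rejecting
reference cycles, and rejecting any href that is not a fragment or data: URL.
The caps, the cost model, the sample documents and the host name
fileserver.example are all constructed for the example; librsvg's real limits
are different and live in librsvg itself.

```python
"""Pre-render checks for untrusted SVG input. Added example, not librsvg code.
The caps and the cost model mirror the idea behind the limits the advisory
mentions (element count, referenced-element count); the numbers are hypothetical."""
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_REF = re.compile(r"""url\(\s*['"]?#([^)'"\s]+)['"]?\s*\)""")
MAX_ELEMENTS = 10_000      # hypothetical cap on parsed XML elements
MAX_RENDER_COST = 100_000  # hypothetical cap on element instantiations


class SvgRejected(Exception):
    """The document failed a pre-render check."""


def _href(el):
    return el.get("href") or el.get(XLINK_HREF)


def _targets(el):
    """Ids pulled in when `el` is rendered: href="#id" plus fill/stroke/...="url(#id)"."""
    ids = []
    href = _href(el)
    if href and href.startswith("#"):
        ids.append(href[1:])
    for attr in ("fill", "stroke", "filter", "mask", "clip-path", "marker-start", "marker-end"):
        value = el.get(attr)
        if value:
            ids.extend(URL_REF.findall(value))
    return ids


def _render_cost(el, by_id, memo, stack):
    """Element instantiations a renderer performs for `el`: itself, its children
    and everything it references. Memoised, so a 2**n "use" bomb is counted in
    O(n) instead of expanded. Raises on a reference cycle."""
    key = id(el)
    if key in memo:
        return memo[key]
    if key in stack:
        name = el.tag.rsplit("}", 1)[-1]
        raise SvgRejected(f"cyclic reference through <{name} id={el.get('id')!r}>")
    stack.add(key)
    total = 1
    for child in el:
        total += _render_cost(child, by_id, memo, stack)
    for ref in _targets(el):
        target = by_id.get(ref)
        if target is not None:  # a dangling reference is a no-op for the renderer
            total += _render_cost(target, by_id, memo, stack)
    stack.discard(key)
    memo[key] = total
    return total


def check_svg(data, max_elements=MAX_ELEMENTS, max_cost=MAX_RENDER_COST, allow_external=False):
    """Return {'elements', 'render_cost', 'external_refs'} or raise SvgRejected."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise SvgRejected("DTD/entity declarations are not accepted")  # XML entity bombs
    root = ET.fromstring(data)
    elements = list(root.iter())
    if len(elements) > max_elements:
        raise SvgRejected(f"{len(elements)} elements exceeds cap of {max_elements}")
    # Anything that is not a fragment or data: URL leaves the document (UNC, http, file).
    external = [h for h in map(_href, elements)
                if h and not h.startswith("#") and not h.startswith("data:")]
    if external and not allow_external:
        raise SvgRejected(f"external reference(s): {external}")
    by_id = {el.get("id"): el for el in elements if el.get("id")}
    cost = _render_cost(root, by_id, {}, set())
    if cost > max_cost:
        raise SvgRejected(f"render cost {cost} exceeds cap of {max_cost}")
    return {"elements": len(elements), "render_cost": cost, "external_refs": external}


def is_safe_svg(data, **kw):
    try:
        check_svg(data, **kw)
        return True
    except (SvgRejected, ET.ParseError):
        return False


# --- constructed samples (not taken from the advisory) ---
_HEAD = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'


def nested_use_svg(depth):
    """`depth` levels of <g>, each instantiating the previous level twice: 2**depth leaves."""
    parts = [_HEAD, '<defs><rect id="g0" width="1" height="1"/>']
    for k in range(1, depth + 1):
        parts.append(f'<g id="g{k}"><use xlink:href="#g{k-1}"/><use xlink:href="#g{k-1}"/></g>')
    parts.append(f'</defs><use xlink:href="#g{depth}"/></svg>')
    return "".join(parts).encode()


CYCLIC_PATTERNS = (_HEAD + "<defs>"
    '<pattern id="p1" width="1" height="1"><rect width="1" height="1" fill="url(#p2)"/></pattern>'
    '<pattern id="p2" width="1" height="1"><rect width="1" height="1" fill="url(#p1)"/></pattern>'
    '</defs><rect width="1" height="1" fill="url(#p1)"/></svg>').encode()

# fileserver.example is a placeholder host; the path shape is what a UNC-leak SVG uses.
UNC_IMAGE = (_HEAD + r'<image xlink:href="\\fileserver.example\share\logo.png" width="1" height="1"/>'
             "</svg>").encode()
```

The DOCTYPE/ENTITY byte search is a blunt guard against entity-expansion
bombs at the XML layer, which is a separate problem from the SVG-level
reference bombs this advisory describes; a production pre-filter would use a
hardened parser instead. Pre-screening does not replace the update: it limits
exposure from untrusted files while the fixed packages are rolled out.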


This update also removes the Mozilla plugin package. Firefox can render
SVG on its own and the plugin interface is obsolete.

This update for libcroco fixes the following issue:

  o Fixed an issue where librsvg was crashing with a segmentation fault
    (bsc#1094213).

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o SUSE Linux Enterprise Debuginfo 11-SP4:
    zypper in -t patch dbgsp4-librsvg-14323=1

Package List:

  o SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
       libcroco-debuginfo-0.6.1-122.6.1
       libcroco-debugsource-0.6.1-122.6.1
       librsvg-debuginfo-2.26.0-2.6.8.3
       librsvg-debugsource-2.26.0-2.6.8.3
  o SUSE Linux Enterprise Debuginfo 11-SP4 (ppc64 s390x x86_64):
       librsvg-debuginfo-32bit-2.26.0-2.6.8.3
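
To confirm the update landed, compare the installed version-release of each
package against the fixed one in the package list above. The Python script
below is an added example, not SUSE tooling: it re-implements rpm's
rpmvercmp() ordering in simplified form and applies it to constructed
`rpm -q` output, so it runs without rpm present. The sample output, the
FIXED table (copied from the package list above) and the simplifications
(no '~'/'^' handling; no epoch, since the package list shows none) are
assumptions of the example. On a real host, rpm and zypper are authoritative.

```python
"""Compare installed package versions with the fixed ones from this advisory.
Added example, not SUSE tooling; rpm version ordering is re-implemented here
in simplified form (no '~'/'^' handling, epoch ignored)."""
import re

# name -> (version, release) as listed in the advisory's package list
FIXED = {
    "librsvg-debuginfo": ("2.26.0", "2.6.8.3"),
    "librsvg-debugsource": ("2.26.0", "2.6.8.3"),
    "librsvg-debuginfo-32bit": ("2.26.0", "2.6.8.3"),
    "libcroco-debuginfo": ("0.6.1", "122.6.1"),
    "libcroco-debugsource": ("0.6.1", "122.6.1"),
}
_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp(): separators are ignored, numeric
    and alphabetic segments are compared in turn, a numeric segment beats an
    alphabetic one, and when all segments agree the longer string is newer."""
    if a == b:
        return 0
    i = j = 0
    while True:
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        sa = _SEGMENT.match(a, i).group(0)
        sb = _SEGMENT.match(b, j).group(0)
        if sa[0].isdigit() != sb[0].isdigit():
            return 1 if sa[0].isdigit() else -1
        if sa[0].isdigit():
            if int(sa) != int(sb):
                return 1 if int(sa) > int(sb) else -1
        elif sa != sb:
            return 1 if sa > sb else -1
        i += len(sa)
        j += len(sb)
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def vulnerable_packages(rpm_output, fixed=FIXED):
    r"""Parse lines of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' <names...>`
    and return {name: 'installed < fixed'} for every package older than the fix.
    'package X is not installed' lines have five fields and are skipped."""
    older = {}
    for line in rpm_output.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        name, version, release = fields
        if name not in fixed:
            continue
        fixed_version, fixed_release = fixed[name]
        order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        if order < 0:
            older[name] = f"{version}-{release} < {fixed_version}-{fixed_release}"
    return older


# Constructed rpm output; not captured from a real host.
SAMPLE_RPM_OUTPUT = """\
librsvg-debuginfo 2.26.0 2.6.8.2
librsvg-debugsource 2.26.0 2.6.8.3
libcroco-debuginfo 0.6.1 122.5.1
package librsvg-debuginfo-32bit is not installed
"""
```

Feed the script the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n'`
for the package names in the list above; an empty result means every installed
package is at or beyond the fixed version-release.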


References:

  o https://www.suse.com/security/cve/CVE-2015-7558.html
  o https://www.suse.com/security/cve/CVE-2016-4348.html
  o https://www.suse.com/security/cve/CVE-2016-6163.html
  o https://www.suse.com/security/cve/CVE-2018-1000041.html
  o https://www.suse.com/security/cve/CVE-2019-20446.html
  o https://bugzilla.suse.com/1083232
  o https://bugzilla.suse.com/1094213
  o https://bugzilla.suse.com/1162501
  o https://bugzilla.suse.com/977985
  o https://bugzilla.suse.com/977986
  o https://bugzilla.suse.com/987877

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXnF5KmaOgq3Tt24GAQhEQBAAwpVQRD7MQ1rPi+noj77XM4md0w+QHHst
M3BpLueYmzDQ4up5t9J2gODdJEF6+520fHPgxuvcCyrYrvQPVRNL9X08hSsQxiBp
Jq5mvvsWO7XRQTZOB0VHimfOuqoYqjN2IHxLFLGSodKlu0y4+p9T8+/RbSq8QQdY
Hm+EGG/kXjuzjaUpTuiaTUMiBmXX5/nXdRQb2DBqe2wQYVvngr9wgasFBoJJV4tX
qPEr0USQ+lnF2PmdKYvz4P/ZLmvlDWukmRr0R5Aytx/tlYox6B0U0x4jOXz4eaGU
a9ByOjMyJbwRfOjxKnrtfCzNw2EwcnkIZqTLF8N/F6rN6NKkCornTuMQWcLRI6ei
HJd6siFK1U++6OARNEzHP+oc3nxs0/clJ2EgdOGq3HrGe5XO6KQ8I3HRIo/+y7YJ
ZW1+DfhMqjIyPivlkmdxV9igx3PuWSHlEInKn8Z09b4jOXtlZFeYJUFFMyrZ9t1i
5F3qfKHEpLpKTOTL6bVpBL8/BCdt5D8U871gdDF0ue+lMAnLF3G6Bg7JZdrCi7Sv
hkgdswWhVNLJkUkgUJBd+k4/DF16veLBRh12exrznAhfvvWj98/oB2PAuQ8F3EV2
m3rvVKHycXTTXHU1suRPl2Mixfh1664uE6FMwHB+NYNvQSwXL3CtIMiGGjtyf4v3
RKxOGt2Pv/8=
=WVBH
-----END PGP SIGNATURE-----