
Debian Bug report logs - #869129
librsvg: CVE-2017-11464


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 20 Jul 2017 18:39:04 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version librsvg/2.40.16-1

Fixed in version librsvg/2.40.18-1

Done: Emilio Pozuelo Monfort <pochu@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=783835



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#869129; Package src:librsvg. (Thu, 20 Jul 2017 18:39:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 20 Jul 2017 18:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: librsvg: CVE-2017-11464
Date: Thu, 20 Jul 2017 20:37:30 +0200
Source: librsvg
Version: 2.40.16-1
Severity: grave
Tags: security
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=783835

Hi,

the following vulnerability was published for librsvg.

CVE-2017-11464[0]:
| A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in
| GNOME librsvg 2.40.17 during an attempted parse of a crafted SVG file,
| because of incorrect protection against division by zero.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11464
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11464
[1] https://bugzilla.gnome.org/show_bug.cgi?id=783835

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Severity set to 'important' from 'grave'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Jul 2017 18:45:04 GMT)


Added tag(s) patch, fixed-upstream, and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 20 Jul 2017 18:45:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#869129; Package src:librsvg. (Thu, 20 Jul 2017 18:51:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 20 Jul 2017 18:51:05 GMT)


Message #14 received at 869129@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 869129@bugs.debian.org
Subject: Re: Bug#869129: librsvg: CVE-2017-11464
Date: Thu, 20 Jul 2017 20:47:09 +0200
On Thu, Jul 20, 2017 at 08:37:30PM +0200, Salvatore Bonaccorso wrote:
> Please adjust the affected versions in the BTS as needed.

AFAICT, the problematic code has been introduced while "This replaces
the blurring machinery with a real gaussian blur for small radiuses,
and fixes box blurs for large radiuses." with upstream commit  and
included in 2.40.9. So jessie is not affected.

Please double-check.

Regards,
Salvatore

p.s.: adjusted severity, grave is not warranted here IMHO, and was an
      error on my side while filing the bug. OTOH I have no access to
      the upstream bug which might contain more relevant information.




Added tag(s) pending. Request was from Emilio Pozuelo Monfort <pochu@debian.org> to control@bugs.debian.org. (Thu, 20 Jul 2017 20:39:02 GMT)


Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility. (Fri, 21 Jul 2017 09:09:10 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 21 Jul 2017 09:09:10 GMT)


Message #21 received at 869129-close@bugs.debian.org:

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 869129-close@bugs.debian.org
Subject: Bug#869129: fixed in librsvg 2.40.18-1
Date: Fri, 21 Jul 2017 09:05:36 +0000
Source: librsvg
Source-Version: 2.40.18-1

We believe that the bug you reported is fixed in the latest version of
librsvg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869129@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated librsvg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 21 Jul 2017 10:18:29 +0200
Source: librsvg
Binary: librsvg2-dev librsvg2-2 librsvg2-common librsvg2-doc librsvg2-bin gir1.2-rsvg-2.0
Architecture: source
Version: 2.40.18-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
 gir1.2-rsvg-2.0 - gir files for renderer library for SVG files
 librsvg2-2 - SAX-based renderer library for SVG files (runtime)
 librsvg2-bin - command-line and graphical viewers for SVG files
 librsvg2-common - SAX-based renderer library for SVG files (extra runtime)
 librsvg2-dev - SAX-based renderer library for SVG files (development)
 librsvg2-doc - SAX-based renderer library for SVG files (documentation)
Closes: 869129
Changes:
 librsvg (2.40.18-1) unstable; urgency=medium
 .
   * New upstream release.
     + Fixes CVE-2017-11464: division by zero caused when parsing especially
       crafted SVG files. Closes: #869129.
   * librsvg2-common.install: install the thumbnailer spec file. It goes in
     the pixbuf loader package (-common) as it can't be used without it.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 23 Aug 2017 07:27:56 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:19:46 2019; Machine Name: buxtehude
