Bugzilla – Bug 840753
VUL-0: CVE-2013-1881: librsvg: local resource access vulnerability due to XML External Entity enablement
Last modified: 2017-01-11 02:01:26 UTC
Public via Red Hat. https://bugzilla.redhat.com/show_bug.cgi?id=924414

It was reported [1] that librsvg2, via gnome-vfs, is vulnerable to a local resource access vulnerability via XML External Entity expansion. If a user were to view a folder containing a malicious SVG file, or open the file, GVFS would send the local resource's contents to the attacker's server. A patch [2] is attached to the bug report which restricts what is permitted to be loaded.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=691708
[2] https://bug691708.bugzilla-attachments.gnome.org/attachment.cgi?id=238516&t=9sD7BFBKk1

CVE-2013-1881 was assigned for this issue.

Fixes:
https://git.gnome.org/browse/librsvg/commit/?id=d83e426fff3f6d0fa6042d0930fb70357db24125
https://git.gnome.org/browse/librsvg/commit/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e

Regression fix in gtk+:
https://git.gnome.org/browse/gtk+/commit/?id=7b4f82ccc6c180b809cd3b7b6582394ce741a14e
bugbot adjusting priority
I have fixes ready for 12.2 and 12.3. Note that the regression fix in gtk+ listed above was not sufficient and required an update committed last week (3d602f5). We might want to wait a little longer for upstream testing to continue before releasing... Backporting these fixes for our SLE code base is proving quite involved. Still working on this...
I have not been able to duplicate this vulnerability, so it's hard to test if the fixes work. In my constructed SVG file I cannot get the parsing libraries to send the contents of a local network resource to my "evil" server. I get "parameter references forbidden in internal subset" errors, which seems to be the hole this bug tries to exploit. I tried with the setup detailed in the upstream bug and also found a blackhat 2013 presentation (I presume affiliated with the reporters of this bug): http://www.slideshare.net/qqlan/bh-ready-v4. Federico, can you help look into this? I will send you my setup so far (my fixes for 12.2 and 12.3 are in my home:sreeves1:branch).
I'm on this.
Scott is right; backporting all the changes done to librsvg to sanitize the "load data" path is quite complicated. First they abstracted out I/O, then a lot of changes resulted because of that. I don't feel comfortable backporting all of this and not having all the intermediate fixes to the rest of the code. It sounds like for SLE11-SP2 it's only reasonable to have the changes to use XML_PARSE_NONET. I'll submit the patches tomorrow morning.
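The fix referenced in the report restricts what librsvg's XML parser may load (XML_PARSE_NONET plus a restricted entity loader). As an added illustration, not code from librsvg, gtk+ or the bug report, here is the same idea in Python's standard-library SAX parser: a default-deny entity resolver that is consulted for every external general entity and refuses anything outside its load policy. The policy itself (only scheme-less relative references that stay inside the document's own directory) is an assumption of this example, not necessarily upstream's exact rule; the sample SVG documents and the base directory `/srv/svg` are constructed for the example.

```python
import io
import os
from urllib.parse import urlsplit
from xml.sax import make_parser
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource


class ExternalEntityBlocked(Exception):
    """Raised by the resolver when an entity reference violates the load policy."""

    def __init__(self, system_id):
        super().__init__(f"external entity reference refused: {system_id!r}")
        self.system_id = system_id


def is_allowed_reference(base_dir, system_id):
    """Load policy (an assumption of this example): only scheme-less, relative
    references that resolve inside base_dir may be loaded. Every URL scheme
    (file:, http:, ...) and every path escaping base_dir is refused."""
    if not system_id:
        return False
    parts = urlsplit(system_id)
    if parts.scheme or parts.netloc:
        return False
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, parts.path))
    return candidate.startswith(base + os.sep)


class RestrictedResolver(EntityResolver):
    """Applies is_allowed_reference() before anything is opened. The stock
    EntityResolver returns the system id unchanged, which lets the parser open
    whatever local file or URL the document names."""

    def __init__(self, base_dir):
        self.base_dir = base_dir
        self.blocked = []  # refused system ids, worth logging as a detection signal

    def resolveEntity(self, publicId, systemId):
        if not is_allowed_reference(self.base_dir, systemId):
            self.blocked.append(systemId)
            raise ExternalEntityBlocked(systemId)
        source = InputSource(systemId)
        source.setByteStream(open(os.path.join(self.base_dir, systemId), "rb"))
        return source


class ElementCollector(ContentHandler):
    """Records element names and text so the caller can see how far parsing got."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self.text = []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_svg(xml_bytes, base_dir):
    """Parse an SVG document with the restrictive resolver installed and report
    either success or which external reference was refused."""
    parser = make_parser()
    # Hand external general entities to the resolver instead of opening them
    # directly; the resolver's policy, not the document, decides what is loaded.
    parser.setFeature(feature_external_ges, True)
    parser.setEntityResolver(RestrictedResolver(base_dir))
    collector = ElementCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except ExternalEntityBlocked as exc:
        return {"ok": False, "blocked": exc.system_id, "elements": collector.elements}
    return {"ok": True, "blocked": None, "elements": collector.elements,
            "text": "".join(collector.text).strip()}


# Constructed samples for this example, not taken from the bug report.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>"""

# Declares an entity naming a local file and references it in element text.
LOCAL_FILE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///home/user/private.txt"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>"""

# Same shape, but the entity names a network resource.
NETWORK_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY ext SYSTEM "http://example.invalid/collect"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>"""

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_SVG), ("local file", LOCAL_FILE_SVG),
                       ("network", NETWORK_SVG)]:
        print(label, parse_svg(doc, "/srv/svg"))
```

The benign document parses normally; both entity-declaring documents stop at the first refused reference before any file or socket is opened. In a renderer that, like librsvg here, is invoked automatically on directory listings, the resolver's `blocked` list is the place to hook logging, since a document that declares external entities at all is unusual for an icon or thumbnail source.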
Submitted on the IBS for SLE11-SP2 with request id 29283.
Created attachment 566950 [details] Patch for SLE11-SP1
I meant SLE11-SP1; that's where librsvg lives in SLE11.
Submitted to openSUSE_12.2_Update with id 206571. Submitted to openSUSE_12.3_Update with id 206572.
Reassigning to security-team for release.
This is an autogenerated message for OBS integration:
This bug (840753) was mentioned in
https://build.opensuse.org/request/show/206571 12.2 / librsvg
https://build.opensuse.org/request/show/206572 12.3 / librsvg
13.1 and factory?
openSUSE-SU-2013:1786-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 840753
CVE References: CVE-2013-1881
Sources used:
openSUSE 12.3 (src): librsvg-2.36.4-2.4.1
openSUSE 12.2 (src): librsvg-2.36.1-2.4.1
These patches break my icons in the GNOME upper right menu bar for changing volume, handling bluetooth and wlan, logout/switchoff. openSUSE 12.3 x86-64
I also lost icons in the upper right menu bar, as well as other Gnome icons, such as the up/down arrows in Gedit's find dialog. I retreated to the version of the package in the OSS repository. This happened on two openSUSE 12.3 systems, one x86-64 and one i586.
The same happened to me as well. Icons in the upper right and "show applications" icon all went missing. Not only did this happen with the GNOME desktop but they were missing from the top right in GDM as well. I'm on 12.3 x86_64.
Same on my computer with openSUSE 12.3 64bit. After applying the patch to librsvg-2-2 2.36.4-2.4.1 I am missing some icons in the GNOME theme (some nautilus icons, sound icon, network manager icon, ...). Buttons work but there's no graphics on them. After downgrading to librsvg-2-2 2.36.4-2.1.1 and rebooting, all icons appear.
Was: 2.36.4-2.4.1 (x86_64)
Downgraded to: 2.36.4-2.1.1 (x86_64)
This also needs a patch in gtk+; I'll take care of it. This is why the icons are not showing up.
Created attachment 569888 [details] gtk+ patch for openSUSE 12.3
Created attachment 569891 [details] gtk+ patch for openSUSE 12.2
Can you submit fixed gtk packages for openSUSE 12.2 and 12.3?
This is an autogenerated message for OBS integration:
This bug (840753) was mentioned in
https://build.opensuse.org/request/show/209345 12.2 / gtk3
https://build.opensuse.org/request/show/209346 12.3 / gtk3
Submitted gtk3 for openSUSE 12.2 with id 209345. Submitted gtk3 for openSUSE 12.3 with id 209346. I'll reassign this to security-team for the release.
Aaargh, we also need commit 3d602f5 from gtk+. I'll redo the patch.
Any news? We did not retract the update in hope of a quick solution, but this did not come :( Now it would be better to push an update with a revert unless we get fixes today :/
I'm adding a me too for the missing icon issue. Downgrading resolved it.
Was: 2.36.4-2.4.1 (x86_64)
Downgraded to: 2.36.4-2.1.1 (x86_64)
Federico?
It turns out that gtk+ 3.10.4, which we have in openSUSE 13.1, already has that commit. Previous versions don't need it, as far as I can tell. I'm terribly sorry; I forgot to reassign this to security-team.
Me too -- as far as the symptoms -- I have not been able to apply the fix.
Hi, I can confirm that the Federico's gtk3 patch fixes the icon problem. Everything is running smoothly here now ;-) I think you can release the fixes altogether.
Was released on Dec 19th.
Affected packages:
SLE-11-SP3: librsvg
SLE-11-SP2: librsvg
SLE-9-SP3-TERADATA: librsvg
SLE-9-SP4: librsvg
SUSE-SU-2015:1785-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 840753
CVE References: CVE-2013-1881
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): librsvg-2.26.0-2.5.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): librsvg-2.26.0-2.5.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): librsvg-2.26.0-2.5.1
SUSE Linux Enterprise Server 11-SP4 (src): librsvg-2.26.0-2.5.1
SUSE Linux Enterprise Server 11-SP3 (src): librsvg-2.26.0-2.5.1
SUSE Linux Enterprise Desktop 11-SP4 (src): librsvg-2.26.0-2.5.1
SUSE Linux Enterprise Desktop 11-SP3 (src): librsvg-2.26.0-2.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): librsvg-2.26.0-2.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): librsvg-2.26.0-2.5.1