Bugzilla – Bug 1162501
VUL-0: CVE-2019-20446: librsvg: a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing
Last modified: 2024-05-10 13:34:04 UTC
CVE-2019-20446 In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20446
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20446
https://gitlab.gnome.org/GNOME/librsvg/issues/515
I'm looking at how much needs to be backported to SLE's versions of librsvg.
Submitted librsvg-2.40.21 to SUSE:SLE-12-SP2:Update with id 212989
Submitted librsvg-2.42.8 to SUSE:SLE-15:Update with id 213246
Does this also need to be updated in SUSE:SLE-11-SP1:Update, for Teradata?
SUSE-SU-2020:0604-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1162501
CVE References: CVE-2019-20446
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): librsvg-2.40.21-5.9.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): librsvg-2.40.21-5.9.1
SUSE Linux Enterprise Server 12-SP5 (src): librsvg-2.40.21-5.9.1
SUSE Linux Enterprise Server 12-SP4 (src): librsvg-2.40.21-5.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Submitted librsvg-2.40.16 with updates to .20 and .21 to SUSE:SLE-11-SP1:Update with id 213384.
SUSE-SU-2020:0629-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1162501
CVE References: CVE-2019-20446
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): librsvg-2.42.8-3.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP1 (src): librsvg-2.42.8-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): librsvg-2.42.8-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0343-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1162501
CVE References: CVE-2019-20446
Sources used:
openSUSE Leap 15.1 (src): librsvg-2.42.8-lp151.3.3.1
SUSE-SU-2020:0629-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1162501
CVE References: CVE-2019-20446
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP2 (src): librsvg-2.42.8-3.3.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP1 (src): librsvg-2.42.8-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Cleaning up GNOME CVE backlog. The fix has been submitted and accepted. Assign back to security team.