Security update for librsvg SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0343-1 Final 1 1 2020-03-15T17:11:46Z current 2020-03-15T17:11:46Z 2020-03-15T17:11:46Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for librsvg This update for librsvg to version 2.42.8 fixes the following issues: librsvg was updated to version 2.42.8 fixing the following issues: - CVE-2019-20446: Fixed an issue where a crafted SVG file with nested patterns can cause denial of service (bsc#1162501). NOTE: Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document. - Fixed a stack exhaustion with circular references in <use> elements. - Fixed a denial-of-service condition from exponential explosion of rendered elements, through nested use of SVG 'use' elements in malicious SVGs. This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-343 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3CV6E2IAKNCNDVO5MXFKSTGO3PMWDL65/ E-Mail link for openSUSE-SU-2020:0343-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1162501 SUSE Bug 1162501 https://www.suse.com/security/cve/CVE-2019-20446/ SUSE CVE CVE-2019-20446 page openSUSE Leap 15.1 gdk-pixbuf-loader-rsvg-2.42.8-lp151.3.3.1 gdk-pixbuf-loader-rsvg-32bit-2.42.8-lp151.3.3.1 librsvg-2-2-2.42.8-lp151.3.3.1 librsvg-2-2-32bit-2.42.8-lp151.3.3.1 librsvg-devel-2.42.8-lp151.3.3.1 rsvg-thumbnailer-2.42.8-lp151.3.3.1 rsvg-view-2.42.8-lp151.3.3.1 typelib-1_0-Rsvg-2_0-2.42.8-lp151.3.3.1 gdk-pixbuf-loader-rsvg-2.42.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 gdk-pixbuf-loader-rsvg-32bit-2.42.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 librsvg-2-2-2.42.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 librsvg-2-2-32bit-2.42.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 librsvg-devel-2.42.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 rsvg-thumbnailer-2.42.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 rsvg-view-2.42.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 typelib-1_0-Rsvg-2_0-2.42.8-lp151.3.3.1 as a component of openSUSE Leap 15.1 In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially. CVE-2019-20446 openSUSE Leap 15.1:gdk-pixbuf-loader-rsvg-2.42.8-lp151.3.3.1 openSUSE Leap 15.1:gdk-pixbuf-loader-rsvg-32bit-2.42.8-lp151.3.3.1 openSUSE Leap 15.1:librsvg-2-2-2.42.8-lp151.3.3.1 openSUSE Leap 15.1:librsvg-2-2-32bit-2.42.8-lp151.3.3.1 openSUSE Leap 15.1:librsvg-devel-2.42.8-lp151.3.3.1 openSUSE Leap 15.1:rsvg-thumbnailer-2.42.8-lp151.3.3.1 openSUSE Leap 15.1:rsvg-view-2.42.8-lp151.3.3.1 openSUSE Leap 15.1:typelib-1_0-Rsvg-2_0-2.42.8-lp151.3.3.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3CV6E2IAKNCNDVO5MXFKSTGO3PMWDL65/ https://www.suse.com/security/cve/CVE-2019-20446.html CVE-2019-20446 https://bugzilla.suse.com/1162501 SUSE Bug 1162501