CVE-2019-20446

Priority
Description
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested
patterns can cause denial of service when passed to the library for
processing. The attacker constructs pattern elements so that the number of
final rendered objects grows exponentially.
Notes
mdeslaur: also affects older versions written in C.
The fixes added to 2.40.21 cause a regression, and upstream will
not be fixing them.
Package
Upstream: released (2.46.4-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 20.04 LTS (Focal Fossa): not-affected (2.48.7-1ubuntu0.20.04.1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (2.46.4-1ubuntu1)
Patches:
Upstream: https://gitlab.gnome.org/GNOME/librsvg/commit/572f95f739529b865e2717664d6fefcef9493135
Upstream: https://gitlab.gnome.org/GNOME/librsvg/commit/27f1f35557515747c423ab780d7b1a2d7a711fa1 (2.40)
More Information

Updated: 2020-07-29 17:14:24 UTC (commit 1c683a4276ecf1e1dbcd3c4cd7f1897e007ff106)