
CVE-2019-20446

Published: 2 February 2020

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

Notes

Author: mdeslaur
also affects older versions written in C
The fixes added to 2.40.21 cause a regression, and upstream will
not be fixing them.

Author: rodrigo-zaiden
backporting the missing part of the fix from the 2.46
version (in Rust) to 2.40 (in C) is not trivial and
requires an effort for someone involved in the project.
As of 2022-11-25, there are no new commits in the 2.40 branch.

Author: ccdm94
upstream has released a fix for this issue, and also a new version
containing said fix (2.40.21). Applying the patch recovered from
version 2.40.21 caused a regression, as per launchpad bug 1889206,
and there have been no additional commits in branch 2.40 in the
last 2 years (last commit in 2020-02-26). In issue 612, upstream
mentions that they will no longer provide fixes to branch 2.40.
They also mention the fix to the regression, available for later
versions of the code, but backporting it is not viable, as the
code has been refactored and is now in an entirely different
programming language. This means there are no possible commits
provided that would allow a fix for the regression in releases
containing the C version of the code. Therefore, this issue will
be marked as ignored for bionic and earlier.

Priority

Low

CVSS 3 Severity Score

6.5

Status

Package Release Status
librsvg
bionic    Ignored (see notes)
eoan      Ignored (end of life)
trusty    Does not exist
upstream  Released (2.46.4-1, 2.40.21)
focal     Not vulnerable (2.48.7-1ubuntu0.20.04.1)
groovy    Not vulnerable (2.46.4-1ubuntu1)
hirsute   Not vulnerable (2.46.4-1ubuntu1)
impish    Not vulnerable (2.46.4-1ubuntu1)
jammy     Not vulnerable (2.46.4-1ubuntu1)
kinetic   Not vulnerable (2.46.4-1ubuntu1)
xenial    Ignored (see notes)
Patches:
upstream: https://gitlab.gnome.org/GNOME/librsvg/commit/572f95f739529b865e2717664d6fefcef9493135
upstream: https://gitlab.gnome.org/GNOME/librsvg/commit/27f1f35557515747c423ab780d7b1a2d7a711fa1 (2.40)

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality impact None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H