Bug 1588840 (CVE-2018-1000041)

Summary: CVE-2018-1000041 librsvg: Improper input validation vulnerability in rsvg-io.c
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: alexl, ignatenko, john.j5live, mclasen, otte, rhughes, rstrode, sandmann
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2018-06-24 16:21:42 UTC
Bug Depends On: 1588841, 1588842, 1588843    
Bug Blocks: 1588844    

Description Pedro Sampaio 2018-06-07 23:39:41 UTC
GNOME librsvg version before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea contains an improper input validation vulnerability in rsvg-io.c that can result in the victim's Windows username and NTLM password hash being leaked to remote attackers through SMB. This attack appears to be exploitable via: the victim must process a specially crafted SVG file containing a UNC path on Windows.

Upstream patch:

https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea
https://github.com/ImageMagick/librsvg/commit/f9d69eadd2b16b00d1a1f9f286122123f8e547dd

References:

https://lists.debian.org/debian-lts-announce/2018/02/msg00013.html

Comment 1 Pedro Sampaio 2018-06-07 23:41:20 UTC
Created librsvg2 tracking bugs for this issue:

Affects: fedora-all [bug 1588843]


Created mingw-librsvg2 tracking bugs for this issue:

Affects: fedora-all [bug 1588841]

Comment 3 Doran Moppert 2018-07-27 01:21:41 UTC
The described vulnerability only affects librsvg on Windows, where UNC path references can lead to the NTLM hash being leaked.

Comment 4 Doran Moppert 2019-11-26 00:09:54 UTC
Statement:

The described vulnerability only affects librsvg on Windows, where UNC path references can lead to the NTLM hash being leaked.