Bug 888249 (CVE-2012-5656)

Summary: CVE-2012-5656 inkscape: XXE via SVG rasterization
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aca21, ddumas, duffy, jspaleta, limburgher, lkundrak
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20121217,reported=20121217,source=oss-security,cvss2=5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N,rhel-6/inkscape=defer,fedora-all/inkscape=affected,epel-5/inkscape=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 888252, 888253    
Bug Blocks: 888299    
Attachments:
Description Flags
Local copy of the reproducer image none

Description Jan Lieskovsky 2012-12-18 06:58:45 EST
An XML eXternal Entity (XXE) flaw was found in the way Inkscape, a vector-based drawing program using SVG as its native file format performed rasterization of certain SVG images. A remote attacker could provide a specially-crafted SVG image that, when opened in inkscape would lead to arbitrary local file disclosure or denial of service.

References:
[1] https://bugs.launchpad.net/inkscape/+bug/1025185
[2] http://www.openwall.com/lists/oss-security/2012/12/17/6
[3] https://bugzilla.novell.com/show_bug.cgi?id=794958

Reproducer:
[4] https://bugs.launchpad.net/inkscape/+bug/1025185/comments/1
Comment 1 Jan Lieskovsky 2012-12-18 07:00:20 EST
Created attachment 665463 [details]
Local copy of the reproducer image

(from https://bugs.launchpad.net/inkscape/+bug/1025185/comments/1)
Comment 2 Jan Lieskovsky 2012-12-18 07:02:01 EST
This issue affects the version of the inkscape package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the inkscape package, as shipped with Fedora release of 16 and 17. Please schedule an update (once there is final upstream patch available).

--

This issue affects the version of the inkscape package, as shipped with Fedora EPEL 5. Please schedule an update (once there is final upstream patch available).
Comment 3 Jan Lieskovsky 2012-12-18 07:03:13 EST
Created inkscape tracking bugs for this issue

Affects: fedora-all [bug 888252]
Affects: epel-5 [bug 888253]
Comment 4 Huzaifa S. Sidhpurwala 2012-12-18 22:57:39 EST
Statement:

This issue affects the version of inkscape as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw.
Comment 5 Jan Lieskovsky 2012-12-19 05:29:40 EST
Upstream patch:
[5] http://bazaar.launchpad.net/~inkscape.dev/inkscape/trunk/revision/11931
Comment 6 Huzaifa S. Sidhpurwala 2012-12-20 00:58:27 EST
This issue has been assigned CVE-2012-5656 via:
http://seclists.org/oss-sec/2012/q4/497
Comment 7 Fedora Update System 2012-12-22 23:36:54 EST
inkscape-0.48.4-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-01-05 01:48:35 EST
inkscape-0.48.4-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-01-05 01:54:42 EST
inkscape-0.48.4-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.