Red Hat Bugzilla – Full Text Bug Listing
Summary: CVE-2013-1881 librsvg2: local resource access vulnerability due to XML External Entity enablement
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Version: unspecified
CC: akrherz, botsch, bugreports2005, dag, fhaddad, ilmis, jonathan.underwood, kuja53, mclasen, nrm, rdtennent, security-response-team, sergio.pasra, skito, stephan.wiesand, yohmura
Fixed In Version: librsvg2 2.39.0
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-02-03 14:14:42 EST
Type: ---
oVirt Team: ---
Bug Depends On: 1008830, 1049155, 1049156, 1049158
Description Vincent Danen 2013-03-21 14:07:04 EDT
It was reported that librsvg2, via gnome-vfs, is vulnerable to a local resource access vulnerability via XML External Entity expansion. If a user were to view a folder containing a malicious SVG file, or open the file, GVFS would send the local resource's contents to the attacker's server. A patch is attached to the bug report which restricts what is permitted to be loaded.

https://bugzilla.gnome.org/show_bug.cgi?id=691708
https://bug691708.bugzilla-attachments.gnome.org/attachment.cgi?id=238516&t=9sD7BFBKk1
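The description above turns on one property of SVG: it is XML, so a renderer with entity expansion enabled will honour a `<!DOCTYPE>` with `<!ENTITY ... SYSTEM ...>` declarations and resolve them outside the document. As an added example (not librsvg2, gnome-vfs or Red Hat code), the following standard-library pre-check lets a viewer or thumbnailer refuse such documents before rendering; the two sample SVGs and the file path inside them are constructed placeholders.

```python
"""Refuse SVG input that declares external entities or an external DTD.

Added example, not librsvg2 / gnome-vfs code. Standard library only; the two
SVG samples and the file path inside them are constructed placeholders.
"""
import xml.parsers.expat

BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

# Constructed sample of the pattern the bug describes: a DOCTYPE whose entity
# points outside the document. The path is a placeholder, not a real target.
XXE_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///placeholder/local/resource"> ]>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>'
)


def find_external_references(svg_bytes):
    """Return one finding per external DTD / external entity; empty list means none."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch the external DTD subset or expand parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append("external DTD: %s" % (system_id or public_id))

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            findings.append("external entity %s -> %s" % (name, system_id or public_id))

    def on_external_ref(context, base, system_id, public_id):
        return 0  # refuse to resolve anything outside the document (raises ExpatError)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(svg_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append("parse refused: %s" % exc)
    return findings


def is_safe_to_render(svg_bytes):
    """True only when the SVG declares no external DTD and no external entities."""
    return not find_external_references(svg_bytes)
```

The check is deliberately stricter than the renderer needs to be: an SVG icon has no legitimate reason to declare an external DTD or entity, so any finding is grounds to skip rendering rather than to sanitise.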
Comment 6 Vincent Danen 2013-08-16 11:14:45 EDT
Comment 7 Vincent Danen 2013-08-19 16:16:54 EDT
These changes caused a regression with gtk+ symbolic icons; the below patch fixes the regression (in gtk+):
https://git.gnome.org/browse/gtk+/commit/?id=7b4f82ccc6c180b809cd3b7b6582394ce741a14e
Comment 8 Vincent Danen 2013-09-17 03:12:00 EDT
Created librsvg2 tracking bugs for this issue:

Affects: fedora-all [bug 1008830]
Comment 11 Huzaifa S. Sidhpurwala 2014-01-07 01:26:07 EST
This issue does NOT affect the version of librsvg2 as shipped with Red Hat Enterprise Linux 5. This issue affects the version of librsvg2 as shipped with Red Hat Enterprise Linux 6.
Comment 15 Huzaifa S. Sidhpurwala 2014-01-07 09:01:57 EST
Statement: This issue did not affect the versions of librsvg2 as shipped with Red Hat Enterprise Linux 5.
Comment 17 errata-xmlrpc 2014-02-03 13:51:35 EST
This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2014:0127 https://rhn.redhat.com/errata/RHSA-2014-0127.html
Comment 18 daryl herzmann 2014-02-03 17:01:57 EST
This update appears to be causing great pain on fully updated RHEL6

$ rpm -q librsvg2
librsvg2-2.26.0-6.el6_5.2.x86_64
$ eog /usr/share/icons/gnome/scalable/emblems/emblem-photos.svg
Segmentation fault (core dumped)
$ nautilus
Initializing nautilus-gdu extension
Initializing nautilus-open-terminal extension
Segmentation fault (core dumped)

myself and another user are reproducing at the moment, shrug
Comment 19 Freddie Haddad 2014-02-04 02:32:00 EST
I can confirm the same problem after installing this update. File Browser continuously opens in an endless cycle filling the running programs panel with icons. I had to downgrade this update.
Comment 20 bugreports2005 2014-02-04 02:48:05 EST
Confirming the described grief with librsvg2-2.26.0-6.el6_5.2.x86_64 on fully updated RHEL6. Had to downgrade back to librsvg2-2.26.0-5.el6_1.1 for a usable desktop.
Comment 22 Jonathan Underwood 2014-02-04 06:10:10 EST
Yes, confirmed, with this update I see nautilus opening endlessly and the system becomes unusable. Fixed by downgrade to -5. Redhat really need to improve their QA wrt updates.
Comment 23 Jonathan Underwood 2014-02-04 06:51:56 EST
Bug opened for the nautilus/gnome death-by-librsvg2 problem: https://bugzilla.redhat.com/show_bug.cgi?id=1061085
Comment 24 Jakub Kuzelka 2014-02-04 13:06:22 EST
I also had a problem with gnome-panel at first. After a few clicks in context menus gnome-panel crashes. And after a restart I had the same problem as the people above. Infinite loop of nautilus openings.
Comment 25 Tomas Hoger 2014-02-04 15:48:00 EST
RHSA-2014:0127 erratum was updated with a new build of librsvg2 that fixes the reported crash:
https://rhn.redhat.com/errata/RHSA-2014-0127.html

This problem was caused by a mistake made when backporting the fix for this issue, and it failed to be detected during testing. We apologize for the breakage.
Comment 26 Bob Tennent 2014-02-04 16:11:00 EST
"We have updated the packages to correct this bug" without increasing the version? So how can we tell whether a package available from a repo has been fixed or not?
Comment 27 Dave Botsch 2014-02-04 16:32:05 EST
I, too, have experienced the nautilus of death. It would appear that either the problem was not fixed or the wrong package was pushed out. I am downgrading my systems.
Comment 28 Tomas Hoger 2014-02-04 16:51:42 EST
(In reply to Bob Tennent from comment #26)
> "We have updated the packages to correct this bug" without increasing the
> version? So how can we tell whether a package available from a repo has
> been fixed or not?

The version that was previously used in RHSA-2014:0127 was librsvg2-2.26.0-6.el6_5.2. You can see the mail that was sent to e.g. the rhsa-announce list yesterday:
https://www.redhat.com/archives/rhsa-announce/2014-February/msg00001.html

The new build is librsvg2-2.26.0-6.el6_5.3, which is the one linked from the errata page:
https://rhn.redhat.com/errata/RHSA-2014-0127.html

The errata page no longer links the old build.