Bug 924414 (CVE-2013-1881)
| Summary: | CVE-2013-1881 librsvg2: local resource access vulnerability due to XML External Entity enablement | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | akrherz, botsch, bugreports2005, dag, fhaddad, ilmis, jonathan.underwood, kuja53, mclasen, nrm, rdtennent, security-response-team, sergio.pasra, skito, stephan.wiesand, yohmura |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | librsvg2 2.39.0 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-02-03 19:14:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1008830, 1049155, 1049156, 1049158 | | |
| Bug Blocks: | 924416 | | |
Description
Vincent Danen
2013-03-21 18:07:04 UTC
This is fixed in git:
https://git.gnome.org/browse/librsvg/commit/?id=d83e426fff3f6d0fa6042d0930fb70357db24125
https://git.gnome.org/browse/librsvg/commit/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e

These changes caused a regression with gtk+ symbolic icons; the patch below fixes the regression (in gtk+):
https://git.gnome.org/browse/gtk+/commit/?id=7b4f82ccc6c180b809cd3b7b6582394ce741a14e

Created librsvg2 tracking bugs for this issue:
Affects: fedora-all [bug 1008830]

This issue does NOT affect the version of librsvg2 as shipped with Red Hat Enterprise Linux 5. This issue affects the version of librsvg2 as shipped with Red Hat Enterprise Linux 6.

Statement: This issue did not affect the versions of librsvg2 as shipped with Red Hat Enterprise Linux 5.

This issue has been addressed in the following products: Red Hat Enterprise Linux 6, via RHSA-2014:0127 https://rhn.redhat.com/errata/RHSA-2014-0127.html

This update appears to be causing great pain on fully updated RHEL6:

```
$ rpm -q librsvg2
librsvg2-2.26.0-6.el6_5.2.x86_64
$ eog /usr/share/icons/gnome/scalable/emblems/emblem-photos.svg
Segmentation fault (core dumped)
$ nautilus
Initializing nautilus-gdu extension
Initializing nautilus-open-terminal extension
Segmentation fault (core dumped)
```

Myself and another user are reproducing at the moment, shrug.

I can confirm the same problem after installing this update. File Browser continuously opens in an endless cycle, filling the running programs panel with icons. I had to downgrade this update.

Confirming the described grief with librsvg2-2.26.0-6.el6_5.2.x86_64 on fully updated RHEL6. Had to downgrade back to librsvg2-2.26.0-5.el6_1.1 for a usable desktop.

Yes, confirmed, with this update I see nautilus opening endlessly and the system becomes unusable. Fixed by downgrade to -5. Red Hat really needs to improve their QA wrt updates.

Bug opened for the nautilus/gnome death-by-librsvg2 problem: https://bugzilla.redhat.com/show_bug.cgi?id=1061085

I also had a problem with gnome-panel at first. After a few clicks in context menus gnome-panel crashes. And after restart I had the same problem as the people above. Infinite loop of nautilus openings.

The RHSA-2014:0127 erratum was updated with a new build of librsvg2 that fixes the reported crash: https://rhn.redhat.com/errata/RHSA-2014-0127.html This problem was caused by a mistake made when backporting the fix for this issue, and it failed to be detected during testing. We apologize for the breakage.

"We have updated the packages to correct this bug" without increasing the version? So how can we tell whether a package available from a repo has been fixed or not?

I, too, have experienced the nautilus of death. It would appear that either the problem was not fixed or the wrong package was pushed out. I am downgrading my systems.

(In reply to Bob Tennent from comment #26)
> "We have updated the packages to correct this bug" without increasing the
> version? So how can we tell whether a package available from a repo has
> been fixed or not?

The version that was previously used in RHSA-2014:0127 was librsvg2-2.26.0-6.el6_5.2. You can see the mail that was sent to e.g. the rhsa-announce list yesterday: https://www.redhat.com/archives/rhsa-announce/2014-February/msg00001.html The new build is librsvg2-2.26.0-6.el6_5.3, which is the one linked from the errata page: https://rhn.redhat.com/errata/RHSA-2014-0127.html

Errata page no longer links old build.
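The summary of this bug names the vulnerability class: with XML external entities enabled, an SVG document can declare an entity whose SYSTEM identifier names a local resource, and a renderer that resolves entities pulls that resource's content into the rendered output. As an added example (not code from this bug report, from librsvg, or from Red Hat), the following Python script is a pre-render check that a service accepting SVG files could run before handing them to a renderer such as librsvg. It relies only on the standard library's expat binding, which reports every entity declaration through `EntityDeclHandler` but never fetches an external entity unless an `ExternalEntityRefHandler` is registered, so scanning a hostile document performs no file or network I/O. The sample documents, the function names and the `file:///placeholder/local/file` identifier are constructed for this example.

```python
"""Pre-render check for SVG uploads: refuse documents that declare XML
external entities (added example; not code from librsvg or Red Hat).

Expat reports every <!ENTITY ...> declaration in the internal DTD subset
through EntityDeclHandler. Because no ExternalEntityRefHandler is
registered, a reference such as &local; to an external entity is skipped
rather than fetched, so the scan itself never touches the named resource.
"""
import xml.parsers.expat


def scan_for_external_entities(xml_bytes):
    """Return {"well_formed": bool, "external_entities": [(name, system_id), ...]}.

    An external entity is any general or parameter entity declared with a
    SYSTEM or PUBLIC identifier; internal entities (<!ENTITY x "text">)
    carry a literal replacement value instead and are not reported.
    """
    found = []

    def on_entity_decl(name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        # value is the replacement text of an internal entity; an external
        # entity has value None and a system identifier the parser would fetch.
        if system_id is not None:
            found.append((name, system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(xml_bytes, True)  # True: this is the whole document
        well_formed = True
    except xml.parsers.expat.ExpatError:
        well_formed = False
    return {"well_formed": well_formed, "external_entities": found}


def is_safe_to_render(xml_bytes):
    """Upload policy: render only well-formed documents that declare no
    external entities. A malformed document is rejected as well, because a
    scan that stopped at a parse error cannot vouch for what follows it."""
    report = scan_for_external_entities(xml_bytes)
    return report["well_formed"] and not report["external_entities"]


# Constructed sample documents (not taken from the bug report).
BENIGN_SVG = (
    b'<?xml version="1.0"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>hello</text></svg>'
)
INTERNAL_ENTITY_SVG = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE svg [<!ENTITY unit "px">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>10&unit;</text></svg>'
)
# Declares an entity that an entity-resolving renderer would fill from a
# local resource; the SYSTEM identifier is a placeholder, not a real path.
EXTERNAL_ENTITY_SVG = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE svg [<!ENTITY local SYSTEM "file:///placeholder/local/file">]>'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&local;</text></svg>'
)
TRUNCATED_SVG = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><text>'

if __name__ == "__main__":
    samples = [("benign", BENIGN_SVG), ("internal entity", INTERNAL_ENTITY_SVG),
               ("external entity", EXTERNAL_ENTITY_SVG), ("truncated", TRUNCATED_SVG)]
    for label, doc in samples:
        print(f"{label:16s} safe={is_safe_to_render(doc)!s:5s} "
              f"{scan_for_external_entities(doc)}")
```

The check runs before any rendering, so it is independent of which renderer (and which librsvg build) sits behind it; the internal-entity sample shows that ordinary entity use is still accepted, and the truncated sample shows why a parse failure is treated as a rejection rather than a pass.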