Bug 924414 (CVE-2013-1881)

Summary: CVE-2013-1881 librsvg2: local resource access vulnerability due to XML External Entity enablement
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akrherz, botsch, bugreports2005, dag, fhaddad, ilmis, jonathan.underwood, kuja53, mclasen, nrm, rdtennent, security-response-team, sergio.pasra, skito, stephan.wiesand, yohmura
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: librsvg2 2.39.0 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-03 19:14:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1008830, 1049155, 1049156, 1049158    
Bug Blocks: 924416    

Description Vincent Danen 2013-03-21 18:07:04 UTC 
It was reported [1] that librsvg2, via gnome-vfs, is vulnerable to a local resource access vulnerability via XML External Entity expansion.  If a user were to view a folder containing a malicious SVG file, or open the file, GVFS would send the local resource's contents to the attacker's server.  A patch [2] is attached to the bug report which restricts what is permitted to be loaded.

[1] https://bugzilla.gnome.org/show_bug.cgi?id=691708
[2] https://bug691708.bugzilla-attachments.gnome.org/attachment.cgi?id=238516&t=9sD7BFBKk1
Comment 6 Vincent Danen 2013-08-16 15:14:45 UTC 
This is fixed in git:

https://git.gnome.org/browse/librsvg/commit/?id=d83e426fff3f6d0fa6042d0930fb70357db24125
https://git.gnome.org/browse/librsvg/commit/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e
Comment 7 Vincent Danen 2013-08-19 20:16:54 UTC 
These changes caused a regression with gtk+ symbolic icons; the below patch fixes the regression (in gtk+)

https://git.gnome.org/browse/gtk+/commit/?id=7b4f82ccc6c180b809cd3b7b6582394ce741a14e
Comment 8 Vincent Danen 2013-09-17 07:12:00 UTC 
Created librsvg2 tracking bugs for this issue:

Affects: fedora-all [bug 1008830]
Comment 11 Huzaifa S. Sidhpurwala 2014-01-07 06:26:07 UTC 
This issue does NOT affect the version of librsvg2 as shipped with Red Hat Enterprise Linux 5.

This issue affects the version of librsvg2 as shipped with Red Hat Enterprise Linux 6.
Comment 15 Huzaifa S. Sidhpurwala 2014-01-07 14:01:57 UTC 
Statement:

This issue did not affect the versions of librsvg2 as shipped with Red Hat Enterprise Linux 5.
Comment 17 errata-xmlrpc 2014-02-03 18:51:35 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0127 https://rhn.redhat.com/errata/RHSA-2014-0127.html
Comment 18 daryl herzmann 2014-02-03 22:01:57 UTC 
This update appears to be causing great pain on fully updated RHEL6

$ rpm -q librsvg2
librsvg2-2.26.0-6.el6_5.2.x86_64

$ eog /usr/share/icons/gnome/scalable/emblems/emblem-photos.svg 
Segmentation fault (core dumped)

$ nautilus
Initializing nautilus-gdu extension
Initializing nautilus-open-terminal extension
Segmentation fault (core dumped)

myself and another users are reproducing at the moment, shrug
Comment 19 Freddie Haddad 2014-02-04 07:32:00 UTC 
I can confirm the same problem after installing this update. File Browser continuously opens in an endless cycle filling the running programs panel with icons. I had to downgrade this update.
Comment 20 bugreports2005 2014-02-04 07:48:05 UTC 
Confirming the described grief with librsvg2-2.26.0-6.el6_5.2.x86_64 on fully updated RHEL6.

Had to do downgrade back to librsvg2-2.26.0-5.el6_1.1 for a usable desktop.
Comment 22 Jonathan Underwood 2014-02-04 11:10:10 UTC 
Yes, confirmed, with this update I see nautilus opening endlessly and the system becomes unusable. Fixed by downgrade to -5. Redhat really need to improve their QA wrt updates.
Comment 23 Jonathan Underwood 2014-02-04 11:51:56 UTC 
Bug opened for the nautilus/gnome death-by-libsrvg2 problem:

https://bugzilla.redhat.com/show_bug.cgi?id=1061085
Comment 24 Jakub Kuzelka 2014-02-04 18:06:22 UTC 
I also had problem with gnome-panel at first. After few clicks in context menus gnome-panel crashes. And after restart I had same problem as peoples above. Infinite loop of nautilus openings.
Comment 25 Tomas Hoger 2014-02-04 20:48:00 UTC 
RHSA-2014:0127 erratum was updated with a new build of librsvg2 that fixes the reported crash:

https://rhn.redhat.com/errata/RHSA-2014-0127.html

This problem was caused by mistake made when backporting fix for this issue, and it failed to be detected during testing.  We apologize for the breakage.
Comment 26 Bob Tennent 2014-02-04 21:11:00 UTC 
"We have updated the packages to correct this bug"  without increasing the version?  So how can we tell whether a package available from a repo has been fixed or not?
Comment 27 Dave Botsch 2014-02-04 21:32:05 UTC 
I, too, have experienced the nautlius of death.

It would appear that either the problem was not fixed or the wrong package was pushed out. I am downgrading my systems.
Comment 28 Tomas Hoger 2014-02-04 21:51:42 UTC 
(In reply to Bob Tennent from comment #26)
> "We have updated the packages to correct this bug"  without increasing the
> version?  So how can we tell whether a package available from a repo has
> been fixed or not?

The version that was previously used in RHSA-2014:0127 was librsvg2-2.26.0-6.el6_5.2.  You can see the mail that was sent to e.g. rhsa-announce list yesterday:

https://www.redhat.com/archives/rhsa-announce/2014-February/msg00001.html

The new build is librsvg2-2.26.0-6.el6_5.3, which is the one linked from the errata page:

https://rhn.redhat.com/errata/RHSA-2014-0127.html

Errata page no longer links old build.