Red Hat Bugzilla – Bug 924414
CVE-2013-1881 librsvg2: local resource access vulnerability due to XML External Entity enablement
Last modified: 2015-10-15 13:52:10 EDT
It was reported that librsvg2, via gnome-vfs, is vulnerable to a local resource access vulnerability via XML External Entity expansion. If a user were to view a folder containing a malicious SVG file, or open the file, GVFS would send the local resource's contents to the attacker's server. A patch is attached to the bug report which restricts what is permitted to be loaded.
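The class of input described above can be screened before rendering. The following is an added example, not code from the bug report, librsvg or gvfs: a pre-parse check using only Python's stdlib expat bindings that reports external entity declarations and resolution attempts without opening any resource. The SVG samples are constructed, and the SYSTEM URI is a placeholder.

```python
"""Flag XML/SVG input that declares or references external entities.

Added example, not code from the bug report or from librsvg/gvfs: a pre-parse
check a thumbnailer or file manager could run before handing an SVG to a
renderer.  Uses only the stdlib expat bindings and never opens a resource.
"""
import xml.parsers.expat


def scan_external_entities(data: bytes) -> dict:
    """Return external entity declarations and resolution attempts in data."""
    found = {"declared": [], "referenced": [], "error": None}
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # An entity with a SYSTEM or PUBLIC identifier is external; internal
        # entities (value is not None) are harmless and ignored here.
        if system_id is not None or public_id is not None:
            found["declared"].append((name, system_id, public_id))

    def external_ref(context, base, system_id, public_id):
        # Record the attempt but do not open the resource; returning 1 tells
        # expat to continue as if the entity were empty.
        found["referenced"].append(system_id)
        return 1

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        found["error"] = str(exc)
    return found


def is_safe_to_render(data: bytes) -> bool:
    """Policy: refuse input that declares or references any external entity."""
    r = scan_external_entities(data)
    return not r["declared"] and not r["referenced"] and r["error"] is None


# Constructed samples; the SYSTEM URI is a placeholder, not a real path.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
EXTERNAL_ENTITY_SVG = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/local-file"> ]>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>'
)
```

A renderer that parses with entity resolution disabled is still the real fix; this check only makes the attempt visible in logs before the file reaches the renderer.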
This is fixed in git:
These changes caused a regression with gtk+ symbolic icons; the below patch fixes the regression (in gtk+)
Created librsvg2 tracking bugs for this issue:
Affects: fedora-all [bug 1008830]
This issue does NOT affect the version of librsvg2 as shipped with Red Hat Enterprise Linux 5.
This issue affects the version of librsvg2 as shipped with Red Hat Enterprise Linux 6.
This issue did not affect the versions of librsvg2 as shipped with Red Hat Enterprise Linux 5.
This issue has been addressed in following products:
Red Hat Enterprise Linux 6
Via RHSA-2014:0127 https://rhn.redhat.com/errata/RHSA-2014-0127.html
This update appears to be causing great pain on fully updated RHEL6
$ rpm -q librsvg2
$ eog /usr/share/icons/gnome/scalable/emblems/emblem-photos.svg
Segmentation fault (core dumped)
Initializing nautilus-gdu extension
Initializing nautilus-open-terminal extension
Segmentation fault (core dumped)
Myself and other users are reproducing at the moment, shrug.
I can confirm the same problem after installing this update. File Browser continuously opens in an endless cycle filling the running programs panel with icons. I had to downgrade this update.
Confirming the described grief with librsvg2-2.26.0-6.el6_5.2.x86_64 on fully updated RHEL6.
Had to downgrade back to librsvg2-2.26.0-5.el6_1.1 for a usable desktop.
Yes, confirmed, with this update I see nautilus opening endlessly and the system becomes unusable. Fixed by downgrade to -5. Red Hat really need to improve their QA wrt updates.
Bug opened for the nautilus/gnome death-by-librsvg2 problem:
I also had a problem with gnome-panel at first. After a few clicks in context menus gnome-panel crashes. And after restart I had the same problem as the people above. Infinite loop of nautilus openings.
The RHSA-2014:0127 erratum was updated with a new build of librsvg2 that fixes the reported crash:
This problem was caused by a mistake made when backporting the fix for this issue, and it failed to be detected during testing. We apologize for the breakage.
"We have updated the packages to correct this bug" without increasing the version? So how can we tell whether a package available from a repo has been fixed or not?
I, too, have experienced the nautilus of death.
It would appear that either the problem was not fixed or the wrong package was pushed out. I am downgrading my systems.
(In reply to Bob Tennent from comment #26)
> "We have updated the packages to correct this bug" without increasing the
> version? So how can we tell whether a package available from a repo has
> been fixed or not?
The version that was previously used in RHSA-2014:0127 was librsvg2-2.26.0-6.el6_5.2. You can see the mail that was sent to e.g. rhsa-announce list yesterday:
The new build is librsvg2-2.26.0-6.el6_5.3, which is the one linked from the errata page:
Errata page no longer links old build.