CVE-2012-5656

Published: 18 January 2013

The rasterization process in Inkscape before 0.48.4 allows local users to read arbitrary files via an external entity in a SVG file, aka an XML external entity (XXE) injection attack.

Priority

Status

Package	Release	Status
inkscape Launchpad, Ubuntu, Debian	hardy	Ignored (end of life)
	lucid	Released (0.47.0-2ubuntu2.1)
	oneiric	Released (0.48.2-0ubuntu1.1)
	precise	Released (0.48.3.1-1ubuntu1.1)
	quantal	Released (0.48.3.1-1ubuntu6.1)
	upstream	Released (0.48.4)
	Patches: vendor: http://patch-tracker.debian.org/patch/series/view/inkscape/0.48.3.1-1.3/03-CVE-2012-5656.diff upstream: http://bazaar.launchpad.net/~inkscape.dev/inkscape/RELEASE_0_48_BRANCH/revision/9932

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5656
http://www.openwall.com/lists/oss-security/2012/12/19
https://bugs.launchpad.net/inkscape/+bug/1025185/comments/14
http://wiki.inkscape.org/wiki/index.php/Release_notes/0.48.4
https://ubuntu.com/security/notices/USN-1712-1
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/inkscape/+bug/1025185

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›