CVE-2019-20446
Published: 02 February 2020
In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
Priority
Low
CVSS 3 base score: 6.5
Status
| Package | Release | Status |
|---|---|---|
|
librsvg Launchpad, Ubuntu, Debian |
Upstream |
Released
(2.46.4-1)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(2.46.4-1ubuntu1)
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
(2.46.4-1ubuntu1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(2.48.7-1ubuntu0.20.04.1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Needed
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Does not exist
|
|
|
Patches: Upstream: https://gitlab.gnome.org/GNOME/librsvg/commit/572f95f739529b865e2717664d6fefcef9493135 Upstream: https://gitlab.gnome.org/GNOME/librsvg/commit/27f1f35557515747c423ab780d7b1a2d7a711fa1 (2.40) |
||
Notes
| Author | Note |
|---|---|
| mdeslaur | also affects older versions written in C The fixes added to 2.40.21 cause a regression, and upstream will not be fixing them. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20446
- https://ubuntu.com/security/notices/USN-4436-1
- https://ubuntu.com/security/notices/USN-4436-2
- NVD
- Launchpad
- Debian