

Published: 2 February 2020

In GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause a denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.
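
As an added example (not code from this page, Ubuntu or the librsvg project), a defensive pre-check that a service accepting untrusted SVG could run before calling the renderer: it follows `fill`/`stroke` `url(#id)` references to `<pattern>` elements recursively and returns the worst-case number of pattern renders the file would trigger, capped at a limit so that reference cycles and compounding nesting are rejected early. The `limit` value, the function names and the sample SVG are constructed assumptions, and the check only looks at fill/stroke paint references, not at every way a pattern can be used.

```python
import re
import xml.etree.ElementTree as ET

URL_REF = re.compile(r"url\(#([^)]+)\)")  # fill="url(#id)" / stroke="url(#id)"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix

def pattern_fanout(svg_text, limit=10_000):
    """Worst-case number of pattern renders needed to draw svg_text, capped at
    `limit`. Each use of a pattern re-renders its children, which may in turn
    be painted with further patterns, so the count compounds with every
    nesting level; a reference cycle also yields `limit`."""
    root = ET.fromstring(svg_text)
    patterns = {el.get("id"): el for el in root.iter()
                if _local(el.tag) == "pattern" and el.get("id")}

    def refs(el):
        # pattern ids painted by el's descendants; nested <pattern> definitions
        # are skipped because they are not drawn on their own
        out = []
        for node in el:
            if _local(node.tag) == "pattern":
                continue
            for attr in ("fill", "stroke"):
                m = URL_REF.search(node.get(attr, ""))
                if m and m.group(1) in patterns:
                    out.append(m.group(1))
            out.extend(refs(node))
        return out

    memo = {}
    def renders(pid, stack):
        if pid in stack:  # cycle: rendering would never terminate
            return limit
        if pid not in memo:
            total = 1
            for ref in refs(patterns[pid]):
                total += renders(ref, stack | {pid})
                if total >= limit:
                    break
            memo[pid] = min(total, limit)
        return memo[pid]

    return min(sum(renders(r, frozenset()) for r in refs(root)), limit)

# constructed sample: p2 uses p1 twice, p1 uses p0 twice -> 1 + 2*(1 + 2*1) = 7
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"><defs>
<pattern id="p0"><rect fill="red"/></pattern>
<pattern id="p1"><rect fill="url(#p0)"/><rect stroke="url(#p0)"/></pattern>
<pattern id="p2"><rect fill="url(#p1)"/><rect fill="url(#p1)"/></pattern>
</defs><rect fill="url(#p2)"/></svg>"""
```

A caller would reject a file whose estimate reaches the limit; the limit returned for a cycle makes self-referencing definitions fail the same check.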


Also affects older versions written in C.

The fixes added to 2.40.21 cause a regression, and upstream will
not be fixing them.

Backporting the missing part of the fix from the 2.46
version (in Rust) to 2.40 (in C) is not trivial and
requires an effort from someone involved in the project.

As of 2022-11-25, there are no new commits in the 2.40 branch.

Upstream has released a fix for this issue, and also a new version
containing said fix (2.40.21). Applying the patch recovered from
version 2.40.21 caused a regression, as per Launchpad bug 1889206,
and there have been no additional commits in branch 2.40 in the
last 2 years (last commit on 2020-02-26). In issue 612, upstream
mentions that they will no longer provide fixes to branch 2.40.
They also mention the fix to the regression, available for later
versions of the code, but backporting it is not viable, as the
code has been refactored and is now in an entirely different
programming language. This means there are no commits available
that would allow a fix for the regression in releases
containing the C version of the code. Therefore, this issue will
be marked as ignored for bionic and earlier.


Package Release Status

Release    Status
bionic     Ignored (see notes)
eoan       Ignored (end of life)
focal      Not vulnerable
groovy     Not vulnerable
hirsute    Not vulnerable
impish     Not vulnerable
jammy      Not vulnerable
kinetic    Not vulnerable
trusty     Does not exist
upstream   Released (2.46.4-1, 2.40.21)
xenial     Ignored (see notes)

Severity score breakdown

Parameter               Value
Base score              6.5
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        Required
Scope                   Unchanged
Confidentiality impact  None
Integrity impact        None
Availability impact     High
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H