CVE-2019-20446

Published: 02 February 2020

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

Priority: Low

CVSS 3 base score: 6.5

Status

Package: librsvg (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Released (2.46.4-1)
Ubuntu 21.10 (Impish Indri)        Not vulnerable (2.46.4-1ubuntu1)
Ubuntu 21.04 (Hirsute Hippo)       Not vulnerable (2.46.4-1ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa)     Not vulnerable (2.48.7-1ubuntu0.20.04.1)
Ubuntu 18.04 LTS (Bionic Beaver)   Needed
Ubuntu 16.04 ESM (Xenial Xerus)    Needed
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

Patches:
Upstream: https://gitlab.gnome.org/GNOME/librsvg/commit/572f95f739529b865e2717664d6fefcef9493135
Upstream: https://gitlab.gnome.org/GNOME/librsvg/commit/27f1f35557515747c423ab780d7b1a2d7a711fa1 (2.40)