CVE-2019-20446

Publication date 2 February 2020

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

6.5 · Medium

Score breakdown

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

Read the notes from the security team

Status

Package Ubuntu Release Status
librsvg 22.10 kinetic
Not affected
22.04 LTS jammy
Not affected
21.10 impish
Not affected
21.04 hirsute
Not affected
20.10 groovy
Not affected
20.04 LTS focal
Not affected
19.10 eoan Ignored end of life
18.04 LTS bionic Ignored see notes
16.04 LTS xenial Ignored see notes
14.04 LTS trusty Not in release

Notes


mdeslaur

also affects older versions written in C The fixes added to 2.40.21 cause a regression, and upstream will not be fixing them.


rodrigo-zaiden

backporting the missing part of the fix from the 2.46 version (in Rust) to 2.40 (in C) is not trivial and requires an effort for someone involved in the project. as of 2022-11-25, there is no new commits in 2.40 branch.


ccdm94

upstream has released a fix for this issue, and also a new version containing said fix (2.40.21). Applying the patch recovered from version 2.40.21 caused a regression, as per launchpad bug 1889206, and there have been no additional commits in branch 2.40 in the last 2 years (last commit in 2020-02-26). In issue 612, upstream mentions that they will no longer provide fixes to branch 2.40. They also mention the fix to the regression, available for later versions of the code, but backporting it is not viable, as the code has been refactored and is now in an entirely different programming language. This mean there are no possible commits provided that would allow a fix for the regression in releases containing the C version of the code. Therefore, this issue will be marked as ignored for bionic and earlier.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
librsvg

Severity score breakdown

Parameter Value
Base score 6.5 · Medium
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

Related Ubuntu Security Notices (USN)

Other references