Security update for librsvg SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:0629-2 Final 1 1 2020-07-07T11:45:30Z current 2020-07-07T11:45:30Z 2020-07-07T11:45:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for librsvg This update for librsvg to version 2.42.8 fixes the following issues: librsvg was updated to version 2.42.8 fixing the following issues: - CVE-2019-20446: Fixed an issue where a crafted SVG file with nested patterns can cause denial of service (bsc#1162501). NOTE: Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document. - Fixed a stack exhaustion with circular references in <use> elements. - Fixed a denial-of-service condition from exponential explosion of rendered elements, through nested use of SVG 'use' elements in malicious SVGs. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-SAP-Azure-LI-BYOS-Production-2020-629,Image SLES15-SAP-Azure-VLI-BYOS-Production-2020-629,Image SLES15-SP1-SAP-Azure-LI-BYOS-Production-2020-629,Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production-2020-629,SUSE-2020-629,SUSE-SLE-Module-Packagehub-Subpackages-15-SP1-2020-629,SUSE-SLE-Module-Packagehub-Subpackages-15-SP2-2020-629 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20200629-2/ Link for SUSE-SU-2020:0629-2 https://lists.suse.com/pipermail/sle-security-updates/2020-July/007091.html E-Mail link for SUSE-SU-2020:0629-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1162501 SUSE Bug 1162501 https://www.suse.com/security/cve/CVE-2019-20446/ SUSE CVE CVE-2019-20446 page Image SLES15-SAP-Azure-LI-BYOS-Production Image SLES15-SAP-Azure-VLI-BYOS-Production Image SLES15-SP1-SAP-Azure-LI-BYOS-Production Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production SUSE Linux Enterprise Module for Package Hub 15 SP1 SUSE Linux Enterprise Module for Package Hub 15 SP2 gdk-pixbuf-loader-rsvg-2.42.8-3.3.1 librsvg-2-2-2.42.8-3.3.1 gdk-pixbuf-loader-rsvg-32bit-2.42.8-3.3.1 gdk-pixbuf-loader-rsvg-64bit-2.42.8-3.3.1 librsvg-2-2-32bit-2.42.8-3.3.1 librsvg-2-2-64bit-2.42.8-3.3.1 librsvg-devel-2.42.8-3.3.1 rsvg-thumbnailer-2.42.8-3.3.1 rsvg-view-2.42.8-3.3.1 typelib-1_0-Rsvg-2_0-2.42.8-3.3.1 gdk-pixbuf-loader-rsvg-2.42.8-3.3.1 as a component of Image SLES15-SAP-Azure-LI-BYOS-Production librsvg-2-2-2.42.8-3.3.1 as a component of Image SLES15-SAP-Azure-LI-BYOS-Production gdk-pixbuf-loader-rsvg-2.42.8-3.3.1 as a component of Image SLES15-SAP-Azure-VLI-BYOS-Production librsvg-2-2-2.42.8-3.3.1 as a component of Image SLES15-SAP-Azure-VLI-BYOS-Production gdk-pixbuf-loader-rsvg-2.42.8-3.3.1 as a component of Image SLES15-SP1-SAP-Azure-LI-BYOS-Production librsvg-2-2-2.42.8-3.3.1 as a component of Image SLES15-SP1-SAP-Azure-LI-BYOS-Production gdk-pixbuf-loader-rsvg-2.42.8-3.3.1 as a component of Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production librsvg-2-2-2.42.8-3.3.1 as a component of Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production rsvg-view-2.42.8-3.3.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP1 rsvg-view-2.42.8-3.3.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP2 In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially. CVE-2019-20446 Image SLES15-SAP-Azure-LI-BYOS-Production:gdk-pixbuf-loader-rsvg-2.42.8-3.3.1 Image SLES15-SAP-Azure-LI-BYOS-Production:librsvg-2-2-2.42.8-3.3.1 Image SLES15-SAP-Azure-VLI-BYOS-Production:gdk-pixbuf-loader-rsvg-2.42.8-3.3.1 Image SLES15-SAP-Azure-VLI-BYOS-Production:librsvg-2-2-2.42.8-3.3.1 Image SLES15-SP1-SAP-Azure-LI-BYOS-Production:gdk-pixbuf-loader-rsvg-2.42.8-3.3.1 Image SLES15-SP1-SAP-Azure-LI-BYOS-Production:librsvg-2-2-2.42.8-3.3.1 Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production:gdk-pixbuf-loader-rsvg-2.42.8-3.3.1 Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production:librsvg-2-2-2.42.8-3.3.1 SUSE Linux Enterprise Module for Package Hub 15 SP1:rsvg-view-2.42.8-3.3.1 SUSE Linux Enterprise Module for Package Hub 15 SP2:rsvg-view-2.42.8-3.3.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20200629-2/ https://www.suse.com/security/cve/CVE-2019-20446.html CVE-2019-20446 https://bugzilla.suse.com/1162501 SUSE Bug 1162501