Inkscape: A Vector Drawing Tool

XXE vulnerability during rasterization of SVG images

Reported by Nicolas Grégoire on 2012-07-16
Affects            Status        Importance  Assigned to    Milestone
Inkscape           Fix Released  Critical    Johan Engelen  0.48.4
inkscape (Debian)  Fix Released  Unknown

Bug Description

Inkscape is vulnerable to XXE attacks during rasterization/export of SVG images.

Impact:
The impact of this vulnerability ranges from denial of service to file disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.

PoC:
During rasterization, entities declared in the DTD are dereferenced and the content of the target file is included in the output. Command-line used: "inkscape -e xxe-inkscape.png xxe.svg"

Attached files:
- xxe.svg: malicious SVG file to convert
- xxe-inkscape.png: result of the rasterization of xxe.svg

References:
CWE-827: Improper Control of Document Type Definition
http://cwe.mitre.org/data/definitions/827.html

Regards,
Nicolas Grégoire

ScislaC (scislac) on 2012-08-21
Changed in inkscape:
importance: Undecided → Critical
ScislaC (scislac) on 2012-08-21
Changed in inkscape:
status: New → Confirmed
milestone: none → 0.48.4
Johan Engelen (johanengelen) wrote :

would simply disabling the DTD dereferencing be good enough of a fix?

Yes.

In libxml2 (which is the XML parser used by Inkscape), the xmlParserOption should be used:
http://xmlsoft.org/html/libxml-parser.html

Johan Engelen (johanengelen) wrote :

http://wiki.laptop.org/go/Making_Sugar_icons has a "normal" usage of this feature

Johan Engelen (johanengelen) wrote :

possible fix:
src/xml/repr-io.cpp line 297:
                                /*XML_PARSE_NOENT |*/ XML_PARSE_HUGE);

This disables reading of a file on Windows (quick test), but it still allows
  <!ENTITY stroke_color "#666666">
so that's nice.

Also, read: https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

Johan Engelen (johanengelen) wrote :

note that FileImportFromOCALDialog::searchTagEntryChangedCallback is the other place where xml is read and parsed.

Johan Engelen (johanengelen) wrote :

here a file that tries to construct a URL from a local file. (so it could potentially send the contents of that file to a webserver, similar to "http://www.google.com/search?q=1234567890")

it also shows nice usage with color substitution, that still works when calling xmlReadIO with options
  /*XML_PARSE_NOENT |*/ XML_PARSE_NONET | XML_PARSE_HUGE
(so *without* the XML_PARSE_NOENT option)

Johan Engelen (johanengelen) wrote :

right now, I feel we should disable this functionality per default, and perhaps provide an option/preference to enable local file access and web access.

@johanengelen: "here a file that tries to construct an URL from a local file"

This behavior is forbidden by the XML spec. You can't use an entity inside the URL of an external entity.

Johan Engelen (johanengelen) wrote :

ok perfect, good to know.

regardless of the validity of the thread: I am not so happy with Inkscape accessing the internet because an SVG requests it. I think that should be optional, possibly on a per file or per access basis.

Johan Engelen (johanengelen) wrote :

If anyone knows, please comment on what is wrong with the fix proposed in #6

The best way to configure the parser (but this would need some functional testing) would imho be:
- without XML_PARSE_NOENT ("Substitute entities")
- without XML_PARSE_XINCLUDE ("Implement XInclude substitution")
- without XML_PARSE_DTDLOAD ("load the external subset")
- with XML_PARSE_NONET ("Forbid network access")

For your information, here's the patch that XML::Atom applied regarding CVE-2012-1102:
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libxml-atom-perl.git;a=commitdiff;h=4f68e738c6f298e2bda0bad456fc97a3122c0a17
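As an added illustration of the option set proposed in the comment above (this is not Inkscape code and not from the thread), the following Python script applies the same policy using the standard-library expat binding, so it runs without libxml2. The mapping is an analogue, not the libxml2 API: no ExternalEntityRefHandler is installed (the counterpart of leaving out XML_PARSE_NOENT and XML_PARSE_DTDLOAD, so a SYSTEM identifier can never be dereferenced and no network access happens), parameter entities are never expanded (so an external DTD subset is never fetched), and any SYSTEM/PUBLIC entity declaration is refused outright, while internal entities such as the `<!ENTITY stroke_color "#666666">` from comment #6 keep being substituted. Expat has no XInclude support, so that option has no counterpart here. The two SVG documents are constructed for this example (not the attachments from the report), and the class and function names are the example's own.

```python
"""Added example: an XML parsing policy for SVG that mirrors the libxml2
option set proposed in the thread (no NOENT, no DTDLOAD, no XInclude, no network).

Uses the stdlib expat binding instead of libxml2 so it runs stand-alone.
The two sample SVGs are constructed for this example; they are not the
attachments from the bug report. Class and function names are assumptions.
"""
import xml.parsers.expat as expat


class ExternalResourceRefused(Exception):
    """Raised when the document declares an entity whose expansion would
    read a file or contact the network."""


class SvgPolicyParser:
    """Parses SVG while refusing every external entity declaration.

    Internal entities (e.g. <!ENTITY stroke_color "#666666">) are still
    substituted, which is the legitimate usage the thread wants to keep.
    """

    def __init__(self):
        self.elements = []           # (tag, attrs) in document order
        self.text = []               # character data chunks, entities expanded
        self.internal_entities = {}  # name -> replacement text
        self.external_dtd = None     # (public_id, system_id) if declared; never fetched

    def parse(self, data: bytes):
        p = expat.ParserCreate()
        # Never expand parameter entities: the external DTD subset named by a
        # DOCTYPE is therefore never opened (counterpart of no XML_PARSE_DTDLOAD).
        p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
        # Deliberately no ExternalEntityRefHandler: without one, expat cannot
        # dereference a SYSTEM identifier at all (counterpart of no XML_PARSE_NOENT).
        p.StartDoctypeDeclHandler = self._doctype
        p.EntityDeclHandler = self._entity_decl
        p.StartElementHandler = self._start_element
        p.CharacterDataHandler = self._chars
        p.Parse(data, True)
        return self

    def _doctype(self, name, system_id, public_id, has_internal_subset):
        # Ordinary SVG 1.1 files carry the W3C DTD reference, so record it
        # instead of rejecting; with the settings above it is never loaded.
        if system_id or public_id:
            self.external_dtd = (public_id, system_id)

    def _entity_decl(self, name, is_param, value, base, system_id, public_id, notation):
        if value is None:
            # No replacement text means SYSTEM/PUBLIC: exactly the XXE primitive.
            raise ExternalResourceRefused(
                f"external entity {name!r} -> {system_id or public_id!r}")
        if not is_param:
            self.internal_entities[name] = value

    def _start_element(self, tag, attrs):
        self.elements.append((tag, attrs))

    def _chars(self, data):
        self.text.append(data)


def check_svg(data: bytes):
    """Return ("ok", parser) when the policy accepts the file,
    ("refused", reason) when it declares an external entity."""
    try:
        return "ok", SvgPolicyParser().parse(data)
    except ExternalResourceRefused as exc:
        return "refused", str(exc)


# Constructed sample 1: the "normal" colour-substitution usage from the thread.
ICON_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd" [
  <!ENTITY stroke_color "#666666">
  <!ENTITY fill_color "#ffffff">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <desc>stroke &stroke_color;</desc>
  <rect width="8" height="8" fill="&fill_color;" stroke="&stroke_color;"/>
</svg>
"""

# Constructed sample 2: an external entity declaration of the kind the report
# describes; the path is a placeholder.
XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///path/to/some/local/file">
]>
<svg xmlns="http://www.w3.org/2000/svg">
  <text x="0" y="10">&xxe;</text>
</svg>
"""

if __name__ == "__main__":
    status, result = check_svg(ICON_SVG)
    print(status, result.elements[2][1]["stroke"], "".join(result.text).strip())
    print(*check_svg(XXE_SVG))
```

Because the refusal happens in the entity declaration handler, the document is rejected before any content is processed, so nothing depends on whether the entity is ever referenced. Recording the external DTD rather than rejecting it keeps ordinary Inkscape files with the W3C DOCTYPE loadable, which is the compatibility concern raised in the thread.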

ScislaC (scislac) on 2012-12-04
tags: added: blocker
Johan Engelen (johanengelen) wrote :

fixed in r11931. removed the _NOENT option, and made network access optional through preferences.xml (/options/externalresources/xml/allow_net_access)

backported to 0.48.x, r9932

Changed in inkscape:
assignee: nobody → Johan Engelen (johanengelen)
status: Confirmed → Fix Committed
~suv (suv-lp) on 2012-12-05
tags: removed: blocker
Ted Gould (ted) on 2012-12-17
Changed in inkscape:
status: Fix Committed → Fix Released
Ted Gould (ted) on 2012-12-17
information type: Private Security → Public Security

Please note CVE-2012-1102 has already been assigned to a similar XXE issue in Perl-Atom, as per:
http://seclists.org/oss-sec/2012/q1/549

This flaw needs to be assigned a different CVE.

Details at:
http://www.openwall.com/lists/oss-security/2012/12/19/2

Changed in inkscape (Debian):
status: Unknown → New
Changed in inkscape (Debian):
status: New → Confirmed
Changed in inkscape (Debian):
status: Confirmed → Fix Released
Alex Valavanis (valavanisalex) wrote :

Adding patch for backporting to Linux distros

~suv (suv-lp) wrote :

Follow-up report:
- Bug #1093433 “XML Entities used for namespace declarations prevent file loading in trunk and 0.48.4”
  <https://bugs.launchpad.net/inkscape/+bug/1093433>
