XXE vulnerability during rasterization of SVG images
Bug #1025185 reported by Nicolas Grégoire
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Inkscape | Fix Released | Critical | Johan Engelen | |
inkscape (Debian) | Fix Released | Unknown | | |
Bug Description
Inkscape is vulnerable to XXE attacks during rasterization/
Impact:
The impact of this vulnerability ranges from denial of service to file disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.
PoC:
During rasterization, entities declared in the DTD are dereferenced and the content of the target file is included in the output. Command-line used: "inkscape -e xxe-inkscape.png xxe.svg"
Attached files:
- xxe.svg: malicious SVG file to convert
- xxe-inkscape.png: result of the rasterization of xxe.svg
References:
CWE-827: Improper Control of Document Type Definition
http://
Regards,
Nicolas Grégoire
CVE References
Changed in inkscape:
importance: Undecided → Critical
Changed in inkscape:
status: New → Confirmed
milestone: none → 0.48.4
tags: added: blocker
tags: removed: blocker
Changed in inkscape:
status: Fix Committed → Fix Released
information type: Private Security → Public Security
Changed in inkscape (Debian):
status: Unknown → New
Changed in inkscape (Debian):
status: New → Confirmed
Changed in inkscape (Debian):
status: Confirmed → Fix Released
would simply disabling the DTD dereferencing be good enough of a fix?
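Added example, not part of the bug report and not Inkscape's fix: a pre-screen that a conversion pipeline could run on untrusted SVG before handing it to any rasterizer. It lists the entity declarations in the prolog without resolving them. The names `scan_prolog`, `classify` and `EntityDecl`, the verdict strings and the sample file are assumptions made for this illustration.

```python
import xml.parsers.expat as expat
from typing import NamedTuple, Optional

class EntityDecl(NamedTuple):
    name: str
    parameter: bool            # True for a %name; parameter entity
    system_id: Optional[str]   # set only for external (SYSTEM/PUBLIC) entities

class _PrologDone(Exception):
    """Raised at the root element: the whole DTD has been seen by then."""

def scan_prolog(data: bytes) -> dict:
    """Collect DOCTYPE and entity declarations without resolving anything."""
    report = {"dtd_system_id": None, "entities": [], "error": None}
    parser = expat.ParserCreate()  # no ExternalEntityRefHandler set: nothing is fetched
    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["dtd_system_id"] = system_id
    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        report["entities"].append(EntityDecl(name, bool(is_param), system_id))
    def on_root(name, attrs):
        raise _PrologDone  # stop before any entity reference in content is expanded
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(data, True)
    except _PrologDone:
        pass
    except expat.ExpatError as exc:
        report["error"] = str(exc)
    return report

def classify(data: bytes) -> str:
    """Map the scan to a verdict a pipeline can act on (hypothetical policy)."""
    r = scan_prolog(data)
    if r["error"]:
        return "malformed"
    if any(e.system_id for e in r["entities"]):
        return "external-entity"    # the pattern described in the report
    if r["entities"]:
        return "internal-entities"  # can be legitimate; needs review
    return "external-dtd" if r["dtd_system_id"] else "clean"

# Constructed sample; the SYSTEM identifier is a placeholder, not a real path.
XXE_SVG = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///constructed/placeholder.txt"> ]>\n'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')
```

Files that come back as anything other than `clean` can be rejected or quarantined; the rasterizer's own parser still needs external entity loading turned off, since a pre-screen and the real parser may disagree on edge cases.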