GHSA-hq37-853p-g5cf

Source

https://github.com/advisories/GHSA-hq37-853p-g5cf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/01/GHSA-hq37-853p-g5cf/GHSA-hq37-853p-g5cf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hq37-853p-g5cf

Aliases

Related

CVE-2021-21236

Published

2021-01-06T16:57:50Z

Modified

2024-09-13T17:48:46.258401Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
7.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Regular Expression Denial of Service in CairoSVG

Details

Doyensec Vulnerability Advisory

Regular Expression Denial of Service (REDoS) in cairosvg
Affected Product: CairoSVG v2.0.0+
Vendor: https://github.com/Kozea
Severity: Medium
Vulnerability Class: Denial of Service
Author(s): Ben Caller (Doyensec)

Summary

When processing SVG files, the python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (REDoS). If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.

Technical description

The vulnerable regular expressions are

https://github.com/Kozea/CairoSVG/blob/9c4a982b9a021280ad90e89707eacc1d114e4ac4/cairosvg/colors.py#L190-L191

The section between 'rgb(' and the final ')' contains multiple overlapping groups.

Since all three infinitely repeating groups accept spaces, a long string of spaces causes catastrophic backtracking when it is not followed by a closing parenthesis.

The complexity is cubic, so doubling the length of the malicious string of spaces makes processing take 8 times as long.

Reproduction steps

Create a malicious SVG of the form:

<svg width="1" height="1"><rect fill="rgb(                     ;"/></svg>

with the following code:

'<svg width="1" height="1"><rect fill="rgb(' + (' ' * 3456) + ';"/></svg>'

Note that there is no closing parenthesis before the semi-colon.

Run cairosvg e.g.:

cairosvg cairo-redos.svg -o x.png

and notice that it hangs at 100% CPU. Increasing the number of spaces increases the processing time with cubic complexity.

Remediation

Fix the regexes to avoid overlapping parts. Perhaps remove the [ \n\r\t]* groups from the regex, and use .strip() on the returned capture group.

Disclosure timeline

2020-12-30: Vulnerability disclosed via email to CourtBouillon

Database specific

{
    "nvd_published_at": "2021-01-06T17:15:00Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-01-06T16:57:38Z"
}

References

Affected packages

PyPI / cairosvg

Package

Name: cairosvg; View open source insights on deps.dev
Purl: pkg:pypi/cairosvg

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.5.1

Affected versions

0.*

0.1

0.1.1

0.1.2

0.2

0.3

0.3.1

0.4

0.4.1

0.4.2

0.4.3

0.4.4

0.5

1.*

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.20

1.0.21

1.0.22

2.*

2.0.0rc1

2.0.0rc2

2.0.0rc3

2.0.0rc4

2.0.0rc5

2.0.0rc6

2.0.0

2.0.1

2.0.2

2.0.3

2.1.0

2.1.1

2.1.2

2.1.3

2.2.0

2.2.1

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.5.0