openSUSE-SU-2020:0343-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2020:0343-1.json
JSON Data
https://api.osv.dev/v1/vulns/openSUSE-SU-2020:0343-1
Related
Published
2020-03-15T17:11:46Z
Modified
2020-03-15T17:11:46Z
Summary
Security update for librsvg
Details

This update for librsvg to version 2.42.8 fixes the following issues:

librsvg was updated to version 2.42.8 fixing the following issues:

  • CVE-2019-20446: Fixed an issue where a crafted SVG file with nested patterns can cause denial of service (bsc#1162501). NOTE: Librsvg now has limits on the number of loaded XML elements, and the number of referenced elements within an SVG document.
  • Fixed a stack exhaustion with circular references in <use> elements.
  • Fixed a denial-of-service condition from exponential explosion of rendered elements, through nested use of SVG 'use' elements in malicious SVGs.

This update was imported from the SUSE:SLE-15:Update update project.

References

Affected packages

openSUSE:Leap 15.1 / librsvg

Package

Name
librsvg
Purl
pkg:rpm/opensuse/librsvg&distro=openSUSE%20Leap%2015.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.42.8-lp151.3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "librsvg-2-2-32bit": "2.42.8-lp151.3.3.1",
            "gdk-pixbuf-loader-rsvg": "2.42.8-lp151.3.3.1",
            "gdk-pixbuf-loader-rsvg-32bit": "2.42.8-lp151.3.3.1",
            "librsvg-devel": "2.42.8-lp151.3.3.1",
            "typelib-1_0-Rsvg-2_0": "2.42.8-lp151.3.3.1",
            "rsvg-thumbnailer": "2.42.8-lp151.3.3.1",
            "librsvg-2-2": "2.42.8-lp151.3.3.1",
            "rsvg-view": "2.42.8-lp151.3.3.1"
        }
    ]
}