
Bug#731351: pu: package librsvg/2.36.1-2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

Raphaël has prepared a stable update for librsvg in order to fix 
CVE-2013-1881.

Thanks for considering.
-- 
 .''`.        Josselin Mouette
: :' :
`. `'
  `-
Index: debian/changelog
===================================================================
--- debian/changelog	(révision 40303)
+++ debian/changelog	(copie de travail)
@@ -1,3 +1,11 @@
+librsvg (2.36.1-2) stable; urgency=low
+
+  [ Raphaël Geissert ]
+  * Fix CVE-2013-1881: disable loading of external entities.
+    Closes: #724741.
+
+ -- Josselin Mouette <joss@debian.org>  Wed, 04 Dec 2013 15:06:01 +0100
+
 librsvg (2.36.1-1) unstable; urgency=low
 
   * New upstream release.
Index: debian/patches/01_CVE-2013-1881_policy.patch
===================================================================
--- debian/patches/01_CVE-2013-1881_policy.patch	(révision 0)
+++ debian/patches/01_CVE-2013-1881_policy.patch	(copie de travail)
@@ -0,0 +1,165 @@
+From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Mon, 11 Feb 2013 21:36:58 +0000
+Subject: io: Implement strict load policy
+
+Allow any file to load from data:, and any resource to load from other
+resources. Only allow file: to load other file: URIs from below the path
+of the base file. Any other loads are denied.
+
+Bug #691708.
+---
+Index: librsvg-2.36.1/rsvg-base.c
+===================================================================
+--- librsvg-2.36.1.orig/rsvg-base.c	2012-03-26 14:25:08.000000000 +0200
++++ librsvg-2.36.1/rsvg-base.c	2013-11-26 16:07:42.481471848 +0100
+@@ -25,6 +25,7 @@
+ */
+ 
+ #include "config.h"
++#define _GNU_SOURCE 1
+ 
+ #include "rsvg.h"
+ #include "rsvg-private.h"
+@@ -1001,6 +1002,7 @@ void
+ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ {
+     gchar *uri;
++    GFile *file;
+ 
+     g_return_if_fail (handle != NULL);
+ 
+@@ -1012,11 +1014,10 @@ rsvg_handle_set_base_uri (RsvgHandle * h
+     else
+         uri = rsvg_get_base_uri_from_filename (base_uri);
+ 
+-    if (uri) {
+-        if (handle->priv->base_uri)
+-            g_free (handle->priv->base_uri);
+-        handle->priv->base_uri = uri;
+-    }
++    file = g_file_new_for_uri (uri ? uri : "data:");
++    rsvg_handle_set_base_gfile (handle, file);
++    g_object_unref (file);
++    g_free (uri);
+ }
+ 
+ /**
+@@ -2146,12 +2147,84 @@ _rsvg_handle_allow_load (RsvgHandle *han
+                          const char *uri,
+                          GError **error)
+ {
+-    RsvgLoadPolicy policy = handle->priv->load_policy;
++    RsvgHandlePrivate *priv = handle->priv;
++    GFile *base;
++    char *path, *dir;
++    char *scheme = NULL, *cpath = NULL, *cdir = NULL;
+ 
+-    if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE)
+-        return TRUE;
++    g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT);
++
++    scheme = g_uri_parse_scheme (uri);
++
++    /* Not a valid URI */
++    if (scheme == NULL)
++        goto deny;
++
++    /* Allow loads of data: from any location */
++    if (g_str_equal (scheme, "data"))
++        goto allow;
++
++    /* No base to compare to? */
++    if (priv->base_gfile == NULL)
++        goto deny;
++
++    /* Deny loads from differing URI schemes */
++    if (!g_file_has_uri_scheme (priv->base_gfile, scheme))
++        goto deny;
++
++    /* resource: is allowed to load anything from other resources */
++    if (g_str_equal (scheme, "resource"))
++        goto allow;
+ 
++    /* Non-file: isn't allowed to load anything */
++    if (!g_str_equal (scheme, "file"))
++        goto deny;
++
++    base = g_file_get_parent (priv->base_gfile);
++    if (base == NULL)
++        goto deny;
++
++    dir = g_file_get_path (base);
++    g_object_unref (base);
++
++    /* FIXME portability */
++    cdir = canonicalize_file_name (dir);
++    g_free (dir);
++    if (cdir == NULL)
++        goto deny;
++
++    path = g_filename_from_uri (uri, NULL, NULL);
++    if (path == NULL)
++        goto deny;
++
++    /* FIXME portability */
++    cpath = canonicalize_file_name (path);
++    g_free (path);
++
++    if (cpath == NULL)
++        goto deny;
++
++    /* Now check that @cpath is below @cdir */
++    if (!g_str_has_prefix (cpath, cdir) ||
++        cpath[strlen (cdir)] != G_DIR_SEPARATOR)
++        goto deny;
++
++    /* Allow load! */
++
++ allow:
++    g_free (scheme);
++    free (cpath);
++    free (cdir);
+     return TRUE;
++
++ deny:
++    g_free (scheme);
++    free (cpath);
++    free (cdir);
++
++    g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
++                 "File may not link to URI \"%s\"", uri);
++    return FALSE;
+ }
+ 
+ guint8* 
+Index: librsvg-2.36.1/rsvg-io.c
+===================================================================
+--- librsvg-2.36.1.orig/rsvg-io.c	2012-03-26 14:25:08.000000000 +0200
++++ librsvg-2.36.1/rsvg-io.c	2013-11-26 16:07:25.021364586 +0100
+@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri,
+     gboolean base64 = FALSE;
+ 
+     g_assert (out_len != NULL);
+-    g_assert (g_str_has_prefix (uri, "data:"));
++    g_assert (strncmp (uri, "data:", 5) == 0);
+ 
+     mime_type = NULL;
+     start = uri + 5;
+Index: librsvg-2.36.1/rsvg-private.h
+===================================================================
+--- librsvg-2.36.1.orig/rsvg-private.h	2012-02-07 17:38:41.000000000 +0100
++++ librsvg-2.36.1/rsvg-private.h	2013-11-26 16:07:25.025364611 +0100
+@@ -123,10 +123,10 @@ struct RsvgSaxHandler {
+ };
+ 
+ typedef enum {
+-    RSVG_LOAD_POLICY_ALL_PERMISSIVE
++    RSVG_LOAD_POLICY_STRICT
+ } RsvgLoadPolicy;
+ 
+-#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE)
++#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT)
+ 
+ struct RsvgHandlePrivate {
+     RsvgHandleFlags flags;
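Review bot: The containment test added to `_rsvg_handle_allow_load` denies every load when the base file sits directly in the filesystem root: `canonicalize_file_name` then yields `/` for `cdir`, so `cpath[strlen (cdir)]` is the first character of the target's name and can never equal `G_DIR_SEPARATOR` — it fails closed, but legitimate documents stop rendering. Strip a trailing separator before comparing: `size_t dlen = strlen (cdir);`, `if (dlen > 0 && cdir[dlen - 1] == G_DIR_SEPARATOR) dlen--;`, `if (strncmp (cpath, cdir, dlen) != 0 || cpath[dlen] != G_DIR_SEPARATOR) goto deny;`. The check also canonicalises a private copy of the path and then discards it, while the actual read (outside this hunk) presumably still opens the original `uri`, so a path component swapped between check and open is read unchecked; returning or reusing `cpath` for the open would close that window. `_GNU_SOURCE` is defined only after `#include "config.h"`, which is sufficient as long as config.h itself pulls in no system header before `canonicalize_file_name` is declared — worth confirming for this build. `_rsvg_handle_allow_load` begins before its nested hunk, so the parameter list and any earlier validation are not visible here.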
Index: debian/patches/02_CVE-2013-1881_xmlentities.patch
===================================================================
--- debian/patches/02_CVE-2013-1881_xmlentities.patch	(révision 0)
+++ debian/patches/02_CVE-2013-1881_xmlentities.patch	(copie de travail)
@@ -0,0 +1,50 @@
+From d83e426fff3f6d0fa6042d0930fb70357db24125 Mon Sep 17 00:00:00 2001
+From: Christian Persch <chpe@gnome.org>
+Date: Mon, 11 Feb 2013 21:36:30 +0000
+Subject: io: Use XML_PARSE_NONET
+
+We don't want to load resources off the net.
+
+Bug #691708.
+---
+Index: librsvg-2.36.1/rsvg-base.c
+===================================================================
+--- librsvg-2.36.1.orig/rsvg-base.c	2013-11-26 16:07:25.021364586 +0100
++++ librsvg-2.36.1/rsvg-base.c	2013-11-26 16:07:25.037364682 +0100
+@@ -573,6 +573,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, R
+             goto fallback;
+ 
+         xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL);
++        xml_parser->options |= XML_PARSE_NONET;
+ 
+         buffer = _rsvg_xml_input_buffer_new_from_stream (stream, NULL /* cancellable */, XML_CHAR_ENCODING_NONE, &err);
+         g_object_unref (stream);
+@@ -1112,6 +1113,7 @@ rsvg_handle_write_impl (RsvgHandle * han
+     if (handle->priv->ctxt == NULL) {
+         handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+                                                       rsvg_handle_get_base_uri (handle));
++        handle->priv->ctxt->options |= XML_PARSE_NONET;
+ 
+         /* if false, external entities work, but internal ones don't. if true, internal entities
+            work, but external ones don't. favor internal entities, in order to not cause a
+@@ -1768,6 +1770,7 @@ rsvg_handle_read_stream_sync (RsvgHandle
+     if (priv->ctxt == NULL) {
+         priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+                                               rsvg_handle_get_base_uri (handle));
++        priv->ctxt->options |= XML_PARSE_NONET;
+ 
+         /* if false, external entities work, but internal ones don't. if true, internal entities
+            work, but external ones don't. favor internal entities, in order to not cause a
+Index: librsvg-2.36.1/rsvg-css.c
+===================================================================
+--- librsvg-2.36.1.orig/rsvg-css.c	2012-03-26 14:25:11.000000000 +0200
++++ librsvg-2.36.1/rsvg-css.c	2013-11-26 16:07:25.041364707 +0100
+@@ -830,6 +830,8 @@ rsvg_css_parse_xml_attribute_string (con
+     xmlSAX2InitDefaultSAXHandler (&handler, 0);
+     handler.serror = rsvg_xml_noerror;
+     parser = xmlCreatePushParserCtxt (&handler, NULL, tag, strlen (tag) + 1, NULL);
++    parser->options |= XML_PARSE_NONET;
++
+     if (xmlParseDocument (parser) != 0)
+         goto done;
+ 
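Review bot: Each of the four new `->options |= XML_PARSE_NONET` lines dereferences the context returned by `xmlCreatePushParserCtxt` without a NULL check; in `rsvg_css_parse_xml_attribute_string` this is a regression, because the `xmlParseDocument (parser)` that follows tolerates a NULL context and previously reached `done` cleanly, whereas the new line crashes first. Prefer the documented setter, which returns -1 on a NULL context and leaves the existing failure path intact, e.g. `xmlCtxtUseOptions (parser, XML_PARSE_NONET);` in place of each direct write. XML_PARSE_NONET only makes libxml2's default entity loader refuse network URLs; external entities and XIncludes on local `file:` paths are still fetched unless the loader is policed elsewhere, which I take to be the role of the companion `01_CVE-2013-1881_policy.patch` rather than this one. The functions touched (`rsvg_start_xinclude`, `rsvg_handle_write_impl`, `rsvg_handle_read_stream_sync`, `rsvg_css_parse_xml_attribute_string`) all begin before their respective nested hunks.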
Index: debian/patches/series
===================================================================
--- debian/patches/series	(révision 40303)
+++ debian/patches/series	(copie de travail)
@@ -1,3 +1,5 @@
+01_CVE-2013-1881_policy.patch
+02_CVE-2013-1881_xmlentities.patch
 10_rsvg-gz.patch
 20_rsvg_compat.patch
 99_ltmain_as-needed.patch
