Bug#731357: opu: package librsvg/2.26.3-2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: opu
Hi,
Raphaël has prepared an oldstable update for librsvg in order to fix
CVE-2013-1881.
Thanks for considering.
--
.''`. Josselin Mouette
: :' :
`. `'
`-
Index: debian/changelog
===================================================================
--- debian/changelog (révision 40310)
+++ debian/changelog (copie de travail)
@@ -1,3 +1,11 @@
+librsvg (2.26.3-2) oldstable; urgency=low
+
+ [ Raphaël Geissert ]
+ * Fix CVE-2013-1881: disable loading of external entities.
+ Closes: #724741.
+
+ -- Josselin Mouette <joss@debian.org> Wed, 04 Dec 2013 15:35:15 +0100
+
librsvg (2.26.3-1) unstable; urgency=low
* New upstream bugfix release.
Index: debian/patches/CVE-2013-1881.policy.patch
===================================================================
--- debian/patches/CVE-2013-1881.policy.patch (révision 0)
+++ debian/patches/CVE-2013-1881.policy.patch (copie de travail)
@@ -0,0 +1,90 @@
+Index: librsvg-2.26.3/rsvg-image.c
+===================================================================
+--- librsvg-2.26.3.orig/rsvg-image.c 2013-11-28 12:01:22.865236793 +0100
++++ librsvg-2.26.3/rsvg-image.c 2013-11-28 12:17:25.242370794 +0100
+@@ -356,6 +356,51 @@ rsvg_acquire_vfs_resource (const char *f
+ }
+ #endif
+
++/* Partial origin-based policy, based on the one implemented in f01aded72c38f0e1 */
++gboolean
++_rsvg_acquire_xlink_allow_load (const char *href, const char *base_uri, GError ** err)
++{
++ char *base_scheme = NULL, *href_scheme = NULL;
++
++ if (base_uri)
++ base_scheme = g_uri_parse_scheme (base_uri);
++ if (href)
++ href_scheme = g_uri_parse_scheme (href);
++
++ /* Not a valid URI */
++ if (href_scheme == NULL)
++ goto deny;
++
++ /* Allow loads of data: from any location */
++ if (g_str_equal (href_scheme, "data"))
++ return TRUE;
++
++ /* no valid base URI */
++ if (base_scheme == NULL)
++ goto deny;
++
++ /* Deny loads from differing URI schemes */
++ if (href_scheme == NULL || !g_str_equal (href_scheme, base_scheme))
++ goto deny;
++
++ /* resource: is allowed to load anything from other resources */
++ if (g_str_equal (href_scheme, "resource"))
++ return TRUE;
++
++ /* Non-file: isn't allowed to load anything */
++ if (!g_str_equal (href_scheme, "file"))
++ goto deny;
++
++ /* no local-file policy is applied here */
++
++ return TRUE;
++
++deny:
++ g_set_error (err, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
++ "File may not link to URI \"%s\"", href);
++ return FALSE;
++}
++
+ GByteArray *
+ _rsvg_acquire_xlink_href_resource (const char *href, const char *base_uri, GError ** err)
+ {
+@@ -367,6 +412,9 @@ _rsvg_acquire_xlink_href_resource (const
+ if (!strncmp (href, "data:", 5))
+ arr = rsvg_acquire_base64_resource (href, NULL);
+
++ if (!_rsvg_acquire_xlink_allow_load(href, base_uri, err))
++ return NULL;
++
+ if (!arr)
+ arr = rsvg_acquire_file_resource (href, base_uri, NULL);
+
+Index: librsvg-2.26.3/rsvg-base.c
+===================================================================
+--- librsvg-2.26.3.orig/rsvg-base.c 2013-11-28 12:01:22.865236793 +0100
++++ librsvg-2.26.3/rsvg-base.c 2013-11-28 12:13:54.913248784 +0100
+@@ -1049,12 +1049,13 @@ rsvg_handle_set_base_uri (RsvgHandle * h
+ else
+ uri = rsvg_get_base_uri_from_filename (base_uri);
+
+- if (uri) {
+- if (handle->priv->base_uri)
+- g_free (handle->priv->base_uri);
+- handle->priv->base_uri = uri;
+- rsvg_defs_set_base_uri (handle->priv->defs, handle->priv->base_uri);
+- }
++ if (!uri)
++ uri = g_strdup("data:");
++
++ if (handle->priv->base_uri)
++ g_free (handle->priv->base_uri);
++ handle->priv->base_uri = uri;
++ rsvg_defs_set_base_uri (handle->priv->defs, handle->priv->base_uri);
+ }
+
+ /**
Index: debian/patches/CVE-2013-1881.xmlentities.patch
===================================================================
--- debian/patches/CVE-2013-1881.xmlentities.patch (révision 0)
+++ debian/patches/CVE-2013-1881.xmlentities.patch (copie de travail)
@@ -0,0 +1,20 @@
+Index: librsvg-2.26.3/rsvg-base.c
+===================================================================
+--- librsvg-2.26.3.orig/rsvg-base.c 2010-05-01 01:10:51.000000000 +0200
++++ librsvg-2.26.3/rsvg-base.c 2013-11-26 16:24:02.903472891 +0100
+@@ -602,6 +602,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, R
+ int result;
+
+ xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL);
++ xml_parser->options |= XML_PARSE_NONET;
+ result = xmlParseChunk (xml_parser, (char *) data->data, data->len, 0);
+ result = xmlParseChunk (xml_parser, "", 0, TRUE);
+
+@@ -1118,6 +1119,7 @@ rsvg_handle_write_impl (RsvgHandle * han
+ if (handle->priv->ctxt == NULL) {
+ handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+ rsvg_handle_get_base_uri (handle));
++ handle->priv->ctxt->options |= XML_PARSE_NONET;
+
+ /* if false, external entities work, but internal ones don't. if true, internal entities
+ work, but external ones don't. favor internal entities, in order to not cause a
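Review bot: Both added lines dereference the result of `xmlCreatePushParserCtxt` without a NULL check, in `rsvg_start_xinclude` (`xml_parser->options |= ...`) and in `rsvg_handle_write_impl` (`handle->priv->ctxt->options |= ...`), so a failed context allocation now crashes here instead of reaching `xmlParseChunk`. A guard such as `if (xml_parser != NULL) xml_parser->options |= XML_PARSE_NONET;` (and the same for `handle->priv->ctxt`) avoids that. Note also that `XML_PARSE_NONET` only forbids network access during parsing; whether external entities pointing at local files are still resolved depends on the entity handling that follows the comment at the end of the second hunk, which continues outside it. A short comment on each line, e.g. `/* CVE-2013-1881: never fetch external entities or DTDs over the network */`, would record why the option is set.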