[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#731357: opu: package librsvg/2.26.3-2

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: opu

Hi,

Raphaël has prepared an oldstable update for librsvg in order to fix 
CVE-2013-1881.

Thanks for considering.
-- 
 .''`.        Josselin Mouette
: :' :
`. `'
  `-

Index: debian/changelog
===================================================================
--- debian/changelog	(révision 40310)
+++ debian/changelog	(copie de travail)
@@ -1,3 +1,11 @@
+librsvg (2.26.3-2) oldstable; urgency=low
+
+  [ Raphaël Geissert ]
+  * Fix CVE-2013-1881: disable loading of external entities.
+    Closes: #724741.
+
+ -- Josselin Mouette <joss@debian.org>  Wed, 04 Dec 2013 15:35:15 +0100
+
 librsvg (2.26.3-1) unstable; urgency=low
 
   * New upstream bugfix release.
Index: debian/patches/CVE-2013-1881.policy.patch
===================================================================
--- debian/patches/CVE-2013-1881.policy.patch	(révision 0)
+++ debian/patches/CVE-2013-1881.policy.patch	(copie de travail)
@@ -0,0 +1,90 @@
+Index: librsvg-2.26.3/rsvg-image.c
+===================================================================
+--- librsvg-2.26.3.orig/rsvg-image.c	2013-11-28 12:01:22.865236793 +0100
++++ librsvg-2.26.3/rsvg-image.c	2013-11-28 12:17:25.242370794 +0100
+@@ -356,6 +356,51 @@ rsvg_acquire_vfs_resource (const char *f
+ }
+ #endif
+ 
++/* Partial origin-based policy, based on the one implemented in f01aded72c38f0e1  */
++gboolean
++_rsvg_acquire_xlink_allow_load (const char *href, const char *base_uri, GError ** err)
++{
++    char *base_scheme = NULL, *href_scheme = NULL;
++
++    if (base_uri)
++        base_scheme = g_uri_parse_scheme (base_uri);
++    if (href)
++        href_scheme = g_uri_parse_scheme (href);
++
++    /* Not a valid URI */
++    if (href_scheme == NULL)
++        goto deny;
++
++    /* Allow loads of data: from any location */
++    if (g_str_equal (href_scheme, "data"))
++        return TRUE;
++
++    /* no valid base URI */
++    if (base_scheme == NULL)
++        goto deny;
++
++    /* Deny loads from differing URI schemes */
++    if (href_scheme == NULL || !g_str_equal (href_scheme, base_scheme))
++        goto deny;
++
++    /* resource: is allowed to load anything from other resources */
++    if (g_str_equal (href_scheme, "resource"))
++        return TRUE;
++
++    /* Non-file: isn't allowed to load anything */
++    if (!g_str_equal (href_scheme, "file"))
++        goto deny;
++
++    /* no local-file policy is applied here */
++
++    return TRUE;
++
++deny:
++    g_set_error (err, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
++                 "File may not link to URI \"%s\"", href);
++    return FALSE;
++}
++
+ GByteArray *
+ _rsvg_acquire_xlink_href_resource (const char *href, const char *base_uri, GError ** err)
+ {
+@@ -367,6 +412,9 @@ _rsvg_acquire_xlink_href_resource (const
+     if (!strncmp (href, "data:", 5))
+         arr = rsvg_acquire_base64_resource (href, NULL);
+ 
++    if (!_rsvg_acquire_xlink_allow_load(href, base_uri, err))
++        return NULL;
++
+     if (!arr)
+         arr = rsvg_acquire_file_resource (href, base_uri, NULL);
+ 
+Index: librsvg-2.26.3/rsvg-base.c
+===================================================================
+--- librsvg-2.26.3.orig/rsvg-base.c	2013-11-28 12:01:22.865236793 +0100
++++ librsvg-2.26.3/rsvg-base.c	2013-11-28 12:13:54.913248784 +0100
+@@ -1049,12 +1049,13 @@ rsvg_handle_set_base_uri (RsvgHandle * h
+     else
+         uri = rsvg_get_base_uri_from_filename (base_uri);
+ 
+-    if (uri) {
+-        if (handle->priv->base_uri)
+-            g_free (handle->priv->base_uri);
+-        handle->priv->base_uri = uri;
+-        rsvg_defs_set_base_uri (handle->priv->defs, handle->priv->base_uri);
+-    }
++    if (!uri)
++        uri = g_strdup("data:");
++
++    if (handle->priv->base_uri)
++        g_free (handle->priv->base_uri);
++    handle->priv->base_uri = uri;
++    rsvg_defs_set_base_uri (handle->priv->defs, handle->priv->base_uri);
+ }
+ 
+ /**
Index: debian/patches/CVE-2013-1881.xmlentities.patch
===================================================================
--- debian/patches/CVE-2013-1881.xmlentities.patch	(révision 0)
+++ debian/patches/CVE-2013-1881.xmlentities.patch	(copie de travail)
@@ -0,0 +1,20 @@
+Index: librsvg-2.26.3/rsvg-base.c
+===================================================================
+--- librsvg-2.26.3.orig/rsvg-base.c	2010-05-01 01:10:51.000000000 +0200
++++ librsvg-2.26.3/rsvg-base.c	2013-11-26 16:24:02.903472891 +0100
+@@ -602,6 +602,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, R
+                 int result;
+ 
+                 xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL);
++                xml_parser->options |= XML_PARSE_NONET;
+                 result = xmlParseChunk (xml_parser, (char *) data->data, data->len, 0);
+                 result = xmlParseChunk (xml_parser, "", 0, TRUE);
+ 
+@@ -1118,6 +1119,7 @@ rsvg_handle_write_impl (RsvgHandle * han
+     if (handle->priv->ctxt == NULL) {
+         handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+                                                       rsvg_handle_get_base_uri (handle));
++        handle->priv->ctxt->options |= XML_PARSE_NONET;
+ 
+         /* if false, external entities work, but internal ones don't. if true, internal entities
+            work, but external ones don't. favor internal entities, in order to not cause a
Reply to: