Bug#1033527: marked as done (unblock: cairosvg/2.5.2-1.1)



Your message dated Mon, 27 Mar 2023 18:51:06 +0000
with message-id <E1pgrvu-00C6Au-9l@respighi.debian.org>
and subject line unblock cairosvg
has caused the Debian Bug report #1033527,
regarding unblock: cairosvg/2.5.2-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1033527: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033527
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: cairosvg@packages.debian.org, carnil@debian.org
Control: affects -1 + src:cairosvg

Dear release team,

Please unblock package cairosvg

It addresses CVE-2023-27586, #1033295, for which we also plan to release
a DSA for bullseye-security. Testing the new version both manually and
with the CI setup for security has so far not shown any regression.

What changes is that one needs to explicitly allow fetching external
files to address the problem.

I would propose to unblock it and age the package a bit, but still
give it some further exposure in unstable before it will migrate to
testing.

unblock cairosvg/2.5.2-1.1

Regards,
Salvatore
diff -Nru cairosvg-2.5.2/debian/changelog cairosvg-2.5.2/debian/changelog
--- cairosvg-2.5.2/debian/changelog	2021-08-30 22:54:50.000000000 +0200
+++ cairosvg-2.5.2/debian/changelog	2023-03-21 22:21:22.000000000 +0100
@@ -1,3 +1,11 @@
+cairosvg (2.5.2-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Don't allow fetching external files unless explicitly asked for
+    (CVE-2023-27586) (Closes: #1033295)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Tue, 21 Mar 2023 22:21:22 +0100
+
 cairosvg (2.5.2-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch
--- cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch	1970-01-01 01:00:00.000000000 +0100
+++ cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch	2023-03-21 22:20:00.000000000 +0100
@@ -0,0 +1,66 @@
+From: Guillaume Ayoub <guillaume@courtbouillon.org>
+Date: Fri, 10 Mar 2023 16:11:22 +0100
+Subject: =?UTF-8?q?Don=E2=80=99t=20allow=20fetching=20external=20files=20u?=
+ =?UTF-8?q?nless=20explicitly=20asked=20for?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255
+Bug-Debian: https://bugs.debian.org/1033295
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-27586
+
+---
+ cairosvg/__main__.py | 4 ++--
+ cairosvg/parser.py   | 6 ++++++
+ cairosvg/surface.py  | 3 ++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/cairosvg/__main__.py b/cairosvg/__main__.py
+index 3ff6b5d1282f..0aad3d782489 100644
+--- a/cairosvg/__main__.py
++++ b/cairosvg/__main__.py
+@@ -42,8 +42,8 @@ def main(argv=None, stdout=None, stdin=None):
+         help='replace every raster pixel with its complementary color')
+     parser.add_argument(
+         '-u', '--unsafe', action='store_true',
+-        help='resolve XML entities and allow very large files '
+-             '(WARNING: vulnerable to XXE attacks and various DoS)')
++        help='fetch external files, resolve XML entities and allow very large '
++             'files (WARNING: vulnerable to XXE attacks and various DoS)')
+     parser.add_argument(
+         '--output-width', default=None, type=float,
+         help='desired output width in pixels')
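Review bot: the help string is now consistent with the new default in parser.py, but since `--unsafe` flips three distinct protections in one switch (external file fetching, entity resolution, the size limit), a sentence in the option help or man page saying there is no finer-grained flag would help users who only need one of them.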
+diff --git a/cairosvg/parser.py b/cairosvg/parser.py
+index f0f3a82573f3..61275f0a1073 100644
+--- a/cairosvg/parser.py
++++ b/cairosvg/parser.py
+@@ -390,6 +390,12 @@ class Tree(Node):
+             tree = ElementTree.fromstring(
+                 bytestring, forbid_entities=not unsafe,
+                 forbid_external=not unsafe)
++
++        # Don’t allow fetching external files unless explicitly asked for
++        if 'url_fetcher' not in kwargs and not unsafe:
++            self.url_fetcher = (
++                lambda *args, **kwargs: b'<svg width="1" height="1"></svg>')
++
+         self.xml_tree = tree
+         root = cssselect2.ElementWrapper.from_xml_root(tree)
+         style = parent.style if parent else css.parse_stylesheets(self, url)
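Review bot: the gate `if 'url_fetcher' not in kwargs and not unsafe:` tests key presence rather than value, so a caller who passes `url_fetcher=None` explicitly skips the placeholder and gets whatever default the rest of the code falls back to; `kwargs.get('url_fetcher') is None` would close that gap, or the docstring should state that supplying any `url_fetcher` opts the caller out of this protection. The placeholder lambda also deserves a comment that it intentionally returns SVG bytes regardless of the resource type requested.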
+diff --git a/cairosvg/surface.py b/cairosvg/surface.py
+index c5569e768032..a2f7736aabbe 100644
+--- a/cairosvg/surface.py
++++ b/cairosvg/surface.py
+@@ -113,7 +113,8 @@ class Surface(object):
+         :param parent_width: The width of the parent container in pixels.
+         :param parent_height: The height of the parent container in pixels.
+         :param scale: The ouptut scaling factor.
+-        :param unsafe: A boolean allowing XML entities and very large files
++        :param unsafe: A boolean allowing external file access, XML entities
++                       and very large files
+                        (WARNING: vulnerable to XXE attacks and various DoS).
+ 
+         Specifiy the output with:
+-- 
+2.39.2
+
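Review bot: the docstring change is accurate, but the unchanged context lines around it carry two pre-existing typos, `:param scale: The ouptut scaling factor.` and `Specifiy the output with:`, which could be fixed in the same patch or reported upstream.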
diff -Nru cairosvg-2.5.2/debian/patches/series cairosvg-2.5.2/debian/patches/series
--- cairosvg-2.5.2/debian/patches/series	2021-08-30 22:54:50.000000000 +0200
+++ cairosvg-2.5.2/debian/patches/series	2023-03-21 22:20:08.000000000 +0100
@@ -1 +1,2 @@
 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch
+Don-t-allow-fetching-external-files-unless-explicitl.patch

--- End Message ---
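The gating logic from the patch above, beside a restrictive fetcher a caller could supply instead of opting out, as an added Python example that is not part of Salvatore's message or of CairoSVG itself. `select_url_fetcher`, `inline_only_fetcher` and `is_blocked` are hypothetical helpers, and the default fetcher passed in is constructed, not CairoSVG's own `url_fetcher`.

```python
import base64
from urllib.parse import unquote

# Same 1x1 placeholder the patch installs when fetching is not allowed.
PLACEHOLDER_SVG = b'<svg width="1" height="1"></svg>'


def placeholder_fetcher(*args, **kwargs):
    """Stub fetcher: every external reference resolves to the placeholder."""
    return PLACEHOLDER_SVG


def select_url_fetcher(kwargs, unsafe, default_fetcher):
    """Mirror the patched Tree gate (constructed stand-in, not CairoSVG code).

    A caller-supplied fetcher wins, then unsafe=True restores the default,
    otherwise the placeholder stub is used. As in the patch, presence of the
    key is what counts, so an explicit url_fetcher=None also bypasses the stub.
    """
    if 'url_fetcher' in kwargs:
        return kwargs['url_fetcher']
    if unsafe:
        return default_fetcher
    return placeholder_fetcher


class ExternalResourceBlocked(Exception):
    """Raised for any reference that would leave the document."""


def inline_only_fetcher(url, resource_type=None):
    """Hypothetical caller-supplied fetcher that resolves only data: URIs.

    Filesystem and network references are refused outright, so the
    CVE-2023-27586 mitigation survives even though a fetcher is passed.
    """
    scheme, sep, rest = url.partition(':')
    if sep != ':' or scheme.lower() != 'data':
        raise ExternalResourceBlocked(url)
    header, sep, payload = rest.partition(',')
    if sep != ',':
        raise ExternalResourceBlocked(url)
    if header.endswith(';base64'):
        return base64.b64decode(payload)
    return unquote(payload).encode()


def is_blocked(url):
    """True when inline_only_fetcher refuses the URL."""
    try:
        inline_only_fetcher(url)
    except ExternalResourceBlocked:
        return True
    return False
```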
--- Begin Message ---
Unblocked.

--- End Message ---