Your message dated Mon, 18 Jan 2021 09:18:26 +0000
with message-id <[email protected]>
and subject line Bug#979597: fixed in cairosvg 2.5.0-1.1
has caused the Debian Bug report #979597,
regarding cairosvg: CVE-2021-21236: Regular Expression Denial of Service (REDoS)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
979597: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979597
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cairosvg
Version: 2.5.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for cairosvg.
CVE-2021-21236[0]:
| CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter
| based on Cairo. In CairoSVG before version 2.5.1, there is a regular
| expression denial of service (REDoS) vulnerability. When processing
| SVG files, the python package CairoSVG uses two regular expressions
| which are vulnerable to Regular Expression Denial of Service (REDoS).
| If an attacker provides a malicious SVG, it can make cairosvg get
| stuck processing the file for a very long time. This is fixed in
| version 2.5.1. See Referenced GitHub advisory for more information.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-21236
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21236
[1] https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
[2] https://github.com/Kozea/CairoSVG/commit/063185b60588a41d4df661ad70f9f7b699901abc
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: cairosvg
Source-Version: 2.5.0-1.1
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cairosvg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated cairosvg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 16 Jan 2021 09:45:26 +0100
Source: cairosvg
Architecture: source
Version: 2.5.0-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 979597
Changes:
cairosvg (2.5.0-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Don't use overlapping groups for regular expressions (CVE-2021-21236)
(Closes: #979597)
Checksums-Sha1:
56cbde4030cfe37cd115b2e787c2c0cbdf4ce009 2365 cairosvg_2.5.0-1.1.dsc
e8f7fe570341e047ac0544dfd974340f8464e81a 6960 cairosvg_2.5.0-1.1.debian.tar.xz
854a5245658139be7f6db1743268c068bca44d34 7161 cairosvg_2.5.0-1.1_source.buildinfo
Checksums-Sha256:
c9e4412fe23e111f5df92325bbd1d45314dcc6f78c7d3d68aece0715d7d7dae7 2365 cairosvg_2.5.0-1.1.dsc
454600f0ae60c18dc4bd718aa00d9293f0a7fb0386d3ae029912eb148609e1af 6960 cairosvg_2.5.0-1.1.debian.tar.xz
94e85764d23603064f723e63e417402a5cf375eeb0d1f49d5c297e5296fba921 7161 cairosvg_2.5.0-1.1_source.buildinfo
Files:
520c0fb8e2b9db2d3b52859cb56f2916 2365 python optional cairosvg_2.5.0-1.1.dsc
c23ba0452e7bfd3bf0b3009fca87d686 6960 python optional cairosvg_2.5.0-1.1.debian.tar.xz
cedc646ead10d5be112d866f37dde16e 7161 python optional cairosvg_2.5.0-1.1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmACp/VfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89E3kAP/RNmSoB8VI4pkDVRSR0TusHv85pIeBUV
LSPtmSc9Nn5N+A8vgsPcJlgVXQxza/JiG/N/DDBkiEPZvcqBFoE/SlAHRDhn/mzO
ZqkWNZtyoo5oVjy6n4HwOM35Gm7eW+qRQ89Hj4QUkyvR69pqbfUOZPI+Tsm9Gig9
lSrACf4ajHpVSZSNlG/aktcaPbWDMzBSYueBFiCYTUtDs9tUAQSlDGhzQv1rKCpz
HIC4EbCoiyNKUfd3PXn0CeD0bWEC3LSTfmhZOMIQlpJ+PhhU+8CCvgaZTIGuxwU8
hjjFZfmFud2dFeBARaaLjwI0K844zirOeobstEmcd1x2S1sNHCSQE17hAP/OQ6Nm
H4q2GmvuCLrCKo5oFeO7d+INbgpZcJySMk1qlXnY7WTwDoEU/427Wwt6kmjV5Aip
ekfSY9G52gDW0KEoz7YsrxQSPPrDqpKJ5/ZXC52i8x5wVgGl8NldEb+qIiGE4OgP
FwFpwbAWON0b7fMh6wEzATOJIzcfEtT46z3PDapozFpUUcB2J+b8eGM4XLwagM97
JX75qg+5DqybAYAwMaaXnc3ks4cUjsq6afp93jlBUyP9GTEH8x76mp/Wu6AoPgrP
BnFBe5g+lPZT8dTYaa8GIg1MVv/JL91yZi1YS8/erQGoydruCMTvr/EjxWy9lq5m
rLgIyuza+rCG
=hErs
-----END PGP SIGNATURE-----
--- End Message ---
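The bug report above describes the class of problem (an SVG attribute that keeps the regex engine busy for a very long time) and the changelog names the root cause ("overlapping groups for regular expressions"). The following Python block is an added illustration of that bug class, not code from CairoSVG and not the two patterns the advisory refers to: `VULNERABLE_POINTS`, `HARDENED_POINTS`, `parse_points`, `attacker_points` and the point-list syntax they accept are assumptions made for the example. It shows a number-list regex whose repeated group can split a digit run in exponentially many ways, the same grammar rewritten so each number is matched one way only, and a constructed malicious attribute that triggers the backtracking.

```python
"""Illustrative ReDoS: an SVG-style number-list regex built from overlapping
groups, beside a hardened rewrite. These patterns are assumptions made for the
example and are NOT the regular expressions from CairoSVG; they demonstrate the
bug class ("overlapping groups") named in the Debian changelog for CVE-2021-21236."""
import re
import time

# Vulnerable form (assumed, illustrative): the separator inside the repeated
# group is optional, so a run of digits can be split between iterations in
# 2^(n-1) ways. When the tail cannot match, the engine tries all of them.
VULNERABLE_POINTS = re.compile(r"(\d+[ ,]*)+")

# Hardened form (assumed, illustrative): the separator between numbers is
# mandatory, so a digit run belongs to exactly one number and a failing tail
# costs one backtrack step per character (linear).
HARDENED_POINTS = re.compile(r"\d+(?:[ ,]+\d+)*[ ,]*")

NUMBER = re.compile(r"\d+")


def is_point_list(value: str, pattern: re.Pattern = HARDENED_POINTS) -> bool:
    """True if `value` is a comma/space separated list of integers."""
    return pattern.fullmatch(value) is not None


def parse_points(value: str, pattern: re.Pattern = HARDENED_POINTS) -> list[int]:
    """Validate `value` with `pattern` and return its integers; ValueError otherwise."""
    if not is_point_list(value, pattern):
        raise ValueError(f"not a point list: {value!r}")
    return [int(n) for n in NUMBER.findall(value)]


def time_fullmatch(pattern: re.Pattern, value: str) -> float:
    """Seconds spent in a single fullmatch call (to show growth with input size)."""
    start = time.perf_counter()
    pattern.fullmatch(value)
    return time.perf_counter() - start


def attacker_points(n: int) -> str:
    """Constructed malicious attribute value: n digits with no separator,
    then a character that can never match, forcing full backtracking."""
    return "1" * n + "x"


if __name__ == "__main__":
    print("benign:", parse_points("10, 20 30,40"))
    # Each extra digit roughly doubles the vulnerable pattern's running time;
    # the hardened pattern rejects the same input in microseconds.
    for n in (12, 16, 20):
        bad = attacker_points(n)
        print(f"n={n:2d}  vulnerable {time_fullmatch(VULNERABLE_POINTS, bad):8.3f}s"
              f"  hardened {time_fullmatch(HARDENED_POINTS, bad):10.6f}s")
```

Both patterns accept the same well-formed lists, so the rewrite is a drop-in replacement; the difference is only visible on input that fails to match. When auditing a parser for this class of bug, look for a quantified group whose body can consume the same characters as its neighbour (here `\d+` next to an optional separator under `+`), and cap the attribute length before the regex runs as defence in depth.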