Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: cairo...@packages.debian.org, car...@debian.org
Control: affects -1 + src:cairosvg

Dear release team,

Please unblock package cairosvg

It addresses CVE-2023-27586, #1033295, for which we also plan to release
a DSA for bullseye-security. Testing the new version, both manually and
with the CI setup for security, has so far not shown any regression.

What changes is that one needs to explicitly allow fetching external
files, to address the problem.

I would propose to unblock it and age the package a bit, but still
give it some further exposure in unstable before it migrates to
testing.

unblock cairosvg/2.5.2-1.1

Regards,
Salvatore

diff -Nru cairosvg-2.5.2/debian/changelog cairosvg-2.5.2/debian/changelog
--- cairosvg-2.5.2/debian/changelog     2021-08-30 22:54:50.000000000 +0200
+++ cairosvg-2.5.2/debian/changelog     2023-03-21 22:21:22.000000000 +0100
@@ -1,3 +1,11 @@
+cairosvg (2.5.2-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Don't allow fetching external files unless explicitly asked for
+    (CVE-2023-27586) (Closes: #1033295)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Tue, 21 Mar 2023 22:21:22 +0100
+
 cairosvg (2.5.2-1) unstable; urgency=low
 
   * New upstream release.
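Review bot: the changelog entry names the fix but not its user-visible effect; since external references now silently resolve to an empty 1x1 SVG unless `--unsafe` is passed or a `url_fetcher` is supplied (see the parser.py hunk below), a short debian/NEWS entry, or one more sentence here, telling users how to restore the previous behaviour for trusted input would spare upgraders a confusing "my images disappeared" debugging session.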
diff -Nru cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch
--- cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch    1970-01-01 01:00:00.000000000 +0100
+++ cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch    2023-03-21 22:20:00.000000000 +0100
@@ -0,0 +1,66 @@
+From: Guillaume Ayoub <guilla...@courtbouillon.org>
+Date: Fri, 10 Mar 2023 16:11:22 +0100
+Subject: =?UTF-8?q?Don=E2=80=99t=20allow=20fetching=20external=20files=20u?=
+ =?UTF-8?q?nless=20explicitly=20asked=20for?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: 
https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255
+Bug-Debian: https://bugs.debian.org/1033295
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-27586
+
+---
+ cairosvg/__main__.py | 4 ++--
+ cairosvg/parser.py   | 6 ++++++
+ cairosvg/surface.py  | 3 ++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/cairosvg/__main__.py b/cairosvg/__main__.py
+index 3ff6b5d1282f..0aad3d782489 100644
+--- a/cairosvg/__main__.py
++++ b/cairosvg/__main__.py
+@@ -42,8 +42,8 @@ def main(argv=None, stdout=None, stdin=None):
+         help='replace every raster pixel with its complementary color')
+     parser.add_argument(
+         '-u', '--unsafe', action='store_true',
+-        help='resolve XML entities and allow very large files '
+-             '(WARNING: vulnerable to XXE attacks and various DoS)')
++        help='fetch external files, resolve XML entities and allow very large 
'
++             'files (WARNING: vulnerable to XXE attacks and various DoS)')
+     parser.add_argument(
+         '--output-width', default=None, type=float,
+         help='desired output width in pixels')
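Review bot: the `--unsafe` help text now bundles external file fetching with entity resolution and large-file handling, so a CLI user who only needs images from a trusted directory has no way to opt in to fetching without also switching off the XXE and DoS protections; the help text could point out that the Python API's `url_fetcher` argument is the finer-grained alternative (the parser.py guard skips the placeholder when one is supplied). Also, the `+` line carrying the new help string `'fetch external files, resolve XML entities and allow very large '` is split across two lines in this listing; if that is how the quilt patch is stored rather than a mail-wrapping artifact, it will not apply.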
+diff --git a/cairosvg/parser.py b/cairosvg/parser.py
+index f0f3a82573f3..61275f0a1073 100644
+--- a/cairosvg/parser.py
++++ b/cairosvg/parser.py
+@@ -390,6 +390,12 @@ class Tree(Node):
+             tree = ElementTree.fromstring(
+                 bytestring, forbid_entities=not unsafe,
+                 forbid_external=not unsafe)
++
++        # Don’t allow fetching external files unless explicitly asked for
++        if 'url_fetcher' not in kwargs and not unsafe:
++            self.url_fetcher = (
++                lambda *args, **kwargs: b'<svg width="1" height="1"></svg>')
++
+         self.xml_tree = tree
+         root = cssselect2.ElementWrapper.from_xml_root(tree)
+         style = parent.style if parent else css.parse_stylesheets(self, url)
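Review bot: the guard `if 'url_fetcher' not in kwargs and not unsafe:` tests for the key's presence rather than its value, so a caller that passes `url_fetcher=None` explicitly gets no safe default at all; `kwargs.get('url_fetcher') is None and not unsafe` would cover both cases. The fallback `lambda *args, **kwargs: b'<svg width="1" height="1"></svg>'` also hands back the same 1x1 SVG for every blocked URL without any warning, so a blocked image or stylesheet is indistinguishable from a genuinely empty one; logging once per blocked fetch, or raising a clearly named error, would make the new default much easier to diagnose. Minor: the lambda's `**kwargs` shadows the enclosing `kwargs`; a different parameter name avoids the confusion.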
+diff --git a/cairosvg/surface.py b/cairosvg/surface.py
+index c5569e768032..a2f7736aabbe 100644
+--- a/cairosvg/surface.py
++++ b/cairosvg/surface.py
+@@ -113,7 +113,8 @@ class Surface(object):
+         :param parent_width: The width of the parent container in pixels.
+         :param parent_height: The height of the parent container in pixels.
+         :param scale: The ouptut scaling factor.
+-        :param unsafe: A boolean allowing XML entities and very large files
++        :param unsafe: A boolean allowing external file access, XML entities
++                       and very large files
+                        (WARNING: vulnerable to XXE attacks and various DoS).
+ 
+         Specifiy the output with:
+-- 
+2.39.2
+
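Review bot: the surface.py hunk is docstring-only and matches the new `unsafe` semantics introduced in parser.py. The adjacent context lines still carry the pre-existing typos `ouptut` and `Specifiy`; those belong in a separate upstream change rather than this security patch, but are worth reporting upstream.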
diff -Nru cairosvg-2.5.2/debian/patches/series cairosvg-2.5.2/debian/patches/series
--- cairosvg-2.5.2/debian/patches/series        2021-08-30 22:54:50.000000000 +0200
+++ cairosvg-2.5.2/debian/patches/series        2023-03-21 22:20:08.000000000 +0100
@@ -1 +1,2 @@
 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch
+Don-t-allow-fetching-external-files-unless-explicitl.patch
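Review bot: the new series entry has no numeric prefix while the existing one uses `0001-`; naming it `0002-Don-t-allow-fetching-external-files-unless-explicitl.patch` keeps the naming consistent. Style only, since the order in `series` is what quilt follows.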
