Your message dated Mon, 27 Mar 2023 18:51:06 +0000
with message-id <[email protected]>
and subject line unblock cairosvg
has caused the Debian Bug report #1033527,
regarding unblock: cairosvg/2.5.2-1.1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1033527: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033527
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:cairosvg
Dear release team,
Please unblock package cairosvg
It addresses CVE-2023-27586, #1033295, for which we plan to release a DSA
for bullseye-security as well. Testing with the new version, both
manually and with the CI setup for security, has so far not shown any
regression.
What changes is that one needs to explicitly allow fetching external
files, to address the problem.
I would propose to unblock it and age the package a bit, but still
give it some further exposure in unstable before it will migrate to
testing.
unblock cairosvg/2.5.2-1.1
Regards,
Salvatore
diff -Nru cairosvg-2.5.2/debian/changelog cairosvg-2.5.2/debian/changelog
--- cairosvg-2.5.2/debian/changelog 2021-08-30 22:54:50.000000000 +0200
+++ cairosvg-2.5.2/debian/changelog 2023-03-21 22:21:22.000000000 +0100
@@ -1,3 +1,11 @@
+cairosvg (2.5.2-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Don't allow fetching external files unless explicitly asked for
+ (CVE-2023-27586) (Closes: #1033295)
+
+ -- Salvatore Bonaccorso <[email protected]> Tue, 21 Mar 2023 22:21:22 +0100
+
cairosvg (2.5.2-1) unstable; urgency=low
* New upstream release.
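Review bot: the changelog entry records the CVE and bug numbers but not that this is a user-visible behaviour change: after this upload, an SVG referencing external files gets those references replaced by an empty 1x1 SVG unless the caller opts in, which the wording "unless explicitly asked for" only hints at. Consider a debian/NEWS entry, or a second changelog line, telling users that external references now need `--unsafe` on the command line or an explicit `url_fetcher` from the API, so that a sudden change in rendered output is recognisable as intended rather than as a regression.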
diff -Nru
cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch
cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch
---
cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch
1970-01-01 01:00:00.000000000 +0100
+++
cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch
2023-03-21 22:20:00.000000000 +0100
@@ -0,0 +1,66 @@
+From: Guillaume Ayoub <[email protected]>
+Date: Fri, 10 Mar 2023 16:11:22 +0100
+Subject: =?UTF-8?q?Don=E2=80=99t=20allow=20fetching=20external=20files=20u?=
+ =?UTF-8?q?nless=20explicitly=20asked=20for?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin:
https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255
+Bug-Debian: https://bugs.debian.org/1033295
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-27586
+
+---
+ cairosvg/__main__.py | 4 ++--
+ cairosvg/parser.py | 6 ++++++
+ cairosvg/surface.py | 3 ++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/cairosvg/__main__.py b/cairosvg/__main__.py
+index 3ff6b5d1282f..0aad3d782489 100644
+--- a/cairosvg/__main__.py
++++ b/cairosvg/__main__.py
+@@ -42,8 +42,8 @@ def main(argv=None, stdout=None, stdin=None):
+ help='replace every raster pixel with its complementary color')
+ parser.add_argument(
+ '-u', '--unsafe', action='store_true',
+- help='resolve XML entities and allow very large files '
+- '(WARNING: vulnerable to XXE attacks and various DoS)')
++ help='fetch external files, resolve XML entities and allow very large
'
++ 'files (WARNING: vulnerable to XXE attacks and various DoS)')
+ parser.add_argument(
+ '--output-width', default=None, type=float,
+ help='desired output width in pixels')
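Review bot: with this help text, `--unsafe` is the only command-line way to get external files back, and it re-enables entity resolution and unlimited file sizes at the same time, so a user whose SVG only references an external raster image has to accept the XXE exposure the warning describes. The library offers a narrower opt-in through the `url_fetcher` keyword (see the parser.py hunk), but the CLI has no equivalent; stating that trade-off in the help text or the package documentation would make the choice explicit. The split of the new help string across two lines in this copy is e-mail line wrapping, not a defect in the patch.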
+diff --git a/cairosvg/parser.py b/cairosvg/parser.py
+index f0f3a82573f3..61275f0a1073 100644
+--- a/cairosvg/parser.py
++++ b/cairosvg/parser.py
+@@ -390,6 +390,12 @@ class Tree(Node):
+ tree = ElementTree.fromstring(
+ bytestring, forbid_entities=not unsafe,
+ forbid_external=not unsafe)
++
++ # Don’t allow fetching external files unless explicitly asked for
++ if 'url_fetcher' not in kwargs and not unsafe:
++ self.url_fetcher = (
++ lambda *args, **kwargs: b'<svg width="1" height="1"></svg>')
++
+ self.xml_tree = tree
+ root = cssselect2.ElementWrapper.from_xml_root(tree)
+ style = parent.style if parent else css.parse_stylesheets(self, url)
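Review bot: the diffstat for this patch lists only source files, so no test accompanies the new default; a regression test that parses an SVG with an external reference under default options and asserts that the stub fetcher's output, not the referenced content, reaches the renderer would guard against the check being dropped later. Two details of the check itself: it keys on the presence of the `url_fetcher` keyword, so any caller passing one, whatever its value, regains full external access regardless of `unsafe`, which is the intended opt-in but is documented nowhere in this patch; and the stub returns a 1x1 SVG document for every URL, whatever resource was requested, so it is worth verifying that raster image and stylesheet loaders cope with SVG bytes in place of the expected content rather than raising.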
+diff --git a/cairosvg/surface.py b/cairosvg/surface.py
+index c5569e768032..a2f7736aabbe 100644
+--- a/cairosvg/surface.py
++++ b/cairosvg/surface.py
+@@ -113,7 +113,8 @@ class Surface(object):
+ :param parent_width: The width of the parent container in pixels.
+ :param parent_height: The height of the parent container in pixels.
+ :param scale: The ouptut scaling factor.
+- :param unsafe: A boolean allowing XML entities and very large files
++ :param unsafe: A boolean allowing external file access, XML entities
++ and very large files
+ (WARNING: vulnerable to XXE attacks and various DoS).
+
+ Specifiy the output with:
+--
+2.39.2
+
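Review bot: the updated `unsafe` docstring does not mention that passing a `url_fetcher` keyword is the other way to allow external file access (the parser.py hunk keeps fetching enabled whenever that keyword is present), so a caller reading only this docstring would not know a narrower opt-in exists; one sentence naming `url_fetcher` would close that gap. The surrounding context lines also carry two pre-existing typos, "ouptut" and "Specifiy", that a follow-up could fix.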
diff -Nru cairosvg-2.5.2/debian/patches/series
cairosvg-2.5.2/debian/patches/series
--- cairosvg-2.5.2/debian/patches/series 2021-08-30 22:54:50.000000000
+0200
+++ cairosvg-2.5.2/debian/patches/series 2023-03-21 22:20:08.000000000
+0100
@@ -1 +1,2 @@
0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch
+Don-t-allow-fetching-external-files-unless-explicitl.patch
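Review bot: the new entry drops the numeric prefix that the existing `0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch` uses, so the series no longer follows a single naming convention; renaming it `0002-Don-t-allow-fetching-external-files-unless-explicitl.patch` keeps the application order visible in the file name. Appending it after the existing patch is otherwise correct, since quilt applies patches in the order listed here.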
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---