Control: tags 1033295 + patch
Control: tags 1033295 + pending
Dear maintainer, I've prepared an NMU for cairosvg (versioned as 2.5.2-1.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. Regards, Salvatore
diff -Nru cairosvg-2.5.2/debian/changelog cairosvg-2.5.2/debian/changelog
--- cairosvg-2.5.2/debian/changelog 2021-08-30 22:54:50.000000000 +0200
+++ cairosvg-2.5.2/debian/changelog 2023-03-21 22:21:22.000000000 +0100
@@ -1,3 +1,11 @@
+cairosvg (2.5.2-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Don't allow fetching external files unless explicitly asked for
+ (CVE-2023-27586) (Closes: #1033295)
+
+ -- Salvatore Bonaccorso <car...@debian.org> Tue, 21 Mar 2023 22:21:22 +0100
+
 cairosvg (2.5.2-1) unstable; urgency=low
 
 * New upstream release.
diff -Nru cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch
--- cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch 1970-01-01 01:00:00.000000000 +0100
+++ cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch 2023-03-21 22:20:00.000000000 +0100
@@ -0,0 +1,66 @@
+From: Guillaume Ayoub <guilla...@courtbouillon.org>
+Date: Fri, 10 Mar 2023 16:11:22 +0100
+Subject: =?UTF-8?q?Don=E2=80=99t=20allow=20fetching=20external=20files=20u?=
+ =?UTF-8?q?nless=20explicitly=20asked=20for?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255
+Bug-Debian: https://bugs.debian.org/1033295
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-27586
+
+---
+ cairosvg/__main__.py | 4 ++--
+ cairosvg/parser.py | 6 ++++++
+ cairosvg/surface.py | 3 ++-
+ 3 files changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/cairosvg/__main__.py b/cairosvg/__main__.py
+index 3ff6b5d1282f..0aad3d782489 100644
+--- a/cairosvg/__main__.py
++++ b/cairosvg/__main__.py
+@@ -42,8 +42,8 @@ def main(argv=None, stdout=None, stdin=None):
+ help='replace every raster pixel with its complementary color')
+ parser.add_argument(
+ '-u', '--unsafe', action='store_true',
+- help='resolve XML entities and allow very large files '
+- '(WARNING: vulnerable to XXE attacks and various DoS)')
++ help='fetch external files, resolve XML entities and allow very large '
++ 'files (WARNING: vulnerable to XXE attacks and various DoS)')
+ parser.add_argument(
+ '--output-width', default=None, type=float,
+ help='desired output width in pixels')
+diff --git a/cairosvg/parser.py b/cairosvg/parser.py
+index f0f3a82573f3..61275f0a1073 100644
+--- a/cairosvg/parser.py
++++ b/cairosvg/parser.py
+@@ -390,6 +390,12 @@ class Tree(Node):
+ tree = ElementTree.fromstring(
+ bytestring, forbid_entities=not unsafe,
+ forbid_external=not unsafe)
++
++ # Don???t allow fetching external files unless explicitly asked for
++ if 'url_fetcher' not in kwargs and not unsafe:
++ self.url_fetcher = (
++ lambda *args, **kwargs: b'<svg width="1" height="1"></svg>')
++
+ self.xml_tree = tree
+ root = cssselect2.ElementWrapper.from_xml_root(tree)
+ style = parent.style if parent else css.parse_stylesheets(self, url)
+diff --git a/cairosvg/surface.py b/cairosvg/surface.py
+index c5569e768032..a2f7736aabbe 100644
+--- a/cairosvg/surface.py
++++ b/cairosvg/surface.py
+@@ -113,7 +113,8 @@ class Surface(object):
+ :param parent_width: The width of the parent container in pixels.
+ :param parent_height: The height of the parent container in pixels.
+ :param scale: The ouptut scaling factor.
+- :param unsafe: A boolean allowing XML entities and very large files
++ :param unsafe: A boolean allowing external file access, XML entities
++ and very large files
+ (WARNING: vulnerable to XXE attacks and various DoS).
+ 
+ Specifiy the output with:
+-- 
+2.39.2
+
diff -Nru cairosvg-2.5.2/debian/patches/series cairosvg-2.5.2/debian/patches/series
--- cairosvg-2.5.2/debian/patches/series 2021-08-30 22:54:50.000000000 +0200
+++ cairosvg-2.5.2/debian/patches/series 2023-03-21 22:20:08.000000000 +0100
@@ -1 +1,2 @@
 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch
+Don-t-allow-fetching-external-files-unless-explicitl.patch
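Review bot: The default fetcher installed in the parser.py hunk of the new patch drops every external reference silently — a document whose image or stylesheet points outside the file comes back as a 1×1 placeholder with no diagnostic, so a user cannot tell the new safe default from a rendering defect. Consider emitting a single `warnings.warn(...)` (or a logger call) when the stub is invoked, or at least recording the behaviour in the `unsafe` docstring that the surface.py hunk already touches, e.g. `Without it, external references resolve to an empty 1x1 SVG unless a url_fetcher is supplied.` The stub `lambda *args, **kwargs:` also rebinds `kwargs`, shadowing the enclosing `kwargs` that the guard reads on the line above; `lambda *_args, **_kwargs:` makes it explicit that the arguments are intentionally ignored. The enclosing method of `Tree` starts and ends outside the hunk, so whether every path that yields `tree` (a cache hit, say) runs through this guard cannot be confirmed here and is worth checking.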