Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cairo...@packages.debian.org, Joe Burmeister 
<joe.burmeis...@devtank.co.uk>, car...@debian.org
Control: affects -1 + src:cairosvg

Dear SRM,

[ Reason ]
Triggered by an off-list report from Joe Burmeister: cairosvg suffers
from a regression introduced by the original upstream fix for
CVE-2023-27586, where embedded images using data URIs no longer work
without the unsafe flag. To fix the issue it is only necessary to
disallow loading of external files; data URIs would be expected to
still work.

See:
- https://bugs.debian.org/1050643
- https://github.com/Kozea/CairoSVG/issues/383

[ Impact ]
Without using the unsafe flag, it is not possible to embed images
using data URIs.

[ Tests ]
Joe tested the updated package with a (non public) testcase.

[ Risks ]
Syncs up with upstream fixes after the original fix for
CVE-2023-27586.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Allow data URLs to be handled in safe mode as well, using a newly
introduced safe_fetch which fetches the content of the passed URL if it
is a data URL and returns an empty SVG otherwise.
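As an added illustration (not part of this report or of cairosvg's own code), the fetcher policy before and after the fix side by side, with a small RFC 2397 decoder standing in for cairosvg's fetch(), which hands data: URLs to urllib; the sample URLs are constructed.

```python
import base64
from urllib.parse import unquote_to_bytes

# Placeholder that safe mode returns for any resource it refuses to load.
PLACEHOLDER_SVG = b'<svg width="1" height="1"></svg>'


def regressed_fetcher(url, resource_type):
    """Behaviour of the original CVE-2023-27586 fix: every reference,
    including data: URLs, is replaced by the placeholder (the regression)."""
    return PLACEHOLDER_SVG


def decode_data_url(url):
    """Minimal RFC 2397 decoder (assumed helper, not cairosvg's code).
    Handles both the ';base64' and the percent-encoded payload forms."""
    header, _, payload = url[len('data:'):].partition(',')
    if header.endswith(';base64'):
        return base64.b64decode(payload, validate=True)
    return unquote_to_bytes(payload)


def safe_fetch(url, resource_type):
    """Mirror of the patched behaviour: only data: URLs are resolved;
    every other scheme (http, file, relative paths) keeps the placeholder,
    so the external-file read the CVE fix blocked stays blocked."""
    if url and url.startswith('data:'):
        return decode_data_url(url)
    return PLACEHOLDER_SVG


# Constructed sample references, as an <image href="..."> would carry them.
EMBEDDED_SVG = b'<svg width="4" height="4"/>'
SAMPLE_DATA_URL = ('data:image/svg+xml;base64,'
                   + base64.b64encode(EMBEDDED_SVG).decode('ascii'))
SAMPLE_EXTERNAL = ['http://example.invalid/x.svg', 'file:///tmp/local.svg',
                   'local.svg', None]


def check_policy(fetcher):
    """Return whether a fetcher loads embedded data and blocks externals."""
    return {
        'data_url_loaded': fetcher(SAMPLE_DATA_URL, 'image') == EMBEDDED_SVG,
        'externals_blocked': all(fetcher(u, 'image') == PLACEHOLDER_SVG
                                 for u in SAMPLE_EXTERNAL),
    }
```

Running check_policy() on both fetchers shows the regression (data URL not loaded) and that the fix restores it without re-enabling external loads.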

[ Other info ]
None

Regards,
Salvatore
diff -Nru cairosvg-2.5.0/debian/changelog cairosvg-2.5.0/debian/changelog
--- cairosvg-2.5.0/debian/changelog     2023-03-23 20:51:51.000000000 +0100
+++ cairosvg-2.5.0/debian/changelog     2023-09-06 21:24:37.000000000 +0200
@@ -1,3 +1,10 @@
+cairosvg (2.5.0-1.1+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Handle data-URLs in safe mode (Closes: #1050643)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Wed, 06 Sep 2023 21:24:37 +0200
+
 cairosvg (2.5.0-1.1+deb11u1) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
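Review bot: the new changelog entry should say that this fixes a regression from the CVE-2023-27586 fix in 2.5.0-1.1+deb11u1, not only "Handle data-URLs in safe mode (Closes: #1050643)"; a reader of the changelog cannot otherwise tell why safe-mode behaviour changed again, e.g. "Handle data-URLs in safe mode, regression from the CVE-2023-27586 fix (Closes: #1050643)".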
diff -Nru cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch 
cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch
--- cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch   
1970-01-01 01:00:00.000000000 +0100
+++ cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch   
2023-09-06 21:24:37.000000000 +0200
@@ -0,0 +1,61 @@
+From: Guillaume Ayoub <guilla...@courtbouillon.org>
+Date: Tue, 18 Apr 2023 14:51:13 +0200
+Subject: Handle data-URLs in safe mode.
+Origin: 
https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d
+Bug: https://github.com/Kozea/CairoSVG/issues/383
+Bug-Debian: https://bugs.debian.org/1050643
+
+Fix #383.
+---
+ cairosvg/parser.py |  5 ++---
+ cairosvg/url.py    | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/cairosvg/parser.py b/cairosvg/parser.py
+index 61275f0a1073..06a65db5c0e2 100644
+--- a/cairosvg/parser.py
++++ b/cairosvg/parser.py
+@@ -14,7 +14,7 @@ from defusedxml import ElementTree
+ from . import css
+ from .features import match_features
+ from .helpers import flatten, pop_rotation, rotations
+-from .url import fetch, parse_url, read_url
++from .url import fetch, parse_url, read_url, safe_fetch
+ 
+ # 'display' is actually inherited but handled differently because some markers
+ # are part of a none-displaying group (see test painting-marker-07-f.svg)
+@@ -393,8 +393,7 @@ class Tree(Node):
+ 
+         # Don’t allow fetching external files unless explicitly asked for
+         if 'url_fetcher' not in kwargs and not unsafe:
+-            self.url_fetcher = (
+-                lambda *args, **kwargs: b'<svg width="1" height="1"></svg>')
++            self.url_fetcher = safe_fetch
+ 
+         self.xml_tree = tree
+         root = cssselect2.ElementWrapper.from_xml_root(tree)
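Review bot: the default fetcher changes from a lambda accepting `*args, **kwargs` to `safe_fetch(url, resource_type)`, which narrows the accepted call signature; confirm that every call site of `self.url_fetcher` in this version passes exactly `(url, resource_type)`, otherwise safe mode now raises TypeError where it used to silently return the placeholder.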
+diff --git a/cairosvg/url.py b/cairosvg/url.py
+index b4a78eaf6645..7b184e6e74d9 100644
+--- a/cairosvg/url.py
++++ b/cairosvg/url.py
+@@ -84,6 +84,17 @@ def fetch(url, resource_type):
+     return urlopen(Request(url, headers=HTTP_HEADERS)).read()
+ 
+ 
++def safe_fetch(url, resource_type):
++    """Fetch the content of ``url`` only if it’s a data-URL.
++
++    Otherwise, return an empty SVG.
++
++    """
++    if url and url.startswith('data:'):
++        return fetch(url, resource_type)
++    return b'<svg width="1" height="1"></svg>'
++
++
+ def parse_url(url, base=None):
+     """Parse an URL.
+ 
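Review bot: no test accompanies the new `safe_fetch`; add one covering both directions of the policy, a `data:` URL being resolved in safe mode and an `http://` or `file://` URL still yielding `b'<svg width="1" height="1"></svg>'`, so the CVE-2023-27586 behaviour cannot regress again unnoticed. Minor: the `startswith('data:')` check is case-sensitive, so `DATA:` URLs fall through to the placeholder (fails closed, acceptable, but worth a comment), and the docstring has a stray blank line before its closing quotes.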
+-- 
+2.40.1
+
diff -Nru cairosvg-2.5.0/debian/patches/series 
cairosvg-2.5.0/debian/patches/series
--- cairosvg-2.5.0/debian/patches/series        2023-03-23 20:51:07.000000000 
+0100
+++ cairosvg-2.5.0/debian/patches/series        2023-09-06 21:23:58.000000000 
+0200
@@ -1,3 +1,4 @@
 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch
 0002-Don-t-use-overlapping-groups-for-regular-expressions.patch
 Don-t-allow-fetching-external-files-unless-explicitl.patch
+Handle-data-URLs-in-safe-mode.patch
