** Information type changed from Private Security to Public Security

-- You received this bug notification because you are a member of Desktop Packages, which is subscribed to librsvg in Ubuntu.
https://bugs.launchpad.net/bugs/2006615

Title: terminate process when processing svg file
Status in librsvg package in Ubuntu: Fix Released

Bug description:

- Description

In 2.52.5, the stable version distributed on ubuntu22, the process is terminated due to large font size when processing svg files. The vulnerability occurs in the assert!(h >= 0.0); code in src/text.rs:359. Since the font size can be controlled by an attacker, this is a 'Reachable assertion'. An attacker can prove the poc by using a large value for the font size inside the <g> tag of the svg file.

Any application that uses a vulnerable version of the librsvg package may be affected. I observed that other applications using version 2.52.5 terminated. This can be proven using the rsvg-convert tool provided when building librsvg version 2.52.5, and also the Image Viewer does not execute normally and terminates.

- Version
=======================================================================
$ apt search librsvg2
Sorting... Done
Full Text Search... Done
librsvg2-2/jammy,now 2.52.5+dfsg-3 amd64 [installed,automatic]
  SAX-based renderer library for SVG files (runtime)

librsvg2-common/jammy,now 2.52.5+dfsg-3 amd64 [installed,automatic]
  SAX-based renderer library for SVG files (extra runtime)

librsvg2-dev/jammy,now 2.52.5+dfsg-3 amd64 [installed]
  SAX-based renderer library for SVG files (development)
=======================================================================

The rsvg-convert tool is created by building the 2.52.5 source in gitlab.

- POC normal execute
=======================================================================
$ ./rsvg-convert poc

(process:3460): Pango-WARNING **: 01:06:26.068: failed to create cairo scaled font, expect ugly output.
the offending font is 'Liberation Serif 2097151.9990234375'

(process:3460): Pango-WARNING **: 01:06:26.068: font_face status is: error occurred in libfreetype

(process:3460): Pango-WARNING **: 01:06:26.068: scaled_font status is: error occurred in libfreetype
thread 'main' panicked at 'assertion failed: h >= 0.0', src/text.rs:359:9
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
=======================================================================

'RUST_BACKTRACE=full' result is too long to write. But if you request, I'll write

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/librsvg/+bug/2006615/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
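The security-relevant point in the report is the pattern, not the particular line: an `assert!` on a geometry value that is derived from a document-controlled attribute, and that the font backend can fail to produce, turns a rendering failure into a process abort (and takes down any host application, as the Image Viewer observation shows). The following Rust example, added here and not taken from librsvg or the report, puts that pattern beside a recoverable alternative. The attribute extraction, the `MAX_FONT_SIZE` limit, the `fake_scaled_font_extents` stand-in for the font backend and all function names are assumptions made for illustration; they are not librsvg's code, limits or fix.

```rust
// Added example, not librsvg's code. Shows why an assertion on a value that
// flows from an untrusted SVG attribute through a fallible font backend is a
// denial-of-service sink, and what a recoverable error path looks like.

#[derive(Debug, PartialEq)]
pub enum TextError {
    BadFontSize(String),
    FontSizeOutOfRange(f64),
    Rasterizer(String),
}

/// Upper bound on a font-size we are willing to hand to the rasterizer.
/// Placeholder chosen for the example, not a limit used by librsvg.
pub const MAX_FONT_SIZE: f64 = 10_000.0;

/// Pull the raw value of the first `font-size="..."` attribute out of a
/// document (assumed minimal scanner, enough for the constructed input below).
pub fn extract_font_size(svg: &str) -> Option<&str> {
    let start = svg.find("font-size=\"")? + "font-size=\"".len();
    let end = svg[start..].find('"')? + start;
    Some(&svg[start..end])
}

/// Parse a font-size as a plain number with an optional `px` suffix
/// (assumed simplification of CSS lengths) and reject non-finite,
/// negative or oversized values before they reach any backend.
pub fn parse_font_size(raw: &str) -> Result<f64, TextError> {
    let trimmed = raw.trim().trim_end_matches("px").trim();
    let size: f64 = trimmed
        .parse()
        .map_err(|_| TextError::BadFontSize(raw.to_string()))?;
    if !size.is_finite() || size < 0.0 || size > MAX_FONT_SIZE {
        return Err(TextError::FontSizeOutOfRange(size));
    }
    Ok(size)
}

/// Stand-in for a font backend (assumption): fails above an internal limit,
/// mirroring the "error occurred in libfreetype" warnings in the report.
fn fake_scaled_font_extents(font_size: f64) -> Result<(f64, f64), String> {
    if font_size > 65_536.0 {
        Err("error occurred in libfreetype".to_string())
    } else {
        Ok((font_size * 0.5, font_size * 1.25)) // (width, height)
    }
}

/// The reachable-assertion pattern: a backend failure is papered over with a
/// sentinel, and the assertion on `h` then aborts the whole process.
pub fn layout_height_asserting(font_size: f64) -> f64 {
    let (_w, h) = fake_scaled_font_extents(font_size).unwrap_or((0.0, -1.0));
    assert!(h >= 0.0); // panics for inputs the backend rejects
    h
}

/// Hardened pattern: validate the attribute first, propagate backend errors,
/// and treat an impossible height as an error rather than an invariant.
pub fn layout_height_checked(raw_font_size: &str) -> Result<f64, TextError> {
    let size = parse_font_size(raw_font_size)?;
    let (_w, h) = fake_scaled_font_extents(size).map_err(TextError::Rasterizer)?;
    if h < 0.0 {
        return Err(TextError::Rasterizer(format!("negative height {h}")));
    }
    Ok(h)
}

fn main() {
    // Constructed inputs: a benign document and one with an oversized value.
    let benign = r#"<svg><g font-size="10px"><text>ok</text></g></svg>"#;
    let oversized = r#"<svg><g font-size="2097151.9990234375"><text>x</text></g></svg>"#;
    for doc in [benign, oversized] {
        let raw = extract_font_size(doc).unwrap_or("");
        match layout_height_checked(raw) {
            Ok(h) => println!("font-size {raw}: height {h}"),
            Err(e) => println!("font-size {raw}: rejected ({e:?}), caller keeps running"),
        }
    }
}
```

`layout_height_checked` rejects the oversized attribute before the backend is consulted, so the error surfaces to the caller (rsvg-convert or a viewer) as a failed render rather than a `SIGABRT`; `layout_height_asserting` reproduces the abort for the same input. Assertions are for invariants the code itself guarantees, not for properties of data that an external document or library controls.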