** Information type changed from Private Security to Public Security

You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to librsvg in Ubuntu.

  terminate process when processing svg file

Status in librsvg package in Ubuntu:
  Fix Released

Bug description:
  - Description
  In 2.52.5, the stable version distributed on ubuntu22, the process is 
terminated due to large font size when processing svg files.

  The vulnerability occurs in the assert!(h >= 0.0); code in
  src/text.rs:359. Since the font size can be controlled by an attacker,
  this is a 'Reachable assertion'.

  An attacker can prove the poc by using a large value for the font size
  inside the <g> tag of the svg file.

  Any application that uses a vulnerable version of the librsvg package
  may be affected. I observed that other applications using version
  2.52.5 terminated.

  This can prove it using the rsvg-convert tool provided when building
  librsvg version 2.52.5, and also the Image Viewer does not execute
  normally and terminates.

  - Version
  $ apt search librsvg2
  Sorting... Done
  Full Text Search... Done
  librsvg2-2/jammy,now 2.52.5+dfsg-3 amd64 [installed,automatic]
    SAX-based renderer library for SVG files (runtime)

  librsvg2-common/jammy,now 2.52.5+dfsg-3 amd64 [installed,automatic]
    SAX-based renderer library for SVG files (extra runtime)

  librsvg2-dev/jammy,now 2.52.5+dfsg-3 amd64 [installed]
    SAX-based renderer library for SVG files (development)

  The rsvg-convert tool is created by building the 2.52.5 source in

  - POC
  normal execute
  $ ./rsvg-convert poc

  (process:3460): Pango-WARNING **: 01:06:26.068: failed to create cairo
  scaled font, expect ugly output. the offending font is 'Liberation
  Serif 2097151.9990234375'

  (process:3460): Pango-WARNING **: 01:06:26.068: font_face status is:
  error occurred in libfreetype

  (process:3460): Pango-WARNING **: 01:06:26.068: scaled_font status is: error 
occurred in libfreetype
  thread 'main' panicked at 'assertion failed: h >= 0.0', src/text.rs:359:9
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

  'RUST_BACKTRACE=full' result is too long to write. But if you request,
  I'll write

To manage notifications about this bug go to:

Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to