SB2020022622 - Resource exhaustion in librsvg (Alpine package)
Published: February 26, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource exhaustion (CVE-ID: CVE-2019-20446)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect processing of nested patterns within SVG files in xml.rs in GNOME librsvg. Pattern elements can be nested so that the number of pixels rendered grows exponentially with the nesting depth. A remote attacker can create a specially crafted SVG file, pass it to an affected application (for example an image viewer, thumbnailer or web service that renders untrusted SVGs through librsvg), exhaust the host's CPU and memory and perform a denial of service (DoS) attack.
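As an added example (not from this bulletin and not code from librsvg or Alpine), the following pre-filter can sit in front of a renderer that accepts untrusted SVGs. It parses the document, builds the pattern-in-pattern reference graph (fill, stroke and inline style references of the form url(#id) that point at another pattern), and rejects files whose reference chain is deeper than, or whose total number of rendered pattern tiles exceeds, a budget. The thresholds, the helper names and the sample documents are constructed here for illustration; the tile count is a proxy for rendered pixels, since the real pixel count also depends on tile and viewport sizes. This is a defence-in-depth layer in front of the renderer, not a substitute for upgrading the package.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml in production

URL_REF = re.compile(r"url\(\s*#([^)\s]+)\s*\)")


def _local(tag):
    # strip the {namespace} prefix ElementTree puts on SVG tag names
    return tag.rsplit("}", 1)[-1]


def pattern_graph(svg_text):
    """Return {pattern_id: [ids of the patterns its content paints with]}.

    Only fill/stroke attributes and inline style are inspected; references to
    ids that are not a <pattern> (gradients, masks) are ignored because they
    cannot recurse into further patterns.
    """
    root = ET.fromstring(svg_text)
    patterns = {}
    for el in root.iter():
        if _local(el.tag) == "pattern" and el.get("id"):
            patterns[el.get("id")] = el
    graph = {}
    for pid, pel in patterns.items():
        refs = []
        for node in pel.iter():
            if node is pel:
                continue
            for text in (node.get("fill", ""), node.get("stroke", ""), node.get("style", "")):
                for m in URL_REF.finditer(text):
                    if m.group(1) in patterns:
                        refs.append(m.group(1))
        graph[pid] = refs
    return graph


def _walk(graph, pid, stack, memo):
    """Return (depth, tiles) for painting pattern `pid` once.

    depth = longest chain of pattern-in-pattern references starting at pid
    tiles = pattern tiles rendered: the pattern itself plus one subtree per
            nested reference, so fan-out multiplies at every level
    A cycle (a pattern that eventually paints with itself) yields infinity.
    """
    if pid in memo:
        return memo[pid]
    if pid in stack:
        return (float("inf"), float("inf"))
    stack.add(pid)
    depth, tiles = 1, 1
    for ref in graph.get(pid, []):
        d, t = _walk(graph, ref, stack, memo)
        depth = max(depth, 1 + d)
        tiles += t
    stack.discard(pid)
    memo[pid] = (depth, tiles)
    return memo[pid]


def check_svg_patterns(svg_text, max_depth=3, max_tiles=1000):
    """Pre-filter (illustrative budget values): (ok, worst_depth, worst_tiles).

    Every pattern in the document is budgeted, whether or not the drawing
    references it, which is the conservative choice for untrusted input.
    """
    graph = pattern_graph(svg_text)
    memo = {}
    worst_depth, worst_tiles = 0, 0
    for pid in graph:
        d, t = _walk(graph, pid, set(), memo)
        worst_depth = max(worst_depth, d)
        worst_tiles = max(worst_tiles, t)
    ok = worst_depth <= max_depth and worst_tiles <= max_tiles
    return ok, worst_depth, worst_tiles


def make_nested_svg(levels, fanout):
    """Constructed sample: p0 paints `fanout` rects with p1, p1 with p2, ...;
    the last pattern is a plain leaf, so tiles = 1 + fanout + fanout^2 + ..."""
    defs = []
    for i in range(levels):
        if i == levels - 1:
            body = '<rect width="5" height="5"/>'
        else:
            body = "".join(
                f'<rect x="{j * 2}" width="2" height="10" fill="url(#p{i + 1})"/>'
                for j in range(fanout))
        defs.append(f'<pattern id="p{i}" width="10" height="10" '
                    f'patternUnits="userSpaceOnUse">{body}</pattern>')
    return ('<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100"><defs>'
            + "".join(defs) + '</defs><rect width="100" height="100" fill="url(#p0)"/></svg>')


CYCLE_SVG = (  # constructed sample: p0 paints with p1 and p1 paints with p0
    '<svg xmlns="http://www.w3.org/2000/svg"><defs>'
    '<pattern id="p0" width="4" height="4"><rect width="4" height="4" fill="url(#p1)"/></pattern>'
    '<pattern id="p1" width="4" height="4"><rect width="4" height="4" fill="url(#p0)"/></pattern>'
    '</defs><rect width="8" height="8" fill="url(#p0)"/></svg>')


if __name__ == "__main__":
    print("benign :", check_svg_patterns(make_nested_svg(2, 1)))
    print("nested :", check_svg_patterns(make_nested_svg(4, 4)))
    print("cyclic :", check_svg_patterns(CYCLE_SVG))
```

With four levels of fan-out four the tile count is already 85 for a document of a few hundred bytes, and each extra level multiplies it again; the cyclic document is rejected outright rather than handed to the renderer. Any file the filter rejects should be logged with its depth and tile figures, since a stream of such rejections from one client is itself a useful detection signal.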
Remediation
Upgrade the librsvg package from the Alpine repositories (apk upgrade librsvg) to a build that includes the fix in the aports commits listed under References, then restart any long-running service that has the library loaded.
References
- https://git.alpinelinux.org/aports/commit/?id=e3b5031082498016f420446f78bdb5251906c6aa
- https://git.alpinelinux.org/aports/commit/?id=168bf00ffd975b115c247919d1907995a2e10619
- https://git.alpinelinux.org/aports/commit/?id=6e26fefaecfc7f115cccd79b1b915a51b2fde85c
- https://git.alpinelinux.org/aports/commit/?id=37ef17473269d8c5fe15930431d09704bebd823c
- https://git.alpinelinux.org/aports/commit/?id=d16ad327b5fee8ba4904fbbdd2a1d1be037de9e8