Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
Hi, Raphaël has prepared a stable update for librsvg in order to fix CVE-2013-1881. Thanks for considering. -- .''`. Josselin Mouette : :' : `. `' `-
Index: debian/changelog
===================================================================
--- debian/changelog (révision 40303)
+++ debian/changelog (copie de travail)
@@ -1,3 +1,11 @@
+librsvg (2.36.1-2) stable; urgency=low
+
+ [ Raphaël Geissert ]
+ * Fix CVE-2013-1881: disable loading of external entities.
+ Closes: #724741.
+
+ -- Josselin Mouette <j...@debian.org> Wed, 04 Dec 2013 15:06:01 +0100
+
 librsvg (2.36.1-1) unstable; urgency=low
 
 * New upstream release.
Index: debian/patches/01_CVE-2013-1881_policy.patch
===================================================================
--- debian/patches/01_CVE-2013-1881_policy.patch (révision 0)
+++ debian/patches/01_CVE-2013-1881_policy.patch (copie de travail)
@@ -0,0 +1,165 @@
+From f01aded72c38f0e18bc7ff67dee800e380251c8e Mon Sep 17 00:00:00 2001
+From: Christian Persch <c...@gnome.org>
+Date: Mon, 11 Feb 2013 21:36:58 +0000
+Subject: io: Implement strict load policy
+
+Allow any file to load from data:, and any resource to load from other
+resources. Only allow file: to load other file: URIs from below the path
+of the base file. Any other loads are denied.
+
+Bug #691708.
+---
+Index: librsvg-2.36.1/rsvg-base.c
+===================================================================
+--- librsvg-2.36.1.orig/rsvg-base.c 2012-03-26 14:25:08.000000000 +0200
++++ librsvg-2.36.1/rsvg-base.c 2013-11-26 16:07:42.481471848 +0100
+@@ -25,6 +25,7 @@
+ */
+ 
+ #include "config.h"
++#define _GNU_SOURCE 1
+ 
+ #include "rsvg.h"
+ #include "rsvg-private.h"
+@@ -1001,6 +1002,7 @@ void
+ rsvg_handle_set_base_uri (RsvgHandle * handle, const char *base_uri)
+ {
+ gchar *uri;
++ GFile *file;
+ 
+ g_return_if_fail (handle != NULL);
+ 
+@@ -1012,11 +1014,10 @@ rsvg_handle_set_base_uri (RsvgHandle * h
+ else
+ uri = rsvg_get_base_uri_from_filename (base_uri);
+ 
+- if (uri) {
+- if (handle->priv->base_uri)
+- g_free (handle->priv->base_uri);
+- handle->priv->base_uri = uri;
+- }
++ file = g_file_new_for_uri (uri ? uri : "data:");
++ rsvg_handle_set_base_gfile (handle, file);
++ g_object_unref (file);
++ g_free (uri);
+ }
+ 
+ /**
+@@ -2146,12 +2147,84 @@ _rsvg_handle_allow_load (RsvgHandle *han
+ const char *uri,
+ GError **error)
+ {
+- RsvgLoadPolicy policy = handle->priv->load_policy;
++ RsvgHandlePrivate *priv = handle->priv;
++ GFile *base;
++ char *path, *dir;
++ char *scheme = NULL, *cpath = NULL, *cdir = NULL;
+ 
+- if (policy == RSVG_LOAD_POLICY_ALL_PERMISSIVE)
+- return TRUE;
++ g_assert (handle->priv->load_policy == RSVG_LOAD_POLICY_STRICT);
++
++ scheme = g_uri_parse_scheme (uri);
++
++ /* Not a valid URI */
++ if (scheme == NULL)
++ goto deny;
++
++ /* Allow loads of data: from any location */
++ if (g_str_equal (scheme, "data"))
++ goto allow;
++
++ /* No base to compare to? */
++ if (priv->base_gfile == NULL)
++ goto deny;
++
++ /* Deny loads from differing URI schemes */
++ if (!g_file_has_uri_scheme (priv->base_gfile, scheme))
++ goto deny;
++
++ /* resource: is allowed to load anything from other resources */
++ if (g_str_equal (scheme, "resource"))
++ goto allow;
+ 
++ /* Non-file: isn't allowed to load anything */
++ if (!g_str_equal (scheme, "file"))
++ goto deny;
++
++ base = g_file_get_parent (priv->base_gfile);
++ if (base == NULL)
++ goto deny;
++
++ dir = g_file_get_path (base);
++ g_object_unref (base);
++
++ /* FIXME portability */
++ cdir = canonicalize_file_name (dir);
++ g_free (dir);
++ if (cdir == NULL)
++ goto deny;
++
++ path = g_filename_from_uri (uri, NULL, NULL);
++ if (path == NULL)
++ goto deny;
++
++ /* FIXME portability */
++ cpath = canonicalize_file_name (path);
++ g_free (path);
++
++ if (cpath == NULL)
++ goto deny;
++
++ /* Now check that @cpath is below @cdir */
++ if (!g_str_has_prefix (cpath, cdir) ||
++ cpath[strlen (cdir)] != G_DIR_SEPARATOR)
++ goto deny;
++
++ /* Allow load! */
++
++ allow:
++ g_free (scheme);
++ free (cpath);
++ free (cdir);
+ return TRUE;
++
++ deny:
++ g_free (scheme);
++ free (cpath);
++ free (cdir);
++
++ g_set_error (error, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
++ "File may not link to URI \"%s\"", uri);
++ return FALSE;
+ }
+ 
+ guint8*
+Index: librsvg-2.36.1/rsvg-io.c
+===================================================================
+--- librsvg-2.36.1.orig/rsvg-io.c 2012-03-26 14:25:08.000000000 +0200
++++ librsvg-2.36.1/rsvg-io.c 2013-11-26 16:07:25.021364586 +0100
+@@ -79,7 +79,7 @@ rsvg_acquire_data_data (const char *uri,
+ gboolean base64 = FALSE;
+ 
+ g_assert (out_len != NULL);
+- g_assert (g_str_has_prefix (uri, "data:"));
++ g_assert (strncmp (uri, "data:", 5) == 0);
+ 
+ mime_type = NULL;
+ start = uri + 5;
+Index: librsvg-2.36.1/rsvg-private.h
+===================================================================
+--- librsvg-2.36.1.orig/rsvg-private.h 2012-02-07 17:38:41.000000000 +0100
++++ librsvg-2.36.1/rsvg-private.h 2013-11-26 16:07:25.025364611 +0100
+@@ -123,10 +123,10 @@ struct RsvgSaxHandler {
+ };
+ 
+ typedef enum {
+- RSVG_LOAD_POLICY_ALL_PERMISSIVE
++ RSVG_LOAD_POLICY_STRICT
+ } RsvgLoadPolicy;
+ 
+-#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_ALL_PERMISSIVE)
++#define RSVG_LOAD_POLICY_DEFAULT (RSVG_LOAD_POLICY_STRICT)
+ 
+ struct RsvgHandlePrivate {
+ RsvgHandleFlags flags;
Index: debian/patches/02_CVE-2013-1881_xmlentities.patch
===================================================================
--- debian/patches/02_CVE-2013-1881_xmlentities.patch (révision 0)
+++ debian/patches/02_CVE-2013-1881_xmlentities.patch (copie de travail)
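Review bot: The containment test at the end of the new `_rsvg_handle_allow_load` body, `!g_str_has_prefix (cpath, cdir) || cpath[strlen (cdir)] != G_DIR_SEPARATOR`, rejects every load when the base file lives in the filesystem root: `canonicalize_file_name` returns `/` for that directory, so `cpath[1]` is the first character of the file name rather than a separator. Stripping a trailing separator before comparing fixes it without widening the policy: `size_t len = strlen (cdir); if (len > 0 && cdir[len - 1] == G_DIR_SEPARATOR) len--; if (strncmp (cpath, cdir, len) != 0 || cpath[len] != G_DIR_SEPARATOR) goto deny;`. The decision is also made on the canonicalized path while, as far as this hunk shows, the caller still opens the original `uri`; if that path is a symlink it can be repointed between the check and the open, so the loader should presumably open the canonical path it validated (the load side is not in this hunk). The `#define _GNU_SOURCE 1` in the first rsvg-base.c hunk comes after `#include "config.h"`; if config.h already defines it (autoconf's system-extensions macro does) this is a redundant redefinition, and in any case it must precede the first system header for `canonicalize_file_name` to be declared. The function's signature line is outside the hunk (it appears only in the hunk header).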
@@ -0,0 +1,50 @@
+From d83e426fff3f6d0fa6042d0930fb70357db24125 Mon Sep 17 00:00:00 2001
+From: Christian Persch <c...@gnome.org>
+Date: Mon, 11 Feb 2013 21:36:30 +0000
+Subject: io: Use XML_PARSE_NONET
+
+We don't want to load resources off the net.
+
+Bug #691708.
+---
+Index: librsvg-2.36.1/rsvg-base.c
+===================================================================
+--- librsvg-2.36.1.orig/rsvg-base.c 2013-11-26 16:07:25.021364586 +0100
++++ librsvg-2.36.1/rsvg-base.c 2013-11-26 16:07:25.037364682 +0100
+@@ -573,6 +573,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, R
+ goto fallback;
+ 
+ xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL);
++ xml_parser->options |= XML_PARSE_NONET;
+ 
+ buffer = _rsvg_xml_input_buffer_new_from_stream (stream, NULL /* cancellable */, XML_CHAR_ENCODING_NONE, &err);
+ g_object_unref (stream);
+@@ -1112,6 +1113,7 @@ rsvg_handle_write_impl (RsvgHandle * han
+ if (handle->priv->ctxt == NULL) {
+ handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+ rsvg_handle_get_base_uri (handle));
++ handle->priv->ctxt->options |= XML_PARSE_NONET;
+ 
+ /* if false, external entities work, but internal ones don't. if true, internal entities
+ work, but external ones don't. favor internal entities, in order to not cause a
+@@ -1768,6 +1770,7 @@ rsvg_handle_read_stream_sync (RsvgHandle
+ if (priv->ctxt == NULL) {
+ priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
+ rsvg_handle_get_base_uri (handle));
++ priv->ctxt->options |= XML_PARSE_NONET;
+ 
+ /* if false, external entities work, but internal ones don't. if true, internal entities
+ work, but external ones don't. favor internal entities, in order to not cause a
+Index: librsvg-2.36.1/rsvg-css.c
+===================================================================
+--- librsvg-2.36.1.orig/rsvg-css.c 2012-03-26 14:25:11.000000000 +0200
++++ librsvg-2.36.1/rsvg-css.c 2013-11-26 16:07:25.041364707 +0100
+@@ -830,6 +830,8 @@ rsvg_css_parse_xml_attribute_string (con
+ xmlSAX2InitDefaultSAXHandler (&handler, 0);
+ handler.serror = rsvg_xml_noerror;
+ parser = xmlCreatePushParserCtxt (&handler, NULL, tag, strlen (tag) + 1, NULL);
++ parser->options |= XML_PARSE_NONET;
++
+ if (xmlParseDocument (parser) != 0)
+ goto done;
+ 
Index: debian/patches/series
===================================================================
--- debian/patches/series (révision 40303)
+++ debian/patches/series (copie de travail)
@@ -1,3 +1,5 @@
+01_CVE-2013-1881_policy.patch
+02_CVE-2013-1881_xmlentities.patch
 10_rsvg-gz.patch
 20_rsvg_compat.patch
 99_ltmain_as-needed.patch
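Review bot: Each new `->options |= XML_PARSE_NONET` line dereferences the context returned by `xmlCreatePushParserCtxt` immediately, before any NULL check, in `rsvg_start_xinclude`, `rsvg_handle_write_impl`, `rsvg_handle_read_stream_sync` and `rsvg_css_parse_xml_attribute_string`; whether the surrounding code checked for a failed allocation further down is not visible, but any such check now has to come before this line, e.g. in the first hunk `if (xml_parser == NULL) goto fallback;` using the label already in scope. Setting the field directly instead of calling `xmlCtxtUseOptions (ctxt, XML_PARSE_NONET)` appears to work for this flag because libxml2's default entity loader tests `ctxt->options`, but the API call is the documented route and keeps the other option-derived context fields consistent. XML_PARSE_NONET is documented as forbidding network access by libxml2's loader; it does not by itself stop `file:` system identifiers in external entity declarations from being resolved, so it is worth confirming that the load policy from the companion patch also governs entities resolved by libxml2 rather than only librsvg's own loads (that path is not visible here). All four enclosing functions start outside their hunks.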