cnvd - cnvd-2020-23484

cnvd-2020-23484

Vulnerability from cnvd

Title

GNOME librsvg xml.rs文件拒绝服务漏洞

Description

GNOME librsvg是GNOME项目的一个开源的SVG图形开发库。 GNOME librsvg 2.46.2之前版本中的xml.rs文件存在安全漏洞。攻击者可借助特制的SVG文件利用该漏洞造成拒绝服务。

Severity

低

Patch Name

GNOME librsvg xml.rs文件拒绝服务漏洞的补丁

Patch Description

GNOME librsvg是GNOME项目的一个开源的SVG图形开发库。 GNOME librsvg 2.46.2之前版本中的xml.rs文件存在安全漏洞。攻击者可借助特制的SVG文件利用该漏洞造成拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://gitlab.gnome.org/GNOME/librsvg/issues/515

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-20446

Impacted products

Name
Gnome GNOME librsvg <2.46.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-20446"
    }
  },
  "description": "GNOME librsvg\u662fGNOME\u9879\u76ee\u7684\u4e00\u4e2a\u5f00\u6e90\u7684SVG\u56fe\u5f62\u5f00\u53d1\u5e93\u3002\n\nGNOME librsvg 2.46.2\u4e4b\u524d\u7248\u672c\u4e2d\u7684xml.rs\u6587\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684SVG\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://gitlab.gnome.org/GNOME/librsvg/issues/515",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-23484",
  "openTime": "2020-04-20",
  "patchDescription": "GNOME librsvg\u662fGNOME\u9879\u76ee\u7684\u4e00\u4e2a\u5f00\u6e90\u7684SVG\u56fe\u5f62\u5f00\u53d1\u5e93\u3002\r\n\r\nGNOME librsvg 2.46.2\u4e4b\u524d\u7248\u672c\u4e2d\u7684xml.rs\u6587\u4ef6\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u501f\u52a9\u7279\u5236\u7684SVG\u6587\u4ef6\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "GNOME librsvg xml.rs\u6587\u4ef6\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Gnome GNOME librsvg \u003c2.46.2"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2019-20446",
  "serverity": "\u4f4e",
  "submitTime": "2020-01-16",
  "title": "GNOME librsvg xml.rs\u6587\u4ef6\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2019-20446 (GCVE-0-2019-20446)

Vulnerability from cvelistv5

Published

2020-02-02 00:00

Modified

2024-08-05 02:39

Severity ?

CWE

Summary

In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

References

URL

Tags

	https://gitlab.gnome.org/GNOME/librsvg/issues/515
	http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00024.html	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3B5RWJQD5LA45MYLLR55KZJOJ5NVZGP/	vendor-advisory
	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6IOHSO6BUKC6I66J5PZOMAGFVJ66ZS57/	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2020/07/msg00016.html	mailing-list
	https://usn.ubuntu.com/4436-1/	vendor-advisory
	https://security.netapp.com/advisory/ntap-20221111-0004/