ArchLinux: 202101-12: python-cairosvg: denial of service
Summary
In python-cairosvg before version 2.5.1, there is a regular expression denial of service (ReDoS) vulnerability. When processing SVG files, the python package CairoSVG uses two regular expressions that are prone to catastrophic backtracking. An attacker who can supply a crafted SVG (for example, any service that renders untrusted SVG input with CairoSVG) can make python-cairosvg get stuck processing the file for a very long time, consuming CPU and blocking the caller. This is fixed in version 2.5.1.
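To show what this class of bug looks like in practice, the following is an added example written for this page; it is not CairoSVG's code, and the two patterns below are constructed for illustration rather than the two regexes the advisory refers to. A hypothetical rgba() colour parser (the names BAD_RGBA, SAFE_RGBA, parse_rgba, parse_rgba_unsafe, malicious_input and time_match are all assumptions of this example) first uses a nested-quantifier regex that backtracks exponentially when the closing parenthesis is missing, then a hardened regex in which every character has only one place to go, plus an input length cap.

```python
"""Constructed ReDoS demonstration: vulnerable regex vs. hardened regex.

Not CairoSVG's code; the patterns are invented for this example.
"""
import re
import time

# Hypothetical vulnerable pattern (constructed; NOT the pattern CairoSVG used).
# `(\d|\s)+` nested inside an outer `(...)+` means a run of digits can be split
# between the inner and outer repetitions in exponentially many ways. When the
# trailing `\)` never matches, the engine tries every split before giving up.
BAD_RGBA = re.compile(r'rgba\(((\d|\s)+,?)+\)')

# Hardened pattern: each component is matched by one bounded quantifier over a
# fixed character class, separated by literal commas, so backtracking is bounded
# and matching time is linear in the input length.
SAFE_RGBA = re.compile(
    r'rgba\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d*\.?\d+)\s*\)'
)


def parse_rgba_unsafe(text):
    """True if the constructed vulnerable regex accepts `text` (demo only)."""
    return BAD_RGBA.fullmatch(text) is not None


def parse_rgba(text, max_len=64):
    """Parse 'rgba(r, g, b, a)' with the hardened regex.

    Returns (r, g, b, a) or None. The length cap is defence in depth: even a
    linear-time regex should not be handed megabytes of attacker-controlled
    attribute text, and no legitimate colour value is anywhere near 64 bytes.
    """
    if len(text) > max_len:
        return None
    m = SAFE_RGBA.fullmatch(text)
    if not m:
        return None
    r, g, b = (int(m.group(i)) for i in (1, 2, 3))
    a = float(m.group(4))
    if not all(0 <= c <= 255 for c in (r, g, b)) or not 0.0 <= a <= 1.0:
        return None
    return (r, g, b, a)


def malicious_input(n):
    """Constructed attack string: n digits with the closing ')' deliberately missing."""
    return 'rgba(' + '1' * n


def time_match(pattern, text):
    """Seconds spent in pattern.fullmatch(text); the match result is discarded."""
    start = time.perf_counter()
    pattern.fullmatch(text)
    return time.perf_counter() - start


if __name__ == '__main__':
    print(parse_rgba('rgba(255, 0, 128, 0.5)'))
    # Each extra digit roughly doubles the work for the vulnerable pattern, so
    # keep n small; a few more digits would already take minutes.
    for n in (10, 14, 18):
        bad = time_match(BAD_RGBA, malicious_input(n))
        safe = time_match(SAFE_RGBA, malicious_input(n))
        print(f'n={n:2d}  vulnerable={bad:.4f}s  hardened={safe:.6f}s')
    # The hardened pattern stays fast on input far larger than any real colour.
    print(f'hardened, n=100000: {time_match(SAFE_RGBA, malicious_input(100000)):.4f}s')
```

Running the block prints the timings side by side: the vulnerable pattern's time grows by roughly a factor of two per added digit, while the hardened one rejects even a 100,000-character input almost instantly. The same two checks (no nested or overlapping quantifiers, and a cap on the length of attacker-controlled text) are what to look for when reviewing other regex-based parsers of SVG attributes.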
Resolution
Upgrade to 2.5.1-1.
# pacman -Syu "python-cairosvg>=2.5.1-1"
The problem has been fixed upstream in version 2.5.1.
References
https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
https://github.com/Kozea/CairoSVG/commit/063185b60588a41d4df661ad70f9f7b699901abc
https://security.archlinux.org/CVE-2021-21236
Workaround
None.