
openSUSE 15.2: 2021:1134-1 Moderate: Python-CairoSVG Denial Of Service

August 10, 2021
This update for python-CairoSVG and python-Pillow fixes a Regular Expression Denial of Service (ReDoS) in CairoSVG's SVG processing and the thirteen CVEs listed under References, and brings both packages to the versions given in the Package List.
An update that fixes 13 vulnerabilities is now available

Description

This update for python-CairoSVG, python-Pillow fixes the following issues:

Update to version 2.5.1.

* Security fix: When processing SVG files, CairoSVG was using two regular expressions which are vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provided a malicious SVG, it could make CairoSVG get stuck processing the file for a very long time.

* Fix marker positions for unclosed paths

* Follow hint when only output_width or output_height is set

* Handle opacity on raster images

* Don't crash when use tags reference unknown tags

* Take care of the next letter when A/a is replaced by l

* Fix misalignment in node.vertices

Updates for version 2.5.0.

* Drop support of Python 3.5, add support of Python 3.9.

* Add EPS export

* Add background-color, negate-colors, and invert-images options

* Improve support for font weights

* Fix opacity of patterns and gradients

* Support auto-start-reverse value...
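The ReDoS entry under 2.5.1 states the mechanism in one sentence. The Python program below, added here as an illustration and not code from CairoSVG or from the openSUSE advisory, shows it with a constructed pattern of the same general shape (a repeated group whose pieces overlap, so a run of word characters can be split in exponentially many ways before the match finally fails) next to an unambiguous rewrite and an input-length cap. The two patterns, the MAX_ATTR_LEN limit and the payload generator are assumptions made for this demo; they are not the patterns CairoSVG shipped or fixed.

```python
"""ReDoS demonstration: an ambiguous regex next to an unambiguous rewrite."""
import re
import time

# Hypothetical stand-in for the kind of pattern the advisory describes; it is
# NOT the pattern CairoSVG used. It is meant to accept a whitespace-separated
# list of identifiers (think of an SVG `class` attribute). Because the inner
# `\s?` is optional, `(\w+\s?)+` can partition a run of word characters in
# 2^(n-1) ways, and on a non-matching tail the engine tries all of them.
VULNERABLE_RE = re.compile(r"^(\w+\s?)+$")

# Rewrite with no overlap between adjacent repeated pieces: a run of word
# characters can only be consumed by one `\w+`, and a separator must be real
# whitespace, so the engine backtracks at most a constant amount per position.
SAFE_RE = re.compile(r"^\w+(?:\s+\w+)*$")

# Defence in depth: refuse absurdly long attribute values before any regex
# sees them. The limit is an assumption chosen for this demo.
MAX_ATTR_LEN = 4096


def is_identifier_list(value: str, pattern: re.Pattern = SAFE_RE) -> bool:
    """Return True if `value` is a whitespace-separated list of identifiers."""
    if len(value) > MAX_ATTR_LEN:
        return False
    return pattern.match(value) is not None


def evil_input(n: int) -> str:
    """Constructed attacker payload: n word characters followed by one
    character that can never match, forcing the engine to try every split."""
    return "a" * n + "!"


def time_match(pattern: re.Pattern, value: str) -> float:
    """Seconds spent deciding whether `value` matches `pattern`."""
    start = time.perf_counter()
    pattern.match(value)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Each extra character roughly doubles the vulnerable pattern's time;
    # the safe pattern stays flat.
    for n in (16, 18, 20):
        payload = evil_input(n)
        print(f"n={n:2d}  vulnerable={time_match(VULNERABLE_RE, payload):.3f}s  "
              f"safe={time_match(SAFE_RE, payload):.6f}s")
```

Run it and watch the vulnerable column double with every two extra characters while the safe column stays in the microseconds; that doubling is what lets a single crafted attribute stall a converter. When auditing a parser, look for a quantified group whose body can itself match the empty string or overlap with its neighbour, and either make the grammar unambiguous as above or bound the input before matching.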



Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.2:

zypper in -t patch openSUSE-2021-1134=1

Package List

- openSUSE Leap 15.2 (noarch):

python3-CairoSVG-2.5.1-lp152.2.3.1

- openSUSE Leap 15.2 (x86_64):

python-Pillow-debuginfo-8.3.1-lp152.5.3.1

python-Pillow-debugsource-8.3.1-lp152.5.3.1

python3-Pillow-8.3.1-lp152.5.3.1

python3-Pillow-debuginfo-8.3.1-lp152.5.3.1

python3-Pillow-tk-8.3.1-lp152.5.3.1

python3-Pillow-tk-debuginfo-8.3.1-lp152.5.3.1
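After running the zypper command above, the thing a practitioner wants to confirm, on one host or across a fleet, is that the installed packages are at or above the versions in the Package List. The Python script below is an added example, not part of the advisory or of any SUSE tooling: it takes the output of a `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` query, compares it with the fixed versions copied from the list above using a simplified rpmvercmp-style ordering, and reports what is still unpatched. The sample query output is constructed for the demo, the comparison ignores epochs and the tilde/caret rules of real rpmvercmp (an assumption that holds for these version strings), and the debuginfo/debugsource packages are left out because they carry the same version-release as their parent.

```python
"""Check installed package versions against the fixed versions in this advisory."""
import re

# Fixed name -> version-release pairs, copied from the advisory's Package List.
# Epochs are ignored: none of these packages carry one (assumption).
FIXED_VERSIONS = {
    "python3-CairoSVG": "2.5.1-lp152.2.3.1",
    "python3-Pillow": "8.3.1-lp152.5.3.1",
    "python3-Pillow-tk": "8.3.1-lp152.5.3.1",
}

# Constructed sample of what this query prints on a partly patched host:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' python3-CairoSVG python3-Pillow python3-Pillow-tk
# The installed versions below are invented for the demo, not taken from a real host.
SAMPLE_RPM_OUTPUT = """\
python3-CairoSVG 2.5.0-lp152.1.2
python3-Pillow 8.3.1-lp152.5.3.1
python3-Pillow-tk 8.2.0-lp152.4.1
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def _cmp_segments(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alphanumeric segments left to right.

    Digit runs compare numerically, letter runs lexically, a digit run beats a
    letter run, and when one string runs out the longer one is newer. The
    tilde and caret rules of real rpmvercmp are omitted (assumption: the
    versions compared here do not use them).
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def compare_evr(installed: str, fixed: str) -> int:
    """Compare two 'version-release' strings; negative means installed is older.

    RPM versions cannot contain '-', so splitting on the last dash separates
    version from release unambiguously.
    """
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return _cmp_segments(iv, fv) or _cmp_segments(ir, fr)


def find_unpatched(rpm_output: str) -> dict:
    """Return {name: (installed, fixed)} for packages still below the fixed version.

    Lines for packages that are not installed ("package X is not installed")
    or not in FIXED_VERSIONS are ignored: an absent package is not affected.
    """
    unpatched = {}
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        name, vr = line.split(None, 1)
        fixed = FIXED_VERSIONS.get(name)
        if fixed is not None and compare_evr(vr.strip(), fixed) < 0:
            unpatched[name] = (vr.strip(), fixed)
    return unpatched


if __name__ == "__main__":
    for name, (have, want) in sorted(find_unpatched(SAMPLE_RPM_OUTPUT).items()):
        print(f"{name}: installed {have}, advisory ships {want}; "
              f"apply patch openSUSE-2021-1134")
```

On a real host, pipe the rpm query into the script instead of using the constructed sample; a host that reports nothing is at or above every version in the Package List. Remember that a version check only proves the package was replaced: long-running processes that imported the old Pillow or CairoSVG modules keep the vulnerable code in memory until they are restarted.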

References

https://www.suse.com/security/cve/CVE-2020-15999.html

https://www.suse.com/security/cve/CVE-2020-35653.html

https://www.suse.com/security/cve/CVE-2020-35654.html

https://www.suse.com/security/cve/CVE-2020-35655.html

https://www.suse.com/security/cve/CVE-2021-25289.html

https://www.suse.com/security/cve/CVE-2021-25290.html

https://www.suse.com/security/cve/CVE-2021-25291.html

https://www.suse.com/security/cve/CVE-2021-25292.html

https://www.suse.com/security/cve/CVE-2021-25293.html

https://www.suse.com/security/cve/CVE-2021-27921.html

https://www.suse.com/security/cve/CVE-2021-27922.html

https://www.suse.com/security/cve/CVE-2021-27923.html

https://www.suse.com/security/cve/CVE-2021-34552.html

https://bugzilla.suse.com/1180832

https://bugzilla.suse.com/1180833

https://bugzilla.suse.com/1180834

https://bugzilla.suse.com/1181281

Announcement ID: openSUSE-SU-2021:1134-1
Rating: moderate
Affected Products: openSUSE Leap 15.2
