Alerts This Week
Warning Icon 1 483
Alerts This Week
Warning Icon 1 483

Ubuntu 18.04, 16.04 LTS: USN-4436-2 Update on Librsvg Regression

ubuntu
Calendar Grey July 29, 2020
Dist Ubuntu Esm H88
Ubuntu Security Notice USN-4436-3 highlights an important fix in libgtk across multiple versions, with significant information provided.
USN-4436-1 introduced a regression in librsvg.

Summary

USN-4436-1 introduced a regression in librsvg.

Software Description:

- librsvg: renderer library for SVG files

Details:

USN-4436-1 fixed a vulnerability in librsvg. The upstream fix caused a

regression when parsing certain SVG files. This update backs out the fix

pending further investigation.

Original advisory details:

It was discovered that librsvg incorrectly handled parsing certain SVG

files. A remote attacker could possibly use this issue to cause librsvg to

crash, resulting in a denial of service. This issue only affected Ubuntu

16.04 LTS. (CVE-2017-11464)

It was discovered that librsvg incorrectly handled parsing certain SVG

files with nested patterns. A remote attacker could possibly use this issue

to cause librsvg to consume resources and crash, resulting in a denial of

service. (CVE-2019-20446)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.04 LTS:
  librsvg2-2                      2.40.20-2ubuntu0.2

Ubuntu 16.04 LTS:
  librsvg2-2                      2.40.13-3ubuntu0.2

After a standard system update you need to restart your session to make all
the necessary changes.

References

https://ubuntu.com/security/notices/USN-4436-2

https://ubuntu.com/security/notices/USN-4436-1

https://bugs.launchpad.net/ubuntu/xenial/+source/librsvg/+bug/1889206

Severity
critical
Lowest
Low
Medium
High
Critical

July 29, 2020

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here