A python-cairosvg security update has been released for Arch Linux.

ASA-202101-12: python-cairosvg: denial of service


Arch Linux Security Advisory ASA-202101-12
==========================================
Severity: Low
Date    : 2021-01-12
CVE-ID  : CVE-2021-21236
Package : python-cairosvg
Type    : denial of service
Remote  : No
Link    : https://security.archlinux.org/AVG-1412

Summary
=======
The package python-cairosvg before version 2.5.1-1 is vulnerable to
denial of service.

Resolution
==========
Upgrade to 2.5.1-1.

# pacman -Syu "python-cairosvg>=2.5.1-1"

The problem has been fixed upstream in version 2.5.1.

Workaround
==========
None.

Description
===========
In python-cairosvg before version 2.5.1, there is a regular expression
denial of service (REDoS) vulnerability. When processing SVG files, the
Python package CairoSVG uses two regular expressions that are vulnerable
to REDoS. If an attacker provides a malicious SVG, python-cairosvg can
get stuck processing the file for a very long time. This is fixed in
version 2.5.1.
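The advisory does not quote the two affected regular expressions, so the
following added example (not CairoSVG's code, and not taken from the fix
commit) uses a constructed pattern of the same class to show how this
kind of REDoS arises and what the defensive fix looks like: a nested
quantifier whose inner and outer repetitions can absorb the same
characters is rewritten so that the input has exactly one possible
partition, and an assumed length cap (MAX_ATTRIBUTE_LEN, not a value from
the advisory) is applied before any regex runs on attacker-controlled
attribute text.

```python
import re
import time

# Constructed pattern of the vulnerable class described in the advisory.
# The inner \w+ and the outer repetition can both absorb the same run of
# word characters, so a near-miss input ("aaaa...!") forces the engine to
# try every partition of the run before failing: exponential backtracking.
# This is NOT one of CairoSVG's own regular expressions.
TOKENS_VULNERABLE = re.compile(r'^\s*(\w+\s*)+$')

# Hardened pattern accepting the same language (one or more word tokens
# separated by whitespace, optional surrounding whitespace). Every extra
# repetition must begin with whitespace, so \s+ and \w+ never compete for
# the same character and any input has exactly one partition: a failed
# match costs linear time.
TOKENS_SAFE = re.compile(r'^\s*\w+(\s+\w+)*\s*$')

# Assumed defensive cap on attribute length; not a value from the advisory.
MAX_ATTRIBUTE_LEN = 4096


def is_token_list(value: str, pattern: re.Pattern = TOKENS_SAFE) -> bool:
    """Return True if `value` is a whitespace-separated list of word tokens.

    Oversized input is rejected before the regex runs, so a backtracking
    pattern can never be driven by an unbounded attacker-controlled string.
    """
    if len(value) > MAX_ATTRIBUTE_LEN:
        return False
    return pattern.match(value) is not None


def pathological_input(n: int) -> str:
    """Near-miss input: n word characters followed by one character that
    can never match, so the match must fail after backtracking."""
    return "a" * n + "!"


def time_match(pattern: re.Pattern, value: str) -> float:
    """Wall-clock seconds for one match attempt; the result is discarded."""
    start = time.perf_counter()
    pattern.match(value)
    return time.perf_counter() - start


def patterns_agree(samples) -> bool:
    """True if the vulnerable and hardened patterns accept or reject every
    sample identically, i.e. the rewrite did not change the language."""
    return all(
        (TOKENS_VULNERABLE.match(s) is None) == (TOKENS_SAFE.match(s) is None)
        for s in samples
    )


if __name__ == "__main__":
    # Small n keeps the vulnerable run short; each extra character roughly
    # doubles its time while the hardened pattern stays flat.
    for n in (10, 12, 14, 16):
        value = pathological_input(n)
        print(f"n={n:2d}  vulnerable={time_match(TOKENS_VULNERABLE, value):.4f}s"
              f"  hardened={time_match(TOKENS_SAFE, value):.6f}s")
```

Running the module prints the timing comparison for growing near-miss
inputs; the length cap is the belt-and-braces measure that still helps
when a pattern has not yet been audited for overlapping quantifiers.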

Impact
======
A malicious user could craft an SVG that takes a very long time to
process, resulting in a denial of service.

References
==========
  https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
  https://github.com/Kozea/CairoSVG/commit/063185b60588a41d4df661ad70f9f7b699901abc
  https://security.archlinux.org/CVE-2021-21236