openSUSE Security Update : librsvg (openSUSE-2016-608)

This script is Copyright (C) 2016 Tenable Network Security, Inc.

Synopsis :

The remote openSUSE host is missing a security update.

Description :

This librsvg update to version 2.40.15 fixes the following issues :

Security issues fixed :

- CVE-2016-4348: denial of service (DoS) when parsing SVGs with circular
definitions in the _rsvg_css_normalize_font_size() function.

Bugs fixed :

- Actually scale the image if required, regression fix
from upstream git (bgo#760262).

- Fixed bgo#759084: Don't crash when filters don't
actually exist.

- Updated our to use modern autotools.

- Fixed bgo#761728: Memory leak in the
PrimitiveComponentTransfer filter.

- Added basic support for the 'baseline-shift' attribute
in text objects (bgo#340047).

- Fixed some duplicate logic when rendering paths.

- Rewrote the markers engine (bgo#685906, bgo#760180).

- Refactoring of the test harness to use Glib's gtest
infrastructure, instead of using home-grown machinery.
Tests can simply be put as SVG files in the
tests/subdirectories; it is not necessary to list them
explicitly in some text file.

- Gzipped SVGs now work if read from streams.

- References to objects/filters/URIs/etc. are now handled
lazily. Also, there is a general-purpose cycle detector
so malformed SVGs don't cause infinite loops.
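As an added illustration of the kind of check described above (this is not librsvg's own cycle detector), the following Python pre-filter builds the id-reference graph of an SVG (href, xlink:href and url(#...) references) and reports one cycle before the file is handed to a renderer; the sample document, its element ids and the function names are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_REF = re.compile(r"url\(\s*#([^)\s]+)\s*\)")

# Constructed sample: a -> b -> c -> a form a ring; "orphan" points at a missing filter.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs>
    <g id="a"><use xlink:href="#b"/></g>
    <g id="b"><use xlink:href="#c"/></g>
    <g id="c"><rect width="1" height="1" filter="url(#a)"/></g>
    <g id="orphan"><rect width="1" height="1" filter="url(#missing)"/></g>
  </defs>
</svg>"""

def reference_graph(svg_text):
    """Map each id'd element to the ids its subtree references (href, xlink:href, url(#...))."""
    graph = {}
    for el in ET.fromstring(svg_text).iter():  # stdlib parser; use defusedxml for untrusted input
        if el.get("id"):
            refs = set()
            for node in el.iter():  # el itself plus every descendant
                for attr, value in node.attrib.items():
                    if attr in (XLINK_HREF, "href") and value.startswith("#"):
                        refs.add(value[1:])
                    refs.update(URL_REF.findall(value))
            graph[el.get("id")] = refs
    return graph

def find_cycle(graph):
    """Return one reference cycle as a list of ids (first id repeated at the end), or None."""
    WHITE, GREY, BLACK = 0, 1, 2  # unvisited / on the current DFS path / fully explored
    colour = dict.fromkeys(graph, WHITE)
    for start in graph:
        if colour[start] == WHITE:
            colour[start], stack = GREY, [(start, iter(sorted(graph[start])))]
            while stack:
                for nxt in stack[-1][1]:
                    state = colour.get(nxt, BLACK)  # missing definition: nothing to recurse into
                    if state == GREY:  # back edge: nxt is still on the path -> cycle
                        path = [node for node, _ in stack]
                        return path[path.index(nxt):] + [nxt]
                    if state == WHITE:
                        colour[nxt] = GREY
                        stack.append((nxt, iter(sorted(graph[nxt]))))
                        break
                else:  # iterator exhausted: this node and its subtree are done
                    colour[stack.pop()[0]] = BLACK
    return None
```

A dangling reference such as the "orphan" entry is reported as an edge to a missing id rather than treated as a cycle, mirroring the separate "filters don't actually exist" fix listed above.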

- Removed parsing of Adobe blend modes; they were not
implemented, anyway.

- Added project files for building on Visual Studio.

- Added an '--export-id' option to rsvg-convert(1). This
lets you select a single object to export, for example,
to pick out a group from a multi-part drawing. Note that
this is mostly useful for PNG output right now; for SVG
output we don't preserve many attributes which could be
useful in the extracted version. Doing this properly
requires an internal 'output to SVG' backend instead of
just telling Cairo to render to SVG.

Solution :

Update the affected librsvg packages.

Risk factor :

Medium / CVSS Base Score : 5.0

Family: SuSE Local Security Checks

Nessus Plugin ID: 91278

CVE ID: CVE-2016-4348
