SUSE SLED12 / SLES12 Security Update : librsvg (SUSE-SU-2018:1288-1)

Medium Nessus Plugin ID 109859

Synopsis

The remote SUSE host is missing one or more security updates.

Description

This update for librsvg fixes the following issues :

- CVE-2018-1000041: Input validation issue could lead to credentials leak. (bsc#1083232)

Update to version 2.40.20 :

+ Except for emergencies, this will be the LAST RELEASE of the librsvg-2.40.x series. We are moving to 2.41, which is vastly improved over the 2.40 series. The API/ABI there remain unchanged, so we strongly encourage you to upgrade your sources and binaries to librsvg-2.41.x.

+ bgo#761175 - Allow masks and clips to reuse a node being drawn.

+ Don't access the file system when deciding whether to load a remote file with a UNC path for a paint server (i.e. don't try to load it at all).

+ Visual Studio: fixed and integrated introspection builds, so introspection data is built directly from the Visual Studio project (Chun-wei Fan).

+ Visual Studio: We now use HIGHENTROPYVA linker option on x64 builds, to enhance the security of built binaries (Chun-wei Fan).

+ Fix generation of Vala bindings when compiling in read-only source directories (Emmanuele Bassi).

Update to version 2.40.19 :

+ bgo#621088: Using text objects as clipping paths is now supported.

+ bgo#587721: Fix rendering of text elements with transformations (Massimo).

+ bgo#777833 - Fix memory leaks when an RsvgHandle is disposed before being closed (Philip Withnall).

+ bgo#782098 - Don't pass deprecated options to gtk-doc (Ting-Wei Lan).

+ bgo#786372 - Fix the default for the 'type' attribute of the <style> element.

+ bgo#785276 - Don't crash on single-byte files.

+ bgo#634514: Don't render unknown elements and their sub-elements.

+ bgo#777155 - Ignore patterns that have close-to-zero dimensions.

+ bgo#634324 - Fix Gaussian blurs with negative scaling.

+ Fix the <switch> element; it wasn't working at all.

+ Fix loading when rsvg_handle_write() is called one byte at a time.

+ bgo#787895 - Fix incorrect usage of libxml2. Thanks to Nick Wellnhofer for advice on this.

+ Backported the test suite machinery from the master branch (Chun-wei Fan, Federico Mena).

+ We now require Pango 1.38.0 or later (released in 2015).

+ We now require libxml2 2.9.0 or later (released in 2012).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Software Development Kit 12-SP3: zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-912=1

SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-912=1

SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-912=1

See Also

https://bugzilla.suse.com/1083232

https://www.suse.com/security/cve/CVE-2018-1000041.html

http://www.nessus.org/u?c70bda3a

Plugin Details

Severity: Medium

ID: 109859

File Name: suse_SU-2018-1288-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2018/05/16

Modified: 2018/05/16

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

CVSSv3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:gdk-pixbuf-loader-rsvg, p-cpe:/a:novell:suse_linux:gdk-pixbuf-loader-rsvg-debuginfo, p-cpe:/a:novell:suse_linux:librsvg-2, p-cpe:/a:novell:suse_linux:librsvg-2-2, p-cpe:/a:novell:suse_linux:librsvg-2-2-debuginfo, p-cpe:/a:novell:suse_linux:librsvg-debugsource, p-cpe:/a:novell:suse_linux:rsvg-view, p-cpe:/a:novell:suse_linux:rsvg-view-debuginfo, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2018/05/15

Reference Information

CVE: CVE-2018-1000041

OSVDB: 172736