openSUSE-SU-2016:1333-1: moderate: Security update for librsvg
openSUSE Security Update: Security update for librsvg
______________________________________________________________________________

Announcement ID: openSUSE-SU-2016:1333-1
Rating: moderate
References: #977986
Cross-References: CVE-2016-4348
Affected Products:
openSUSE Leap 42.1
openSUSE 13.2
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:


This librsvg update to version 2.40.15 fixes the following issues:

Security issues fixed:
- CVE-2016-4348: DoS when parsing SVGs with circular definitions in the
_rsvg_css_normalize_font_size() function (boo#977986)

Bugs fixed:
- Actually scale the image if required, regression fix from upstream git
(bgo#760262).
- Fixed bgo#759084: Don't crash when filters don't actually exist.
- Updated our autogen.sh to use modern autotools.
- Fixed bgo#761728: Memory leak in the PrimitiveComponentTransfer filter.
- Added basic support for the "baseline-shift" attribute in text objects
(bgo#340047).
- Fixed some duplicate logic when rendering paths (bgo#749415).
- Rewrote the markers engine (bgo#685906, bgo#760180).
- Refactoring of the test harness to use Glib's gtest infrastructure,
instead of using home-grown machinery. Tests can simply be put as SVG
files in the tests/ subdirectories; it is not necessary to list them
explicitly in some text file.
- Gzipped SVGs now work if read from streams.
- References to objects/filters/URIs/etc. are now handled lazily. Also,
there is a general-purpose cycle detector so malformed SVGs don't cause
infinite loops.
- Removed parsing of Adobe blend modes; they were not implemented, anyway.
- Added project files for building on Visual Studio (bgo#753555).
- Added an "--export-id" option to rsvg-convert(1). This lets you select a
single object to export, for example, to pick out a group from a
multi-part drawing. Note that this is mostly useful for PNG output
right now; for SVG output we don't preserve many attributes which could
be useful in the extracted version. Doing this properly requires an
internal "output to SVG" backend instead of just telling Cairo to render
to SVG.
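The fix for CVE-2016-4348 and the new general-purpose cycle detector both address the same failure mode: following id-based references in a malformed SVG without remembering what has already been visited. The following added example (not librsvg's code) shows the idea on a constructed document: resolving href/xlink:href chains with a visited set so that a circular reference is reported instead of looping forever, and a small audit pass that classifies every id before rendering.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

class CyclicReferenceError(ValueError):
    """A chain of id references loops back on itself."""

def build_index(svg_text):
    """Parse the document and map id -> element for every element with an id."""
    root = ET.fromstring(svg_text)
    return {e.get("id"): e for e in root.iter() if e.get("id") is not None}

def resolve_chain(index, start_id):
    """Follow href chains from start_id; raise CyclicReferenceError on a repeated id."""
    chain, seen, current = [], set(), start_id
    while True:
        if current in seen:
            raise CyclicReferenceError(" -> ".join(chain + [current]))
        seen.add(current)
        chain.append(current)
        elem = index[current]  # KeyError on a dangling reference
        href = elem.get("href") or elem.get(f"{{{XLINK_NS}}}href")
        if href is None:
            return chain  # reached an element that references nothing
        current = href[1:]  # "#id"; a non-local ref falls through to KeyError

def audit(svg_text):
    """Classify every id as 'ok', 'cycle' or 'dangling' before rendering."""
    index = build_index(svg_text)
    verdict = {}
    for ident in index:
        try:
            resolve_chain(index, ident)
            verdict[ident] = "ok"
        except CyclicReferenceError:
            verdict[ident] = "cycle"
        except KeyError:
            verdict[ident] = "dangling"
    return verdict

# Constructed sample: a -> b -> c terminates, x -> y -> x is a cycle, d dangles.
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="{XLINK_NS}">
  <rect id="c" width="10" height="10"/>
  <use id="b" xlink:href="#c"/>
  <use id="a" href="#b"/>
  <use id="x" href="#y"/>
  <use id="y" href="#x"/>
  <use id="d" href="#missing"/>
</svg>"""
```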


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.1:

zypper in -t patch openSUSE-2016-608=1

- openSUSE 13.2:

zypper in -t patch openSUSE-2016-608=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE Leap 42.1 (i586 x86_64):

gdk-pixbuf-loader-rsvg-2.40.15-7.1
gdk-pixbuf-loader-rsvg-debuginfo-2.40.15-7.1
librsvg-2-2-2.40.15-7.1
librsvg-2-2-debuginfo-2.40.15-7.1
librsvg-debugsource-2.40.15-7.1
librsvg-devel-2.40.15-7.1
rsvg-view-2.40.15-7.1
rsvg-view-debuginfo-2.40.15-7.1
typelib-1_0-Rsvg-2_0-2.40.15-7.1

- openSUSE Leap 42.1 (x86_64):

gdk-pixbuf-loader-rsvg-32bit-2.40.15-7.1
gdk-pixbuf-loader-rsvg-debuginfo-32bit-2.40.15-7.1
librsvg-2-2-32bit-2.40.15-7.1
librsvg-2-2-debuginfo-32bit-2.40.15-7.1

- openSUSE 13.2 (i586 x86_64):

gdk-pixbuf-loader-rsvg-2.40.15-10.1
gdk-pixbuf-loader-rsvg-debuginfo-2.40.15-10.1
librsvg-2-2-2.40.15-10.1
librsvg-2-2-debuginfo-2.40.15-10.1
librsvg-debugsource-2.40.15-10.1
librsvg-devel-2.40.15-10.1
rsvg-view-2.40.15-10.1
rsvg-view-debuginfo-2.40.15-10.1
typelib-1_0-Rsvg-2_0-2.40.15-10.1

- openSUSE 13.2 (x86_64):

gdk-pixbuf-loader-rsvg-32bit-2.40.15-10.1
gdk-pixbuf-loader-rsvg-debuginfo-32bit-2.40.15-10.1
librsvg-2-2-32bit-2.40.15-10.1
librsvg-2-2-debuginfo-32bit-2.40.15-10.1


References:

https://www.suse.com/security/cve/CVE-2016-4348.html
https://bugzilla.suse.com/977986

