Control: tag -1 patch
Hi,
Attached CVE-2013-1881* patches apply to librsvg in squeeze, with only
a partial origin policy (it ignores the location in the local fs).
Upstream's librsvg patches apply clean to the version in wheezy,
except that the gtk+3.0 patch needs some tweaks;
use_data_uris_for_symbolic_icons.patch does the same for the version
in wheezy.
Could you please prepare packages for O/SPU and coordinate with the
release team?
TIA.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Index: librsvg-2.26.3/rsvg-image.c
===================================================================
--- librsvg-2.26.3.orig/rsvg-image.c 2013-11-28 12:01:22.865236793 +0100
+++ librsvg-2.26.3/rsvg-image.c 2013-11-28 12:17:25.242370794 +0100
@@ -356,6 +356,51 @@ rsvg_acquire_vfs_resource (const char *f
}
#endif
+/* Partial origin-based policy, based on the one implemented in f01aded72c38f0e1 */
+gboolean
+_rsvg_acquire_xlink_allow_load (const char *href, const char *base_uri, GError ** err)
+{
+ char *base_scheme = NULL, *href_scheme = NULL;
+
+ if (base_uri)
+ base_scheme = g_uri_parse_scheme (base_uri);
+ if (href)
+ href_scheme = g_uri_parse_scheme (href);
+
+ /* Not a valid URI */
+ if (href_scheme == NULL)
+ goto deny;
+
+ /* Allow loads of data: from any location */
+ if (g_str_equal (href_scheme, "data"))
+ return TRUE;
+
+ /* no valid base URI */
+ if (base_scheme == NULL)
+ goto deny;
+
+ /* Deny loads from differing URI schemes */
+ if (href_scheme == NULL || !g_str_equal (href_scheme, base_scheme))
+ goto deny;
+
+ /* resource: is allowed to load anything from other resources */
+ if (g_str_equal (href_scheme, "resource"))
+ return TRUE;
+
+ /* Non-file: isn't allowed to load anything */
+ if (!g_str_equal (href_scheme, "file"))
+ goto deny;
+
+ /* no local-file policy is applied here */
+
+ return TRUE;
+
+deny:
+ g_set_error (err, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
+ "File may not link to URI \"%s\"", href);
+ return FALSE;
+}
+
GByteArray *
_rsvg_acquire_xlink_href_resource (const char *href, const char *base_uri, GError ** err)
{
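Review bot: `base_scheme` and `href_scheme` returned by `g_uri_parse_scheme` are never freed on any of the function's exits (the two `return TRUE` lines, the `return FALSE` after `deny:`), so every xlink resolution leaks two allocated strings; all exits should funnel through a single cleanup. The second `href_scheme == NULL` test on the scheme-comparison line is redundant, since that case already jumped to `deny` a few lines earlier. The rewrite below keeps the decision order exactly as added (data: allowed from anywhere, scheme must match the base, only resource: and file: pass) and only adds the cleanup. The hunk's last line opens `_rsvg_acquire_xlink_href_resource`, whose body lies outside this hunk.
```c
gboolean
_rsvg_acquire_xlink_allow_load (const char *href, const char *base_uri, GError ** err)
{
    char *base_scheme = NULL, *href_scheme = NULL;
    gboolean allowed = FALSE;

    if (base_uri)
        base_scheme = g_uri_parse_scheme (base_uri);
    if (href)
        href_scheme = g_uri_parse_scheme (href);

    /* Not a valid URI */
    if (href_scheme == NULL)
        goto out;

    /* Allow loads of data: from any location */
    if (g_str_equal (href_scheme, "data")) {
        allowed = TRUE;
        goto out;
    }

    /* No valid base URI, or differing URI schemes */
    if (base_scheme == NULL || !g_str_equal (href_scheme, base_scheme))
        goto out;

    /* resource: may load other resources; file: has no local-file policy applied here.
     * Every other scheme is denied. */
    if (g_str_equal (href_scheme, "resource") || g_str_equal (href_scheme, "file"))
        allowed = TRUE;

out:
    if (!allowed)
        g_set_error (err, G_IO_ERROR, G_IO_ERROR_PERMISSION_DENIED,
                     "File may not link to URI \"%s\"", href);
    g_free (base_scheme);
    g_free (href_scheme);
    return allowed;
}
```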
@@ -367,6 +412,9 @@ _rsvg_acquire_xlink_href_resource (const
if (!strncmp (href, "data:", 5))
arr = rsvg_acquire_base64_resource (href, NULL);
+ if (!_rsvg_acquire_xlink_allow_load(href, base_uri, err))
+ return NULL;
+
if (!arr)
arr = rsvg_acquire_file_resource (href, base_uri, NULL);
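Review bot: The new `_rsvg_acquire_xlink_allow_load` call sits after the `data:` branch has already run `rsvg_acquire_base64_resource`, so for that path authorization happens after the work is done; the policy always admits `data:` so nothing is mis-allowed, but a reader expects the gate before any acquisition. Hoisting `if (!_rsvg_acquire_xlink_allow_load (href, base_uri, err)) return NULL;` above the `strncmp (href, "data:", 5)` line makes the check cover every path uniformly and avoids decoding before the decision. `_rsvg_acquire_xlink_href_resource` starts and ends outside this hunk, so any earlier validation of `href` is not visible here.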
Index: librsvg-2.26.3/rsvg-base.c
===================================================================
--- librsvg-2.26.3.orig/rsvg-base.c 2013-11-28 12:01:22.865236793 +0100
+++ librsvg-2.26.3/rsvg-base.c 2013-11-28 12:13:54.913248784 +0100
@@ -1049,12 +1049,13 @@ rsvg_handle_set_base_uri (RsvgHandle * h
else
uri = rsvg_get_base_uri_from_filename (base_uri);
- if (uri) {
- if (handle->priv->base_uri)
- g_free (handle->priv->base_uri);
- handle->priv->base_uri = uri;
- rsvg_defs_set_base_uri (handle->priv->defs, handle->priv->base_uri);
- }
+ if (!uri)
+ uri = g_strdup("data:");
+
+ if (handle->priv->base_uri)
+ g_free (handle->priv->base_uri);
+ handle->priv->base_uri = uri;
+ rsvg_defs_set_base_uri (handle->priv->defs, handle->priv->base_uri);
}
/**
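Review bot: The `uri = g_strdup("data:")` fallback needs a comment, because a reader will not guess why a missing base URI becomes the literal string `data:`: with the origin check added in rsvg-image.c, a base whose scheme is `data` only matches `data:` hrefs, so the fallback fails closed for file: and remote references instead of leaving the base unset. Suggest `/* No usable base URI: fall back to "data:" so that only data: hrefs pass the xlink origin check. */` above the `if (!uri)`. rsvg_handle_set_base_uri begins outside this hunk.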
Index: librsvg-2.26.3/rsvg-base.c
===================================================================
--- librsvg-2.26.3.orig/rsvg-base.c 2010-05-01 01:10:51.000000000 +0200
+++ librsvg-2.26.3/rsvg-base.c 2013-11-26 16:24:02.903472891 +0100
@@ -602,6 +602,7 @@ rsvg_start_xinclude (RsvgHandle * ctx, R
int result;
xml_parser = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, ctx, NULL, 0, NULL);
+ xml_parser->options |= XML_PARSE_NONET;
result = xmlParseChunk (xml_parser, (char *) data->data, data->len, 0);
result = xmlParseChunk (xml_parser, "", 0, TRUE);
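Review bot: `xml_parser->options |= XML_PARSE_NONET;` dereferences the context without checking that `xmlCreatePushParserCtxt` returned one; the existing code hands the possibly-NULL pointer to `xmlParseChunk`, which reports an error for a NULL context rather than crashing, so the added line is the first place an allocation failure would fault. Guard it, `if (xml_parser) xml_parser->options |= XML_PARSE_NONET;`, or better, bail out before parsing when the context is NULL. The same unchecked dereference is added to `handle->priv->ctxt` in the rsvg_handle_write_impl hunk below. Both enclosing functions extend beyond their hunks.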
@@ -1118,6 +1119,7 @@ rsvg_handle_write_impl (RsvgHandle * han
if (handle->priv->ctxt == NULL) {
handle->priv->ctxt = xmlCreatePushParserCtxt (&rsvgSAXHandlerStruct, handle, NULL, 0,
rsvg_handle_get_base_uri (handle));
+ handle->priv->ctxt->options |= XML_PARSE_NONET;
/* if false, external entities work, but internal ones don't. if true, internal entities
work, but external ones don't. favor internal entities, in order to not cause a
Index: gtk+3.0-3.4.2/gtk/gtkicontheme.c
===================================================================
--- gtk+3.0-3.4.2.orig/gtk/gtkicontheme.c 2012-05-02 14:46:50.000000000 +0200
+++ gtk+3.0-3.4.2/gtk/gtkicontheme.c 2013-11-27 14:16:27.393901153 +0100
@@ -3170,6 +3170,8 @@ _gtk_icon_info_load_symbolic_internal (G
GdkPixbuf *pixbuf;
gchar *data;
gchar *success, *warning, *err;
+ gchar *file_data, *escaped_file_data;
+ gsize file_len;
/* css_fg can't possibly have failed, otherwise
* that would mean we have a broken style */
@@ -3193,6 +3195,11 @@ _gtk_icon_info_load_symbolic_internal (G
err = gdk_color_to_css (&error_default_color);
}
+ if (!g_file_get_contents (icon_info->filename, &file_data, &file_len, NULL))
+ return NULL;
+
+ escaped_file_data = g_markup_escape_text (file_data, file_len);
+ g_free (file_data);
data = g_strconcat ("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\n"
"<svg version=\"1.1\"\n"
@@ -3214,9 +3221,10 @@ _gtk_icon_info_load_symbolic_internal (G
" fill: ", css_success ? css_success : success," !important;\n"
" }\n"
" </style>\n"
- " <xi:include href=\"", icon_info->filename, "\"/>\n"
+ " <xi:include href=\"data:text/xml,", escaped_file_data, "\"/>\n"
"</svg>",
NULL);
+ g_free (escaped_file_data);
g_free (warning);
g_free (err);
g_free (success);
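Review bot: The switch from `xi:include href="<filename>"` to an inline `data:text/xml,` URI is the part of the change a future maintainer is most likely to revert as "odd", so it deserves a comment: `/* Inline the icon as a data: URI rather than xi:include'ing the file: librsvg's origin policy no longer lets a document with a data: base include a file: path. */` next to the `xi:include` line. `g_markup_escape_text` makes the content safe for the attribute context, but whether a `%` or `#` inside the icon's text survives librsvg's parsing of the data: URI depends on its data: handling, which is not visible here; an icon containing such characters is worth a test.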