Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: cairo...@packages.debian.org, car...@debian.org
Control: affects -1 + src:cairosvg
Dear release team,

Please unblock package cairosvg.

It addresses CVE-2023-27586, #1033295, for which we plan to release a DSA for bullseye-security as well. Testing with the new version both manually and with the ci setup for security did not show any regression so far. What changes is that one needs to explicitly allow fetching external files to address the problem.

I would propose to unblock it and age the package a bit, but still give it some further exposure in unstable before it migrates to testing.

unblock cairosvg/2.5.2-1.1

Regards,
Salvatore
diff -Nru cairosvg-2.5.2/debian/changelog cairosvg-2.5.2/debian/changelog --- cairosvg-2.5.2/debian/changelog 2021-08-30 22:54:50.000000000 +0200 +++ cairosvg-2.5.2/debian/changelog 2023-03-21 22:21:22.000000000 +0100 @@ -1,3 +1,11 @@ +cairosvg (2.5.2-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * Don't allow fetching external files unless explicitly asked for + (CVE-2023-27586) (Closes: #1033295) + + -- Salvatore Bonaccorso <car...@debian.org> Tue, 21 Mar 2023 22:21:22 +0100 + cairosvg (2.5.2-1) unstable; urgency=low * New upstream release. diff -Nru cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch --- cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch 1970-01-01 01:00:00.000000000 +0100 +++ cairosvg-2.5.2/debian/patches/Don-t-allow-fetching-external-files-unless-explicitl.patch 2023-03-21 22:20:00.000000000 +0100 
@@ -0,0 +1,66 @@ +From: Guillaume Ayoub <guilla...@courtbouillon.org> +Date: Fri, 10 Mar 2023 16:11:22 +0100 +Subject: =?UTF-8?q?Don=E2=80=99t=20allow=20fetching=20external=20files=20u?= + =?UTF-8?q?nless=20explicitly=20asked=20for?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://github.com/Kozea/CairoSVG/commit/12d31c653c0254fa9d9853f66b04ea46e7397255 +Bug-Debian: https://bugs.debian.org/1033295 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-27586 + +--- + cairosvg/__main__.py | 4 ++-- + cairosvg/parser.py | 6 ++++++ + cairosvg/surface.py | 3 ++- + 3 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/cairosvg/__main__.py b/cairosvg/__main__.py +index 3ff6b5d1282f..0aad3d782489 100644 +--- a/cairosvg/__main__.py ++++ b/cairosvg/__main__.py +@@ -42,8 +42,8 @@ def main(argv=None, stdout=None, stdin=None): + help='replace every raster pixel with its complementary color') + parser.add_argument( + '-u', '--unsafe', action='store_true', +- help='resolve XML entities and allow very large files ' +- '(WARNING: vulnerable to XXE attacks and various DoS)') ++ help='fetch external files, resolve XML entities and allow very large ' ++ 'files (WARNING: vulnerable to XXE attacks and various DoS)') + parser.add_argument( + '--output-width', default=None, type=float, + help='desired output width in pixels') +diff --git a/cairosvg/parser.py b/cairosvg/parser.py +index f0f3a82573f3..61275f0a1073 100644 +--- a/cairosvg/parser.py ++++ b/cairosvg/parser.py +@@ -390,6 +390,12 @@ class Tree(Node): + tree = ElementTree.fromstring( + bytestring, forbid_entities=not unsafe, + forbid_external=not unsafe) ++ ++ # Don’t allow fetching external files unless explicitly asked for ++ if 'url_fetcher' not in kwargs and not unsafe: ++ self.url_fetcher = ( ++ lambda *args, **kwargs: b'<svg width="1" height="1"></svg>') ++ + self.xml_tree = tree + root = cssselect2.ElementWrapper.from_xml_root(tree) 
+ style = parent.style if parent else css.parse_stylesheets(self, url) +diff --git a/cairosvg/surface.py b/cairosvg/surface.py +index c5569e768032..a2f7736aabbe 100644 +--- a/cairosvg/surface.py ++++ b/cairosvg/surface.py +@@ -113,7 +113,8 @@ class Surface(object): + :param parent_width: The width of the parent container in pixels. + :param parent_height: The height of the parent container in pixels. + :param scale: The ouptut scaling factor. +- :param unsafe: A boolean allowing XML entities and very large files ++ :param unsafe: A boolean allowing external file access, XML entities ++ and very large files + (WARNING: vulnerable to XXE attacks and various DoS). + + Specifiy the output with: +-- +2.39.2 + diff -Nru cairosvg-2.5.2/debian/patches/series cairosvg-2.5.2/debian/patches/series --- cairosvg-2.5.2/debian/patches/series 2021-08-30 22:54:50.000000000 +0200 +++ cairosvg-2.5.2/debian/patches/series 2023-03-21 22:20:08.000000000 +0100 @@ -1 +1,2 @@ 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch +Don-t-allow-fetching-external-files-unless-explicitl.patch
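Review bot: in the cairosvg/parser.py hunk, the guard `if 'url_fetcher' not in kwargs and not unsafe:` only replaces the default fetcher; a caller that passes its own `url_fetcher` keeps full external access even with `unsafe=False`, and the replacement lambda hands back the same 1x1 SVG stub for every URL regardless of what was requested. A short comment stating that callers who supply their own fetcher remain responsible for restricting what it will fetch, and that the stub is returned for non-SVG references too, would make the contract clear; also the lambda's `**kwargs` parameter shadows the enclosing `kwargs`, so something like `lambda *_args, **_kwargs:` reads better.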
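Review bot: the debian/changelog hunk records the fix but not that this is a default-behaviour change for library users: per the parser.py hunk, any caller that passes neither `unsafe=True` nor a `url_fetcher` now silently gets a 1x1 SVG stub instead of the referenced external file. A debian/NEWS entry (or an extra changelog line) saying that external files are no longer fetched by default and how to opt back in would save users debugging blank images after the update.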