[librsvg: 3/7] SECURITY.md - Include details on dependencies and how SVG is processed
- From: Federico Mena Quintero <federico src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [librsvg: 3/7] SECURITY.md - Include details on dependencies and how SVG is processed
- Date: Tue, 18 May 2021 01:08:38 +0000 (UTC)
commit b9650f2c4c945a4c9b5547d26255710b023f008f
Author: Federico Mena Quintero <federico gnome org>
Date: Mon May 17 12:13:21 2021 -0500
SECURITY.md - Include details on dependencies and how SVG is processed
SECURITY.md | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 103 insertions(+), 1 deletion(-)
---
diff --git a/SECURITY.md b/SECURITY.md
index afd1f4f3..eab12b77 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -52,12 +52,17 @@ from malicious SVGs.
CVE-2019-20446 - guard against exponential growth of CPU time
from malicious SVGs.
-### 2.42.9
+### 2.42.9
CVE-2018-20991 - RUSTSEC-2018-0003 - double-free in smallvec.
### 2.40.21
+**Important:** Note that librsvg 2.40.x and earlier use
+[libcroco](https://gitlab.gnome.org/Archive/libcroco/) for parsing
+CSS, but that library is deprecated, unmaintained, and has open CVEs as
+of May 2021. Please do not use librsvg 2.40.x or earlier.
+
CVE-2019-20446 - guard against exponential growth of CPU time
from malicious SVGs.
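Review bot: the libcroco warning is inserted between the `### 2.40.21` heading and that release's CVE entry, so it reads as a note about 2.40.21 specifically even though it applies to the whole 2.40.x series and everything earlier; moving it above the `### 2.40.21` heading (or into the "Earlier releases should be avoided" heading below) would make that scope clear. The sentence "has open CVEs as of May 2021" would also be more actionable with a link to wherever those libcroco CVEs are tracked, so readers can check the list rather than take the date-stamped claim on trust.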
@@ -66,3 +71,100 @@ from malicious SVGs.
CVE-2017-11464 - Fix division-by-zero in the Gaussian blur code.
### Earlier releases should be avoided and are not listed here.
+
+# Librsvg's dependencies
+
+Librsvg depends on the following libraries implemented in memory-unsafe languages:
+
+* **libxml2** - loading XML data.
+* **cairo** - 2D rendering engine.
+* **gdk-pixbuf** - decoding raster images like JPEG/PNG.
+* **freetype2** - font renderer.
+* **harfbuzz** - text shaping engine.
+
+And of course, their recursive dependencies as well, such as **glib/gio**.
+
+## Security considerations for libxml2
+
+Librsvg uses the following configuration for the SAX2 parser in libxml2:
+
+ * `XML_PARSE_NONET` - forbid network access.
+ * `XML_PARSE_BIG_LINES` - store big line numbers.
+
+As a special case, librsvg enables `replaceEntities` in the
+`_xmlParserCtxtPtr` struct so that libxml2 will expand references only
+to internal entities declared in the DTD subset. External entities
+are disabled.
+
+For example, the following document renders two rectangles that are
+expanded from internal entities:
+
+```
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Basic//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd" [
+ <!ENTITY Rect1 "<rect x='15' y='10' width='20' height='30' fill='blue'/>">
+ <!ENTITY Rect2 "<rect x='10' y='5' width='10' height='20' fill='green'/>">
+]>
+<svg xmlns="http://www.w3.org/2000/svg" width="60" height="60">
+ &Rect1;
+ &Rect2;
+</svg>
+```
+
+However, an external entity like
+
+```
+ <!ENTITY foo SYSTEM "foo.xml">
+```
+
+will generate an XML parse error and the document will not be loaded.
+
+## Security considerations for Cairo
+
+Cairo is easy to crash if given coordinates that fall outside the
+range of its 24.8 fixed-point numbers. Librsvg is working on
+mitigating this.
+
+## Security considerations for gdk-pixbuf
+
+Gdk-pixbuf depends on **libpng**, **libjpeg**, and other libraries for
+different image formats.
+
+# Security considerations for librsvg
+
+**Built-in limits:** Librsvg has built-in limits for the following:
+
+* Limit on the maximum number of loaded XML elements, set to 1,000,000
+ (one million). SVG documents with more than this number of elements
+ will fail to load. This is a mitigation for malicious documents
+ that would otherwise consume large amounts of memory, for example by
+ including a huge number of `<g/>` elements with no useful content.
+ This is set in the file `src/limits.rs` in the `MAX_LOADED_ELEMENTS`
+ constant.
+
+* Limit on the maximum number of referenced elements while rendering.
+ The `<use>` element in SVG and others like `<pattern>` can reference
+ other elements in the document. Malicious documents can cause an
+ exponential number of references to be resolved, so librsvg places a
+ limit of 500,000 references (half a million) to avoid unbounded
+ consumption of CPU time. This is set in the file `src/limits.rs` in
+ the `MAX_REFERENCED_ELEMENTS` constant.
+
+Librsvg has no built-in limits on the total amount of memory or CPU
+time consumed to process a document. Your application may want to
+place limits on this, especially if it processes untrusted SVG
+documents.
+
+**Processing external files:** Librsvg processes references to
+external files by itself: XML XInclude, `xlink:href` attributes, etc.
+Please see the section "Security and locations of referenced files" in
+the [developer's
+documentation](https://developer.gnome.org/rsvg/stable/RsvgHandle.html)
+to see what criteria is used to accept or reject a file based on its
+location. If your application has more stringent requirements, it may
+need to sandbox its use of librsvg.
+
+**SVG features:** Librsvg ignores animations, scripts, and events
+declared in SVG documents. It always handles referenced images,
+similar to SVG's [static processing
+mode](https://www.w3.org/TR/SVG2/conform.html#static-mode).
+
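Review bot: the entity paragraph states that external entities are disabled and that `<!ENTITY foo SYSTEM "foo.xml">` yields a parse error, but it does not say which mechanism enforces that; `XML_PARSE_NONET` as listed only forbids network access, and a local `SYSTEM` entity is not a network fetch, so the actual refusal point (the SAX entity callbacks librsvg installs, or whatever it is) should be named so a reader can verify the claim. Smaller points in the same hunk: "to see what criteria is used" should read "what criteria are used"; the Cairo section's "Librsvg is working on mitigating this" would be more useful with a link to the tracking issue; and since the built-in limits are described as constants in `src/limits.rs`, it is worth stating explicitly that they are compile-time values not adjustable through the API, given that the following paragraph tells applications handling untrusted SVG to add their own memory and CPU limits.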