CLD-288 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-1000041 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) librsvg
Deficiency Type SECURITY
Date Created 2018-02-09 21:18:17
Date Last Modified 2018-02-12 14:19:27

Version Specific Information:

Cucumber 1.0 i686 fixed in librsvg-2.40.18-i686-2
Cucumber 1.0 x86_64 fixed in librsvg-2.40.18-x86_64-2 and librsvg-lib_i686-2.40.18-lib_i686-2

Cucumber 1.1 i686 fixed in librsvg-2.40.18-i686-2
Cucumber 1.1 x86_64 fixed in librsvg-2.40.18-x86_64-2 and librsvg-lib_i686-2.40.18-lib_i686-2

Details:

=================================== Overview ===================================

GNOME librsvg before commit c6ddf2ed4d768fd88adbea2b63f575cd523022ea
contains an improper input validation vulnerability in rsvg-io.c that can result
in the victim's Windows username and NTLM password hash being leaked to remote
attackers through SMB. This attack appears to be exploitable when the victim
processes a specially crafted SVG file containing a UNC path on Windows.
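As an added defender-side check (not part of this advisory or of librsvg), the following Python scanner flags href-style attributes in an SVG whose value is a UNC path, i.e. the kind of external reference the overview describes; the sample SVG and the hostname in it are constructed, and treating the forward-slash form `//host/share` as UNC is a conservative assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: one benign relative reference, one local fragment, and
# one UNC reference of the kind the advisory describes (placeholder hostname).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <image xlink:href="logo.png" width="5" height="5"/>
  <image xlink:href="\\\\share.example\\pub\\x.png" width="5" height="5"/>
  <use href="#local"/>
</svg>
"""

# A UNC path is \\host\share\...; the forward-slash form //host/share is
# flagged as well (assumption: a file loader may resolve it the same way).
UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")

def local_name(qname):
    """Strip the {namespace} prefix ElementTree puts on tag/attribute names."""
    return qname.rsplit("}", 1)[-1]

def find_unc_references(svg_text):
    """Return (element, attribute, value) for every href-like attribute whose
    value is a UNC path. Rendering such a file with a vulnerable librsvg on
    Windows would make it open an SMB connection to the named host."""
    findings = []
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        for qname, value in elem.attrib.items():
            if local_name(qname) != "href":
                continue
            if UNC_RE.match(value.strip()):
                findings.append((local_name(elem.tag), local_name(qname), value))
    return findings

if __name__ == "__main__":
    for tag, attr, value in find_unc_references(SAMPLE_SVG):
        print(f"<{tag} {attr}=...> references UNC path: {value}")
```

Only `href`/`xlink:href` attributes are inspected; references hidden in CSS `url(...)` values would need a separate check.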

================================ Initial Report ================================

None

================================= Our Analysis =================================

----- Affected Products -----
Versions of librsvg that have not had the patch from
https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea
are vulnerable. This includes librsvg as originally packaged in Cucumber Linux
1.0 and 1.1 Beta.

----- Scope and Impact of this Vulnerability -----
This vulnerability allegedly could allow for leaking of a victim's Windows
username and password hash to a remote attacker. It is unclear how (if at all)
this is exploitable on Linux; however, we have patched it nonetheless to err on
the side of caution.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea

Debian claims that only the first hunk of the commit is needed to fix the
vulnerability. The smaller patch is available at
https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0.patch.

There is no clear indication from the upstream developers about how much of
commit c6ddf2e is needed to fix this vulnerability. Unfortunately, this
commit doesn't apply cleanly against librsvg 2.40.18 (the version used in
Cucumber Linux 1.0 and 1.1), but the smaller patch (commit 4de19d9) does, so we
have used that instead, with the hope that the Debian security team is correct
in their cherry-picking.

================================= Our Solution =================================

We have applied the patch from
https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0
and rebuilt.