Development guide for librsvg documentation (original) (raw)
Toggle table of contents sidebar
Security¶
Reporting security bugs¶
Please mail the maintainer at federico@gnome.org. You can use the GPG public key from https://viruta.org/docs/fmq-gpg.asc to send encrypted mail.
Librsvg releases with security fixes¶
Librsvg releases have a version number like major.minor.micro.
Before version 2.55.x, librsvg’s versioning scheme was such that a release with an even minor number was considered a stable release suitable for production use (e.g. 2.54.x), and an odd minor number was a development release only.
Starting with 2.55.x, all minor numbers are considered stable. Development and beta versions have a micro version starting at 90 (e.g. 2.55.90), per GNOME’s release versioning as of 2022/September.
The following list is only for stable release streams.
2.56.3¶
CVE-2023-38633 -#996 - Arbitrary file read when xinclude href has special characters.
2.55.3¶
CVE-2023-38633 -#996 - Arbitrary file read when xinclude href has special characters.
2.54.7¶
CVE-2023-38633 -#996 - Arbitrary file read when xinclude href has special characters.
2.52.11¶
CVE-2023-38633 -#996 - Arbitrary file read when xinclude href has special characters.
2.50.9¶
CVE-2023-38633 -#996 - Arbitrary file read when xinclude href has special characters.
2.50.4¶
RUSTSEC-2020-0146 - lifetime erasure in generic-array.
2.48.12¶
CVE-2023-38633 -#996 - Arbitrary file read when xinclude href has special characters.
2.48.10¶
CVE 2020-35905 - RUSTSEC-2020-0059 - data race in futures-util.
CVE 2020-35906 - RUSTSEC-2020-0060 - use-after-free in futures-task.
CVE 2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec.
RUSTSEC-2020-0146 - lifetime erasure in generic-array.
2.48.0¶
CVE 2019-20446 - guard against exponential growth of CPU time from malicious SVGs.
Caution
**Releases older than 2.48.0 are not recommended.**See notes below on libcroco.
2.46.7¶
CVE-2023-38633 -#996 - Arbitrary file read when xinclude href has special characters.
See notes below on libcroco.
2.46.5¶
RUSTSEC-2020-0146 - lifetime erasure in generic-array.
CVE 2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec.
See notes below on libcroco.
2.44.17¶
RUSTSEC-2020-0146 - lifetime erasure in generic-array.
CVE 2019-15554 - RUSTSEC-2019-0012 - memory corruption in smallvec.
CVE 2019-15551 - RUSTSEC-2019-0009 - double-free and use-after-free in smallvec.
CVE 2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec.
See notes below on libcroco.
2.44.16¶
CVE 2019-20446 - guard against exponential growth of CPU time from malicious SVGs.
See notes below on libcroco.
2.42.8¶
CVE 2019-20446 - guard against exponential growth of CPU time from malicious SVGs.
See notes below on libcroco.
2.42.9¶
CVE 2018-20991 - RUSTSEC-2018-0003 - double-free in smallvec.
See notes below on libcroco.
2.40.21¶
CVE 2019-20446 - guard against exponential growth of CPU time from malicious SVGs.
See notes below on libcroco.
2.40.18¶
CVE 2017-11464 - Fix division-by-zero in the Gaussian blur code.
See notes below on libcroco.
Attention
Earlier releases should be avoided and are not listed here.
Important note on libcroco
Note that librsvg 2.46.x and earlier uselibcroco for parsing CSS, but that library is deprecated, unmaintained, and has open CVEs as of May 2021.
If your application processes untrusted data, please avoid using librsvg 2.46.x or earlier. The first release of librsvg that does not use libcroco is 2.48.0.
Librsvg’s C dependencies¶
Librsvg depends on the following libraries implemented in memory-unsafe languages:
- libxml2 - loading XML data.
- cairo - 2D rendering engine.
- freetype2 - font renderer.
- harfbuzz - text shaping engine.
- pango - high-level text rendering.
- fontconfig - system fonts and rules for using them.
And of course, their recursive dependencies as well, such asglib/gio.
The required versions for those libraries are not pinned (fixed to a specific version). Instead, the minimum required version is checked via the meson build system, for shared library builds, or by Rust’ssystem-deps which uses pkg-config underneath.
Librsvg’s Rust dependencies¶
Librsvg’s Rust dependencies are pinned to specific versions withCargo.lock. We track the security and recency of these versions in various ways:
- There is a
denyjob in the CI which runs cargo-deny. This presents information about dependencies with vulnerabilities, duplicate versions of dependencies, and other interesting data. - There is a project badge in the main librsvg project page which points to
deps.rs. This checks whether dependencies are out of date, and flags vulnerable versions as well.
Security considerations for the image-rs crate¶
Librsvg uses the image-rs crate for decoding raster images. You may want to look at its dependencies for specific codecs like the png or zune-jpeg crates.
Librsvg explicitly compiles image-rs with support for only the following formats:
- JPEG
- PNG
- GIF
- WEBP
The following formats are optional, and selected at compilation time:
- AVIF (compile-time option
avif)
See the Compile-time options section in Detailed compilation instructions for details.
Security considerations for libxml2¶
Librsvg uses the following configuration for the SAX2 parser in libxml2:
XML_PARSE_NONET- forbid network access.XML_PARSE_BIG_LINES- store big line numbers.
As a special case, librsvg enables replaceEntities in the_xmlParserCtxtPtr struct so that libxml2 will expand references only to internal entities declared in the DTD subset. External entities are disabled.
For example, the following document renders two rectangles that are expanded from internal entities:
"> "> ]>
However, an external entity like
will generate an XML parse error and the document will not be loaded.
Security considerations for Cairo¶
Cairo versions before 1.17.0 are easy to crash if given coordinates that fall outside the range of its 24.8 fixed-point numbers. Please make sure that you use librsvg with Cairo 1.17.0 or newer.
The first version of librsvg to require at least Cairo 1.17.0 is librsvg 2.56.90 (development), or librsvg 2.57.0 (stable).
Security considerations for librsvg¶
Built-in limits: Librsvg has built-in limits for the following:
- Limit on the maximum number of loaded XML elements, set to 1,000,000 (one million). SVG documents with more than this number of elements will fail to load. This is a mitigation for malicious documents that would otherwise consume large amounts of memory, for example by including a huge number of
<g/>elements with no useful content. This is set in the filersvg/src/limits.rsin theMAX_LOADED_ELEMENTSconstant. - Limit on the maximum number of referenced elements while rendering. The
<use>element in SVG and others like<pattern>can reference other elements in the document. Malicious documents can cause an exponential number of references to be resolved, so librsvg places a limit of 500,000 references (half a million) to avoid unbounded consumption of CPU time. This is set in the filersvg/src/limits.rsin theMAX_REFERENCED_ELEMENTSconstant. - Limit on the nesting level for XML Includes (
xi:include), to avoid infinite recursion from an SVG file that includes itself. This is set in the filersvg/src/limits.rsin theMAX_XINCLUDE_DEPTHconstant.
Librsvg has no built-in limits on the total amount of memory or CPU time consumed to process a document. Your application may want to place limits on this, especially if it processes untrusted SVG documents.
Processing external files: Librsvg processes references to external files by itself: XML XInclude, xlink:href attributes, etc. Please see the section “Security and locations of referenced files” in the reference documentation to see what criteria are used to accept or reject a file based on its location. If your application has more stringent requirements, it may need to sandbox its use of librsvg.
SVG features: Librsvg ignores animations, scripts, and events declared in SVG documents. It always handles referenced images, similar to SVG’s static processing mode.