Executive Summary
Summary | |
---|---|
Title | librsvg2 security update |
Informations | |||
---|---|---|---|
Name | RHSA-2014:0127 | First vendor Publication | 2014-02-03 |
Vendor | RedHat | Last vendor Modification | 2014-02-03 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated librsvg2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: The librsvg2 packages provide an SVG (Scalable Vector Graphics) library based on libart. An XML External Entity expansion flaw was found in the way librsvg2 processed SVG files. If a user were to open a malicious SVG file, a remote attacker could possibly obtain a copy of the local resources that the user had access to. (CVE-2013-1881) All librsvg2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications that use librsvg2 must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 924414 - CVE-2013-1881 librsvg2: local resource access vulnerability due to XML External Entity enablement |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2014-0127.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:22535 | |||
Oval ID: | oval:org.mitre.oval:def:22535 | ||
Title: | RHSA-2014:0127: librsvg2 security update (Moderate) | ||
Description: | GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:0127-01 CESA-2014:0127 CVE-2013-1881 | Version: | 8 |
Platform(s): | Red Hat Enterprise Linux 6 CentOS Linux 6 | Product(s): | librsvg2 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24099 | |||
Oval ID: | oval:org.mitre.oval:def:24099 | ||
Title: | ELSA-2014:0127: librsvg2 security update (Moderate) | ||
Description: | GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014:0127-01 CVE-2013-1881 | Version: | 6 |
Platform(s): | Oracle Linux 6 | Product(s): | librsvg2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24176 | |||
Oval ID: | oval:org.mitre.oval:def:24176 | ||
Title: | USN-2149-1 -- librsvg vulnerability | ||
Description: | Librsvg could be made to expose sensitive information. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2149-1 CVE-2013-1881 | Version: | 5 |
Platform(s): | Ubuntu 13.10 Ubuntu 12.10 Ubuntu 12.04 | Product(s): | librsvg |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:24299 | |||
Oval ID: | oval:org.mitre.oval:def:24299 | ||
Title: | USN-2149-2 -- gtk+3.0 update | ||
Description: | This update provides a compatibility fix for GTK+. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-2149-2 CVE-2013-1881 | Version: | 5 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 | Product(s): | gtk+3.0 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27373 | |||
Oval ID: | oval:org.mitre.oval:def:27373 | ||
Title: | DEPRECATED: ELSA-2014-0127 -- librsvg2 security update (updated 02/05/2014) (moderate) | ||
Description: | [2.26.0-6.3] - Fix add-permission-check.patch to update all rsvg_pixbuf_new_from_href() callers [2.26.0-6.1] - Fix build by linking in -lm - io: Implement strict network policy (CVE-2013-1881) Resolves: #1049155 [2.26.0-6] - Store node type separately in RsvgNode (CVE-2011-3146) Resolves: #735267 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-0127 CVE-2013-1881 | Version: | 4 |
Platform(s): | Oracle Linux 6 | Product(s): | librsvg2 |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-10-22 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-1785-1.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-912.nasl - Type : ACT_GATHER_INFO |
2014-03-18 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2149-1.nasl - Type : ACT_GATHER_INFO |
2014-03-18 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2149-2.nasl - Type : ACT_GATHER_INFO |
2014-02-04 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0127.nasl - Type : ACT_GATHER_INFO |
2014-02-04 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0127.nasl - Type : ACT_GATHER_INFO |
2014-02-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0127.nasl - Type : ACT_GATHER_INFO |
2014-02-04 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140203_librsvg2_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2014-01-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-009.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:57:48 |
|
2014-02-03 21:19:21 |
|