diff options
author | Federico Mena Quintero <federico@gnome.org> | 2023-01-19 11:49:11 -0600 |
---|---|---|
committer | Federico Mena Quintero <federico@gnome.org> | 2023-01-19 11:49:11 -0600 |
commit | 08da2b2a136f18a9f48fd0a7980770464ae2d623 (patch) | |
tree | 3371ec4f102370a3255a751762b235127c91a4c4 | |
parent | 9510815ea6f362c4d74bf61b51e8b32ed9ac3795 (diff) | |
download | librsvg-08da2b2a136f18a9f48fd0a7980770464ae2d623.tar.gz |
Move SECURITY.md to devel-docs/security.rst
The security chapter is now in the development guide.
Part-of: <https://gitlab.gnome.org/GNOME/librsvg/-/merge_requests/783>
-rw-r--r-- | README.md | 6 | ||||
-rw-r--r-- | SECURITY.md | 195 | ||||
-rw-r--r-- | devel-docs/index.rst | 5 | ||||
-rw-r--r-- | devel-docs/security.rst | 216 |
4 files changed, 226 insertions, 196 deletions
@@ -69,6 +69,11 @@ Introspection][gi]. This way, it is available in many programming languages other than C. Please see your language binding's documentation for information on how to load the `Rsvg` namespace. +**Security:** For a list of releases with security issues, +instructions on reporting security-related bugs, and the security +considerations for librsvg's dependencies, see the [Security +chapter][security] in the development guide. + [c-docs]: https://gnome.pages.gitlab.gnome.org/librsvg/Rsvg-2.0/index.html [rust-docs]: https://gnome.pages.gitlab.gnome.org/librsvg/doc/librsvg/index.html @@ -206,3 +211,4 @@ ways: [gnome-hackers]: https://matrix.to/#/#gnome-hackers:gnome.org [gnome-rust]: https://matrix.to/#/#rust:gnome.org [devel-guide]: https://gnome.pages.gitlab.gnome.org/librsvg/devel-docs/index.html +[security]: https://gnome.pages.gitlab.gnome.org/librsvg/devel-docs/security.html diff --git a/SECURITY.md b/SECURITY.md deleted file mode 100644 index f9ae8781..00000000 --- a/SECURITY.md +++ /dev/null @@ -1,195 +0,0 @@ -# Reporting security bugs - -Please mail the maintainer at federico@gnome.org. You can use the GPG -public key from https://viruta.org/docs/fmq-gpg.asc to send encrypted -mail. - -# Librsvg releases with security fixes - -Librsvg releases have a version number like major.minor.micro. Note -that releases with an odd minor number (e.g. 2.47.x since 47 is odd) -are considered development releases and should not be used in -production systems. - -The following list is only for stable release streams, where the minor -number is even (e.g. 2.50.x). - -### 2.50.4 - -RUSTSEC-2020-0146 - lifetime erasure in generic-array. - -### 2.48.10 - -CVE-2020-35905 - RUSTSEC-2020-0059 - data race in futures-util. - -CVE-2020-35906 - RUSTSEC-2020-0060 - use-after-free in futures-task. - -CVE-2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec. - -RUSTSEC-2020-0146 - lifetime erasure in generic-array. - -### 2.48.0 - -CVE-2019-20446 - guard against exponential growth of CPU time -from malicious SVGs. - -### 2.46.5 - -RUSTSEC-2020-0146 - lifetime erasure in generic-array. - -CVE-2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec. - -See notes below on libcroco. - -### 2.44.17 - -RUSTSEC-2020-0146 - lifetime erasure in generic-array. - -CVE-2019-15554 - RUSTSEC-2019-0012 - memory corruption in smallvec. - -CVE-2019-15551 - RUSTSEC-2019-0009 - double-free and use-after-free in smallvec. - -CVE-2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec. - -See notes below on libcroco. - -### 2.44.16 - -CVE-2019-20446 - guard against exponential growth of CPU time -from malicious SVGs. - -See notes below on libcroco. - -### 2.42.8 - -CVE-2019-20446 - guard against exponential growth of CPU time -from malicious SVGs. - -See notes below on libcroco. - -### 2.42.9 - -CVE-2018-20991 - RUSTSEC-2018-0003 - double-free in smallvec. - -See notes below on libcroco. - -### 2.40.21 - -CVE-2019-20446 - guard against exponential growth of CPU time -from malicious SVGs. - -See notes below on libcroco. - -### 2.40.18 - -CVE-2017-11464 - Fix division-by-zero in the Gaussian blur code. - -See notes below on libcroco. - -### Earlier releases should be avoided and are not listed here. - -**Important note on libcroco:** Note that librsvg 2.46.x and earlier use -[libcroco](https://gitlab.gnome.org/Archive/libcroco/) for parsing -CSS, but that library is deprecated, unmaintained, and has open CVEs as -of May 2021. - -If your application processes untrusted data, please avoid using -librsvg 2.46.x or earlier. The first release of librsvg that does not -use libcroco is 2.48.0. - -# Librsvg's dependencies - -Librsvg depends on the following libraries implemented in memory-unsafe languages: - -* **libxml2** - loading XML data. -* **cairo** - 2D rendering engine. -* **gdk-pixbuf** - decoding raster images like JPEG/PNG. -* **freetype2** - font renderer. -* **harfbuzz** - text shaping engine. - -And of course, their recursive dependencies as well, such as **glib/gio**. - -## Security considerations for libxml2 - -Librsvg uses the following configuration for the SAX2 parser in libxml2: - - * `XML_PARSE_NONET` - forbid network access. - * `XML_PARSE_BIG_LINES` - store big line numbers. - -As a special case, librsvg enables `replaceEntities` in the -`_xmlParserCtxtPtr` struct so that libxml2 will expand references only -to internal entities declared in the DTD subset. External entities -are disabled. - -For example, the following document renders two rectangles that are -expanded from internal entities: - -``` -<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Basic//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd" [ - <!ENTITY Rect1 "<rect x='15' y='10' width='20' height='30' fill='blue'/>"> - <!ENTITY Rect2 "<rect x='10' y='5' width='10' height='20' fill='green'/>"> -]> -<svg xmlns="http://www.w3.org/2000/svg" width="60" height="60"> - &Rect1; - &Rect2; -</svg> -``` - -However, an external entity like - -``` - <!ENTITY foo SYSTEM "foo.xml"> -``` - -will generate an XML parse error and the document will not be loaded. - -## Security considerations for Cairo - -Cairo is easy to crash if given coordinates that fall outside the -range of its 24.8 fixed-point numbers. Librsvg is working on -mitigating this. - -## Security considerations for gdk-pixbuf - -Gdk-pixbuf depends on **libpng**, **libjpeg**, and other libraries for -different image formats. - -# Security considerations for librsvg - -**Built-in limits:** Librsvg has built-in limits for the following: - -* Limit on the maximum number of loaded XML elements, set to 1,000,000 - (one million). SVG documents with more than this number of elements - will fail to load. This is a mitigation for malicious documents - that would otherwise consume large amounts of memory, for example by - including a huge number of `<g/>` elements with no useful content. - This is set in the file `src/limits.rs` in the `MAX_LOADED_ELEMENTS` - constant. - -* Limit on the maximum number of referenced elements while rendering. - The `<use>` element in SVG and others like `<pattern>` can reference - other elements in the document. Malicious documents can cause an - exponential number of references to be resolved, so librsvg places a - limit of 500,000 references (half a million) to avoid unbounded - consumption of CPU time. This is set in the file `src/limits.rs` in - the `MAX_REFERENCED_ELEMENTS` constant. - -Librsvg has no built-in limits on the total amount of memory or CPU -time consumed to process a document. Your application may want to -place limits on this, especially if it processes untrusted SVG -documents. - -**Processing external files:** Librsvg processes references to -external files by itself: XML XInclude, `xlink:href` attributes, etc. -Please see the section "Security and locations of referenced files" in -the [developer's -documentation](https://developer-old.gnome.org/rsvg/unstable/RsvgHandle.html) -to see what criteria is used to accept or reject a file based on its -location. If your application has more stringent requirements, it may -need to sandbox its use of librsvg. - -**SVG features:** Librsvg ignores animations, scripts, and events -declared in SVG documents. It always handles referenced images, -similar to SVG's [static processing -mode](https://www.w3.org/TR/SVG2/conform.html#static-mode). - diff --git a/devel-docs/index.rst b/devel-docs/index.rst index 97e5e724..856a3920 100644 --- a/devel-docs/index.rst +++ b/devel-docs/index.rst @@ -9,6 +9,7 @@ Development guide for librsvg features roadmap compiling + security .. toctree:: :caption: Getting Started as a Contributor @@ -60,7 +61,9 @@ evolved into a few different tools. - :doc:`features` - Supported elements, attributes, and properties. - :doc:`roadmap` - Ever-changing list of priorities for the maintainers; check this often! -- :doc:`compiling` - cross compilation, debug/release builds, special options. +- :doc:`compiling` - Cross compilation, debug/release builds, special options. +- :doc:`security` - Reporting security bugs, releases with security + fixes, security of dependencies. Getting started --------------- diff --git a/devel-docs/security.rst b/devel-docs/security.rst new file mode 100644 index 00000000..95b2f749 --- /dev/null +++ b/devel-docs/security.rst @@ -0,0 +1,216 @@ +Security +======== + +Reporting security bugs +----------------------- + +Please mail the maintainer at federico@gnome.org. You can use the GPG +public key from https://viruta.org/docs/fmq-gpg.asc to send encrypted +mail. + +Librsvg releases with security fixes +------------------------------------ + +Librsvg releases have a version number like major.minor.micro. Note that +releases with an odd minor number (e.g. 2.47.x since 47 is odd) are +considered development releases and should not be used in production +systems. + +The following list is only for stable release streams, where the minor +number is even (e.g. 2.50.x). + +2.50.4 +~~~~~~ + +RUSTSEC-2020-0146 - lifetime erasure in generic-array. + +2.48.10 +~~~~~~~ + +CVE-2020-35905 - RUSTSEC-2020-0059 - data race in futures-util. + +CVE-2020-35906 - RUSTSEC-2020-0060 - use-after-free in futures-task. + +CVE-2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec. + +RUSTSEC-2020-0146 - lifetime erasure in generic-array. + +2.48.0 +~~~~~~ + +CVE-2019-20446 - guard against exponential growth of CPU time from +malicious SVGs. + +2.46.5 +~~~~~~ + +RUSTSEC-2020-0146 - lifetime erasure in generic-array. + +CVE-2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec. + +See notes below on libcroco. + +2.44.17 +~~~~~~~ + +RUSTSEC-2020-0146 - lifetime erasure in generic-array. + +CVE-2019-15554 - RUSTSEC-2019-0012 - memory corruption in smallvec. + +CVE-2019-15551 - RUSTSEC-2019-0009 - double-free and use-after-free in +smallvec. + +CVE-2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec. + +See notes below on libcroco. + +2.44.16 +~~~~~~~ + +CVE-2019-20446 - guard against exponential growth of CPU time from +malicious SVGs. + +See notes below on libcroco. + +2.42.8 +~~~~~~ + +CVE-2019-20446 - guard against exponential growth of CPU time from +malicious SVGs. + +See notes below on libcroco. + +2.42.9 +~~~~~~ + +CVE-2018-20991 - RUSTSEC-2018-0003 - double-free in smallvec. + +See notes below on libcroco. + +2.40.21 +~~~~~~~ + +CVE-2019-20446 - guard against exponential growth of CPU time from +malicious SVGs. + +See notes below on libcroco. + +2.40.18 +~~~~~~~ + +CVE-2017-11464 - Fix division-by-zero in the Gaussian blur code. + +See notes below on libcroco. + +Earlier releases should be avoided and are not listed here. +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +**Important note on libcroco:** Note that librsvg 2.46.x and earlier use +`libcroco <https://gitlab.gnome.org/Archive/libcroco/>`__ for parsing +CSS, but that library is deprecated, unmaintained, and has open CVEs as +of May 2021. + +If your application processes untrusted data, please avoid using librsvg +2.46.x or earlier. The first release of librsvg that does not use +libcroco is 2.48.0. + +Librsvg’s dependencies +---------------------- + +Librsvg depends on the following libraries implemented in memory-unsafe +languages: + +- **libxml2** - loading XML data. +- **cairo** - 2D rendering engine. +- **gdk-pixbuf** - decoding raster images like JPEG/PNG. +- **freetype2** - font renderer. +- **harfbuzz** - text shaping engine. + +And of course, their recursive dependencies as well, such as +**glib/gio**, **libjpeg**, **libpng**. + +Security considerations for libxml2 +----------------------------------- + +Librsvg uses the following configuration for the SAX2 parser in libxml2: + +- ``XML_PARSE_NONET`` - forbid network access. +- ``XML_PARSE_BIG_LINES`` - store big line numbers. + +As a special case, librsvg enables ``replaceEntities`` in the +``_xmlParserCtxtPtr`` struct so that libxml2 will expand references only +to internal entities declared in the DTD subset. External entities are +disabled. + +For example, the following document renders two rectangles that are +expanded from internal entities: + +:: + + <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Basic//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd" [ + <!ENTITY Rect1 "<rect x='15' y='10' width='20' height='30' fill='blue'/>"> + <!ENTITY Rect2 "<rect x='10' y='5' width='10' height='20' fill='green'/>"> + ]> + <svg xmlns="http://www.w3.org/2000/svg" width="60" height="60"> + &Rect1; + &Rect2; + </svg> + +However, an external entity like + +:: + + <!ENTITY foo SYSTEM "foo.xml"> + +will generate an XML parse error and the document will not be loaded. + +Security considerations for Cairo +--------------------------------- + +Cairo is easy to crash if given coordinates that fall outside the range +of its 24.8 fixed-point numbers. Librsvg is working on mitigating this. + +Security considerations for gdk-pixbuf +-------------------------------------- + +Gdk-pixbuf depends on **libpng**, **libjpeg**, and other libraries for +different image formats. + +Security considerations for librsvg +=================================== + +**Built-in limits:** Librsvg has built-in limits for the following: + +- Limit on the maximum number of loaded XML elements, set to 1,000,000 + (one million). SVG documents with more than this number of elements + will fail to load. This is a mitigation for malicious documents that + would otherwise consume large amounts of memory, for example by + including a huge number of ``<g/>`` elements with no useful content. + This is set in the file ``src/limits.rs`` in the + ``MAX_LOADED_ELEMENTS`` constant. + +- Limit on the maximum number of referenced elements while rendering. + The ``<use>`` element in SVG and others like ``<pattern>`` can + reference other elements in the document. Malicious documents can + cause an exponential number of references to be resolved, so librsvg + places a limit of 500,000 references (half a million) to avoid + unbounded consumption of CPU time. This is set in the file + ``src/limits.rs`` in the ``MAX_REFERENCED_ELEMENTS`` constant. + +Librsvg has no built-in limits on the total amount of memory or CPU time +consumed to process a document. Your application may want to place +limits on this, especially if it processes untrusted SVG documents. + +**Processing external files:** Librsvg processes references to +external files by itself: XML XInclude, ``xlink:href`` attributes, +etc. Please see the section "`Security and locations of referenced +files +<https://gnome.pages.gitlab.gnome.org/librsvg/Rsvg-2.0/class.Handle.html#security-and-locations-of-referenced-files>`_" +in the reference documentation to see what criteria are used to accept +or reject a file based on its location. If your application has more +stringent requirements, it may need to sandbox its use of librsvg. + +**SVG features:** Librsvg ignores animations, scripts, and events +declared in SVG documents. It always handles referenced images, similar +to SVG’s `static processing +mode <https://www.w3.org/TR/SVG2/conform.html#static-mode>`__. |