Security
Reporting security bugs
Please mail the maintainer at federico@gnome.org. You can use the GPG public key from https://viruta.org/docs/fmq-gpg.asc to send encrypted mail.
Librsvg releases with security fixes
Librsvg releases have a version number like major.minor.micro.
Before version 2.55.x, librsvg’s versioning scheme was such that a release with an even minor number was considered a stable release suitable for production use (e.g. 2.54.x), and an odd minor number was a development release only.
Starting with 2.55.x, all minor numbers are considered stable. Development and beta versions have a micro version starting at 90 (e.g. 2.55.90), per GNOME’s release versioning as of 2022/September.
The following list is only for stable release streams.
2.56.3
CVE-2023-38633 - #996 - Arbitrary file read when xinclude href has special characters.
2.55.3
CVE-2023-38633 - #996 - Arbitrary file read when xinclude href has special characters.
2.54.7
CVE-2023-38633 - #996 - Arbitrary file read when xinclude href has special characters.
2.52.11
CVE-2023-38633 - #996 - Arbitrary file read when xinclude href has special characters.
2.50.9
CVE-2023-38633 - #996 - Arbitrary file read when xinclude href has special characters.
2.50.4
RUSTSEC-2020-0146 - lifetime erasure in generic-array.
2.48.12
CVE-2023-38633 - #996 - Arbitrary file read when xinclude href has special characters.
2.48.10
CVE-2020-35905 - RUSTSEC-2020-0059 - data race in futures-util.
CVE-2020-35906 - RUSTSEC-2020-0060 - use-after-free in futures-task.
CVE-2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec.
RUSTSEC-2020-0146 - lifetime erasure in generic-array.
2.48.0
CVE-2019-20446 - guard against exponential growth of CPU time from malicious SVGs.
Releases older than 2.48.0 are not recommended
See notes below on libcroco.
2.46.7
CVE-2023-38633 - #996 - Arbitrary file read when xinclude href has special characters.
See notes below on libcroco.
2.46.5
RUSTSEC-2020-0146 - lifetime erasure in generic-array.
CVE-2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec.
See notes below on libcroco.
2.44.17
RUSTSEC-2020-0146 - lifetime erasure in generic-array.
CVE-2019-15554 - RUSTSEC-2019-0012 - memory corruption in smallvec.
CVE-2019-15551 - RUSTSEC-2019-0009 - double-free and use-after-free in smallvec.
CVE-2021-25900 - RUSTSEC-2021-0003 - buffer overflow in smallvec.
See notes below on libcroco.
2.44.16
CVE-2019-20446 - guard against exponential growth of CPU time from malicious SVGs.
See notes below on libcroco.
2.42.8
CVE-2019-20446 - guard against exponential growth of CPU time from malicious SVGs.
See notes below on libcroco.
2.42.9
CVE-2018-20991 - RUSTSEC-2018-0003 - double-free in smallvec.
See notes below on libcroco.
2.40.21
CVE-2019-20446 - guard against exponential growth of CPU time from malicious SVGs.
See notes below on libcroco.
2.40.18
CVE-2017-11464 - Fix division-by-zero in the Gaussian blur code.
See notes below on libcroco.
Earlier releases should be avoided and are not listed here.
Important note on libcroco
Note that librsvg 2.46.x and earlier use libcroco for parsing CSS, but that library is deprecated, unmaintained, and has open CVEs as of May 2021.
If your application processes untrusted data, please avoid using librsvg 2.46.x or earlier. The first release of librsvg that does not use libcroco is 2.48.0.
Librsvg’s dependencies
Librsvg depends on the following libraries implemented in memory-unsafe languages:
libxml2 - loading XML data.
cairo - 2D rendering engine.
freetype2 - font renderer.
harfbuzz - text shaping engine.
pango - high-level text rendering.
fontconfig - system fonts and rules for using them.
And of course, their recursive dependencies as well, such as glib/gio.
Security considerations for the image-rs crate
Librsvg uses the image-rs crate
for decoding raster images. You may want to look at its dependencies
for specific codecs like the png
or zune-jpeg
crates.
Librsvg explicitly compiles image-rs
with support for only the following formats:
JPEG
PNG
GIF
WEBP
The following formats are optional, and selected at compilation time:
AVIF (compile-time option
avif
)
See the Compile-time options section in Detailed compilation instructions for details.
Security considerations for libxml2
Librsvg uses the following configuration for the SAX2 parser in libxml2:
XML_PARSE_NONET
- forbid network access.XML_PARSE_BIG_LINES
- store big line numbers.
As a special case, librsvg enables replaceEntities
in the
_xmlParserCtxtPtr
struct so that libxml2 will expand references only
to internal entities declared in the DTD subset. External entities are
disabled.
For example, the following document renders two rectangles that are expanded from internal entities:
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1 Basic//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11-basic.dtd" [
<!ENTITY Rect1 "<rect x='15' y='10' width='20' height='30' fill='blue'/>">
<!ENTITY Rect2 "<rect x='10' y='5' width='10' height='20' fill='green'/>">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="60" height="60">
&Rect1;
&Rect2;
</svg>
However, an external entity like
<!ENTITY foo SYSTEM "foo.xml">
will generate an XML parse error and the document will not be loaded.
Security considerations for Cairo
Cairo versions before 1.17.0 are easy to crash if given coordinates that fall outside the range of its 24.8 fixed-point numbers. Please make sure that you use librsvg with Cairo 1.17.0 or newer.
The first version of librsvg to require at least Cairo 1.17.0 is librsvg 2.56.90 (development), or librsvg 2.57.0 (stable).
Security considerations for librsvg
Built-in limits: Librsvg has built-in limits for the following:
Limit on the maximum number of loaded XML elements, set to 1,000,000 (one million). SVG documents with more than this number of elements will fail to load. This is a mitigation for malicious documents that would otherwise consume large amounts of memory, for example by including a huge number of
<g/>
elements with no useful content. This is set in the filersvg/src/limits.rs
in theMAX_LOADED_ELEMENTS
constant.Limit on the maximum number of referenced elements while rendering. The
<use>
element in SVG and others like<pattern>
can reference other elements in the document. Malicious documents can cause an exponential number of references to be resolved, so librsvg places a limit of 500,000 references (half a million) to avoid unbounded consumption of CPU time. This is set in the filersvg/src/limits.rs
in theMAX_REFERENCED_ELEMENTS
constant.Limit on the nesting level for XML Includes (
xi:include
), to avoid infinite recursion from an SVG file that includes itself. This is set in the filersvg/src/limits.rs
in theMAX_XINCLUDE_DEPTH
constant.
Librsvg has no built-in limits on the total amount of memory or CPU time consumed to process a document. Your application may want to place limits on this, especially if it processes untrusted SVG documents.
Processing external files: Librsvg processes references to
external files by itself: XML XInclude, xlink:href
attributes,
etc. Please see the section “Security and locations of referenced
files”
in the reference documentation to see what criteria are used to accept
or reject a file based on its location. If your application has more
stringent requirements, it may need to sandbox its use of librsvg.
SVG features: Librsvg ignores animations, scripts, and events declared in SVG documents. It always handles referenced images, similar to SVG’s static processing mode.