Debian Security Advisory

DLA-477-1 librsvg -- LTS security update

Date Reported: 17 May 2016
Affected Packages: librsvg
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2015-7558, CVE-2016-4347, CVE-2016-4348.
More information:

(Note: CVE-2016-4347 is a duplicate of CVE-2015-7558.)

Gustavo Grieco found two denial-of-service issues in librsvg 2.40.2 when parsing SVGs with circular definitions; both produce stack exhaustion.

The version in wheezy (2.36.1-2+deb7u1) is also vulnerable.

For Debian 7 Wheezy, these problems have been fixed in version 2.36.1-2+deb7u2.

We recommend that you upgrade your librsvg packages.