
Bug#1051936: marked as done (bookworm-pu: package cairosvg/2.5.2-1.1+deb12u1)



Your message dated Sat, 07 Oct 2023 09:59:42 +0000
with message-id <E1qp462-00A4Gt-84@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1051936,
regarding bookworm-pu: package cairosvg/2.5.2-1.1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1051936: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051936
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cairosvg@packages.debian.org, Joe Burmeister <joe.burmeister@devtank.co.uk>, carnil@debian.org
Control: affects -1 + src:cairosvg

Dear SRM,

[ Reason ]
Triggered by an off-list report from Joe Burmeister, cairosvg suffers
from a regression from the original fix upstream for CVE-2023-27586,
where embedded images using data URIs no longer work without the
unsafe flag. To fix the issue it would only be necessary to disallow
loading of external files, but data URIs would be expected to still
work.

See:
- https://bugs.debian.org/1050643
- https://github.com/Kozea/CairoSVG/issues/383

[ Impact ]
Without using the unsafe flag, it is not possible to embed images
using data URIs.

[ Tests ]
Joe tested the updated package with a (non public) testcase.

[ Risks ]
Syncs up with upstream fixes after the original fix for
CVE-2023-27586.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Allow handling data-URLs in safe mode as well, using an introduced
safe_fetch which fetches the content of a passed url if it's a data
URL and returns an empty SVG otherwise.

[ Other info ]
None

Regards,
Salvatore
diff -Nru cairosvg-2.5.2/debian/changelog cairosvg-2.5.2/debian/changelog
--- cairosvg-2.5.2/debian/changelog	2023-03-21 22:21:22.000000000 +0100
+++ cairosvg-2.5.2/debian/changelog	2023-09-06 21:20:16.000000000 +0200
@@ -1,3 +1,10 @@
+cairosvg (2.5.2-1.1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Handle data-URLs in safe mode (Closes: #1050643)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Wed, 06 Sep 2023 21:20:16 +0200
+
 cairosvg (2.5.2-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
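Review bot: the changelog entry only cites "(Closes: #1050643)"; since the [ Reason ] section describes this as a regression of the fix for CVE-2023-27586, it would help tracking (and the security tracker) to mention that CVE in the entry, e.g. "Handle data-URLs in safe mode, regression from the CVE-2023-27586 fix (Closes: #1050643)".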
diff -Nru cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch
--- cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch	1970-01-01 01:00:00.000000000 +0100
+++ cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch	2023-09-06 21:20:16.000000000 +0200
@@ -0,0 +1,61 @@
+From: Guillaume Ayoub <guillaume@courtbouillon.org>
+Date: Tue, 18 Apr 2023 14:51:13 +0200
+Subject: Handle data-URLs in safe mode.
+Origin: https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d
+Bug: https://github.com/Kozea/CairoSVG/issues/383
+Bug-Debian: https://bugs.debian.org/1050643
+
+Fix #383.
+---
+ cairosvg/parser.py |  5 ++---
+ cairosvg/url.py    | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/cairosvg/parser.py b/cairosvg/parser.py
+index 61275f0a1073..06a65db5c0e2 100644
+--- a/cairosvg/parser.py
++++ b/cairosvg/parser.py
+@@ -14,7 +14,7 @@ from defusedxml import ElementTree
+ from . import css
+ from .features import match_features
+ from .helpers import flatten, pop_rotation, rotations
+-from .url import fetch, parse_url, read_url
++from .url import fetch, parse_url, read_url, safe_fetch
+ 
+ # 'display' is actually inherited but handled differently because some markers
+ # are part of a none-displaying group (see test painting-marker-07-f.svg)
+@@ -393,8 +393,7 @@ class Tree(Node):
+ 
+         # Don’t allow fetching external files unless explicitly asked for
+         if 'url_fetcher' not in kwargs and not unsafe:
+-            self.url_fetcher = (
+-                lambda *args, **kwargs: b'<svg width="1" height="1"></svg>')
++            self.url_fetcher = safe_fetch
+ 
+         self.xml_tree = tree
+         root = cssselect2.ElementWrapper.from_xml_root(tree)
+diff --git a/cairosvg/url.py b/cairosvg/url.py
+index b4a78eaf6645..7b184e6e74d9 100644
+--- a/cairosvg/url.py
++++ b/cairosvg/url.py
+@@ -84,6 +84,17 @@ def fetch(url, resource_type):
+     return urlopen(Request(url, headers=HTTP_HEADERS)).read()
+ 
+ 
++def safe_fetch(url, resource_type):
++    """Fetch the content of ``url`` only if it’s a data-URL.
++
++    Otherwise, return an empty SVG.
++
++    """
++    if url and url.startswith('data:'):
++        return fetch(url, resource_type)
++    return b'<svg width="1" height="1"></svg>'
++
++
+ def parse_url(url, base=None):
+     """Parse an URL.
+ 
+-- 
+2.40.1
+
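Review bot: the scheme test in safe_fetch, `if url and url.startswith('data:')`, is a case-sensitive prefix match, so a URL written as `DATA:...` (the scheme is case-insensitive) falls through to the empty 1x1 SVG rather than being decoded; this fails closed, which is the right direction for safe mode, but note it in the docstring or use `url.lower().startswith('data:')` if that case is meant to be supported. Everything that is not a data URL still receives the same `b'<svg width="1" height="1"></svg>'` placeholder as the replaced lambda, so the external-file restriction from the CVE-2023-27586 fix is preserved. The patch carries no regression test for an SVG embedding a data-URI image in safe mode, which matches the "[ Tests ]" remark about a non-public testcase; a minimal public one would make future updates easier to verify.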
diff -Nru cairosvg-2.5.2/debian/patches/series cairosvg-2.5.2/debian/patches/series
--- cairosvg-2.5.2/debian/patches/series	2023-03-21 22:20:08.000000000 +0100
+++ cairosvg-2.5.2/debian/patches/series	2023-09-06 21:19:48.000000000 +0200
@@ -1,2 +1,3 @@
 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch
 Don-t-allow-fetching-external-files-unless-explicitl.patch
+Handle-data-URLs-in-safe-mode.patch
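Review bot: ordering in series is correct and required: Handle-data-URLs-in-safe-mode.patch replaces the `self.url_fetcher = (lambda ...)` block that Don-t-allow-fetching-external-files-unless-explicitl.patch introduced, so it must stay listed after that patch.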

--- End Message ---
--- Begin Message ---
Version: 12.2

The upload requested in this bug has been released as part of 12.2.

--- End Message ---
