FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CairoSVG -- Regular Expression Denial of Service vulnerability

Affected packages
2.0.0 <= py36-cairosvg < 2.5.1
2.0.0 <= py37-cairosvg < 2.5.1
2.0.0 <= py38-cairosvg < 2.5.1
2.0.0 <= py39-cairosvg < 2.5.1

Details

VuXML ID a3cef1e6-51d8-11eb-9b8d-08002728f74c
Discovery 2020-12-30
Entry 2021-01-10

CairoSVG security advisories:

When processing SVG files, the Python package CairoSVG uses two regular expressions which are vulnerable to Regular Expression Denial of Service (ReDoS).

If an attacker provides a malicious SVG, it can make cairosvg get stuck processing the file for a very long time.
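The affected-package ranges above use VuXML's "lower-bound operator package operator upper-bound" notation. The following added example (not FreeBSD's or CairoSVG's own code) parses those four lines as printed on this page and reports whether a given installed package version falls inside the vulnerable range, so the fix version 2.5.1 is correctly treated as not affected. The range text and the sample versions are constructed inputs for the check.

```python
import re
from typing import List, Tuple

# Affected-package lines copied from this VuXML entry (constructed input for the check).
AFFECTED_LINES = """
2.0.0 <= py36-cairosvg < 2.5.1
2.0.0 <= py37-cairosvg < 2.5.1
2.0.0 <= py38-cairosvg < 2.5.1
2.0.0 <= py39-cairosvg < 2.5.1
"""

# One VuXML range line: "<lower> <op> <package> <op> <upper>", operators are "<" or "<=".
RANGE_RE = re.compile(
    r"^(?P<lo>\S+)\s+(?P<lo_op><=|<)\s+(?P<pkg>\S+)\s+(?P<hi_op><=|<)\s+(?P<hi>\S+)$"
)

Version = Tuple[int, ...]
Range = Tuple[str, Version, str, Version, str]  # (pkg, lo, lo_op, hi, hi_op)


def parse_version(text: str) -> Version:
    """Turn a dotted version such as "2.5.1" into a comparable tuple (2, 5, 1)."""
    return tuple(int(part) for part in text.split("."))


def parse_ranges(text: str) -> List[Range]:
    """Parse every non-empty VuXML range line; reject anything that does not match."""
    ranges: List[Range] = []
    for line in text.strip().splitlines():
        m = RANGE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised range line: {line!r}")
        ranges.append((m["pkg"], parse_version(m["lo"]), m["lo_op"],
                       parse_version(m["hi"]), m["hi_op"]))
    return ranges


def is_affected(pkg: str, version: str, ranges: List[Range]) -> bool:
    """True if the installed (pkg, version) lies inside any listed range for that package."""
    v = parse_version(version)
    for name, lo, lo_op, hi, hi_op in ranges:
        if name != pkg:
            continue
        lower_ok = lo <= v if lo_op == "<=" else lo < v
        upper_ok = v < hi if hi_op == "<" else v <= hi
        if lower_ok and upper_ok:
            return True
    return False


RANGES = parse_ranges(AFFECTED_LINES)

if __name__ == "__main__":
    for pkg, ver in [("py38-cairosvg", "2.4.2"), ("py38-cairosvg", "2.5.1")]:
        print(pkg, ver, "affected" if is_affected(pkg, ver, RANGES) else "not affected")
```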

References

URL https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf