Subject: [ASA-202101-12] python-cairosvg: denial of service

Arch Linux Security Advisory ASA-202101-12
==========================================

Severity: Low
Date    : 2021-01-12
CVE-ID  : CVE-2021-21236
Package : python-cairosvg
Type    : denial of service
Remote  : No
Link    : https://security.archlinux.org/AVG-1412

Summary
=======

The package python-cairosvg before version 2.5.1-1 is vulnerable to
denial of service.

Resolution
==========

Upgrade to 2.5.1-1.

# pacman -Syu "python-cairosvg>=2.5.1-1"

The problem has been fixed upstream in version 2.5.1.

Workaround
==========

None.

Description
===========

python-cairosvg before version 2.5.1 is vulnerable to regular expression
denial of service (ReDoS). While parsing SVG input, CairoSVG applies two
regular expressions that are subject to catastrophic backtracking. An
attacker who supplies a crafted SVG can make the matching step run for a
very long time, so the process converting the file is stuck burning CPU
instead of finishing. This is fixed in version 2.5.1.

Impact
======

A malicious user could craft an SVG that takes a very long time to
process, resulting in a denial of service for whatever application
converts it with python-cairosvg.

References
==========

https://github.com/Kozea/CairoSVG/security/advisories/GHSA-hq37-853p-g5cf
https://github.com/Kozea/CairoSVG/commit/063185b60588a41d4df661ad70f9f7b699901abc
https://security.archlinux.org/CVE-2021-21236
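The advisory names the bug class but not the expressions. The following is an
added example, not CairoSVG's code and not the two patterns fixed in 2.5.1: it
shows the pattern shape that produces catastrophic backtracking (a quantifier
nested inside another quantifier), a small static check built on the standard
library's regex parser that flags that shape in a pattern before it is shipped,
and an input-length cap that bounds the work a match can do regardless of the
pattern. The sample patterns, the cap of 256 and the helper names are
assumptions chosen for the illustration.

```python
"""Added example (not CairoSVG's own code): detect nested quantifiers and
bound regex work on untrusted input. Sample patterns are constructed."""
import re
import time

try:  # Python 3.11+ moved the regex internals under re._parser/_constants
    from re import _parser as sre_parse
    from re import _constants as sre_constants
except ImportError:  # older interpreters expose them as top-level modules
    import sre_parse
    import sre_constants

# Constructed patterns: the first is the classic (a+)+ shape, the second is
# the equivalent expression written without the nested quantifier.
VULNERABLE_PATTERN = r'(a+)+$'
HARDENED_PATTERN = r'a+$'

# Assumed cap on how much text a single regex may be run against.
MAX_TOKEN_LEN = 256


def _walk(subpattern, inside_repeat, findings):
    """Recurse through the parsed pattern tree; record every repeat that can
    match more than once and sits inside another such repeat."""
    for op, av in subpattern:
        if op in (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT):
            lo, hi, body = av
            multi = hi > 1  # MAXREPEAT (unbounded) is a large int, so > 1
            if inside_repeat and multi:
                findings.append(repr(body))
            _walk(body, inside_repeat or multi, findings)
        elif op == sre_constants.SUBPATTERN:
            _walk(av[-1], inside_repeat, findings)  # (...) or (?:...) group
        elif op == sre_constants.BRANCH:
            for alternative in av[1]:
                _walk(alternative, inside_repeat, findings)
        elif op in (sre_constants.ASSERT, sre_constants.ASSERT_NOT):
            _walk(av[1], inside_repeat, findings)  # lookahead/lookbehind body


def nested_quantifiers(pattern):
    """Return the sub-expressions quantified inside another quantifier.

    An empty list means this heuristic found nothing. It does not catch every
    ReDoS shape (overlapping alternation such as (a|a)* is not reported), so
    treat it as a linter, not a proof of safety."""
    findings = []
    _walk(sre_parse.parse(pattern), False, findings)
    return findings


def bounded_match(pattern, text, max_len=MAX_TOKEN_LEN):
    """Run pattern against text only if text is within the length cap.

    Backtracking cost grows with input length, so refusing over-long input
    bounds the worst case even when the pattern itself is flawed."""
    if len(text) > max_len:
        raise ValueError(f'input of {len(text)} chars exceeds cap {max_len}')
    return re.match(pattern, text) is not None


def backtracking_seconds(pattern, n):
    """Time pattern against a non-matching input of n 'a's followed by '!'.

    On a catastrophic pattern each extra character roughly doubles the time;
    on the hardened form it stays flat. Only for manual inspection."""
    text = 'a' * n + '!'
    start = time.perf_counter()
    re.match(pattern, text)
    return time.perf_counter() - start


if __name__ == '__main__':
    for pat in (VULNERABLE_PATTERN, HARDENED_PATTERN):
        print(pat, 'nested quantifiers:', nested_quantifiers(pat))
    for n in (12, 16, 20):  # keep n small; the vulnerable case is exponential
        print(n, 'vulnerable: %.4fs' % backtracking_seconds(VULNERABLE_PATTERN, n),
              'hardened: %.6fs' % backtracking_seconds(HARDENED_PATTERN, n))
```

Run the linter over every pattern a parser applies to attacker-controlled
input (SVG attribute values, CSS colour strings, path data) and pair it with a
length cap such as bounded_match: the cap is what protects you when the
heuristic misses a shape.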