Impact
A specially crafted SVG input can cause libvips versions between 8.12.0 and 8.14.3 (inclusive) to segfault when attempting to parse a malformed UTF-8 character.
Patches
Users of libvips compiled with support for SVG should upgrade to at least version 8.14.4 when processing untrusted input.
Workarounds
libvips versions between 8.12.0 and 8.14.3 can be patched with https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b.patch
Alternatively libvips can be compiled without SVG support using either the -Drsvg=disabled (Meson) or --without-rsvg (Autotools) flags.
References
Credit
Thank you to Christopher Krah of Code Intelligence GmbH for the responsible disclosure.
Impact
A specially crafted SVG input can cause libvips versions between 8.12.0 and 8.14.3 (inclusive) to segfault when attempting to parse a malformed UTF-8 character.
Patches
Users of libvips compiled with support for SVG should upgrade to at least version 8.14.4 when processing untrusted input.
Workarounds
libvips versions between 8.12.0 and 8.14.3 can be patched with https://github.com/libvips/libvips/commit/e091d65835966ef56d53a4105a7362cafdb1582b.patch
Alternatively libvips can be compiled without SVG support using either the
-Drsvg=disabled(Meson) or--without-rsvg(Autotools) flags.References
Credit
Thank you to Christopher Krah of Code Intelligence GmbH for the responsible disclosure.