PatchSiren


CVE-2016-6163 Gnome CVE debrief

CVE-2016-6163 is a denial-of-service vulnerability in librsvg2 2.40.2. NVD describes the flaw as an out-of-bounds read in rsvg_pattern_fix_fallback in rsvg-paint_server.c, reachable through a crafted SVG file. The weakness is classified as CWE-125 (out-of-bounds read), and NVD scores the impact as availability only, with no confidentiality or integrity impact. The affected product entry in the NVD record is gnome:librsvg:2.40.2. Organizations that render or ingest untrusted SVG content with this library should treat the issue as a crash-risk bug and prioritize patching or version replacement in any pipeline that parses user-supplied graphics.

Vendor: Gnome
Product: librsvg (packaged as librsvg2), version 2.40.2
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-03
Original CVE updated: 2026-05-13
Advisory published: 2017-02-03
Advisory updated: 2026-05-13

Who should care

Administrators and developers using GNOME librsvg (packaged as librsvg2) 2.40.2 to parse or render untrusted SVG content, especially in document conversion, thumbnailing, preview, or web upload workflows.

Technical summary

According to the NVD record, rsvg_pattern_fix_fallback in rsvg-paint_server.c can read out of bounds when processing a crafted SVG file, producing a denial-of-service condition. The record maps the weakness to CWE-125 and lists the vulnerable CPE as cpe:2.3:a:gnome:librsvg:2.40.2:*:*:*:*:*:*:*. NVD also assigns a CVSS v3.0 base score of 5.5 (Medium) with vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.

Defensive priority

Medium. NVD scores no confidentiality or integrity impact, so the expected outcome is a crash of the process that parses the file rather than data disclosure or code execution. That still disrupts any service or application that automatically processes SVG input, and a crash in a shared rendering worker can take unrelated jobs down with it.

Recommended defensive actions

  • Inventory systems that use GNOME librsvg (librsvg2) 2.40.2 directly or bundle it indirectly, for example through thumbnailers, document converters, or web upload pipelines.
  • Prioritize upgrading or replacing the vulnerable librsvg2 version in any component that renders untrusted SVG.
  • Restrict or sandbox SVG parsing in upload, preview, conversion, and thumbnailing paths until patched, so that a crash is contained to a single rendering process.
  • Treat unexpected crashes during SVG processing as a potential sign of this issue; retain the triggering inputs and investigate them.
  • Use the linked vendor or issue-tracking references to confirm the fixed build available in your environment, since distributions may backport the fix without changing the upstream version number.
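The POSIX shell script below is an added example that ties the inventory and sandboxing steps above together; it is not code from PatchSiren, NVD, or the librsvg project. It probes the usual package sources for the installed librsvg version, flags an exact match with the 2.40.2 build named in the NVD CPE, and renders an SVG under a wall-clock limit and an address-space cap so that a crash surfaces as a classifiable exit status instead of a hung worker. The package names (librsvg2-2 on Debian/Ubuntu, librsvg2 on RPM systems, pkg-config module librsvg-2.0) and the rsvg-convert command-line tool are assumptions about common packaging, and the 512 MiB cap and 10 second default are illustrative values, not figures from the record.

```shell
#!/bin/sh
# Added example for the CVE-2016-6163 debrief; not code from PatchSiren, NVD
# or the librsvg project. Assumed packaging names: Debian/Ubuntu package
# librsvg2-2, RPM package librsvg2, pkg-config module librsvg-2.0, and the
# rsvg-convert CLI (Debian: librsvg2-bin). Adjust for your distribution.

# The only version named in the NVD CPE (cpe:2.3:a:gnome:librsvg:2.40.2:...).
AFFECTED_VERSION="2.40.2"

# is_affected_version VERSION
# Exit 0 when the upstream part of VERSION is exactly 2.40.2. Distribution
# version strings carry an epoch and a revision ("1:2.40.2-3"), which are
# stripped first. Any other version is reported as "not named in the record",
# not as fixed: distributions backport patches, so confirm via the vendor
# changelog and the Red Hat Bugzilla reference linked from the NVD entry.
is_affected_version() {
    upstream="${1%%-*}"        # drop "-<revision>"
    upstream="${upstream#*:}"  # drop "<epoch>:"
    [ "$upstream" = "$AFFECTED_VERSION" ]
}

# collect_librsvg_versions
# Print "<source> <version>" for each librsvg the local tooling reports.
# Every probe is optional; a missing tool or package is skipped silently.
collect_librsvg_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        v=$(dpkg-query -W -f='${Version}' librsvg2-2 2>/dev/null) && [ -n "$v" ] && echo "dpkg $v"
    fi
    if command -v rpm >/dev/null 2>&1; then
        v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' librsvg2 2>/dev/null) && echo "rpm $v"
    fi
    if command -v pkg-config >/dev/null 2>&1; then
        v=$(pkg-config --modversion librsvg-2.0 2>/dev/null) && echo "pkg-config $v"
    fi
    return 0
}

# scan_host
# Report every detected librsvg build against the NVD record.
scan_host() {
    collect_librsvg_versions | while read -r src ver; do
        if is_affected_version "$ver"; then
            echo "$src $ver: AFFECTED, matches the NVD CPE for CVE-2016-6163"
        else
            echo "$src $ver: not the version named in the record; confirm the fix via the vendor changelog"
        fi
    done
}

# render_sandboxed IN.svg OUT.png [SECONDS]
# Render one file under a wall-clock limit and an address-space cap so that a
# malformed SVG can only crash or stall this subshell. Returns rsvg-convert's
# status, 124 when timeout(1) fired, or 128+signal when the process was killed
# (139 = SIGSEGV on Linux). The 512 MiB cap and 10 s default are illustrative.
render_sandboxed() {
    in_svg="$1"; out_png="$2"; secs="${3:-10}"
    (
        ulimit -v 524288 2>/dev/null || true
        exec timeout "$secs" rsvg-convert -f png -o "$out_png" "$in_svg"
    )
}

# classify_exit_status STATUS
# Turn a render_sandboxed status into a pipeline decision. A crash or timeout
# means the input should be quarantined and kept for investigation, as the
# debrief recommends for unexpected crashes during SVG processing.
classify_exit_status() {
    status="$1"
    if [ "$status" -eq 0 ]; then
        echo "ok"
    elif [ "$status" -eq 124 ]; then
        echo "timeout"
    elif [ "$status" -gt 128 ]; then
        echo "crash:$((status - 128))"
    else
        echo "error:$status"
    fi
}

# Usage:
#   sh check_librsvg.sh --scan
#   status=0; render_sandboxed upload.svg thumb.png || status=$?
#   case "$(classify_exit_status "$status")" in crash:*|timeout) mv upload.svg quarantine/ ;; esac
if [ "${1:-}" = "--scan" ]; then
    scan_host
fi
```

The version check deliberately matches only the exact build the record names; a host reporting 2.40.1 or a patched 2.40.2-5 is neither confirmed vulnerable nor confirmed fixed by this record, which is why the script defers those cases to the vendor changelog. A status of 139 from render_sandboxed is the process dying on SIGSEGV, the signature of the out-of-bounds read described in the technical summary.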

Evidence notes

The vulnerability description, affected version, and weakness classification come from the official NVD record and its referenced sources. NVD lists the flaw as an out-of-bounds read in rsvg_pattern_fix_fallback within rsvg-paint_server.c, names gnome:librsvg:2.40.2 as vulnerable, and maps the weakness to CWE-125. The linked references include two oss-security mailing list advisories and a Red Hat Bugzilla patch reference. Note: the prose description says 'remote attackers,' while the CVSS vector in the NVD record uses AV:L/UI:R; this debrief preserves both source facts without resolving that discrepancy.

Official resources

Published by NVD on 2017-02-03 and last modified on 2026-05-13. No Known Exploited Vulnerabilities (KEV) listing is present in the supplied record.