RSVG has recently changed its external entity expansion policy, from allowing access to all local files to only allowing files in the same directory as the input file. This is not sufficiently secure for us as it is, since input files are typically in /tmp and there may be all sorts of private data in /tmp, owned by apache.
However, it would be nice to securely support the new stock RSVG, so that we can stop maintaining our security patch, and so that external users can use RSVG without patching it. So, I propose having SvgHandler create a new temporary directory on transform, and having it copy (or symlink if RSVG's security policy allows) the source files into that directory.
We are planning on migrating to Ubuntu 14.04 soon, which means either porting the security patch or implementing this proposal, hence it is fairly urgent.
Version: unspecified
Severity: normal
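The isolation step proposed above, sketched as an added example in Python (not MediaWiki's SvgHandler code, and not part of the original report): the source file is copied alone into a fresh owner-only directory, so a same-directory policy in the converter has nothing else to reach. The names `isolated_input`, `render` and `visible_siblings`, the fixed file name `input.svg`, and the sample files are assumptions made for illustration.

```python
import os
import shutil
import stat
import subprocess
import tempfile
from contextlib import contextmanager

# Constructed sample input, not taken from the bug report.
SAMPLE_SVG = '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>\n'


@contextmanager
def isolated_input(src_path, tmp_root=None):
    """Yield a copy of src_path that is the only file in a fresh 0700 directory."""
    # mkdtemp picks an unpredictable name and creates the directory owner-only.
    workdir = tempfile.mkdtemp(prefix="svg_", dir=tmp_root)
    try:
        # Fixed destination name: nothing from the upload's name reaches the path.
        dst = os.path.join(workdir, "input.svg")
        shutil.copyfile(src_path, dst)  # contents only, no metadata
        os.chmod(dst, stat.S_IRUSR | stat.S_IWUSR)
        yield dst
    finally:
        # Remove the copy and its directory even if the converter failed.
        shutil.rmtree(workdir, ignore_errors=True)


def render(src_path, out_path, converter=("rsvg-convert",), tmp_root=None):
    """Run the converter on the isolated copy; output goes outside the work dir."""
    with isolated_input(src_path, tmp_root) as svg:
        # Argument list, no shell: paths are never parsed as shell syntax.
        subprocess.run([*converter, "-o", out_path, svg], check=True, timeout=30)


def visible_siblings(shared_dir):
    """Put SAMPLE_SVG beside a private file in shared_dir, then return
    (files beside the original, files beside the isolated copy)."""
    src = os.path.join(shared_dir, "upload.svg")
    with open(src, "w") as fh:
        fh.write(SAMPLE_SVG)
    with open(os.path.join(shared_dir, "private.txt"), "w") as fh:
        fh.write("constructed stand-in for unrelated private data\n")
    with isolated_input(src) as svg:
        return sorted(os.listdir(shared_dir)), sorted(os.listdir(os.path.dirname(svg)))
```

A symlink in place of the copy would only be safe if the converter applies its same-directory check to the link's location rather than to the resolved target, which is the condition the report attaches to that option.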