
Cloud Vulnerability DB
A community-led vulnerabilities database
In xml.rs in GNOME librsvg before version 2.46.2, a vulnerability was discovered that could cause denial of service when processing crafted SVG files. The vulnerability, identified as CVE-2019-20446, was disclosed on February 2, 2020, and affects the librsvg library's handling of nested patterns (NVD, MITRE).
The vulnerability occurs when processing SVG files containing nested pattern elements. The issue arises when an attacker constructs pattern elements in a way that causes the number of final rendered objects to grow exponentially, leading to resource exhaustion. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NetApp Advisory).
When successfully exploited, this vulnerability can lead to a denial of service condition. The attack causes the library to consume excessive resources when processing specially crafted SVG files, potentially causing the application to crash or become unresponsive (Ubuntu Security, NetApp Advisory).
The vulnerability was fixed in librsvg version 2.46.2. The fix includes implementing limits on the number of loaded XML elements and the number of referenced elements within an SVG document (OpenSUSE Security). Users should upgrade to the fixed version through their distribution's package management system.
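The growth described above can be estimated before a file ever reaches a renderer. The following Python sketch is an added example, not librsvg's code or its fix: it parses an SVG, follows `url(#id)` paint references and `href` links, and rejects documents whose element count, expanded object count, or reference structure goes over a limit. The function name, the limit values and the sample document are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
URL_REF = re.compile(r"url\(\s*['\"]?#([^'\")\s]+)")
# Constructed, benign sample: pattern p1 paints two rects with pattern p2.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg">
<pattern id="p2"><rect/></pattern>
<pattern id="p1"><rect fill="url(#p2)"/><rect fill="url(#p2)"/></pattern>
<rect fill="url(#p1)"/>
</svg>"""

class LimitExceeded(Exception):
    """The document went over one of the screening limits."""

def expanded_size(svg_text, max_elements=100_000, max_expanded=100_000):
    """Count objects visited once references are followed. Limits are assumed values."""
    root = ET.fromstring(svg_text)
    elements = list(root.iter())
    if len(elements) > max_elements:
        raise LimitExceeded("too many XML elements")
    by_id = {el.get("id"): el for el in elements if el.get("id")}
    memo, active = {}, set()

    def targets(el):
        # Paint servers (fill/stroke/style "url(#id)") and href="#id" links.
        paints = " ".join(el.get(a, "") for a in ("fill", "stroke", "style"))
        href = el.get("href") or el.get(XLINK_HREF) or ""
        return URL_REF.findall(paints) + ([href[1:]] if href.startswith("#") else [])

    def cost(el):
        key = id(el)
        if key in memo:
            return memo[key]
        if key in active:
            raise LimitExceeded("reference cycle")
        active.add(key)
        total = 1 + sum(cost(child) for child in el)
        total += sum(cost(by_id[t]) for t in targets(el) if t in by_id)
        active.discard(key)
        if total > max_expanded:
            raise LimitExceeded("expanded size over budget")
        memo[key] = total
        return total

    try:
        return cost(root)
    except RecursionError:
        raise LimitExceeded("nesting too deep") from None
```

Because each element's expanded size is memoised, the check runs in time proportional to the document's elements and references, even when the expanded count itself would be exponential in the nesting depth.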
Source: This report was generated using AI