XXE vulnerability during rasterization of SVG images

would simply disabling the DTD dereferencing be good enough of a fix?

Yes.

In libxml2 (which is the XML parser used by Inkscape), the xmlParserOption should used :
http://xmlsoft.org/html/libxml-parser.html

http://wiki.laptop.org/go/Making_Sugar_icons has a "normal" usage of this feature

possible fix:
src/xml/repr-io.cpp line 297:
                                /*XML_PARSE_NOENT |*/ XML_PARSE_HUGE);

This disables reading of a file on Windows (quick test), but it still allows
  <!ENTITY stroke_color "#666666">
so that's nice.

Also, read: https://issues.apache.org/bugzilla/show_bug.cgi?id=53603

note that FileImportFromOCALDialog::searchTagEntryChangedCallback is the other place where xml is read and parsed.

here a file that tries to construct an URL from a local file. (so it could potentially send the contents of that file to a webserver, similar to "http://www.google.com/search?q=1234567890")

it also shows nice usage with color substitution, that still works when calling xmlReadIO with options
  /*XML_PARSE_NOENT |*/ XML_PARSE_NONET | XML_PARSE_HUGE
(so *without* the XML_PARSE_NOENT option

right now, I feel we should disable this functionality per default, and perhaps provide an option/preference to enable local file access and web access.

@johanengelen: "here a file that tries to construct an URL from a local file"

This behavior is forbidden by the XML spec. You can't use an entity inside the URL of an external entity.

ok perfect, good to know.

regardless of the validity of the thread: i am not so happy with inkscape accessing internet because an SVG requests it. I think that should be optional, possibly on a per file or per access basis.

If anyone knows, please comment on what is wrong with the fix proposed in #6

The best way to configure the parser (but this would need some functional testing) would imho be:
- without XML_PARSE_NOENT ("Substitute entities")
- without XML_PARSE_XINCLUDE ("Implement XInclude substitution")
- without XML_PARSE_DTDLOAD ("load the external subset")
- with XML_PARSE_NONET ("Forbid network access")

For your information, here's the patch that XML::Atom applied regarding CVE-2012-1102:
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libxml-atom-perl.git;a=commitdiff;h=4f68e738c6f298e2bda0bad456fc97a3122c0a17

fixed in r11931. removed the _NOENT option, and made network access optional through preferences.xml (/options/externalresources/xml/allow_net_access)

backported to 0.48.x, r9932

Please note CVE-2012-1102 has already been assigned to a similar XXE issue in Perl-Atom, as per:
http://seclists.org/oss-sec/2012/q1/549

This flaw needs to be a assigned a different CVE.

Details at:
http://www.openwall.com/lists/oss-security/2012/12/19/2

Adding patch for backporting to Linux distros

Follow-up report:
- Bug #1093433 “XML Entities used for namespace declarations prevent file loading in trunk and 0.48.4”
  <https://bugs.launchpad.net/inkscape/+bug/1093433>