Your message dated Sun, 30 Jul 2023 16:46:00 +0000
with message-id <[email protected]>
and subject line Bug#1041810: fixed in librsvg 2.54.7+dfsg-1
has caused the Debian Bug report #1041810,
regarding librsvg: CVE-2023-38633
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1041810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: librsvg
Version: 2.54.5+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for librsvg.
CVE-2023-38633[0]:
| A directory traversal problem in the URL decoder of librsvg before
| 2.56.3 could be used by local or remote attackers to disclose files
| (on the local filesystem outside of the expected area), as
| demonstrated by href=".?../../../../../../../../../../etc/passwd" in
| an xi:include element.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-38633
https://www.cve.org/CVERecord?id=CVE-2023-38633
[1] https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
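The CVE text above quotes a traversal href of the form `.?../../…/etc/passwd` inside an xi:include element. As an added illustration that is not librsvg's code or its upstream fix, the following hypothetical Python check shows how an application that resolves such hrefs itself can keep them under a base directory, rejecting the query-carried form alongside plain `../` and percent-encoded variants; the base directory `/srv/svg/docs` and the sample hrefs are constructed.

```python
from pathlib import Path
from urllib.parse import unquote, urlsplit

class TraversalError(ValueError):
    """Raised when an include href would leave the allowed base directory."""

def resolve_include_href(base_dir, href):
    """Resolve a relative xi:include href against base_dir (hypothetical
    checker, not librsvg's code). Accepts only scheme-less or file: hrefs
    with no host, query or fragment; the percent-decoded path must stay
    under base_dir once canonicalised."""
    parts = urlsplit(href)
    if parts.scheme not in ("", "file"):
        raise TraversalError(f"remote scheme {parts.scheme!r} not allowed")
    if parts.netloc:
        raise TraversalError("host component not allowed for a local include")
    # A local file has no query or fragment, and the payload quoted in the
    # report carries its '../' run after the '?', where a check on the URL
    # path component alone would see only '.'; reject such hrefs outright.
    if parts.query or parts.fragment:
        raise TraversalError("query/fragment not allowed for a local include")
    rel = unquote(parts.path)  # decode %2e%2e and friends before joining
    if rel.startswith("/"):
        raise TraversalError("absolute path not allowed")
    base = Path(base_dir).resolve()
    target = (base / rel).resolve()  # collapses any remaining '..'
    if target != base and base not in target.parents:
        raise TraversalError(f"{href!r} resolves outside {base}")
    return target

# Constructed sample hrefs; the third is the form quoted in the CVE text.
SAMPLE_HREFS = [
    "icons/arrow.svg",
    "../../../../../../../../../../etc/passwd",
    ".?../../../../../../../../../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "file:///etc/passwd",
    "http://example.invalid/x.svg",
]

def classify(base_dir="/srv/svg/docs", hrefs=SAMPLE_HREFS):
    """Map each href to 'ok' or 'rejected'; base_dir is an assumed path."""
    result = {}
    for href in hrefs:
        try:
            resolve_include_href(base_dir, href)
            result[href] = "ok"
        except TraversalError:
            result[href] = "rejected"
    return result
```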
--- Begin Message ---
Source: librsvg
Source-Version: 2.54.7+dfsg-1
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
librsvg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated librsvg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 30 Jul 2023 15:13:38 +0100
Source: librsvg
Architecture: source
Version: 2.54.7+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1041810
Changes:
librsvg (2.54.7+dfsg-1) unstable; urgency=high
.
* Team upload
* New upstream stable release 2.54.6
- Fix a directory traversal vulnerability
(Closes: #1041810, CVE-2023-38633)
- Drop a redundant test-case that frequently regressed as a result of
non-problematic font rendering changes
* New upstream stable release 2.54.7
- Fix compilation of 2.54.6 on rustc < 1.58
* d/rules: Skip several known-failing reftests on big-endian architectures.
These succeeded when librsvg_2.54.5+dfsg-1 was uploaded in September
2022, but regressed sometime between then and the bookworm release,
presumably as a result of changes in some other package.
(Mitigates: #1038447)
--- End Message ---