Your message dated Mon, 28 Aug 2023 19:17:08 +0000
with message-id <[email protected]>
and subject line Bug#1041810: fixed in librsvg 2.54.7+dfsg-1~deb12u1
has caused the Debian Bug report #1041810,
regarding librsvg: CVE-2023-38633
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1041810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: librsvg
Version: 2.54.5+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for librsvg.
CVE-2023-38633[0]:
| A directory traversal problem in the URL decoder of librsvg before
| 2.56.3 could be used by local or remote attackers to disclose files
| (on the local filesystem outside of the expected area), as
| demonstrated by href=".?../../../../../../../../../../etc/passwd" in
| an xi:include element.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-38633
https://www.cve.org/CVERecord?id=CVE-2023-38633
[1] https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
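The traversal quoted in the report above works when the path that is finally opened is not the path the resolver validated. As an added example, written for this page and not taken from librsvg or its upstream fix, the Rust function below resolves an xi:include href against the directory of the document being rendered, normalizes the result lexically (so `.?..` is just an ordinary directory name that the following `..` removes again) and refuses anything that leaves that directory. The base directory and href values are constructed for the demonstration.

```rust
// Added example (not librsvg's code). Assumption, not stated in the report:
// the href is converted to a filesystem path before it is opened, so the
// containment check below runs on that same normalized path.
use std::path::{Component, Path, PathBuf};

/// Lexically normalize `p` without touching the filesystem: `.` is dropped
/// and `..` pops the previous component. Only exactly "." and ".." are
/// special, so a component such as ".?.." is a plain directory name.
fn lexical_normalize(p: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for c in p.components() {
        match c {
            Component::CurDir => {}
            Component::ParentDir => {
                // pop() is a no-op at the root, so "/.." stays "/"
                out.pop();
            }
            other => out.push(other.as_os_str()),
        }
    }
    out
}

/// Resolve `href` relative to `base_dir` and reject any result that does
/// not stay inside `base_dir` after normalization. `starts_with` compares
/// whole components, so "/srv/svg2" is not treated as inside "/srv/svg".
pub fn resolve_include(base_dir: &Path, href: &str) -> Result<PathBuf, String> {
    let base = lexical_normalize(base_dir);
    let joined = lexical_normalize(&base.join(href));
    if joined.starts_with(&base) {
        Ok(joined)
    } else {
        Err(format!("href {:?} resolves to {:?}, outside {:?}", href, joined, base))
    }
}

fn main() {
    // Constructed inputs: one legitimate include and the payload from the report.
    let base = Path::new("/srv/svg");
    for href in ["icons/logo.svg", ".?../../../../../../../../../../etc/passwd"] {
        match resolve_include(base, href) {
            Ok(p) => println!("allow {:?}", p),
            Err(e) => println!("deny  {}", e),
        }
    }
}
```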
--- Begin Message ---
Source: librsvg
Source-Version: 2.54.7+dfsg-1~deb12u1
Done: Simon McVittie <[email protected]>
We believe that the bug you reported is fixed in the latest version of
librsvg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated librsvg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 20 Aug 2023 01:04:16 BST
Source: librsvg
Binary: librsvg2-doc
Architecture: all source
Version: 2.54.7+dfsg-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian GNOME Maintainers
<[email protected]>
Changed-By: Simon McVittie <[email protected]>
Description:
librsvg2-doc - SAX-based renderer library for SVG files (documentation)
Closes: 1041810
Changes:
librsvg (2.54.7+dfsg-1~deb12u1) bookworm-security; urgency=medium
.
* Team upload
* Rebuild for bookworm-security
.
librsvg (2.54.7+dfsg-1) unstable; urgency=high
.
* Team upload
* New upstream stable release 2.54.6
- Fix a directory traversal vulnerability
(Closes: #1041810, CVE-2023-38633)
- Drop a redundant test-case that frequently regressed as a result of
non-problematic font rendering changes
* New upstream stable release 2.54.7
- Fix compilation of 2.54.6 on rustc < 1.58
* d/rules: Skip several known-failing reftests on big-endian architectures.
These succeeded when librsvg_2.54.5+dfsg-1 was uploaded in September
2022, but regressed sometime between then and the bookworm release,
presumably as a result of changes in some other package.
(Mitigates: #1038447)
.
librsvg (2.54.5+dfsg-3) unstable; urgency=medium
.
* Team upload
* d/p/debian/tests-Skip-known-failing-tests-on-i386.patch:
Skip two tests that have started failing on i386 since October 2022
(Mitigates: #1038252)
.
librsvg (2.54.5+dfsg-2) unstable; urgency=medium
.
* Restore the librsvg2-tests build and corresponding autopkgtests
which were set up a while ago but disabled to avoid having the upload
blocked in the Debian NEW queue. Include the svg needed for the tests.
Checksums-Sha256:
Checksums-Sha1:
Files:
--- End Message ---