Your message dated Fri, 01 Sep 2023 17:32:23 +0000
with message-id <[email protected]>
and subject line Bug#1041810: fixed in librsvg 2.50.3+dfsg-1+deb11u1
has caused the Debian Bug report #1041810,
regarding librsvg: CVE-2023-38633
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1041810: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041810
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: librsvg
Version: 2.54.5+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for librsvg.

CVE-2023-38633[0]:
| A directory traversal problem in the URL decoder of librsvg before
| 2.56.3 could be used by local or remote attackers to disclose files
| (on the local filesystem outside of the expected area), as
| demonstrated by href=".?../../../../../../../../../../etc/passwd" in
| an xi:include element.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38633
    https://www.cve.org/CVERecord?id=CVE-2023-38633
[1] https://gitlab.gnome.org/GNOME/librsvg/-/issues/996

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
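As an added illustration (not part of the bug report above, and not librsvg's own code), the check below shows the defensive property that an href from an xi:include element has to satisfy before a renderer opens the referenced file: resolved against the document's directory, the target must still lie inside that directory. It treats the whole attribute value as a filesystem path rather than discarding whatever follows a "?", so the href quoted in the CVE text, whose URL path component is only ".", is rejected like any other traversal. The function name, the containment policy (only files in or below the document's own directory) and the sample hrefs are assumptions made for the example; it also generalises slightly by percent-decoding the value first, so an encoded "../" is checked in its decoded form.

```python
import os
from urllib.parse import unquote

# Added example (not librsvg's code). Policy assumed for illustration: an SVG
# may only include files that live in or below its own directory.


def resolve_local_href(doc_dir: str, href: str):
    """Resolve an xi:include href against the document's directory and
    enforce containment.

    Returns the path relative to `doc_dir` when the target stays inside it,
    or None when it escapes. The entire attribute value is treated as a
    filesystem path: a local file reference has no query string, so the part
    after a '?' is NOT split off before the check. That is what matters for
    the CVE-2023-38633 example ".?../../../../../../../../../../etc/passwd",
    whose URL path component is just "." while the real target is elsewhere.
    """
    base = os.path.realpath(doc_dir)
    # Percent-decode once so "%2e%2e/" is checked as "../", then canonicalise
    # ("." and ".." segments collapsed, symlinks resolved where they exist).
    target = os.path.realpath(os.path.join(base, unquote(href)))
    # Containment: the canonical target is the base itself or lies below it.
    if target == base or target.startswith(base + os.sep):
        return os.path.relpath(target, base)
    return None


def classify_hrefs(doc_dir: str, hrefs):
    """Map each href to its accepted relative path, or None when rejected."""
    return {h: resolve_local_href(doc_dir, h) for h in hrefs}


if __name__ == "__main__":
    # Constructed sample inputs, including the href quoted in the CVE text.
    samples = [
        "icons/logo.svg",
        "./shapes.svg",
        ".?../../../../../../../../../../etc/passwd",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "/etc/passwd",
    ]
    for href, result in classify_hrefs("/srv/svg-docs", samples).items():
        print(f"{'ALLOW' if result else 'DENY '} {href!r} -> {result!r}")
```

The important design point is that the containment decision is made on the same canonical filesystem path that would subsequently be opened, not on an intermediate URL representation; any gap between the string that is checked and the string that is used is where a traversal slips through.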
--- Begin Message ---
Source: librsvg
Source-Version: 2.50.3+dfsg-1+deb11u1
Done: Simon McVittie <[email protected]>

We believe that the bug you reported is fixed in the latest version of
librsvg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <[email protected]> (supplier of updated librsvg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 19 Aug 2023 23:25:46 BST
Source: librsvg
Architecture: source
Version: 2.50.3+dfsg-1+deb11u1
Distribution: bullseye-security
Urgency: high
Maintainer: Debian GNOME Maintainers <[email protected]>
Changed-By: Simon McVittie <[email protected]>
Closes: 1041810
Changes:
 librsvg (2.50.3+dfsg-1+deb11u1) bullseye-security; urgency=high
 .
   * Team upload
   * d/gbp.conf: Branch for bullseye
   * d/p/996-Fix-arbitrary-file-read-when-href-has-special-charact.patch:
     Add patch from upstream 2.50.8 to fix a directory traversal
     vulnerability (Closes: #1041810, CVE-2023-38633)
   * d/p/Fix-compilation-on-rustc-1.40.0.patch:
     Add patch from upstream 2.50.9 to fix a build regression in the fix
     for #1041810
   * d/p/tests-Fix-build-with-older-Autotools.patch:
     Fix another build regression in the fix for #1041810
Checksums-Sha256:
 e53781567bc5b1bbc83c4c212e88315a4eb659790431e24c979269acd7c0b0b2 3033 librsvg_2.50.3+dfsg-1+deb11u1.dsc
 959b744c95516d8aa90034c3f48fb8c519440e8633649f71fdb0e39306824667 33936 librsvg_2.50.3+dfsg-1+deb11u1.debian.tar.xz
 b2fc5196e8d7ed4ae85bc7667133bf71129af291d5ae4af42746effa09731282 11627 librsvg_2.50.3+dfsg-1+deb11u1_source.buildinfo
 6aa4e614292de77c6b5fa1fd05d6c5d658d4bb9857f678b7b57d0865d5e50116 16290880 librsvg_2.50.3+dfsg.orig.tar.xz
Checksums-Sha1:
 0080c49c026d4bdf7d7d987ed28d6a8d85971941 3033 librsvg_2.50.3+dfsg-1+deb11u1.dsc
 6db6e6054454d500077d61d992d9b0edcd31c8c1 33936 librsvg_2.50.3+dfsg-1+deb11u1.debian.tar.xz
 b54edacb04b5ce83dd4d96090514648f935a6d20 11627 librsvg_2.50.3+dfsg-1+deb11u1_source.buildinfo
 a5daf615ef09be4aeedc312cbb0e44f8c680da37 16290880 librsvg_2.50.3+dfsg.orig.tar.xz
Files:
 111a82280e7c3f2be7046d516400eee1 3033 libs optional librsvg_2.50.3+dfsg-1+deb11u1.dsc
 6c31383fbb38a409ec5bda4638006062 33936 libs optional librsvg_2.50.3+dfsg-1+deb11u1.debian.tar.xz
 c3ea8345c627b45e8a3ad1c016b533d8 11627 libs optional librsvg_2.50.3+dfsg-1+deb11u1_source.buildinfo
 55172cde181acf4dcc0595cd296bc58f 16290880 libs optional librsvg_2.50.3+dfsg.orig.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAmThQaQACgkQ4FrhR4+B
TE/HWw/9Fy3lmNCv+qZrQ9kOMSfJK0VJ/jzTf/WSJD+kDdHrp4HaTmQ9G3vJ+jLI
mgE1jPPvDwgHrSWkjlb1HBWzRG9qu+LP/XL9bB7LpRRLdu/nsJVgQ/jn6PCgwcgJ
djqLaGwrqzsyxkUHCZoCHj9ymYfktz2XIBLwWktpYMqfIhcFiHfNqxEX90p2LFzc
S0Vu1WPncrlVv2iijyYilR0Kw/3ppyoS8LTPjRwRFdoVuVzEBExmA+75bGDZdWy3
W6ga2JTE1l44Vvqwiu9F8Gt+tVjSl5ffqiJh/rDq3Gxs8RSDNPnvWT4u+muc4+yB
zrbHk+7/ZkwUarTzFxJ8O5z0s8i4PaBZgG6jT4VCygRsH0fpBwhx1BY5LJuDSBaD
TsD6MYLQRsrfhYuQVA9nfklAVIvEUXJZXw09zcwFGF0k/gZfYrgQavcszej/Vn9E
Fvou/sNdLkrq8mjrYknsfH3CaAMZ2R/r6NTWutY9NVLl/iXFph0zC8T1ZH60R2+E
MSyrclOQ24kcQ3iZUtXhjMAfK/kcokUElgYQaXcySM4I7kNgpbXKdWWcxa7WIgNT
JR15L7ZfGHubsFE3G8VQzG58ETfbgSM4N1zD3GXg8rpYPBL2prM0q/Txbp1Fzscy
oRHNvaarfBglfrJt141hSaJuuPI415nVoevqbPkJpZGQ5Y30nl0=
=tTOB
-----END PGP SIGNATURE-----

--- End Message ---
