Bug#1041810: librsvg: CVE-2023-38633

Simon McVittie smcv at debian.org
Sun Jul 30 16:07:50 BST 2023


On Sun, 23 Jul 2023 at 21:13:38 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for librsvg.
> 
> CVE-2023-38633[0]:
> | A directory traversal problem in the URL decoder of librsvg before
> | 2.56.3 could be used by local or remote attackers to disclose files
> | (on the local filesystem outside of the expected area), as
> | demonstrated by href=".?../../../../../../../../../../etc/passwd" in
> | an xi:include element.

I'm testing
<https://salsa.debian.org/gnome-team/librsvg/-/merge_requests/18>
to fix this in unstable. In addition to importing the new upstream
release, we need to work around #1038447, otherwise there will be no
fixed version for s390x and the package will be unable to migrate -
I asked the porting teams for the big-endian architectures to debbisect
this and find out which package triggered #1038447, but it appears this
has not yet happened.

For stable, since librsvg has hardly changed since bookworm, I think
the best route will be a 2.54.7+dfsg-1~deb12u1 rather than backporting
individual changes (because we would have to backport the vast majority
of the delta between bookworm and unstable to fix #1041810 and avoid
FTBFSs anyway). #1038447 affects bookworm on s390x, so if the big-endian
architectures' porting teams cannot help to diagnose it, we will have
to work around it by skipping those tests and accepting that some SVGs
will be mis-rendered on BE architectures. Similarly, #1038252 affects
bookworm on i386, so we will have to work around that by skipping a
couple of tests.

One change that happened between bookworm's 2.54.5+dfsg-1 and trixie's
2.54.5+dfsg-3 is that Sebastien Bacher did the trip through NEW to add a
librsvg2-tests binary package and an autopkgtest that runs it:
<https://salsa.debian.org/gnome-team/librsvg/-/commit/910bc84280648f2e011a359230a83e4be06d41e0>,
<https://salsa.debian.org/gnome-team/librsvg/-/commit/49132e6ff06ecaa6521af956db10143142f78c1f>.
This doesn't affect the contents of existing binary packages, it only
adds a new binary package. Would the security team be OK with including
that change for the sake of better test coverage and minimizing delta,
or do we need to revert it for a bookworm update?

Thanks,
    smcv
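The traversal pattern quoted in the advisory above, as an added example that is not librsvg's code and not part of this thread: an assumed weak resolver that treats the whole href as a filesystem path (so the `?` hides a run of `..` from any check that only looks at the URL path) next to a hardened check that resolves the href as a URL, rejects query strings and non-file schemes, and requires the decoded, normalised path to stay strictly under the SVG's own directory. The base URL and hrefs are constructed sample values.

```python
import posixpath
from urllib.parse import urljoin, urlsplit, unquote

# Constructed sample values: the SVG being rendered and the href pattern
# quoted in the CVE-2023-38633 description (xi:include href="...").
BASE_SVG_URL = "file:///home/user/svg/diagram.svg"
TRAVERSAL_HREF = ".?../../../../../../../../../../etc/passwd"


def naive_resolve(base_dir, href):
    """Assumed weak behaviour for illustration: glue the decoded href onto
    the directory as if it were a plain relative path.  '.?..' is just an
    odd file name here, and every following '..' climbs out of base_dir."""
    return posixpath.normpath(posixpath.join(base_dir, unquote(href)))


def safe_resolve(base_svg_url, href):
    """Resolve href the way a URL resolver does and return a local path
    only if it stays strictly inside the directory of base_svg_url.
    Returns None for anything that must not be opened."""
    target = urlsplit(urljoin(base_svg_url, href))
    # file: only, no host, and no query: a query string has no meaning for
    # a local file and is exactly where the '.?../..' trick hides its path.
    if target.scheme != "file" or target.netloc or target.query:
        return None
    # Decode percent-escapes *before* normalising so '%2e%2e' cannot
    # survive as a literal name and turn into '..' afterwards.
    path = posixpath.normpath(unquote(target.path))
    base_dir = posixpath.dirname(unquote(urlsplit(base_svg_url).path))
    prefix = base_dir.rstrip("/") + "/"
    if not path.startswith(prefix):
        return None
    # On a real filesystem also compare os.path.realpath() results so a
    # symlink inside base_dir cannot point back outside it.
    return path
```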