| Summary: | librsvg new security issue CVE-2023-38633 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8TOO MGA8-64-OK MGA9-64-OK | | |
| Source RPM: | librsvg-2.56.0-1.mga9.src.rpm | CVE: | |
| Status comment: | | | |
|
Description

Nicolas Salguero 2023-08-30 16:46:20 CEST

"A directory traversal problem in the URL decoder of librsvg before 2.56.3..."

From the references, it looks as if the problem is fixed in v2.56.3.

This pkg has no one maintainer, so assigning this update globally.

Nicolas Salguero 2023-08-30 16:46:59 CEST

CC: (none) => nicolas.salguero
Assignee: bugsquad => pkg-bugs

Suggested advisory:
========================

The updated packages fix a security vulnerability:

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. (CVE-2023-38633)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38633
https://www.openwall.com/lists/oss-security/2023/07/27/1
https://bugzilla.suse.com/show_bug.cgi?id=1213502
https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
https://security-tracker.debian.org/tracker/CVE-2023-38633
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)rsvg2_2-2.50.3-1.2.mga8
lib(64)rsvg2-devel-2.50.3-1.2.mga8
lib(64)rsvg-gir2.0-2.50.3-1.2.mga8
librsvg-2.50.3-1.2.mga8

from SRPM:
librsvg-2.50.3-1.2.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
lib(64)rsvg2_2-2.56.0-1.1.mga9
lib(64)rsvg2-devel-2.56.0-1.1.mga9
lib(64)rsvg-gir2.0-2.56.0-1.1.mga9
librsvg-2.56.0-1.1.mga9

from SRPM:
librsvg-2.56.0-1.1.mga9.src.rpm

Status comment: Fixed in 2.56.3 => (none)

MGA8-64 Xfce on Acer Aspire 5253
No installation issues
Ref bug 29055 Comment 8 for some tests
Installed tuxpaint and pix, made a small drawing with tuxpaint, saved it and closed. Reopened the png file with tuxpaint, OK. Opened the png with pix, also OK.
Good enough for me.

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Mageia9, x64
Checked the PoC before updating. Copied the text shown for CVE-2023-38633 into poc.svg:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
  <rect width="300" height="300" style="fill:rgb(255,255,255);" />
  <text x="10" y="100">
    <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8">
      <xi:fallback>file not found</xi:fallback>
    </xi:include>
  </text>
</svg>
```

$ eom poc.svg
displayed a 300x300 square with the string "file not found", nothing else. Does that indicate that the libraries have been fixed already or is that test invalid?

Ran a few tests before updating without problems. rsvg-view-3 seems to have disappeared.

Repeated tests after updating and added these:

$ rsvg-convert -f pdf -w 607 -h 512 -b 'OliveDrab' sample2.svg -o sample3.pdf
Image of a crown against an olive background.

$ rsvg-convert -f png -b '#ebafdc' sample2.svg -o sample8.png
Copied the crown in the SVG file but filled in the background with pink - dimensions unchanged.

No regressions AFAIKS.

CC: (none) => tarazed25

Validating. Advisory in comment 2.

Keywords: (none) => validated_update

Dave Hodgins 2023-09-11 02:35:27 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0259.html

Status: ASSIGNED => RESOLVED
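For anyone who has to accept SVGs from untrusted sources before the fixed librsvg is rolled out, here is an added example (not code from Mageia or librsvg) of a pre-screening check for the pattern in the PoC above: it parses every xi:include href and flags a `..` traversal whether it sits in the path or, as in the PoC, in the query string. The sample SVG is constructed, and `caption.txt` is a hypothetical benign include.

```python
# Added example (not Mageia's or librsvg's code): pre-screen an untrusted SVG for
# xi:include hrefs that reach outside the document directory before rendering it.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

XI_NS = "{http://www.w3.org/2001/XInclude}"

def suspicious_components(href: str) -> list[str]:
    """Name the URL components of an XInclude href that carry a '..' segment or an
    absolute path. The PoC puts the traversal in the query ('.?../../etc/passwd'),
    so a check that only looks at the path component would pass it."""
    parts = urlsplit(href)
    if parts.scheme not in ("", "file"):
        return ["scheme"]  # http: etc. would pull remote content into the image
    flagged = []
    for name, value in (("path", parts.path), ("query", parts.query),
                        ("fragment", parts.fragment)):
        segments = unquote(value).replace("\\", "/").split("/")
        if ".." in segments or (name == "path" and value.startswith("/")):
            flagged.append(name)
    return flagged

def scan_svg(svg_text: str) -> list[tuple[str, list[str]]]:
    """Return (href, flagged components) for each unsafe xi:include. ElementTree
    does not expand XInclude itself, so parsing the file here is side-effect free."""
    root = ET.fromstring(svg_text.encode("utf-8"))
    findings = []
    for el in root.iter(XI_NS + "include"):
        href = el.get("href", "")
        flagged = suspicious_components(href)
        if flagged:
            findings.append((href, flagged))
    return findings

# Constructed sample: the PoC's include plus a benign (hypothetical) sibling include.
SAMPLE_SVG = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
  <text x="10" y="100">
    <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8">
      <xi:fallback>file not found</xi:fallback>
    </xi:include>
    <xi:include href="caption.txt" parse="text"/>
  </text>
</svg>"""

if __name__ == "__main__":
    for href, flagged in scan_svg(SAMPLE_SVG):
        print(f"refuse to render: xi:include href={href!r} traverses via {flagged}")
```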