See:
https://www.openwall.com/lists/oss-security/2023/07/27/1
https://bugzilla.suse.com/show_bug.cgi?id=1213502
https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
https://security-tracker.debian.org/tracker/CVE-2023-38633
CC: (none) => nicolas.salguero
Source RPM: (none) => librsvg-2.56.0-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO, MGA8TOO
"A directory traversal problem in the URL decoder of librsvg before 2.56.3..."

From the references, it looks as if the problem is fixed in v2.56.3.

This package has no single maintainer, so assigning this update globally.
Assignee: bugsquad => pkg-bugs
Status comment: (none) => Fixed in 2.56.3
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. (CVE-2023-38633)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38633
https://www.openwall.com/lists/oss-security/2023/07/27/1
https://bugzilla.suse.com/show_bug.cgi?id=1213502
https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
https://security-tracker.debian.org/tracker/CVE-2023-38633
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)rsvg2_2-2.50.3-1.2.mga8
lib(64)rsvg2-devel-2.50.3-1.2.mga8
lib(64)rsvg-gir2.0-2.50.3-1.2.mga8
librsvg-2.50.3-1.2.mga8

from SRPM:
librsvg-2.50.3-1.2.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
lib(64)rsvg2_2-2.56.0-1.1.mga9
lib(64)rsvg2-devel-2.56.0-1.1.mga9
lib(64)rsvg-gir2.0-2.56.0-1.1.mga9
librsvg-2.56.0-1.1.mga9

from SRPM:
librsvg-2.56.0-1.1.mga9.src.rpm
Status comment: Fixed in 2.56.3 => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO
Version: Cauldron => 9
Status: NEW => ASSIGNED
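The advisory above describes the bug class, not the mechanism: a base-directory check that sees only the *path* part of a resolved URL, while the `.?../../etc/passwd` href keeps its traversal in the query string. The following is an added illustration written for this thread; it is Python on the standard library, not librsvg's own Rust resolver, and it models that class of mistake beside a hardened check rather than reproducing librsvg's exact code path. The document URL (`file:///srv/svg/poc.svg`) and the hrefs are constructed for the example; `ATTACK_HREF` is the href form quoted in the advisory.

```python
# Added illustration of the CVE-2023-38633 bug class (Python, not librsvg code):
# a path-only base-directory check next to a hardened resolver.
import os
from urllib.parse import urljoin, urlsplit, unquote

# Constructed document location: the SVG being rendered.
DOC_URL = "file:///srv/svg/poc.svg"
# The href form quoted in the advisory for CVE-2023-38633.
ATTACK_HREF = ".?../../../../../../../../../../etc/passwd"


def file_url_to_path(url):
    """Percent-decoded path component of a file: URL (POSIX only)."""
    parts = urlsplit(url)
    if parts.scheme != "file":
        raise ValueError("not a file: URL: %r" % url)
    return unquote(parts.path)


def is_under(path, directory):
    """True if the canonicalized path lies inside the canonicalized directory."""
    real_path = os.path.realpath(path)
    real_dir = os.path.realpath(directory)
    return real_path == real_dir or real_path.startswith(real_dir.rstrip(os.sep) + os.sep)


def resolve_naive(doc_url, href):
    """Path-only check.  For '.?../../etc/passwd' the parsed path is just '.'
    (the traversal sits in the query string), so the directory check passes
    and the caller gets back the whole resolved URL, query string included."""
    resolved = urljoin(doc_url, href)
    if urlsplit(resolved).scheme != "file":
        return None
    base_dir = os.path.dirname(file_url_to_path(doc_url))
    if not is_under(file_url_to_path(resolved), base_dir):
        return None
    return resolved


def resolve_hardened(doc_url, href):
    """Refuse URL components a file loader has no business interpreting,
    decode before canonicalizing, and return a plain filesystem path so
    nothing downstream re-parses a URL."""
    resolved = urljoin(doc_url, href)
    parts = urlsplit(resolved)
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        return None
    if parts.query:                     # '.?../..' is rejected here
        return None
    base_dir = os.path.dirname(file_url_to_path(doc_url))
    target = unquote(parts.path)        # decode first, then canonicalize
    if not is_under(target, base_dir):  # catches '../' and '%2e%2e/' alike
        return None
    return os.path.normpath(target)


if __name__ == "__main__":
    for href in (ATTACK_HREF, "icons/crown.svg", "../../../../etc/passwd",
                 "%2e%2e/%2e%2e/etc/passwd"):
        print("%-45s naive=%r hardened=%r" % (
            href, resolve_naive(DOC_URL, href), resolve_hardened(DOC_URL, href)))
```

Both resolvers reject a plain `../../../../etc/passwd` and a percent-encoded `%2e%2e/` variant, which is why a test with only those inputs would look fine; only the query-string form separates them. The hardened version returns a filesystem path rather than a URL, so a later loader cannot reinterpret leftover URL syntax.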
MGA8-64 Xfce on Acer Aspire 5253

No installation issues.
Ref bug 29055 Comment 8 for some tests.
Installed tuxpaint and pix, made a small drawing with tuxpaint, saved it and closed. Reopened the png file with tuxpaint, OK. Opened the png with pix, also OK.
Good enough for me.
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK
CC: (none) => herman.viaene
Mageia9, x64

Checked the PoC before updating. Copied the text shown for CVE-2023-38633 into poc.svg:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
  <rect width="300" height="300" style="fill:rgb(255,255,255);" />
  <text x="10" y="100">
    <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8">
      <xi:fallback>file not found</xi:fallback>
    </xi:include>
  </text>
</svg>

$ eom poc.svg

displayed a 300x300 square with the string "file not found", nothing else. Does that indicate that the libraries have been fixed already or is that test invalid?

Ran a few tests before updating without problems. rsvg-view-3 seems to have disappeared.

Repeated tests after updating and added these:

$ rsvg-convert -f pdf -w 607 -h 512 -b 'OliveDrab' sample2.svg -o sample3.pdf

Image of a crown against an olive background.

$ rsvg-convert -f png -b '#ebafdc' sample2.svg -o sample8.png

Copied the crown in the SVG file but filled in the background with pink - dimensions unchanged.

No regressions AFAIKS.
CC: (none) => tarazed25
Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK
Validating. Advisory in comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0259.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED