Your message dated Sat, 16 Sep 2023 18:03:20 +0000
with message-id <[email protected]>
and subject line Bug#1050643: fixed in cairosvg 2.5.0-1.1+deb11u2
has caused the Debian Bug report #1050643,
regarding cairosvg: Embedded images using data URIs no longer work without unsafe flag (after original fix for CVE-2023-27586)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1050643: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050643
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cairosvg
Version: 2.5.2-1.1
Severity: important
Tags: upstream fixed-upstream
Forwarded: https://github.com/Kozea/CairoSVG/issues/383
X-Debbugs-Cc: Joe Burmeister <[email protected]>, [email protected]
Control: done -1 2.7.1-1
Control: found -1 2.5.0-1.1+deb11u1
Control: affects + release.debian.org,security.debian.org
As reported in https://github.com/Kozea/CairoSVG/issues/383 and as
well asked privately by Joe Burmeister, after the (original) upstream
fix for CVE-2023-27586, data URIs. Admittedly the aim was to disallow
loading of external files.
This was addressed upstream with a followup and fixed in 2.7.1
upstream.
https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d
Given we picked the original upstream patch for the cairosvg releases
in 2.5.2-1.1 and 2.5.0-1.1+deb11u1 this should be fixed in bookworm
and bullseye (though a point release update is enough I believe
instead of a regression security advisory).
Regards,
Salvatore
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.4.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
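To show the distinction this report turns on, here is an added example (not CairoSVG's own code; `fetch`, `decode_data_uri`, `UnsafeResourceError` and `external_loader` are hypothetical names) of a safe-mode resolver that still decodes inline data: URIs while refusing file and network references unless the caller opts in:

```python
import base64
import re
from typing import Callable, Optional
from urllib.parse import unquote_to_bytes, urlparse

# Hypothetical safe-mode resolver, not CairoSVG's code. It separates the two
# cases conflated by the original CVE-2023-27586 fix: inline data: URIs are
# self-contained and safe to decode, whereas file: and network URLs let an
# SVG read local files or reach the network and need an explicit opt-in.

DATA_URI_RE = re.compile(
    r"^data:(?P<mime>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<payload>.*)$",
    re.DOTALL | re.IGNORECASE,
)


class UnsafeResourceError(Exception):
    """Raised when safe mode refuses to dereference a URL."""


def decode_data_uri(url: str) -> tuple[str, bytes]:
    """Decode an RFC 2397 data: URI into (mime type, payload bytes)."""
    m = DATA_URI_RE.match(url)
    if m is None:
        raise ValueError("not a data: URI")
    mime = m.group("mime") or "text/plain"
    params = m.group("params").lower().split(";")   # leading ';' gives an empty first item
    payload = "".join(m.group("payload").split())   # tolerate wrapped attribute values
    if "base64" in params:
        return mime, base64.b64decode(payload, validate=True)
    return mime, unquote_to_bytes(payload)


def fetch(url: str, *, unsafe: bool = False,
          external_loader: Optional[Callable[[str], bytes]] = None) -> tuple[str, bytes]:
    """Resolve a resource referenced from an SVG.

    Safe mode (the default) accepts only data: URIs. Any other scheme,
    including a relative path, is refused. With unsafe=True the caller
    opts in and the supplied external_loader performs the actual fetch.
    """
    scheme = urlparse(url).scheme.lower()
    if scheme == "data":
        return decode_data_uri(url)
    if not unsafe:
        raise UnsafeResourceError(
            f"refusing {scheme or 'relative'} URL in safe mode: {url!r}")
    if external_loader is None:
        raise UnsafeResourceError("unsafe mode requires an external_loader")
    return "application/octet-stream", external_loader(url)
```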
--- Begin Message ---
Source: cairosvg
Source-Version: 2.5.0-1.1+deb11u2
Done: Salvatore Bonaccorso <[email protected]>
We believe that the bug you reported is fixed in the latest version of
cairosvg, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated cairosvg package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 06 Sep 2023 21:24:37 +0200
Source: cairosvg
Architecture: source
Version: 2.5.0-1.1+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1050643
Changes:
cairosvg (2.5.0-1.1+deb11u2) bullseye; urgency=medium
.
* Non-maintainer upload.
* Handle data-URLs in safe mode (Closes: #1050643)
--- End Message ---