On Sun, 23 Jul 2023 at 21:13:38 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for librsvg.
>
> CVE-2023-38633[0]:
> | A directory traversal problem in the URL decoder of librsvg before
> | 2.56.3 could be used by local or remote attackers to disclose files
> | (on the local filesystem outside of the expected area), as
> | demonstrated by href=".?../../../../../../../../../../etc/passwd" in
> | an xi:include element.
I'm testing <https://salsa.debian.org/gnome-team/librsvg/-/merge_requests/18> to fix this in unstable. In addition to importing the new upstream release, we need to work around #1038447, otherwise there will be no fixed version for s390x and the package will be unable to migrate - I asked the porting teams for the big-endian architectures to debbisect this and find out which package triggered #1038447, but it appears this has not yet happened.

For stable, since librsvg has hardly changed since bookworm, I think the best route will be a 2.54.7+dfsg-1~deb12u1 rather than backporting individual changes (because we would have to backport the vast majority of the delta between bookworm and unstable to fix #1041810 and avoid FTBFSs anyway).

#1038447 affects bookworm on s390x, so if the big-endian architectures' porting teams cannot help to diagnose it, we will have to work around it by skipping those tests and accepting that some SVGs will be mis-rendered on BE architectures. Similarly, #1038252 affects bookworm on i386, so we will have to work around that by skipping a couple of tests.

One change that happened between bookworm's 2.54.5+dfsg-1 and trixie's 2.54.5+dfsg-3 is that Sebastien Bacher did the trip through NEW to add a librsvg2-tests binary package and an autopkgtest that runs it: <https://salsa.debian.org/gnome-team/librsvg/-/commit/910bc84280648f2e011a359230a83e4be06d41e0>, <https://salsa.debian.org/gnome-team/librsvg/-/commit/49132e6ff06ecaa6521af956db10143142f78c1f>. This doesn't affect the contents of existing binary packages, it only adds a new binary package. Would the security team be OK with including that change for the sake of better test coverage and minimizing delta, or do we need to revert it for a bookworm update?

Thanks,
smcv
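The quoted CVE text describes an xi:include href whose traversal sequence sits after a "?", so a naive check of the URL path alone misses it. The following scanner is an added example for triaging SVG files on a host that still has an unfixed librsvg; it is not code from this thread or from librsvg, and the base directory, the sample SVG and the assumption that only local (scheme-less or file:) hrefs matter are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# Constructed sample: one benign include and one using the href pattern
# quoted in the CVE-2023-38633 description above.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="shapes/text.txt" parse="text"/>
  <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text"/>
</svg>"""


def _escapes_base(component: str, base_dir: str) -> bool:
    """True if base_dir joined with the (percent-decoded) component
    normalises to a location outside base_dir."""
    base_dir = posixpath.normpath(base_dir)
    joined = posixpath.normpath(posixpath.join(base_dir, unquote(component)))
    return not (joined == base_dir or joined.startswith(base_dir + "/"))


def find_traversal_includes(svg_text: str, base_dir: str = "/srv/svg") -> list:
    """Return the hrefs of xi:include elements that would resolve outside
    base_dir.  Both the path and the query string are checked, because the
    reported reproducer hides the '../' run behind a '?' (assumption: the
    hypothetical base_dir is where the SVG is expected to read from)."""
    root = ET.fromstring(svg_text)
    flagged = []
    for element in root.iter(f"{{{XINCLUDE_NS}}}include"):
        href = element.get("href")
        if not href:
            continue
        parts = urlsplit(href)
        if parts.scheme and parts.scheme != "file":
            continue  # remote schemes are out of scope for this check
        if any(c and _escapes_base(c, base_dir) for c in (parts.path, parts.query)):
            flagged.append(href)
    return flagged


if __name__ == "__main__":
    for href in find_traversal_includes(SAMPLE_SVG):
        print("suspicious xi:include href:", href)
```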