Source: cairosvg Version: 2.5.2-1.1 Severity: important Tags: upstream fixed-upstream Forwarded: https://github.com/Kozea/CairoSVG/issues/383 X-Debbugs-Cc: Joe Burmeister <joe.burmeis...@devtank.co.uk>, car...@debian.org Control: done -1 2.7.1-1 Control: found -1 2.5.0-1.1+deb11u1 Control: affects + release.debian.org,security.debian.org
As reported in https://github.com/Kozea/CairoSVG/issues/383 and as well asked privately by Joe Burmeister, after the (original) upstream fix for CVE-2023-27586, data URIs. Admittely the aim was to disallow loading of external files. This was addressed upstream with a followup and fixed in 2.7.1 upstream. https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d Given we picked the orignal upstream patch for the cairosvg releases in 2.5.2-1.1 and 2.5.0-1.1+deb11u1 this should be fixed in bookworm and bullseye (though a point release update is enough I believe instead of ra regression security advisory). Regards, Salvatore -- System Information: Debian Release: trixie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.4.0-3-amd64 (SMP w/8 CPU threads; PREEMPT) Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled