Debian 10224 Published by

A librsvg security update has been released for both Debian GNU/Linux 11 and 12 to address a directory traversal issue.



[SECURITY] [DSA 5484-1] librsvg security update


- -------------------------------------------------------------------------
Debian Security Advisory DSA-5484-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
August 27, 2023 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : librsvg
CVE ID : CVE-2023-38633
Debian Bug : 1041810

Zac Sims discovered a directory traversal in the URL decoder of librsvg,
a SAX-based renderer library for SVG files, which could result in read
of arbitrary files when processing a specially crafted SVG file with an
include element.

For the oldstable distribution (bullseye), this problem has been fixed
in version 2.50.3+dfsg-1+deb11u1.

For the stable distribution (bookworm), this problem has been fixed in
version 2.54.7+dfsg-1~deb12u1.

We recommend that you upgrade your librsvg packages.

For the detailed security status of librsvg please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/librsvg

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/