Bug 1213502 (CVE-2023-38633)

Summary: VUL-0: CVE-2023-38633: librsvg: directory traversal in URI decoder
Product: [SUSE ALP - SUSE Adaptable Linux Platform] Granite
Reporter: Marcus Meissner <meissner>
Component: GNOME / Wayland
Assignee: Federico Mena Quintero <federico>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: federico, meissner, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/373022/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-38633:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Federico Mena Quintero 2023-07-21 04:12:32 UTC
Fix for the stable branch: https://gitlab.gnome.org/GNOME/librsvg/-/merge_requests/862

Fix for the development branch: https://gitlab.gnome.org/GNOME/librsvg/-/merge_requests/861

I've backported this to all affected release streams; there are new versions:

  2.56.3
  2.55.3
  2.54.6
  2.52.10
  2.50.8
  2.48.11
  2.46.6

"osc mbranch librsvg" shows these with affected versions:

./librsvg.SUSE_SLE-15-SP2_Update/librsvg-2.46.5.tar.xz
./librsvg.SUSE_SLE-15-SP4_Update/librsvg-2.52.9.tar.xz

I guess those are the only two that need updates - I'll take care of them.
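The fixed-version list in comment 1 is per stable stream, so "is my librsvg affected?" is a per-stream comparison, not a single threshold. The following is an added example, not code from the bug report or from librsvg: it extracts the upstream x.y.z from a bare version, a tarball name like the ones "osc mbranch" printed, or a SUSE package string like the ones in the later advisories, and compares it against the first fixed release of that stream. It assumes the stream table is exactly the one in comment 1 (2.46.7, which later replaced 2.46.6 for SP2, is covered because it is newer than 2.46.6); streams not on that list are reported as unknown rather than guessed. The sample package list is constructed for the example.

```python
"""Added example: decide whether a librsvg version predates the
CVE-2023-38633 fix for its stable stream (table from comment 1)."""
import re
from typing import Dict, List, Optional, Tuple

# First fixed upstream version per stable stream, as listed in comment 1.
# Anything in a stream not listed here cannot be decided from the bug.
FIXED_PER_STREAM: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (2, 56): (2, 56, 3),
    (2, 55): (2, 55, 3),
    (2, 54): (2, 54, 6),
    (2, 52): (2, 52, 10),
    (2, 50): (2, 50, 8),
    (2, 48): (2, 48, 11),
    (2, 46): (2, 46, 6),
}

# First x.y.z in the string; in "librsvg-2.52.10-150400.3.6.1" that is the
# upstream version, the SUSE release suffix after the '-' comes later.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def upstream_version(s: str) -> Tuple[int, int, int]:
    """Return the upstream (major, minor, micro) found in a version string,
    a tarball name ("librsvg-2.46.5.tar.xz") or an RPM-style package name."""
    m = _VERSION_RE.search(s)
    if not m:
        raise ValueError(f"no x.y.z version in {s!r}")
    major, minor, micro = (int(x) for x in m.groups())
    return (major, minor, micro)


def is_fixed(version: str) -> Optional[bool]:
    """True if the version carries the fix for its stream, False if it is
    older than the first fixed release, None if the stream is not one of
    the streams the bug lists."""
    v = upstream_version(version)
    first_fixed = FIXED_PER_STREAM.get(v[:2])
    if first_fixed is None:
        return None
    # Tuple comparison, not string comparison: "2.52.9" > "2.52.10" as
    # strings, which is exactly the wrong answer here.
    return v >= first_fixed


def triage(package_names: List[str]) -> Dict[str, str]:
    """Label each package string as 'fixed', 'affected' or 'unknown'."""
    labels = {True: "fixed", False: "affected", None: "unknown"}
    return {p: labels[is_fixed(p)] for p in package_names}


# Constructed sample: the two affected tarballs from comment 1, the two
# updated packages from the advisories, and a newer stream the bug does
# not cover.
SAMPLE_PACKAGES = [
    "librsvg-2.46.5.tar.xz",
    "librsvg-2.52.9.tar.xz",
    "librsvg-2.46.7-150200.3.9.1",
    "librsvg-2.52.10-150400.3.6.1",
    "librsvg-2.57.0",
]

if __name__ == "__main__":
    for pkg, verdict in triage(SAMPLE_PACKAGES).items():
        print(f"{pkg:36s} {verdict}")
```

The check only reasons about the upstream version number. That is sufficient here because SUSE shipped the fix as a genuine version bump (2.46.7 and 2.52.10), but a distribution that backports a fix without changing the upstream version would still show as "affected"; for such packages the advisory's package release, not the upstream version, is the thing to compare.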
Comment 2 Federico Mena Quintero 2023-07-21 04:14:29 UTC
Marcus, do you think I should remove the confidential status from the upstream bug now that releases are all out?  Or should we wait until disclosure?
Comment 3 Marcus Meissner 2023-07-21 07:18:58 UTC
Mitre has assigned CVE-2023-38633.

It would be good if you can reference it.


As for upstream confidentiality, I would remove it now as you posted new versions.
Comment 4 Federico Mena Quintero 2023-07-21 17:50:05 UTC
* Created request 303588 for librsvg.SUSE_SLE-15-SP2_Update, librsvg-2.46.6

* Created request 303589 for librsvg.SUSE_SLE-15-SP4_Update, librsvg-2.52.10
Comment 6 Federico Mena Quintero 2023-07-23 02:13:36 UTC
* Created request 303594 for librsvg-2.46.7 in SLE-15-SP2 - the previous one had a compilation error, my bad.
Comment 8 Marcus Meissner 2023-07-24 06:56:43 UTC
Don't forget to also submit the factory update additionally to
 SUSE:ALP:Source:Standard:1.0
Comment 9 Maintenance Automation 2023-07-28 20:30:07 UTC
SUSE-SU-2023:3021-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213502
CVE References: CVE-2023-38633
Sources used:
openSUSE Leap 15.4 (src): librsvg-2.52.10-150400.3.6.1
openSUSE Leap Micro 5.3 (src): librsvg-2.52.10-150400.3.6.1
openSUSE Leap Micro 5.4 (src): librsvg-2.52.10-150400.3.6.1
openSUSE Leap 15.5 (src): librsvg-2.52.10-150400.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): librsvg-2.52.10-150400.3.6.1
SUSE Linux Enterprise Micro 5.3 (src): librsvg-2.52.10-150400.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): librsvg-2.52.10-150400.3.6.1
SUSE Linux Enterprise Micro 5.4 (src): librsvg-2.52.10-150400.3.6.1
Basesystem Module 15-SP4 (src): librsvg-2.52.10-150400.3.6.1
Basesystem Module 15-SP5 (src): librsvg-2.52.10-150400.3.6.1
Desktop Applications Module 15-SP4 (src): librsvg-2.52.10-150400.3.6.1
Desktop Applications Module 15-SP5 (src): librsvg-2.52.10-150400.3.6.1
SUSE Package Hub 15 15-SP5 (src): librsvg-2.52.10-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-08-07 16:30:24 UTC
SUSE-SU-2023:3208-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213502
CVE References: CVE-2023-38633
Sources used:
SUSE Manager Server 4.2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Enterprise Storage 7.1 (src): librsvg-2.46.7-150200.3.9.1
SUSE Enterprise Storage 7 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Micro 5.2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): librsvg-2.46.7-150200.3.9.1
openSUSE Leap 15.4 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): librsvg-2.46.7-150200.3.9.1
SUSE Manager Proxy 4.2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Manager Retail Branch Server 4.2 (src): librsvg-2.46.7-150200.3.9.1
Comment 12 Federico Mena Quintero 2023-08-29 00:26:02 UTC
The update is already there?  It's the same that Bjørn Lie did for openSUSE:Factory on July 21.
Comment 13 Marcus Meissner 2023-08-31 09:59:32 UTC
ALP confirmed to be in sync with factory. closing
Comment 14 Federico Mena Quintero 2023-08-31 23:07:45 UTC
Thanks again for all your help with this whole process, Marcus :)