Bug 1213502 (CVE-2023-38633) - VUL-0: CVE-2023-38633: librsvg: directory traversal in URI decoder
Summary: VUL-0: CVE-2023-38633: librsvg: directory traversal in URI decoder
Status: RESOLVED FIXED
Alias: CVE-2023-38633
Product: Granite
Classification: SUSE ALP - SUSE Adaptable Linux Platform
Component: GNOME / Wayland
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Federico Mena Quintero
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/373022/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-38633:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-20 06:59 UTC by Marcus Meissner
Modified: 2024-11-12 11:40 UTC (History)
3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Comment 1 Federico Mena Quintero 2023-07-21 04:12:32 UTC
Fix for the stable branch: https://gitlab.gnome.org/GNOME/librsvg/-/merge_requests/862

Fix for the development branch: https://gitlab.gnome.org/GNOME/librsvg/-/merge_requests/861

I've backported this to all affected release streams; there are new versions:

  2.56.3
  2.55.3
  2.54.6
  2.52.10
  2.50.8
  2.48.11
  2.46.6

"osc mbranch librsvg" shows these with affected versions:

./librsvg.SUSE_SLE-15-SP2_Update/librsvg-2.46.5.tar.xz
./librsvg.SUSE_SLE-15-SP4_Update/librsvg-2.52.9.tar.xz

I guess those are the only two that need updates - I'll take care of them.
Comment 2 Federico Mena Quintero 2023-07-21 04:14:29 UTC
Marcus, do you think I should remove the confidential status from the upstream bug now that releases are all out?  Or should we wait until disclosure?
Comment 3 Marcus Meissner 2023-07-21 07:18:58 UTC
Mitre has assigned CVE-2023-38633.

It would be good if you can reference it.


As for upstream confidentiality, I would remove it now as you posted new versions.
Comment 4 Federico Mena Quintero 2023-07-21 17:50:05 UTC
* Created request 303588 for librsvg.SUSE_SLE-15-SP2_Update, librsvg-2.46.6

* Created request 303589 for librsvg.SUSE_SLE-15-SP4_Update, librsvg-2.52.10
Comment 6 Federico Mena Quintero 2023-07-23 02:13:36 UTC
* Created request 303594 for librsvg-2.46.7 in SLE-15-SP2 - the previous one had a compilation error, my bad.
Comment 8 Marcus Meissner 2023-07-24 06:56:43 UTC
Don't forget to also submit the factory update additionally to
 SUSE:ALP:Source:Standard:1.0
Comment 9 Maintenance Automation 2023-07-28 20:30:07 UTC
SUSE-SU-2023:3021-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213502
CVE References: CVE-2023-38633
Sources used:
openSUSE Leap 15.4 (src): librsvg-2.52.10-150400.3.6.1
openSUSE Leap Micro 5.3 (src): librsvg-2.52.10-150400.3.6.1
openSUSE Leap Micro 5.4 (src): librsvg-2.52.10-150400.3.6.1
openSUSE Leap 15.5 (src): librsvg-2.52.10-150400.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): librsvg-2.52.10-150400.3.6.1
SUSE Linux Enterprise Micro 5.3 (src): librsvg-2.52.10-150400.3.6.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): librsvg-2.52.10-150400.3.6.1
SUSE Linux Enterprise Micro 5.4 (src): librsvg-2.52.10-150400.3.6.1
Basesystem Module 15-SP4 (src): librsvg-2.52.10-150400.3.6.1
Basesystem Module 15-SP5 (src): librsvg-2.52.10-150400.3.6.1
Desktop Applications Module 15-SP4 (src): librsvg-2.52.10-150400.3.6.1
Desktop Applications Module 15-SP5 (src): librsvg-2.52.10-150400.3.6.1
SUSE Package Hub 15 15-SP5 (src): librsvg-2.52.10-150400.3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-08-07 16:30:24 UTC
SUSE-SU-2023:3208-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1213502
CVE References: CVE-2023-38633
Sources used:
SUSE Manager Server 4.2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Enterprise Storage 7.1 (src): librsvg-2.46.7-150200.3.9.1
SUSE Enterprise Storage 7 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Micro 5.2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): librsvg-2.46.7-150200.3.9.1
openSUSE Leap 15.4 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): librsvg-2.46.7-150200.3.9.1
SUSE Manager Proxy 4.2 (src): librsvg-2.46.7-150200.3.9.1
SUSE Manager Retail Branch Server 4.2 (src): librsvg-2.46.7-150200.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Federico Mena Quintero 2023-08-29 00:26:02 UTC
The update is already there?  It's the same that Bjørn Lie did for openSUSE:Factory on July 21.
Comment 13 Marcus Meissner 2023-08-31 09:59:32 UTC
ALP confirmed to be in sync with factory. closing
Comment 14 Federico Mena Quintero 2023-08-31 23:07:45 UTC
Thanks again for all your help with this whole process, Marcus :)