Bugzilla – Bug 1213502
VUL-0: CVE-2023-38633: librsvg: directory traversal in URI decoder
Last modified: 2024-11-12 11:40:07 UTC
Fix for the stable branch: https://gitlab.gnome.org/GNOME/librsvg/-/merge_requests/862 Fix for the development branch: https://gitlab.gnome.org/GNOME/librsvg/-/merge_requests/861 I've backported this to all affected release streams; there are new versions: 2.56.3 2.55.3 2.54.6 2.52.10 2.50.8 2.48.11 2.46.6 "osc mbranch librsvg" shows these with affected versions: ./librsvg.SUSE_SLE-15-SP2_Update/librsvg-2.46.5.tar.xz ./librsvg.SUSE_SLE-15-SP4_Update/librsvg-2.52.9.tar.xz I guess those are the only two that need updates - I'll take care of them.
Marcus, do you think I should remove the confidential status from the upstream bug now that releases are all out? Or should we wait until disclosure?
Mitre has assigned CVE-2023-38633. It would be good if you can reference it. As for upstream confidentiality, I would remove it now as you posted new versions.
* Created request 303588 for librsvg.SUSE_SLE-15-SP2_Update, librsvg-2.46.6 * Created request 303589 for librsvg.SUSE_SLE-15-SP4_Update, librsvg-2.52.10
* Created request 303594 for librsvg-2.46.7 in SLE-15-SP2 - the previous one had a compilation error, my bad.
dont forget to also submit the factory update additionaly to SUSE:ALP:Source:Standard:1.0
SUSE-SU-2023:3021-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1213502 CVE References: CVE-2023-38633 Sources used: openSUSE Leap 15.4 (src): librsvg-2.52.10-150400.3.6.1 openSUSE Leap Micro 5.3 (src): librsvg-2.52.10-150400.3.6.1 openSUSE Leap Micro 5.4 (src): librsvg-2.52.10-150400.3.6.1 openSUSE Leap 15.5 (src): librsvg-2.52.10-150400.3.6.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): librsvg-2.52.10-150400.3.6.1 SUSE Linux Enterprise Micro 5.3 (src): librsvg-2.52.10-150400.3.6.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): librsvg-2.52.10-150400.3.6.1 SUSE Linux Enterprise Micro 5.4 (src): librsvg-2.52.10-150400.3.6.1 Basesystem Module 15-SP4 (src): librsvg-2.52.10-150400.3.6.1 Basesystem Module 15-SP5 (src): librsvg-2.52.10-150400.3.6.1 Desktop Applications Module 15-SP4 (src): librsvg-2.52.10-150400.3.6.1 Desktop Applications Module 15-SP5 (src): librsvg-2.52.10-150400.3.6.1 SUSE Package Hub 15 15-SP5 (src): librsvg-2.52.10-150400.3.6.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3208-1: An update that solves one vulnerability can now be installed. Category: security (important) Bug References: 1213502 CVE References: CVE-2023-38633 Sources used: SUSE Manager Server 4.2 (src): librsvg-2.46.7-150200.3.9.1 SUSE Enterprise Storage 7.1 (src): librsvg-2.46.7-150200.3.9.1 SUSE Enterprise Storage 7 (src): librsvg-2.46.7-150200.3.9.1 SUSE Linux Enterprise Micro 5.2 (src): librsvg-2.46.7-150200.3.9.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): librsvg-2.46.7-150200.3.9.1 openSUSE Leap 15.4 (src): librsvg-2.46.7-150200.3.9.1 SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): librsvg-2.46.7-150200.3.9.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): librsvg-2.46.7-150200.3.9.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): librsvg-2.46.7-150200.3.9.1 SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): librsvg-2.46.7-150200.3.9.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): librsvg-2.46.7-150200.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): librsvg-2.46.7-150200.3.9.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): librsvg-2.46.7-150200.3.9.1 SUSE Manager Proxy 4.2 (src): librsvg-2.46.7-150200.3.9.1 SUSE Manager Retail Branch Server 4.2 (src): librsvg-2.46.7-150200.3.9.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
The update is already there? It's the same that Bjørn Lie did for openSUSE:Factory on July 21.
ALP confirmed to be in sync with factory. closing
Thanks again for all your help with this whole process, Marcus :)