CVE-2023-38633

NameCVE-2023-38633
DescriptionA directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5484-1
Debian Bugs1041810

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
librsvg (PTS)bullseye (security), bullseye2.50.3+dfsg-1+deb11u1fixed
bookworm, bookworm (security)2.54.7+dfsg-1~deb12u1fixed
trixie2.59.0+dfsg-3fixed
sid2.59.1+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
librsvgsourcebuster(not affected)
librsvgsourcebullseye2.50.3+dfsg-1+deb11u1DSA-5484-1
librsvgsourcebookworm2.54.7+dfsg-1~deb12u1DSA-5484-1
librsvgsource(unstable)2.54.7+dfsg-11041810

Notes

[buster] - librsvg <not-affected> (The vulnerable code was introduced later)
https://bugzilla.suse.com/show_bug.cgi?id=1213502
https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
https://gitlab.gnome.org/GNOME/librsvg/-/commit/15293f1243e1dd4756ffc1d13d5a8ea49167174f (2.54.6)
https://gitlab.gnome.org/GNOME/librsvg/-/commit/d1f066bf2198bd46c5ba80cb5123b768ec16e37d (2.50.8)
https://gitlab.gnome.org/GNOME/librsvg/-/commit/22bcb919c8b39133370c7fc0eb27176fb09aa4fb (2.46.6)
https://www.openwall.com/lists/oss-security/2023/07/27/1
https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/

Search for package or bug name: Reporting problems