| Name | CVE-2023-38633 |
| Description | A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-5484-1 |
| Debian Bugs | 1041810 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| librsvg (PTS) | buster | 2.44.10-2.1+deb10u3 | fixed |
| bullseye (security), bullseye | 2.50.3+dfsg-1+deb11u1 | fixed | |
| bookworm, bookworm (security) | 2.54.7+dfsg-1~deb12u1 | fixed | |
| trixie, sid | 2.58.0+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| librsvg | source | buster | (not affected) | |||
| librsvg | source | bullseye | 2.50.3+dfsg-1+deb11u1 | DSA-5484-1 | ||
| librsvg | source | bookworm | 2.54.7+dfsg-1~deb12u1 | DSA-5484-1 | ||
| librsvg | source | (unstable) | 2.54.7+dfsg-1 | 1041810 |
[buster] - librsvg <not-affected> (The vulnerable code was introduced later)
https://bugzilla.suse.com/show_bug.cgi?id=1213502
https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
https://gitlab.gnome.org/GNOME/librsvg/-/commit/15293f1243e1dd4756ffc1d13d5a8ea49167174f (2.54.6)
https://gitlab.gnome.org/GNOME/librsvg/-/commit/d1f066bf2198bd46c5ba80cb5123b768ec16e37d (2.50.8)
https://gitlab.gnome.org/GNOME/librsvg/-/commit/22bcb919c8b39133370c7fc0eb27176fb09aa4fb (2.46.6)
https://www.openwall.com/lists/oss-security/2023/07/27/1
https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/