Bug 13553

Summary: [CVE 21] librsvg 2.52.6 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: a.proklov, e.kosachev, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: All
Flags: v.potapov: qa_verified+
y.tumanov: secteam_verified+
a.proklov: published+
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2023-38633
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-08-24 00:21:33 MSK
Please patch CVEs for package librsvg version 2.52.6
INFO (CVEs are): librsvg 2.52.6 cves found
CVE-2023-38633
Desc: A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-38633
Severity: MEDIUM
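The vulnerability class named in the description is a directory traversal in a URL decoder: a relative href is decoded and joined onto a base directory, and ".." components walk the resolved path outside the expected area. The following is an added illustration, not librsvg's code and not a reproduction of the librsvg bug: it places a naive join beside a hardened resolver that splits the path from the query, percent-decodes it, refuses absolute and scheme-bearing references, and verifies that the normalized result is still contained in the base directory. BASE_DIR and the sample hrefs are constructed for the example; the advisory's own href keeps its ".." sequence after a "?", and a resolver that separates path from query before joining maps it to the base directory itself, with the containment check as the backstop for a parser that does not.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed sample document root for the illustration (assumption).
BASE_DIR = "/srv/svg/docs"


def naive_resolve(base_dir, href):
    """Weak pattern (illustrative, not librsvg's code): percent-decode the
    href path and join it onto the base directory with no containment check,
    so a run of '..' components resolves to a file outside base_dir."""
    path = unquote(urlsplit(href).path)
    return posixpath.normpath(posixpath.join(base_dir, path))


def safe_resolve(base_dir, href):
    """Hardened pattern: decode, normalize, then confirm the result still lies
    inside base_dir. Returns the path relative to base_dir, or None when the
    reference must be refused."""
    parts = urlsplit(href)
    if parts.scheme or parts.netloc:
        return None                 # only plain relative references are accepted
    path = unquote(parts.path)      # query and fragment are never part of the path
    if "\x00" in path or path.startswith("/"):
        return None                 # NUL bytes and absolute paths are refused
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, path))
    # Containment check: the candidate is base itself or strictly below it.
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    # In production also canonicalize both sides with os.path.realpath so a
    # symlink below base cannot point outside it; omitted here to keep the
    # example free of filesystem access.
    return posixpath.relpath(candidate, base)


if __name__ == "__main__":
    # Constructed hrefs: one benign, one with raw '..', one percent-encoded,
    # one with a scheme, and the advisory's own example.
    samples = [
        "icons/logo.svg",
        "../../../../../../etc/passwd",
        "..%2F..%2F..%2F..%2Fetc%2Fpasswd",
        "file:///etc/passwd",
        ".?../../../../../../../../../../etc/passwd",
    ]
    for href in samples:
        print(f"{href!r}: naive={naive_resolve(BASE_DIR, href)!r} "
              f"safe={safe_resolve(BASE_DIR, href)!r}")
```

The naive join turns the raw and percent-encoded traversal hrefs into "/etc/passwd"; the hardened resolver returns None for both, for the scheme-bearing reference, and keeps the benign href and the advisory's query-carrying href inside the base directory.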
Comment 1 ilfat 2023-09-12 14:52:26 MSK
********** QA ADVISORY **********

CVE closed by project update:

Updated to 2.52.11
https://abf.io/build_lists/4683277 i686
https://abf.io/build_lists/4683278 x86_64
https://abf.io/build_lists/4683279 aarch64
https://abf.io/build_lists/4683280 riscv64
Comment 2 Dmitry Postnikov 2023-09-14 12:27:11 MSK
***************************
The update has been sent to testing.
Comment 3 Vladimir Potapov 2023-09-19 06:42:33 MSK
librsvg-2.52.11-1
https://abf.io/build_lists/4683277 i686
https://abf.io/build_lists/4683278 x86_64
https://abf.io/build_lists/4683279 aarch64
https://abf.io/build_lists/4683280 riscv64
************************* Advisory *****************************
CVE closed by project update:

Updated to 2.52.11
*****************************************************************
QA Verified
Comment 4 Yury 2023-10-18 16:35:28 MSK
secteam_verified