Your message dated Sat, 16 Sep 2023 18:02:58 +0000
with message-id <[email protected]>
and subject line Bug#1050643: fixed in cairosvg 2.5.2-1.1+deb12u1
has caused the Debian Bug report #1050643,
regarding cairosvg: Embedded images using data URIs no longer work without unsafe flag (after original fix for CVE-2023-27586)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1050643: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050643
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cairosvg
Version: 2.5.2-1.1
Severity: important
Tags: upstream fixed-upstream
Forwarded: https://github.com/Kozea/CairoSVG/issues/383
X-Debbugs-Cc: Joe Burmeister <[email protected]>, [email protected]
Control: done -1 2.7.1-1
Control: found -1 2.5.0-1.1+deb11u1
Control: affects + release.debian.org,security.debian.org

As reported in https://github.com/Kozea/CairoSVG/issues/383 and as
well asked privately by Joe Burmeister, after the (original) upstream
fix for CVE-2023-27586, data URIs. Admittedly the aim was to disallow
loading of external files.

This was addressed upstream with a followup and fixed in 2.7.1
upstream.

https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d

Given we picked the original upstream patch for the cairosvg releases
in 2.5.2-1.1 and 2.5.0-1.1+deb11u1 this should be fixed in bookworm
and bullseye (though a point release update is enough I believe
instead of a regression security advisory).

Regards,
Salvatore



-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.4.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
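The distinction the report turns on, as an added example that is not CairoSVG's code: a "safe mode" resource loader must refuse anything that reaches outside the document (bare paths, file://, network URLs), but an inline data: URI carries its payload in the SVG itself and touches neither disk nor network, so blocking it removes functionality without removing any risk. The function names (`load_resource`, `resolve_images`), the `unsafe` flag and the in-memory `local_files` map standing in for the filesystem are assumptions of this model; the sample SVG and its 24-byte "PNG" are constructed.

```python
"""Model of a safe-mode resource loader for an SVG renderer (added example)."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


class UnsafeResourceError(ValueError):
    """A reference that would leave the document while unsafe=False."""


def parse_data_uri(uri):
    """Decode an RFC 2397 data URI: data:[<mediatype>][;base64],<data>."""
    if uri[:5].lower() != "data:":
        raise ValueError("not a data URI")
    header, sep, payload = uri[5:].partition(",")
    if not sep:
        raise ValueError("malformed data URI: no ',' separator")
    params = header.split(";")
    is_base64 = params[-1].lower() == "base64"
    if is_base64:
        params = params[:-1]
    mediatype = params[0] if params[0] else "text/plain"
    if is_base64:
        # validate=True rejects stray characters instead of silently skipping them
        data = base64.b64decode("".join(payload.split()), validate=True)
    else:
        data = urllib.parse.unquote_to_bytes(payload)
    return mediatype, data


def load_resource(url, unsafe=False, local_files=None):
    """Return (mediatype, bytes) for `url`, applying the safe-mode policy.

    `local_files` is a constructed dict standing in for the filesystem so the
    example runs offline; network schemes are always refused in this model.
    """
    if url[:5].lower() == "data:":
        return parse_data_uri(url)          # inline payload: no external access
    parsed = urllib.parse.urlsplit(url)
    scheme = parsed.scheme.lower() or "file"  # a bare path is a file reference
    if not unsafe:
        raise UnsafeResourceError(f"safe mode refuses external reference {url!r}")
    if scheme == "file":
        path = parsed.path if parsed.scheme else url
        if local_files is None or path not in local_files:
            raise FileNotFoundError(path)
        return "application/octet-stream", local_files[path]
    raise UnsafeResourceError(f"unsupported scheme {scheme!r}")


def resolve_images(svg_text, unsafe=False, local_files=None):
    """Map each <image> href in the document to its load outcome."""
    results = {}
    for image in ET.fromstring(svg_text).iter(SVG_NS + "image"):
        href = image.get("href") or image.get(XLINK_HREF)
        if href is None:
            continue
        try:
            mediatype, data = load_resource(href, unsafe, local_files)
            results[href] = ("ok", mediatype, len(data))
        except UnsafeResourceError as exc:
            results[href] = ("refused", str(exc))
    return results


# Constructed sample: an 8-byte PNG signature padded to 24 bytes, embedded inline,
# next to a local-file reference and an internal network URL.
PNG_1X1 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16).decode()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <image width="1" height="1" href="data:image/png;base64,{PNG_1X1}"/>
  <image width="1" height="1" xlink:href="/etc/passwd"/>
  <image width="1" height="1" href="http://127.0.0.1:8080/internal.png"/>
</svg>"""

if __name__ == "__main__":
    for href, outcome in resolve_images(SAMPLE_SVG).items():
        print(href[:40], outcome)
```

In safe mode the inline image decodes while the file path and the loopback URL are refused; only with `unsafe=True` (and a file that exists in the stand-in filesystem) does the path resolve. The scheme comparison is case-insensitive because URL schemes are, which is the kind of detail a bypass hunts for.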
--- Begin Message ---
Source: cairosvg
Source-Version: 2.5.2-1.1+deb12u1
Done: Salvatore Bonaccorso <[email protected]>

We believe that the bug you reported is fixed in the latest version of
cairosvg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated cairosvg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 06 Sep 2023 21:20:16 +0200
Source: cairosvg
Architecture: source
Version: 2.5.2-1.1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Python Team <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 1050643
Changes:
 cairosvg (2.5.2-1.1+deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Handle data-URLs in safe mode (Closes: #1050643)
Checksums-Sha1:
 1eb2ede326bc141cf38c6a96832a9948624dcab9 2418 cairosvg_2.5.2-1.1+deb12u1.dsc
 3f8ccff97b19b7388968f02c9d0b6f321dfb8b85 8108 cairosvg_2.5.2-1.1+deb12u1.debian.tar.xz
 0ab3744ae14f1a233de02f90f08dff7844ff10a0 7841 cairosvg_2.5.2-1.1+deb12u1_source.buildinfo
Checksums-Sha256:
 eaf6427fe0f7d6b94dfe290ad91d0fd85da9f020e1005423010647b702741fae 2418 cairosvg_2.5.2-1.1+deb12u1.dsc
 ccb4b81dfe6ca8a80546fe78ff34fbdf147ca0fd0f355dc2d0c91e6b9387922a 8108 cairosvg_2.5.2-1.1+deb12u1.debian.tar.xz
 53f37532cc601333c3e5edddae840bd0877c2ca63360e1c4abf6dac2ec0add12 7841 cairosvg_2.5.2-1.1+deb12u1_source.buildinfo
Files:
 d1801b2ec523dba63965444f22e10523 2418 python optional cairosvg_2.5.2-1.1+deb12u1.dsc
 94a239645f1585888d21cf0cf3ae5304 8108 python optional cairosvg_2.5.2-1.1+deb12u1.debian.tar.xz
 fa0120f383b6fc3304f9af6eb3af84e0 7841 python optional cairosvg_2.5.2-1.1+deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
