Hi Simon,

On Sun, Jul 30, 2023 at 04:07:50PM +0100, Simon McVittie wrote:
> On Sun, 23 Jul 2023 at 21:13:38 +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for librsvg.
> >
> > CVE-2023-38633[0]:
> > | A directory traversal problem in the URL decoder of librsvg before
> > | 2.56.3 could be used by local or remote attackers to disclose files
> > | (on the local filesystem outside of the expected area), as
> > | demonstrated by href=".?../../../../../../../../../../etc/passwd" in
> > | an xi:include element.
>
> I'm testing
> <https://salsa.debian.org/gnome-team/librsvg/-/merge_requests/18>
> to fix this in unstable. In addition to importing the new upstream
> release, we need to work around #1038447, otherwise there will be no
> fixed version for s390x and the package will be unable to migrate -
> I asked the porting teams for the big-endian architectures to debbisect
> this and find out which package triggered #1038447, but it appears this
> has not yet happened.

Ok thanks for this background information.

> For stable, since librsvg has hardly changed since bookworm, I think
> the best route will be a 2.54.7+dfsg-1~deb12u1 rather than backporting
> individual changes (because we would have to backport the vast majority
> of the delta between bookworm and unstable to fix #1041810 and avoid
> FTBFSs anyway). #1038447 affects bookworm on s390x, so if the big-endian
> architectures' porting teams cannot help to diagnose it, we will have
> to work around it by skipping those tests and accepting that some SVGs
> will be mis-rendered on BE architectures. Similarly, #1038252 affects
> bookworm on i386, so we will have to work around that by skipping a
> couple of tests.
>
> One change that happened between bookworm's 2.54.5+dfsg-1 and trixie's
> 2.54.5+dfsg-3 is that Sebastien Bacher did the trip through NEW to add a
> librsvg2-tests binary package and an autopkgtest that runs it:
> <https://salsa.debian.org/gnome-team/librsvg/-/commit/910bc84280648f2e011a359230a83e4be06d41e0>,
> <https://salsa.debian.org/gnome-team/librsvg/-/commit/49132e6ff06ecaa6521af956db10143142f78c1f>.
> This doesn't affect the contents of existing binary packages, it only
> adds a new binary package. Would the security team be OK with including
> that change for the sake of better test coverage and minimizing delta,
> or do we need to revert it for a bookworm update?

Sounds good with your plan to backport the unstable version to bookworm,
and no need to revert the librsvg2-tests addition as this actually will
help for running the autopkgtests.

Let's expose the version in unstable a bit, then move on to the lower
suites. For bullseye I think we should simply pick the upstream commit?

Regards,
Salvatore
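The CVE text quoted in this thread describes a directory traversal through an xi:include href whose query part carries the `../` sequence. The following is an added example, not librsvg's code and not part of the Debian merge request: it shows the containment check a consumer of such hrefs can apply so that any resolved path outside the document's base directory is rejected regardless of what the URL decoder made of the query string. The base directory, the deliberately naive decoder, the function names and the extra sample hrefs are assumptions constructed for this example.

```python
"""Confining xi:include-style hrefs to a base directory.

Constructed example; nothing here is librsvg's own decoder. The naive
decoder below is a stand-in for "take the whole href as a path" behaviour,
and the path-only decoder keeps just the URL path component.
"""
import posixpath
from urllib.parse import urlsplit, unquote

# Assumed base directory of the SVG document (constructed for this example).
BASE_DIR = "/srv/svg-assets"

# The href from the CVE description quoted in the thread above.
PAYLOAD = ".?../../../../../../../../../../etc/passwd"


def naive_decode(href):
    """Hypothetical weak decoder: the whole href string becomes a path."""
    return href


def path_only_decode(href):
    """Decode only the URL path component; query and fragment never name a file."""
    parts = urlsplit(href)
    # Remote schemes and authorities are out of scope for a local include.
    if parts.scheme not in ("", "file") or parts.netloc:
        raise ValueError("only relative or local file hrefs are allowed: %r" % href)
    # Percent-decode before confinement so that %2e%2e is seen as "..".
    return unquote(parts.path)


def confine(base_dir, rel_path):
    """Resolve rel_path against base_dir and report whether it stays inside.

    Uses pure string normalization so the example runs offline; a real
    enforcement point should additionally resolve symlinks on the actual
    filesystem (os.path.realpath) before comparing.
    """
    base = posixpath.normpath(base_dir)
    resolved = posixpath.normpath(posixpath.join(base, rel_path))
    inside = resolved == base or resolved.startswith(base + "/")
    return resolved, inside


def resolve_href(base_dir, href, decoder=path_only_decode):
    """Decode href with the given decoder and confine it to base_dir."""
    return confine(base_dir, decoder(href))


if __name__ == "__main__":
    # Constructed sample hrefs, including the one from the advisory text.
    samples = [
        "icons/logo.svg",
        PAYLOAD,
        "%2e%2e/secret.svg",
        "file:///etc/passwd",
    ]
    for decoder in (naive_decode, path_only_decode):
        print("decoder:", decoder.__name__)
        for href in samples:
            try:
                resolved, inside = resolve_href(BASE_DIR, href, decoder)
                verdict = "allowed" if inside else "REJECTED (escapes base)"
            except ValueError as exc:
                resolved, verdict = "-", "REJECTED (%s)" % exc
            print("  %-45s -> %-35s %s" % (href, resolved, verdict))
```

With the naive decoder the advisory's href normalizes to `/etc/passwd`, which the confinement check flags as escaping the base; with the path-only decoder the same href resolves to the base directory itself, because its path component is just `.`. Either way the check, not the decoder, is what decides whether a file outside the expected area can be read.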