Bug#1041810: librsvg: CVE-2023-38633

2023-08-27 Thread Salvatore Bonaccorso
Hi Simon,

On Sat, Aug 19, 2023 at 06:57:30PM +0200, Salvatore Bonaccorso wrote:
> Hi Simon,
> 
> On Sun, Jul 30, 2023 at 09:48:57PM +0100, Simon McVittie wrote:
> > On Sun, 30 Jul 2023 at 22:04:24 +0200, Salvatore Bonaccorso wrote:
> > > For bullseye I think we should simply pick the upstream commit?
> > 
> > Yes: we didn't keep up with upstream 2.50.x so there are a bunch of
> > unrelated fixes (2.50.4 up to .7) which would be out of scope for a
> > security update. If it was a package I knew better then I might be
> > advocating the new upstream release, but I can't really assess risk vs
> > benefit for librsvg, so cherry-picking the equivalent of .8 and .9 seems
> > more conservative.
> > 
> > 
> > compiles successfully, I'll try it in a bullseye VM next.
> 
> If you are happy with the results and coverage from unstable, would
> you be open to prepare/finalize next the respective updates for
> bookworm-security and bullseye-security?
> 
> Thanks a lot for your work so far on it!

With some delay, the DSA was released for it. In fact, I guess anybody running
e.g. a webservice converting untrusted svg files would sandbox such a
service anyway. Upstream correctly noted that in the upstream issue.

Thanks for your work and contributing the update!

Regards,
Salvatore



Bug#1041810: librsvg: CVE-2023-38633

2023-08-19 Thread Simon McVittie
On Sat, 19 Aug 2023 at 18:57:29 +0200, Salvatore Bonaccorso wrote:
> If you are happy with the results and coverage from unstable, would
> you be open to prepare/finalize next the respective updates for
> bookworm-security and bullseye-security?

I already had them in what I believe to be an uploadable state, so I've
uploaded them to security-master. Please do whatever testing you feel is
appropriate and approve or reject.

librsvg_2.54.7+dfsg-1~deb12u1 is a trivial backport of what's in unstable,

(diff vs. unstable below, debdiff vs. bookworm attached). I've been
using it on a bookworm GNOME desktop for the last few weeks with no
apparent regressions, and I haven't seen any regression reports from
testing/unstable users either.

librsvg_2.50.3+dfsg-1+deb11u1 is

(debdiff vs. bullseye attached). I don't have bullseye on actual hardware
any more, so this has only been tested on a GNOME VM.

smcv



diff --git a/debian/changelog b/debian/changelog
index d58c430b1..825f50e1e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+librsvg (2.54.7+dfsg-1~deb12u1) bookworm-security; urgency=medium
+
+  * Team upload
+  * Rebuild for bookworm-security
+
+ -- Simon McVittie   Sun, 30 Jul 2023 17:13:13 +0100
+
 librsvg (2.54.7+dfsg-1) unstable; urgency=high
 
   * Team upload
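Review bot: the new bookworm-security changelog entry (`+  * Team upload` / `+  * Rebuild for bookworm-security`) names neither CVE-2023-38633 nor #1041810, although the bug report asks that the CVE id be included in the changelog entry; unless the 2.54.7+dfsg-1 entry immediately below already carries it, consider extending the rebuild line to mention CVE-2023-38633 and #1041810 so the security tracker and BTS can associate the fixed bookworm version with the issue.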
diff --git a/debian/gbp.conf b/debian/gbp.conf
index 4ed071a96..098b7f22b 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
-upstream-branch = upstream/latest
+debian-branch = debian/bookworm
+upstream-branch = upstream/2.54.x
 
 [buildpackage]
 sign-tags = True
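Review bot: switching `debian-branch` to `debian/bookworm` and `upstream-branch` to `upstream/2.54.x` keeps gbp from mixing the security branch with `debian/master`, but both branches must exist and be pushed in the packaging repository before anyone runs a gbp import or build on this branch; `[buildpackage]` still has `sign-tags = True`, so the bookworm-security tag will be signed like the unstable ones, which is what you want here.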


librsvg_2.50.3+dfsg-1+deb11u1.debdiff.gz
Description: application/gzip


librsvg_2.54.7+dfsg-1~deb12u1.debdiff.gz
Description: application/gzip


Bug#1041810: librsvg: CVE-2023-38633

2023-08-19 Thread Salvatore Bonaccorso
Hi Simon,

On Sun, Jul 30, 2023 at 09:48:57PM +0100, Simon McVittie wrote:
> On Sun, 30 Jul 2023 at 22:04:24 +0200, Salvatore Bonaccorso wrote:
> > For bullseye I think we should simply pick the upstream commit?
> 
> Yes: we didn't keep up with upstream 2.50.x so there are a bunch of
> unrelated fixes (2.50.4 up to .7) which would be out of scope for a
> security update. If it was a package I knew better then I might be
> advocating the new upstream release, but I can't really assess risk vs
> benefit for librsvg, so cherry-picking the equivalent of .8 and .9 seems
> more conservative.
> 
> 
> compiles successfully, I'll try it in a bullseye VM next.

If you are happy with the results and coverage from unstable, would
you be open to prepare/finalize next the respective updates for
bookworm-security and bullseye-security?

Thanks a lot for your work so far on it!

Regards,
Salvatore



Bug#1041810: librsvg: CVE-2023-38633

2023-07-30 Thread Simon McVittie
On Sun, 30 Jul 2023 at 22:04:24 +0200, Salvatore Bonaccorso wrote:
> For bullseye I think we should simply pick the upstream commit?

Yes: we didn't keep up with upstream 2.50.x so there are a bunch of
unrelated fixes (2.50.4 up to .7) which would be out of scope for a
security update. If it was a package I knew better then I might be
advocating the new upstream release, but I can't really assess risk vs
benefit for librsvg, so cherry-picking the equivalent of .8 and .9 seems
more conservative.


compiles successfully, I'll try it in a bullseye VM next.

smcv



Bug#1041810: librsvg: CVE-2023-38633

2023-07-30 Thread Salvatore Bonaccorso
Hi Simon,

On Sun, Jul 30, 2023 at 04:07:50PM +0100, Simon McVittie wrote:
> On Sun, 23 Jul 2023 at 21:13:38 +0200, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for librsvg.
> > 
> > CVE-2023-38633[0]:
> > | A directory traversal problem in the URL decoder of librsvg before
> > | 2.56.3 could be used by local or remote attackers to disclose files
> > | (on the local filesystem outside of the expected area), as
> > | demonstrated by href=".?../../../../../../../../../../etc/passwd" in
> > | an xi:include element.
> 
> I'm testing
> 
> to fix this in unstable. In addition to importing the new upstream
> release, we need to work around #1038447, otherwise there will be no
> fixed version for s390x and the package will be unable to migrate -
> I asked the porting teams for the big-endian architectures to debbisect
> this and find out which package triggered #1038447, but it appears this
> has not yet happened.

Ok thanks for this background information.

> 
> For stable, since librsvg has hardly changed since bookworm, I think
> the best route will be a 2.54.7+dfsg-1~deb12u1 rather than backporting
> individual changes (because we would have to backport the vast majority
> of the delta between bookworm and unstable to fix #1041810 and avoid
> FTBFSs anyway). #1038447 affects bookworm on s390x, so if the big-endian
> architectures' porting teams cannot help to diagnose it, we will have
> to work around it by skipping those tests and accepting that some SVGs
> will be mis-rendered on BE architectures. Similarly, #1038252 affects
> bookworm on i386, so we will have to work around that by skipping a
> couple of tests.
> 
> One change that happened between bookworm's 2.54.5+dfsg-1 and trixie's
> 2.54.5+dfsg-3 is that Sebastien Bacher did the trip through NEW to add a
> librsvg2-tests binary package and an autopkgtest that runs it:
> ,
> .
> This doesn't affect the contents of existing binary packages, it only
> adds a new binary package. Would the security team be OK with including
> that change for the sake of better test coverage and minimizing delta,
> or do we need to revert it for a bookworm update?

Sounds good with your plan to backport the unstable version to
bookworm, and no need to revert the librsvg2-tests addition as this
actually will help for running the autopkgtests.

Let's expose the version in unstable a bit, then move on to the lower
suites.

For bullseye I think we should simply pick the upstream commit?

Regards,
Salvatore



Bug#1041810: librsvg: CVE-2023-38633

2023-07-30 Thread Simon McVittie
On Sun, 23 Jul 2023 at 21:13:38 +0200, Salvatore Bonaccorso wrote:
> The following vulnerability was published for librsvg.
> 
> CVE-2023-38633[0]:
> | A directory traversal problem in the URL decoder of librsvg before
> | 2.56.3 could be used by local or remote attackers to disclose files
> | (on the local filesystem outside of the expected area), as
> | demonstrated by href=".?../../../../../../../../../../etc/passwd" in
> | an xi:include element.

I'm testing

to fix this in unstable. In addition to importing the new upstream
release, we need to work around #1038447, otherwise there will be no
fixed version for s390x and the package will be unable to migrate -
I asked the porting teams for the big-endian architectures to debbisect
this and find out which package triggered #1038447, but it appears this
has not yet happened.

For stable, since librsvg has hardly changed since bookworm, I think
the best route will be a 2.54.7+dfsg-1~deb12u1 rather than backporting
individual changes (because we would have to backport the vast majority
of the delta between bookworm and unstable to fix #1041810 and avoid
FTBFSs anyway). #1038447 affects bookworm on s390x, so if the big-endian
architectures' porting teams cannot help to diagnose it, we will have
to work around it by skipping those tests and accepting that some SVGs
will be mis-rendered on BE architectures. Similarly, #1038252 affects
bookworm on i386, so we will have to work around that by skipping a
couple of tests.

One change that happened between bookworm's 2.54.5+dfsg-1 and trixie's
2.54.5+dfsg-3 is that Sebastien Bacher did the trip through NEW to add a
librsvg2-tests binary package and an autopkgtest that runs it:
,
.
This doesn't affect the contents of existing binary packages, it only
adds a new binary package. Would the security team be OK with including
that change for the sake of better test coverage and minimizing delta,
or do we need to revert it for a bookworm update?

Thanks,
smcv



Bug#1041810: librsvg: CVE-2023-38633

2023-07-23 Thread Salvatore Bonaccorso
Source: librsvg
Version: 2.54.5+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for librsvg.

CVE-2023-38633[0]:
| A directory traversal problem in the URL decoder of librsvg before
| 2.56.3 could be used by local or remote attackers to disclose files
| (on the local filesystem outside of the expected area), as
| demonstrated by href=".?../../../../../../../../../../etc/passwd" in
| an xi:include element.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38633
https://www.cve.org/CVERecord?id=CVE-2023-38633
[1] https://gitlab.gnome.org/GNOME/librsvg/-/issues/996

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
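Added example, not librsvg's code and not the upstream fix this thread refers to: a lexical containment check for an `href` resolved against an asset directory, showing the properties a resource loader needs for the `xi:include` case the CVE text describes. The query and fragment are discarded before the path is looked at, percent-decoding happens before the `..` check, and `..` may never climb above the base. The base directory `/srv/svg-assets`, the function names `resolve_within` and `percent_decode`, and the sample hrefs are all assumptions constructed for the demonstration.

```rust
use std::path::{Component, Path, PathBuf};

/// Decode %XX escapes. Returns None on a malformed escape or invalid UTF-8.
/// Decoding runs before the traversal check so that "%2e%2e/" cannot slip
/// past a check that only looks for a literal "..".
fn percent_decode(s: &str) -> Option<String> {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            if i + 2 >= bytes.len() {
                return None; // truncated escape
            }
            let hex = std::str::from_utf8(&bytes[i + 1..i + 3]).ok()?;
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Resolve `href` against `base_dir` purely lexically (no filesystem access)
/// and return the result only if it names something strictly inside `base_dir`.
/// Rules: query ("?...") and fragment ("#...") never contribute path
/// components; absolute paths are rejected; ".." may not climb above the
/// base; the result must not be the base directory itself.
pub fn resolve_within(base_dir: &Path, href: &str) -> Option<PathBuf> {
    // 1. Drop query and fragment before looking at the path at all.
    let path_part = href
        .split(|c: char| c == '?' || c == '#')
        .next()
        .unwrap_or("");
    // 2. Percent-decode, then refuse embedded NULs.
    let decoded = percent_decode(path_part)?;
    if decoded.contains('\0') {
        return None;
    }
    // 3. Walk the components, tracking how deep below the base we are.
    let mut out = base_dir.to_path_buf();
    let mut depth = 0usize;
    for comp in Path::new(&decoded).components() {
        match comp {
            Component::CurDir => {}
            Component::Normal(name) => {
                out.push(name);
                depth += 1;
            }
            Component::ParentDir => {
                if depth == 0 {
                    return None; // would escape base_dir
                }
                out.pop();
                depth -= 1;
            }
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    if depth == 0 {
        return None; // "." or "" resolve to the base itself, not a file in it
    }
    Some(out)
}

fn main() {
    // Constructed sample hrefs, including the shape quoted in the CVE text.
    let base = Path::new("/srv/svg-assets"); // hypothetical asset directory
    let samples = [
        "icons/logo.svg",
        "sub/../logo.svg",
        ".?../../../../../../../../../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "/etc/passwd",
        "icons/..%2f..%2fetc/passwd",
    ];
    for href in samples.iter() {
        match resolve_within(base, href) {
            Some(p) => println!("ALLOW {:?} -> {}", href, p.display()),
            None => println!("DENY  {:?}", href),
        }
    }
}
```

The check is deliberately lexical so it can run before any file is opened; a loader that also follows symlinks would additionally need to canonicalize the opened path and re-verify it against the base.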