Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2023-38633

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.

Related bugs and status

CVE-2023-38633 (Candidate) is related to these bugs:

Bug #1976259: librsvg ftbfs in the jammy release pocket

Summary				In	Importance	Status
	1976259	librsvg ftbfs in the jammy release pocket		librsvg (Ubuntu)	High	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://gitlab.gnome.o...
MISC: https://bugzilla.suse....
MISC: https://gitlab.gnome.o...
FULLDISC: 20230724 APPLE-SA-2023...
MLIST: [oss-security] 2023072...
FEDORA: FEDORA-2023-fc79ee273d
FEDORA: FEDORA-2023-0873c38acd
DEBIAN: DSA-5484
CONFIRM: https://security.netap...
MLIST: [oss-security] 2023090...
MISC: https://news.ycombinat...
MISC: https://www.canva.dev/...