From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/librsvg: security bump to version 2.50.9
Date: Thu, 28 Sep 2023 23:00:17 +0200 [thread overview]
Message-ID: <20230928210017.GD14593@scaer> (raw)
In-Reply-To: <20230928170955.347663-1-fontaine.fabrice@gmail.com>
Fabrice, All,
On 2023-09-28 19:09 +0200, Fabrice Fontaine spake thusly:
> Fix CVE-2023-38633: A directory traversal problem in the URL decoder of
> librsvg before 2.56.3 could be used by local or remote attackers to
> disclose files (on the local filesystem outside of the expected area),
> as demonstrated by href=".?../../../../../../../../../../etc/passwd" in
> an xi:include element.
>
> https://gitlab.gnome.org/GNOME/librsvg/-/blob/2.50.9/NEWS
>
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/librsvg/librsvg.hash | 4 ++--
> package/librsvg/librsvg.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/librsvg/librsvg.hash b/package/librsvg/librsvg.hash
> index c8da3354f5..4eab8cdfba 100644
> --- a/package/librsvg/librsvg.hash
> +++ b/package/librsvg/librsvg.hash
> @@ -1,5 +1,5 @@
> -# From https://download.gnome.org/sources/librsvg/2.50/librsvg-2.50.7.sha256sum
> -sha256 fffb61b08cd5282aaae147a02b305166a7426fad22a8b9427708f0f2fc426ebc librsvg-2.50.7.tar.xz
> +# From https://download.gnome.org/sources/librsvg/2.50/librsvg-2.50.9.sha256sum
> +sha256 518905fffa879b6c7f3db1aae961cf31333e0eadc7b4cdd4f531707868c54b53 librsvg-2.50.9.tar.xz
>
> # Locally computed
> sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LIB
> diff --git a/package/librsvg/librsvg.mk b/package/librsvg/librsvg.mk
> index df6559a858..81a6667817 100644
> --- a/package/librsvg/librsvg.mk
> +++ b/package/librsvg/librsvg.mk
> @@ -5,7 +5,7 @@
> ################################################################################
>
> LIBRSVG_VERSION_MAJOR = 2.50
> -LIBRSVG_VERSION = $(LIBRSVG_VERSION_MAJOR).7
> +LIBRSVG_VERSION = $(LIBRSVG_VERSION_MAJOR).9
> LIBRSVG_SITE = https://download.gnome.org/sources/librsvg/$(LIBRSVG_VERSION_MAJOR)
> LIBRSVG_SOURCE = librsvg-$(LIBRSVG_VERSION).tar.xz
> LIBRSVG_INSTALL_STAGING = YES
> --
> 2.40.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2023-09-28 21:00 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-28 17:09 [Buildroot] [PATCH 1/1] package/librsvg: security bump to version 2.50.9 Fabrice Fontaine
2023-09-28 21:00 ` Yann E. MORIN [this message]
2023-10-01 18:28 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230928210017.GD14593@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@buildroot.org \
--cc=fontaine.fabrice@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.