Buildroot Archive on lore.kernel.org
 help / color / mirror / Atom feed
* [Buildroot] [PATCH 1/1] package/librsvg: security bump to version 2.50.9
@ 2023-09-28 17:09 Fabrice Fontaine
  2023-09-28 21:00 ` Yann E. MORIN
  2023-10-01 18:28 ` Peter Korsgaard
  0 siblings, 2 replies; 3+ messages in thread
From: Fabrice Fontaine @ 2023-09-28 17:09 UTC (permalink / raw)
  To: buildroot; +Cc: Fabrice Fontaine

Fix CVE-2023-38633: A directory traversal problem in the URL decoder of
librsvg before 2.56.3 could be used by local or remote attackers to
disclose files (on the local filesystem outside of the expected area),
as demonstrated by href=".?../../../../../../../../../../etc/passwd" in
an xi:include element.

https://gitlab.gnome.org/GNOME/librsvg/-/blob/2.50.9/NEWS

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/librsvg/librsvg.hash | 4 ++--
 package/librsvg/librsvg.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/librsvg/librsvg.hash b/package/librsvg/librsvg.hash
index c8da3354f5..4eab8cdfba 100644
--- a/package/librsvg/librsvg.hash
+++ b/package/librsvg/librsvg.hash
@@ -1,5 +1,5 @@
-# From https://download.gnome.org/sources/librsvg/2.50/librsvg-2.50.7.sha256sum
-sha256  fffb61b08cd5282aaae147a02b305166a7426fad22a8b9427708f0f2fc426ebc  librsvg-2.50.7.tar.xz
+# From https://download.gnome.org/sources/librsvg/2.50/librsvg-2.50.9.sha256sum
+sha256  518905fffa879b6c7f3db1aae961cf31333e0eadc7b4cdd4f531707868c54b53  librsvg-2.50.9.tar.xz
 
 # Locally computed
 sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LIB
diff --git a/package/librsvg/librsvg.mk b/package/librsvg/librsvg.mk
index df6559a858..81a6667817 100644
--- a/package/librsvg/librsvg.mk
+++ b/package/librsvg/librsvg.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 LIBRSVG_VERSION_MAJOR = 2.50
-LIBRSVG_VERSION = $(LIBRSVG_VERSION_MAJOR).7
+LIBRSVG_VERSION = $(LIBRSVG_VERSION_MAJOR).9
 LIBRSVG_SITE = https://download.gnome.org/sources/librsvg/$(LIBRSVG_VERSION_MAJOR)
 LIBRSVG_SOURCE = librsvg-$(LIBRSVG_VERSION).tar.xz
 LIBRSVG_INSTALL_STAGING = YES
-- 
2.40.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/librsvg: security bump to version 2.50.9
  2023-09-28 17:09 [Buildroot] [PATCH 1/1] package/librsvg: security bump to version 2.50.9 Fabrice Fontaine
@ 2023-09-28 21:00 ` Yann E. MORIN
  2023-10-01 18:28 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Yann E. MORIN @ 2023-09-28 21:00 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

Fabrice, All,

On 2023-09-28 19:09 +0200, Fabrice Fontaine spake thusly:
> Fix CVE-2023-38633: A directory traversal problem in the URL decoder of
> librsvg before 2.56.3 could be used by local or remote attackers to
> disclose files (on the local filesystem outside of the expected area),
> as demonstrated by href=".?../../../../../../../../../../etc/passwd" in
> an xi:include element.
> 
> https://gitlab.gnome.org/GNOME/librsvg/-/blob/2.50.9/NEWS
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/librsvg/librsvg.hash | 4 ++--
>  package/librsvg/librsvg.mk   | 2 +-
>  2 files changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/package/librsvg/librsvg.hash b/package/librsvg/librsvg.hash
> index c8da3354f5..4eab8cdfba 100644
> --- a/package/librsvg/librsvg.hash
> +++ b/package/librsvg/librsvg.hash
> @@ -1,5 +1,5 @@
> -# From https://download.gnome.org/sources/librsvg/2.50/librsvg-2.50.7.sha256sum
> -sha256  fffb61b08cd5282aaae147a02b305166a7426fad22a8b9427708f0f2fc426ebc  librsvg-2.50.7.tar.xz
> +# From https://download.gnome.org/sources/librsvg/2.50/librsvg-2.50.9.sha256sum
> +sha256  518905fffa879b6c7f3db1aae961cf31333e0eadc7b4cdd4f531707868c54b53  librsvg-2.50.9.tar.xz
>  
>  # Locally computed
>  sha256  dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551  COPYING.LIB
> diff --git a/package/librsvg/librsvg.mk b/package/librsvg/librsvg.mk
> index df6559a858..81a6667817 100644
> --- a/package/librsvg/librsvg.mk
> +++ b/package/librsvg/librsvg.mk
> @@ -5,7 +5,7 @@
>  ################################################################################
>  
>  LIBRSVG_VERSION_MAJOR = 2.50
> -LIBRSVG_VERSION = $(LIBRSVG_VERSION_MAJOR).7
> +LIBRSVG_VERSION = $(LIBRSVG_VERSION_MAJOR).9
>  LIBRSVG_SITE = https://download.gnome.org/sources/librsvg/$(LIBRSVG_VERSION_MAJOR)
>  LIBRSVG_SOURCE = librsvg-$(LIBRSVG_VERSION).tar.xz
>  LIBRSVG_INSTALL_STAGING = YES
> -- 
> 2.40.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/librsvg: security bump to version 2.50.9
  2023-09-28 17:09 [Buildroot] [PATCH 1/1] package/librsvg: security bump to version 2.50.9 Fabrice Fontaine
  2023-09-28 21:00 ` Yann E. MORIN
@ 2023-10-01 18:28 ` Peter Korsgaard
  1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2023-10-01 18:28 UTC (permalink / raw)
  To: Fabrice Fontaine; +Cc: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2023-38633: A directory traversal problem in the URL decoder of
 > librsvg before 2.56.3 could be used by local or remote attackers to
 > disclose files (on the local filesystem outside of the expected area),
 > as demonstrated by href=".?../../../../../../../../../../etc/passwd" in
 > an xi:include element.

 > https://gitlab.gnome.org/GNOME/librsvg/-/blob/2.50.9/NEWS

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.02.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-10-01 18:28 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-28 17:09 [Buildroot] [PATCH 1/1] package/librsvg: security bump to version 2.50.9 Fabrice Fontaine
2023-09-28 21:00 ` Yann E. MORIN
2023-10-01 18:28 ` Peter Korsgaard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox