Bug 2224945 (CVE-2023-38633) - CVE-2023-38633 librsvg: Arbitrary file read when xinclude href has special characters
Summary: CVE-2023-38633 librsvg: Arbitrary file read when xinclude href has special ch...
Keywords:
Status: NEW
Alias: CVE-2023-38633
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2224946 2224947 2226689 2226690 2226691 2226692 2226693 2226694 2226695 2226696
Blocks: 2224948
Reported: 2023-07-24 03:16 UTC by Sandipan Roy
Modified: 2023-10-20 07:14 UTC
CC List: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A directory traversal vulnerability was discovered in the URL decoder of librsvg. The issue occurs when an xinclude href contains special characters, as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. This can allow an attacker to send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system, affecting data confidentiality.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Red Hat Product Errata | ID: RHSA-2023:4809 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2023-08-29 09:20:46 UTC
System: Red Hat Product Errata | ID: RHSA-2023:5081 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2023-09-12 10:11:27 UTC

Description Sandipan Roy 2023-07-24 03:16:57 UTC
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.

https://gitlab.gnome.org/GNOME/librsvg/-/releases/2.56.3
https://bugzilla.suse.com/show_bug.cgi?id=1213502
https://gitlab.gnome.org/GNOME/librsvg/-/issues/996
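The traversal in this report hinges on how an include loader turns an href into a filesystem path. The Python below is added here as an illustration and is not librsvg's code or its fix: it contrasts a hypothetical resolver that percent-decodes the whole href and joins it onto the document directory as a plain path with a confined resolver that parses the href as a URL relative to the including document, accepts only file: URLs, uses the path component alone (query and fragment are not path), canonicalises the result and refuses anything that leaves the allowed directory. The document URL file:///srv/svg/doc.svg, the root /srv/svg, the non-advisory sample hrefs and all function names are constructed for the example; the first sample href is the one quoted in the report.

```python
import os
from urllib.parse import unquote, urljoin, urlsplit

# Constructed sample setup: the including document and the directory that
# includes are allowed to reference. Neither path needs to exist on disk.
DOCUMENT_URL = "file:///srv/svg/doc.svg"
INCLUDE_ROOT = "/srv/svg"

# The href quoted in the report, plus constructed variants for comparison.
ADVISORY_HREF = ".?../../../../../../../../../../etc/passwd"
SAMPLE_HREFS = [
    "chapter2.svg",                   # legitimate sibling file
    ADVISORY_HREF,                    # '..' segments placed after a '?'
    "../../etc/passwd",               # plain traversal
    "..%2F..%2Fetc%2Fpasswd",         # percent-encoded traversal
    "http://example.com/remote.svg",  # non-local scheme
]


def naive_resolve(base_dir, href):
    """Hypothetical weak resolver (not librsvg's): percent-decodes the href and
    joins it onto the document's directory as if it were a plain relative path.
    The '?' is an ordinary character here, so the '..' segments after it are
    honoured by normpath and walk out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, unquote(href)))


def resolve_include(document_url, root_dir, href):
    """Resolve an xi:include href the way a confined loader should:
    1. resolve it as a URL relative to the including document,
    2. accept only file: URLs,
    3. take the path component alone (query and fragment are not path),
    4. canonicalise the filesystem path and require it to stay under root_dir.
    Returns the confined path or raises ValueError."""
    target = urlsplit(urljoin(document_url, href))
    if target.scheme != "file" or target.netloc not in ("", "localhost"):
        raise ValueError(f"refused non-local include: {href!r}")
    # realpath normalises '..' and follows symlinks, so the containment check
    # is made on the path that would actually be opened.
    candidate = os.path.realpath(unquote(target.path))
    root = os.path.realpath(root_dir)
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"include escapes {root}: {href!r} -> {candidate}")
    return candidate


def classify(href, document_url=DOCUMENT_URL, root_dir=INCLUDE_ROOT):
    """Return (naive_result, confined_result); confined_result is the resolved
    path, or None when the confined resolver refuses the href."""
    base_dir = os.path.dirname(unquote(urlsplit(document_url).path))
    naive = naive_resolve(base_dir, href)
    try:
        confined = resolve_include(document_url, root_dir, href)
    except ValueError:
        confined = None
    return naive, confined


if __name__ == "__main__":
    for href in SAMPLE_HREFS:
        naive, confined = classify(href)
        print(f"{href!r:45} naive -> {naive:25} confined -> {confined}")
```

For the href from the report the naive resolver lands on /etc/passwd, while the confined resolver yields the document's own directory because everything after the '?' is query, not path. The plain and percent-encoded traversals are refused by the containment check on the canonicalised path, which is the property to test for in any program that hands user-supplied SVG to a renderer; the fix for the library itself is the 2.56.3 release linked above.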

Comment 4 David King 2023-08-09 10:20:43 UTC
Based on https://gitlab.gnome.org/GNOME/librsvg/-/issues/996#note_1806622 it seems that this may not have been classified appropriately, and so should be downgraded to medium severity (a local file is required, not network access, as incorrectly mentioned in the CVE). Nevertheless, I am investigating backporting fixes to all applicable branches.

Comment 6 errata-xmlrpc 2023-08-29 09:20:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:4809 https://access.redhat.com/errata/RHSA-2023:4809

Comment 7 errata-xmlrpc 2023-09-12 10:11:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5081 https://access.redhat.com/errata/RHSA-2023:5081

