Bug#1041810: librsvg: CVE-2023-38633
Salvatore Bonaccorso
carnil at debian.org
Sun Aug 27 15:52:07 BST 2023
Hi Simon,
On Sat, Aug 19, 2023 at 06:57:30PM +0200, Salvatore Bonaccorso wrote:
> Hi Simon,
>
> On Sun, Jul 30, 2023 at 09:48:57PM +0100, Simon McVittie wrote:
> > On Sun, 30 Jul 2023 at 22:04:24 +0200, Salvatore Bonaccorso wrote:
> > > For bullseye I think we should simply pick the upstream commit?
> >
> > Yes: we didn't keep up with upstream 2.50.x so there are a bunch of
> > unrelated fixes (2.50.4 up to .7) which would be out of scope for a
> > security update. If it was a package I knew better then I might be
> > advocating the new upstream release, but I can't really assess risk vs
> > benefit for librsvg, so cherry-picking the equivalent of .8 and .9 seems
> > more conservative.
> >
> > <https://salsa.debian.org/gnome-team/librsvg/-/merge_requests/20>
> > compiles successfully, I'll try it in a bullseye VM next.
>
> If you are happy with the results and coverage from unstable, would
> you be open to prepare/finalize next the respective updates for
> bookworm-security and bullseye-security?
>
> Thanks a lot for your work so far on it!
With some delays DSA released for it. In fact, I guess anybody running
e.g. a webservice converting untrusted svg files would sandbox anyway
such a service. Upstream correctly noted that in the upstream issue.
Thanks for your work and contributing the update!
Regards,
Salvatore
More information about the pkg-gnome-maintainers
mailing list