Librsvg: Arbitrary File Read — GLSA 202408-14

A vulnerability has been discovered in Librsvg, which can lead to arbitrary file reads.

Affected packages

gnome-base/librsvg on all architectures
Affected versions < 2.56.3
Unaffected versions >= 2.56.3

Background

Librsvg is a library to render SVG files using cairo as a rendering engine.

Description

A directory traversal problem in the URL decoder of librsvg could be used by local or remote attackers to disclose files on the local filesystem outside of the expected area, as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element of an SVG document.
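The href above shows why validating a URL's path component is not the same as validating the filename that will eventually be opened: a URL parser reads ".?../../etc/passwd" as path "." with a query string, while a filesystem sees a directory named ".?.." followed by a chain of "..". The following added example (not librsvg's code, and not a description of its internals) contrasts a check that looks only at the URL path with one that canonicalises the whole href against the document's directory; the helper names, the constructed SVG and the base directory /srv/svg/icons are assumptions for illustration.

```python
"""Added example (not librsvg's code): list xi:include hrefs in an SVG that
would resolve outside the directory the document lives in.

Assumptions for illustration: helper names, SAMPLE_SVG and the base
directory are constructed here and do not come from the advisory."""
import os
import urllib.parse
import xml.etree.ElementTree as ET

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"

# Constructed sample: one benign include plus the traversal href quoted in
# the advisory. ElementTree does not process xi:include on its own, so
# parsing this text never opens the referenced files.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="fragment.svg" parse="xml"/>
  <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text"/>
</svg>"""


def _under(base, candidate):
    """True if candidate equals base or lies beneath it (both real paths)."""
    return candidate == base or candidate.startswith(base + os.sep)


def weak_check(href, base_dir):
    """Insufficient: validates only the URL *path* component.
    urlsplit('.?../../etc/passwd') yields path '.' and query
    '../../etc/passwd', so the traversal is never looked at."""
    base = os.path.realpath(base_dir)
    path_part = urllib.parse.urlsplit(href).path
    return _under(base, os.path.realpath(os.path.join(base, path_part)))


def strict_check(href, base_dir):
    """Validate the name as a file opener would see it: the whole href,
    joined to the base and canonicalised with realpath(), must stay inside
    base_dir. Absolute paths and hrefs carrying a URL scheme are refused."""
    if urllib.parse.urlsplit(href).scheme or os.path.isabs(href):
        return False
    base = os.path.realpath(base_dir)
    return _under(base, os.path.realpath(os.path.join(base, href)))


def escaping_includes(svg_text, base_dir, check=strict_check):
    """Return the href of every xi:include element that `check` rejects."""
    root = ET.fromstring(svg_text)
    return [el.get("href", "") for el in root.iter(XI_INCLUDE)
            if not check(el.get("href", ""), base_dir)]


if __name__ == "__main__":
    base = "/srv/svg/icons"  # hypothetical directory holding the SVG
    print("weak check flags:  ", escaping_includes(SAMPLE_SVG, base, weak_check))
    print("strict check flags:", escaping_includes(SAMPLE_SVG, base))
```

Run against the sample, the weak check reports nothing because the path component of the traversal href is just ".", while the strict check reports the href, since realpath() folds ".?.." and the following ".." components down to /etc/passwd. The defensive rule this illustrates is to validate the exact string that reaches the file API, after canonicalisation, rather than a parsed view of it.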

Impact

Please review the referenced CVE identifier for details.

Workaround

There is no known workaround at this time.

Resolution

All Librsvg users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=gnome-base/librsvg-2.56.3"

References

Release date
August 09, 2024

Latest revision
August 09, 2024: 1

Severity
normal

Exploitable
local and remote

Bugzilla entries