RHSA-2023:4809: Red Hat Security Advisory: librsvg2 security update

An update for librsvg2 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-38633: A directory traversal vulnerability was discovered in the URL decoder of Librsvg. This issue occurs when xinclude href has special characters; demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element, which can allow an attacker to send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system, affecting the data confidentiality.
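As an added, defender-side example that is not part of the advisory: a small Python scanner that parses an SVG, finds xi:include elements and reports any href that could resolve outside the document's base directory (assumed here to be /srv/svg), covering the ".?../" form described above as well as percent-encoded and file:// forms. The sample SVG is constructed for the example.

```python
"""Added example (not from the advisory): flag xi:include hrefs that could resolve
outside the SVG's base directory, including the '.?../' form from CVE-2023-38633."""
import posixpath
from urllib.parse import unquote
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input

XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"

def candidate_paths(href: str) -> list:
    """Paths a lenient decoder might derive from href: raw, percent-decoded once and
    twice, with or without the '?'/'#' suffix (a strict parser stops the path there)."""
    forms, paths = [], []
    for f in (href, unquote(href), unquote(unquote(href))):
        f = f[len("file://"):] if f.startswith("file://") else f
        if f not in forms:
            forms.append(f)
    for f in forms:
        for p in (f, f.split("?", 1)[0], f.split("#", 1)[0]):
            if p not in paths:
                paths.append(p)
    return paths

def resolve(path: str, base_dir: str) -> str:
    """Resolve path against base_dir as a file-backed loader would."""
    return posixpath.normpath(posixpath.join(base_dir, path))

def inside(full: str, base_dir: str) -> bool:
    base = base_dir.rstrip("/")
    return full == base or full.startswith(base + "/")

def find_unsafe_includes(svg_text: str, base_dir: str = "/srv/svg") -> list:
    """Return (href, escaped_path) for each xi:include that can leave base_dir."""
    findings = []
    for el in ET.fromstring(svg_text).iter(XI_INCLUDE):
        href = el.get("href", "")
        for p in candidate_paths(href):
            full = resolve(p, base_dir)
            if not inside(full, base_dir):
                findings.append((href, full))
                break
    return findings

# Constructed sample: two benign includes, then two that escape /srv/svg.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="icons/logo.svg" parse="xml"/>
  <xi:include href="style.css?v=2" parse="text"/>
  <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text"/>
  <xi:include href="file:///etc/passwd" parse="text"/>
</svg>"""
```

A query string by itself (style.css?v=2) is not flagged; only hrefs whose decoded or unsplit form leaves the base directory are reported.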
Red Hat Security Data


Issued: 2023-08-29

Updated: 2023-08-29

RHSA-2023:4809 - Security Advisory


Synopsis: Moderate: librsvg2 security update

Type/Severity: Security Advisory: Moderate


Topic

An update for librsvg2 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The librsvg2 packages provide a Scalable Vector Graphics (SVG) library based on the libart library.

Security Fix(es):

  • librsvg: Arbitrary file read when xinclude href has special characters (CVE-2023-38633)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0 x86_64
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0 s390x
  • Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0 ppc64le
  • Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0 aarch64
  • Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
  • Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
  • Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.0 aarch64
  • Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.0 s390x

Fixes

  • BZ - 2224945 - CVE-2023-38633 librsvg: Arbitrary file read when xinclude href has special characters

Updated Packages

All affected product channels ship the same build, librsvg2-2.50.7-1.el9_0.1, built from the one source package.

SRPM (all channels)

  • librsvg2-2.50.7-1.el9_0.1.src.rpm

x86_64 (Extended Update Support 9.0; Update Services for SAP Solutions 9.0)

  • librsvg2-2.50.7-1.el9_0.1.i686.rpm
  • librsvg2-2.50.7-1.el9_0.1.x86_64.rpm
  • librsvg2-debuginfo-2.50.7-1.el9_0.1.i686.rpm
  • librsvg2-debuginfo-2.50.7-1.el9_0.1.x86_64.rpm
  • librsvg2-debugsource-2.50.7-1.el9_0.1.i686.rpm
  • librsvg2-debugsource-2.50.7-1.el9_0.1.x86_64.rpm
  • librsvg2-devel-2.50.7-1.el9_0.1.i686.rpm
  • librsvg2-devel-2.50.7-1.el9_0.1.x86_64.rpm
  • librsvg2-tools-2.50.7-1.el9_0.1.x86_64.rpm
  • librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.i686.rpm
  • librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.x86_64.rpm

s390x (IBM z Systems: Extended Update Support 9.0; 4 years of updates 9.0)

  • librsvg2-2.50.7-1.el9_0.1.s390x.rpm
  • librsvg2-debuginfo-2.50.7-1.el9_0.1.s390x.rpm
  • librsvg2-debugsource-2.50.7-1.el9_0.1.s390x.rpm
  • librsvg2-devel-2.50.7-1.el9_0.1.s390x.rpm
  • librsvg2-tools-2.50.7-1.el9_0.1.s390x.rpm
  • librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.s390x.rpm

ppc64le (Power, little endian: Extended Update Support 9.0; Update Services for SAP Solutions 9.0)

  • librsvg2-2.50.7-1.el9_0.1.ppc64le.rpm
  • librsvg2-debuginfo-2.50.7-1.el9_0.1.ppc64le.rpm
  • librsvg2-debugsource-2.50.7-1.el9_0.1.ppc64le.rpm
  • librsvg2-devel-2.50.7-1.el9_0.1.ppc64le.rpm
  • librsvg2-tools-2.50.7-1.el9_0.1.ppc64le.rpm
  • librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.ppc64le.rpm

aarch64 (ARM 64: Extended Update Support 9.0; 4 years of updates 9.0)

  • librsvg2-2.50.7-1.el9_0.1.aarch64.rpm
  • librsvg2-debuginfo-2.50.7-1.el9_0.1.aarch64.rpm
  • librsvg2-debugsource-2.50.7-1.el9_0.1.aarch64.rpm
  • librsvg2-devel-2.50.7-1.el9_0.1.aarch64.rpm
  • librsvg2-tools-2.50.7-1.el9_0.1.aarch64.rpm
  • librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.aarch64.rpm

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Gentoo Linux Security Advisory 202408-14

Gentoo Linux Security Advisory 202408-14 - A vulnerability has been discovered in Librsvg, which can lead to arbitrary file reads. Versions greater than or equal to 2.56.3 are affected.

Red Hat Security Advisory 2023-5081-01

Red Hat Security Advisory 2023-5081-01 - The librsvg2 packages provide a Scalable Vector Graphics library based on the libart library.

RHSA-2023:5081: Red Hat Security Advisory: librsvg2 security update

An update for librsvg2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-38633: A directory traversal vulnerability was discovered in the URL decoder of Librsvg. This issue occurs when xinclude href has special characters; demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element, which can allow an attacker to send a specially crafted URL request containing "dot dot" sequences (/../) to vie...

Red Hat Security Advisory 2023-4809-01

Red Hat Security Advisory 2023-4809-01 - The librsvg2 packages provide a Scalable Vector Graphics library based on the libart library.

Debian Security Advisory 5484-1

Debian Linux Security Advisory 5484-1 - Zac Sims discovered a directory traversal in the URL decoder of librsvg, a SAX-based renderer library for SVG files, which could result in read of arbitrary files when processing a specially crafted SVG file with an include element.

Ubuntu Security Notice USN-6266-1

Ubuntu Security Notice 6266-1 - Zac Sims discovered that librsvg incorrectly handled decoding URLs. A remote attacker could possibly use this issue to read arbitrary files by using an include element.

CVE-2023-38633: 2.56.3 - stable · GNOME / librsvg · GitLab

A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.