Headline
RHSA-2023:4809: Red Hat Security Advisory: librsvg2 security update
An update for librsvg2 is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-38633: A directory traversal vulnerability was discovered in the URL decoder of librsvg. It is triggered when an xi:include href contains special characters, as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element: the "?" places the "dot dot" (/../) traversal sequences in the URL's query string rather than in its path. An attacker who can get a specially crafted SVG processed by librsvg can use this to read arbitrary files on the system, affecting data confidentiality.
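The payload above parks its traversal sequence after a "?", so it sits in the URL's query string rather than its path. Anything that renders user-supplied SVGs through librsvg (rsvg-convert from librsvg2-tools, or an application linked against the library) needs the update; a pre-filter that rejects hostile xi:include hrefs before they reach the renderer is a useful extra layer, but only if it percent-decodes and inspects every URL component instead of the path alone. The scanner below is an added example, not code from Red Hat's advisory or from the librsvg project; the sample SVG, the function names and the exact set of rejection rules are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# defusedxml hardens the parser against entity-expansion and external-entity
# tricks in untrusted XML; fall back to the standard library if it is absent.
try:
    from defusedxml.ElementTree import fromstring as parse_xml
except ImportError:
    from xml.etree.ElementTree import fromstring as parse_xml

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# Constructed sample: a mix of benign and hostile xi:include hrefs.  The first
# one has the exact shape of the payload quoted in the CVE-2023-38633 text.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xi="http://www.w3.org/2001/XInclude" width="100" height="100">
  <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8"/>
  <xi:include href="../../etc/shadow" parse="text"/>
  <xi:include href="legend.txt" parse="text"/>
  <xi:include href="%2e%2e/secret.txt" parse="text"/>
  <xi:include href="file:///etc/hostname" parse="text"/>
</svg>
"""


def _dotdot_segment(path: str) -> bool:
    """True if any '/'-separated segment of the decoded path is '..'."""
    return any(seg == ".." for seg in path.split("/"))


def classify_href(href: str):
    """Return a reason string if the href is unsafe for untrusted input, else None.

    Every component is percent-decoded first, and the query and fragment are
    checked as well as the path: the CVE-2023-38633 payload hides its
    traversal after a '?', where a path-only check never looks.
    """
    parts = urlsplit(href)
    if parts.scheme:
        return f"non-relative scheme {parts.scheme!r}"
    if parts.netloc:
        return "network location in href"
    path, query, fragment = (unquote(c) for c in (parts.path, parts.query, parts.fragment))
    if path.startswith("/"):
        return "absolute path"
    if _dotdot_segment(path):
        return "traversal in path"
    # query/fragment are not paths, so any '..' at all is treated as hostile
    if ".." in query:
        return "traversal in query"
    if ".." in fragment:
        return "traversal in fragment"
    return None


def scan_svg(svg_text: str, allow_xinclude: bool = True):
    """Return [(href, reason), ...] for xi:include elements that must be rejected.

    With allow_xinclude=False every xi:include is reported, which is the safest
    policy for SVGs from untrusted users: the renderer has no business reading
    other files on their behalf.
    """
    root = parse_xml(svg_text)
    findings = []
    for el in root.iter(f"{{{XINCLUDE_NS}}}include"):
        href = el.get("href", "")
        if not allow_xinclude:
            findings.append((href, "xi:include not permitted in untrusted input"))
            continue
        reason = classify_href(href) if href else None
        if reason:
            findings.append((href, reason))
    return findings


if __name__ == "__main__":
    for href, reason in scan_svg(SAMPLE_SVG):
        print(f"REJECT {href!r}: {reason}")
```

Run against the constructed sample, four of the five includes are rejected and only legend.txt passes. A reject-list like this is a mitigation for input you cannot avoid accepting, not a substitute for the updated package: it knows nothing about other resource-loading elements or about any decoding librsvg itself performs beyond percent-encoding.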
Issued:
2023-08-29
Updated:
2023-08-29
RHSA-2023:4809 - Security Advisory
Synopsis
Moderate: librsvg2 security update
Type/Severity
Security Advisory: Moderate
Description
The librsvg2 packages provide a Scalable Vector Graphics (SVG) library based on the libart library.
Security Fix(es):
- librsvg: Arbitrary file read when xinclude href has special characters (CVE-2023-38633)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0 x86_64
- Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0 s390x
- Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0 ppc64le
- Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0 aarch64
- Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0 ppc64le
- Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0 x86_64
- Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.0 aarch64
- Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.0 s390x
Fixes
- BZ - 2224945 - CVE-2023-38633 librsvg: Arbitrary file read when xinclude href has special characters
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.0
SRPM
librsvg2-2.50.7-1.el9_0.1.src.rpm
SHA-256: 8c8ce1515717f38c632d052e76718a9a330c2becfe07802685dd0051d4ca44cc
x86_64
librsvg2-2.50.7-1.el9_0.1.i686.rpm
SHA-256: 4e83acd4a6e4f4122d2426112ce2e271f316b342c63c4c4b5b5ec6fb23cf15b5
librsvg2-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: 7962621f9d62681f863c1756c37d5f6d9cb60c842358478309964914ce6b0966
librsvg2-debuginfo-2.50.7-1.el9_0.1.i686.rpm
SHA-256: 616c3fdbc818169867c5daaed49f3272d21f9803556ceac7a47008de1916679b
librsvg2-debuginfo-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: 2490718b1a6fee713af95de7753ea842b0e48ab4195bd560ac67ae4f43a60b8b
librsvg2-debugsource-2.50.7-1.el9_0.1.i686.rpm
SHA-256: 124f49c3a9dbeea1451c5cd4d6d42de604167803943b8bea887c5c77859dd1cd
librsvg2-debugsource-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: f3202148dbff0b4801439968a1287c9e0ecb64726a16b5cbaa6caf5dff33af53
librsvg2-devel-2.50.7-1.el9_0.1.i686.rpm
SHA-256: 30114ee862990c2036a624dc9503b32934a36a89c0c9a8d039a9cd2745e5d199
librsvg2-devel-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: 817446c77925a333b2fbc7057d16344abebf0c67e3fc7788294fb4badd9a8d1c
librsvg2-tools-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: 0bfafdfc0b32d0003d3845b684563db8bfcce3a38269ff442894be0952be9ac2
librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.i686.rpm
SHA-256: d20cce153e7c0b282225df8824bed6f81d0745591f7eb533f8af132515491b30
librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: 04ec3e49b3afbb35cedc2beb2e63666901cd553d9b6334fb5dc23fcad41f4e0d
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.0
SRPM
librsvg2-2.50.7-1.el9_0.1.src.rpm
SHA-256: 8c8ce1515717f38c632d052e76718a9a330c2becfe07802685dd0051d4ca44cc
s390x
librsvg2-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: e7aaa2f808dfd7f20ff500a5239463d3e1cbeaf60cd4d385350211f8910a8ed6
librsvg2-debuginfo-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: 5618864fd1cf38eb5c6eb95b325fde11e9bd3c59d099c62770774ac7fbbf58f0
librsvg2-debugsource-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: 682a82dea7b75bd86f9f01f7770c3ae89d0b560617b171c65fc6578261a5726a
librsvg2-devel-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: c1cab3dda673f86a343c3a3e3450dee6c0b5120cc9e65934beb58a64cc1c28c2
librsvg2-tools-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: 3d09e0f15ae4d5a41723939041e38f7e775b447ad556d8dafe7aafc53555e53b
librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: 0fda0bff62682604e5ea8beb0a11e3e69bea23cde18ad00f24c5fef8c25bf5c1
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.0
SRPM
librsvg2-2.50.7-1.el9_0.1.src.rpm
SHA-256: 8c8ce1515717f38c632d052e76718a9a330c2becfe07802685dd0051d4ca44cc
ppc64le
librsvg2-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: f67a012cbae2c453dc2ed497fde292d7357111d1bc8966d72194a22d83bc680a
librsvg2-debuginfo-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: e4b13b5df8ba2472b49e99f01ff8cfb8d7b1b5535c414ce311a36eb6338deb0f
librsvg2-debugsource-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: 79d952b4d68ce9168e65a66e85af59de6de1c23e6dded296e2a7b4ab207a0269
librsvg2-devel-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: 398bdc1c79298355bfc78ed09272cd053adc0cb9507433519d864925bf4cef39
librsvg2-tools-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: c35f9f92649f34f7a7767a321be80d8e4e9a9302ffc8b6b45825ea3e969b2056
librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: 00572fe9f9b59d292b967978e5ce00f732df68779ca8ca8f950ec75bfebd28b4
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.0
SRPM
librsvg2-2.50.7-1.el9_0.1.src.rpm
SHA-256: 8c8ce1515717f38c632d052e76718a9a330c2becfe07802685dd0051d4ca44cc
aarch64
librsvg2-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: e5d90f3ef06c08f62e8da2ce45e778b87607fa2f4609692484bdea188522d8ce
librsvg2-debuginfo-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: cd505ef839524bf13ac9fa0440b0597242cccd7525c1f57be48911f68590d15f
librsvg2-debugsource-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: d682f5a86fe1b36b7e0c1d5ef45ece9baf5b5f92182c5a07a425c7f82ad137be
librsvg2-devel-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: 7dc0759654103d2898f08b72d1aa9d929faed1adbb2723838a3c585e1f10127d
librsvg2-tools-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: 8ccafcf62524f9a98bdba5a615d625af0f8ae25f4c847d9e85c37ec8bc543bb4
librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: d308c6b03c42fa2494f5827a95bc964f8d5077e48f601438d3c46b7612cddd3e
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.0
SRPM
librsvg2-2.50.7-1.el9_0.1.src.rpm
SHA-256: 8c8ce1515717f38c632d052e76718a9a330c2becfe07802685dd0051d4ca44cc
ppc64le
librsvg2-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: f67a012cbae2c453dc2ed497fde292d7357111d1bc8966d72194a22d83bc680a
librsvg2-debuginfo-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: e4b13b5df8ba2472b49e99f01ff8cfb8d7b1b5535c414ce311a36eb6338deb0f
librsvg2-debugsource-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: 79d952b4d68ce9168e65a66e85af59de6de1c23e6dded296e2a7b4ab207a0269
librsvg2-devel-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: 398bdc1c79298355bfc78ed09272cd053adc0cb9507433519d864925bf4cef39
librsvg2-tools-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: c35f9f92649f34f7a7767a321be80d8e4e9a9302ffc8b6b45825ea3e969b2056
librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.ppc64le.rpm
SHA-256: 00572fe9f9b59d292b967978e5ce00f732df68779ca8ca8f950ec75bfebd28b4
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.0
SRPM
librsvg2-2.50.7-1.el9_0.1.src.rpm
SHA-256: 8c8ce1515717f38c632d052e76718a9a330c2becfe07802685dd0051d4ca44cc
x86_64
librsvg2-2.50.7-1.el9_0.1.i686.rpm
SHA-256: 4e83acd4a6e4f4122d2426112ce2e271f316b342c63c4c4b5b5ec6fb23cf15b5
librsvg2-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: 7962621f9d62681f863c1756c37d5f6d9cb60c842358478309964914ce6b0966
librsvg2-debuginfo-2.50.7-1.el9_0.1.i686.rpm
SHA-256: 616c3fdbc818169867c5daaed49f3272d21f9803556ceac7a47008de1916679b
librsvg2-debuginfo-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: 2490718b1a6fee713af95de7753ea842b0e48ab4195bd560ac67ae4f43a60b8b
librsvg2-debugsource-2.50.7-1.el9_0.1.i686.rpm
SHA-256: 124f49c3a9dbeea1451c5cd4d6d42de604167803943b8bea887c5c77859dd1cd
librsvg2-debugsource-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: f3202148dbff0b4801439968a1287c9e0ecb64726a16b5cbaa6caf5dff33af53
librsvg2-devel-2.50.7-1.el9_0.1.i686.rpm
SHA-256: 30114ee862990c2036a624dc9503b32934a36a89c0c9a8d039a9cd2745e5d199
librsvg2-devel-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: 817446c77925a333b2fbc7057d16344abebf0c67e3fc7788294fb4badd9a8d1c
librsvg2-tools-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: 0bfafdfc0b32d0003d3845b684563db8bfcce3a38269ff442894be0952be9ac2
librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.i686.rpm
SHA-256: d20cce153e7c0b282225df8824bed6f81d0745591f7eb533f8af132515491b30
librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.x86_64.rpm
SHA-256: 04ec3e49b3afbb35cedc2beb2e63666901cd553d9b6334fb5dc23fcad41f4e0d
Red Hat Enterprise Linux Server for ARM 64 - 4 years of updates 9.0
SRPM
librsvg2-2.50.7-1.el9_0.1.src.rpm
SHA-256: 8c8ce1515717f38c632d052e76718a9a330c2becfe07802685dd0051d4ca44cc
aarch64
librsvg2-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: e5d90f3ef06c08f62e8da2ce45e778b87607fa2f4609692484bdea188522d8ce
librsvg2-debuginfo-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: cd505ef839524bf13ac9fa0440b0597242cccd7525c1f57be48911f68590d15f
librsvg2-debugsource-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: d682f5a86fe1b36b7e0c1d5ef45ece9baf5b5f92182c5a07a425c7f82ad137be
librsvg2-devel-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: 7dc0759654103d2898f08b72d1aa9d929faed1adbb2723838a3c585e1f10127d
librsvg2-tools-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: 8ccafcf62524f9a98bdba5a615d625af0f8ae25f4c847d9e85c37ec8bc543bb4
librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.aarch64.rpm
SHA-256: d308c6b03c42fa2494f5827a95bc964f8d5077e48f601438d3c46b7612cddd3e
Red Hat Enterprise Linux Server for IBM z Systems - 4 years of updates 9.0
SRPM
librsvg2-2.50.7-1.el9_0.1.src.rpm
SHA-256: 8c8ce1515717f38c632d052e76718a9a330c2becfe07802685dd0051d4ca44cc
s390x
librsvg2-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: e7aaa2f808dfd7f20ff500a5239463d3e1cbeaf60cd4d385350211f8910a8ed6
librsvg2-debuginfo-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: 5618864fd1cf38eb5c6eb95b325fde11e9bd3c59d099c62770774ac7fbbf58f0
librsvg2-debugsource-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: 682a82dea7b75bd86f9f01f7770c3ae89d0b560617b171c65fc6578261a5726a
librsvg2-devel-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: c1cab3dda673f86a343c3a3e3450dee6c0b5120cc9e65934beb58a64cc1c28c2
librsvg2-tools-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: 3d09e0f15ae4d5a41723939041e38f7e775b447ad556d8dafe7aafc53555e53b
librsvg2-tools-debuginfo-2.50.7-1.el9_0.1.s390x.rpm
SHA-256: 0fda0bff62682604e5ea8beb0a11e3e69bea23cde18ad00f24c5fef8c25bf5c1
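The package lists above give the fixed version-release, 2.50.7-1.el9_0.1, for every architecture on the 9.0 EUS stream. On one host, dnf update --advisory=RHSA-2023:4809 applies it and rpm -q librsvg2 shows the result; when checking an inventory of many hosts or container images it helps to compare installed version-release strings with the fixed one programmatically, which needs RPM's own version ordering rather than a string or float comparison. The code below is an added example, not Red Hat tooling: it reimplements the segment rules of RPM's rpmvercmp(), and the inventory lines are constructed. It only judges packages whose dist tag matches the advisory's stream (el9_0); a librsvg2 built for plain RHEL 9 or for another stream is covered by a different advisory with its own version, so a higher-looking release there proves nothing.

```python
import re

# Fixed version-release for the RHEL 9.0 EUS stream, as listed in this advisory.
FIXED_VR = "2.50.7-1.el9_0.1"
FIXED_PACKAGES = {
    "librsvg2": FIXED_VR,
    "librsvg2-devel": FIXED_VR,
    "librsvg2-tools": FIXED_VR,
}

# Constructed `rpm -qa` output (NAME-VERSION-RELEASE.ARCH lines), not from a real host.
SAMPLE_INVENTORY = """\
bash-5.1.8-6.el9_0.x86_64
librsvg2-2.50.7-1.el9_0.x86_64
librsvg2-tools-2.50.7-1.el9_0.1.x86_64
librsvg2-devel-2.50.7-1.el9.x86_64
"""

_DIST_RE = re.compile(r"\.(el\d+(?:_\d+)?)")


def _is_alnum(c: str) -> bool:
    return c.isascii() and c.isalnum()


def rpmvercmp(a: str, b: str) -> int:
    """Port of RPM's rpmvercmp(): -1, 0 or 1 as a is older, equal or newer.

    Versions are split into runs of digits or letters; numeric runs compare by
    value (leading zeros dropped), alphabetic runs lexically, a numeric run
    beats an alphabetic one, '~' sorts before anything (pre-releases) and '^'
    sorts after the bare version.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators ('.', '_', '-', ...) carry no ordering information
        while i < len(a) and not (_is_alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (_is_alnum(b[j]) or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        pattern = r"[0-9]+" if ca.isdigit() else r"[A-Za-z]+"
        m1, m2 = re.match(pattern, a[i:]), re.match(pattern, b[j:])
        s1, s2 = m1.group(0), (m2.group(0) if m2 else "")
        if not s2:  # segment types differ: numeric beats alphabetic
            return 1 if ca.isdigit() else -1
        if ca.isdigit():
            s1, s2 = s1.lstrip("0"), s2.lstrip("0")
            if len(s1) != len(s2):  # more digits means a bigger number
                return 1 if len(s1) > len(s2) else -1
        if s1 != s2:
            return 1 if s1 > s2 else -1
        i, j = i + m1.end(), j + m2.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever still has characters wins


def parse_evr(evr: str):
    """Split 'epoch:version-release' into its parts; epoch defaults to 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two epoch:version-release strings the way rpm orders packages."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def parse_nvra(nvra: str):
    """Split 'name-version-release.arch' (the default rpm -qa format)."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def dist_tag(release: str) -> str:
    """Extract the stream tag (el9, el9_0, ...) from a release string."""
    m = _DIST_RE.search(release)
    return m.group(1) if m else ""


def check_inventory(inventory: str, fixed=FIXED_PACKAGES):
    """Map each advisory package in the inventory to fixed/vulnerable/other-stream."""
    status = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release, _arch = parse_nvra(line)
        if name not in fixed:
            continue
        if dist_tag(release) != dist_tag(fixed[name]):
            status[name] = "other-stream"  # judged by that stream's own advisory
            continue
        installed = f"{version}-{release}"
        status[name] = "fixed" if evr_cmp(installed, fixed[name]) >= 0 else "vulnerable"
    return status


if __name__ == "__main__":
    for name, state in sorted(check_inventory(SAMPLE_INVENTORY).items()):
        print(f"{name:16s} {state}")
```

On the constructed inventory, librsvg2 at 2.50.7-1.el9_0 is reported vulnerable, librsvg2-tools at 2.50.7-1.el9_0.1 fixed, and the plain-el9 librsvg2-devel as other-stream. On a live RHEL host, dnf updateinfo remains the authoritative answer because it knows which stream and advisories apply; this comparison is for offline inventories and SBOM-style package lists where dnf is not available.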
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
Gentoo Linux Security Advisory 202408-14 - A vulnerability has been discovered in Librsvg, which can lead to arbitrary file reads. Versions prior to 2.56.3 are affected.
Red Hat Security Advisory 2023-5081-01 - The librsvg2 packages provide a Scalable Vector Graphics library based on the libart library.
An update for librsvg2 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-38633: A directory traversal vulnerability was discovered in the URL decoder of Librsvg. This issue occurs when xinclude href has special characters; demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element, which can allow an attacker to send a specially crafted URL request containing "dot dot" sequences (/../) to vie...
Red Hat Security Advisory 2023-4809-01 - The librsvg2 packages provide a Scalable Vector Graphics library based on the libart library.
Debian Linux Security Advisory 5484-1 - Zac Sims discovered a directory traversal in the URL decoder of librsvg, a SAX-based renderer library for SVG files, which could result in read of arbitrary files when processing a specially crafted SVG file with an include element.
Ubuntu Security Notice 6266-1 - Zac Sims discovered that librsvg incorrectly handled decoding URLs. A remote attacker could possibly use this issue to read arbitrary files by using an include element.
A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element.