oss-sec mailing list archives

Re: CVE-2023-38633 in librsvg: Arbitrary file read when xinclude href has special characters


From: Alan Coopersmith <alan.coopersmith () oracle com>
Date: Wed, 6 Sep 2023 13:00:05 -0700

On 7/27/23 13:36, Alan Coopersmith wrote:
> I haven't seen this go by yet, so for those who haven't seen it:
>
> https://gitlab.gnome.org/GNOME/librsvg/-/issues/996 reports:
>
> CVE-2023-38633: Arbitrary file read when xinclude href has special characters
>
> This was reported by Zac Sims.

Zac's writeup on how the bug was found is now available at:
https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/

It points to a root cause of mixing two different URL parsers, with one used to
validate the URL and a different one used to load the content from it.

--
        -Alan Coopersmith-                 alan.coopersmith () oracle com
         Oracle Solaris Engineering - https://blogs.oracle.com/solaris
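The root cause named above (one URL parser validating the reference, a different one resolving it) is easy to reproduce in miniature. The following is an added illustration written for this archive page, not librsvg's code; the base document location, the two resolver functions and the sample hrefs are all hypothetical. The "validator" uses Python's urllib.parse, which understands `?` as the start of a query string; the "loader" treats the same href as a plain relative filesystem path, so a query string containing `..` segments walks out of the allowed directory after the check has already passed. The hardened variant parses once and hands the loader the very path that was checked.

```python
import posixpath
from urllib.parse import unquote, urljoin, urlsplit

# Hypothetical base document: the directory that includes are allowed to read from.
BASE_URL = "file:///srv/svg/doc.svg"
BASE_DIR = "/srv/svg"


def _inside_base(path: str) -> bool:
    """True if an absolute, dot-normalised path is BASE_DIR or lies beneath it."""
    return path == BASE_DIR or path.startswith(BASE_DIR + "/")


def validate_with_url_parser(href: str) -> bool:
    """Parser #1 (validation): resolve href against the base document as a URL
    and require a file: URL whose path stays inside BASE_DIR.
    Note that '?' and everything after it is treated as a query, not a path."""
    parts = urlsplit(urljoin(BASE_URL, href))
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        return False
    return _inside_base(posixpath.normpath(unquote(parts.path)))


def load_path_naive(href: str) -> str:
    """Parser #2 (loading): treats href as a relative filesystem path.
    It knows nothing about URL syntax, so '?query' becomes part of the path
    and '..' segments inside it are honoured by normpath."""
    return posixpath.normpath(posixpath.join(BASE_DIR, href))


def vulnerable_resolve(href: str) -> str:
    """Check with one parser, load with another: the classic mismatch."""
    if not validate_with_url_parser(href):
        raise ValueError("rejected by validator")
    return load_path_naive(href)


def hardened_resolve(href: str) -> str:
    """Parse once; the path returned is exactly the path that was checked."""
    parts = urlsplit(urljoin(BASE_URL, href))
    if parts.scheme != "file" or parts.netloc not in ("", "localhost"):
        raise ValueError("only local file: references are allowed")
    path = posixpath.normpath(unquote(parts.path))
    if not _inside_base(path):
        raise ValueError("reference escapes the base directory")
    return path


if __name__ == "__main__":
    # Constructed sample hrefs, in the spirit of an xinclude href attribute.
    benign = "icon.svg"
    # Looks like path "." plus a query to a URL parser; looks like a deep
    # traversal to a parser that ignores '?'.
    crafted = ".?../../../../../../etc/passwd"
    print("benign  ->", vulnerable_resolve(benign))
    print("crafted ->", vulnerable_resolve(crafted))   # escapes BASE_DIR
    print("hardened->", hardened_resolve(crafted))     # stays in BASE_DIR
```

The fix is not a better blocklist of characters: it is making sure the bytes that were validated are the bytes that are opened, which means deriving the filesystem path from the single parsed URL object rather than re-parsing the original string with a second component.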

