From e7988c7060d7d8b137d18721ef773ef266114690 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Thu, 28 Sep 2023 19:09:55 +0200 Subject: [PATCH] package/librsvg: security bump to version 2.50.9 Fix CVE-2023-38633: A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by href=".?../../../../../../../../../../etc/passwd" in an xi:include element. https://gitlab.gnome.org/GNOME/librsvg/-/blob/2.50.9/NEWS Signed-off-by: Fabrice Fontaine Signed-off-by: Yann E. MORIN --- package/librsvg/librsvg.hash | 4 ++-- package/librsvg/librsvg.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/librsvg/librsvg.hash b/package/librsvg/librsvg.hash index c8da3354f5..4eab8cdfba 100644 --- a/package/librsvg/librsvg.hash +++ b/package/librsvg/librsvg.hash @@ -1,5 +1,5 @@ -# From https://download.gnome.org/sources/librsvg/2.50/librsvg-2.50.7.sha256sum -sha256 fffb61b08cd5282aaae147a02b305166a7426fad22a8b9427708f0f2fc426ebc librsvg-2.50.7.tar.xz +# From https://download.gnome.org/sources/librsvg/2.50/librsvg-2.50.9.sha256sum +sha256 518905fffa879b6c7f3db1aae961cf31333e0eadc7b4cdd4f531707868c54b53 librsvg-2.50.9.tar.xz # Locally computed sha256 dc626520dcd53a22f727af3ee42c770e56c97a64fe3adb063799d8ab032fe551 COPYING.LIB diff --git a/package/librsvg/librsvg.mk b/package/librsvg/librsvg.mk index df6559a858..81a6667817 100644 --- a/package/librsvg/librsvg.mk +++ b/package/librsvg/librsvg.mk @@ -5,7 +5,7 @@ ################################################################################ LIBRSVG_VERSION_MAJOR = 2.50 -LIBRSVG_VERSION = $(LIBRSVG_VERSION_MAJOR).7 +LIBRSVG_VERSION = $(LIBRSVG_VERSION_MAJOR).9 LIBRSVG_SITE = https://download.gnome.org/sources/librsvg/$(LIBRSVG_VERSION_MAJOR) LIBRSVG_SOURCE = librsvg-$(LIBRSVG_VERSION).tar.xz LIBRSVG_INSTALL_STAGING = YES