Merge with Debian's 2.54.7

Bug #2031086 reported by Nathan Teodosio
Affects: librsvg (Ubuntu)
Status: Won't Fix
Importance: Wishlist
Assigned to: Nathan Teodosio

Bug Description

CVE-2023-38633.patch applied upstream, dropped.

Builds succeed[1] dropping delta on debian/rules; Debian's changes suffice.

Also keeping Debian's hunk refreshes on patches.

[1] https://launchpad.net/~nteodosio/+archive/ubuntu/rebuilds/+sourcepub/15066607/+listing-archive-extra

Nathan Teodosio (nteodosio) wrote : Debdiffs
tags: added: patch
Brian Murray (brian-murray) wrote :

While the merge looks great from a sponsoring perspective, I'm curious: what is the reasoning behind doing this merge? From what I can tell the new version has multiple tests disabled and does not include any changes which would benefit users or developers. (Our version of librsvg already has the security fix included.) In my opinion holding off until Debian bug 1038447 is fixed would make sense.

diff -Nru librsvg-2.54.5+dfsg/NEWS librsvg-2.54.7+dfsg/NEWS
--- librsvg-2.54.5+dfsg/NEWS 2022-08-26 21:06:23.000000000 +0200
+++ librsvg-2.54.7+dfsg/NEWS 2023-07-23 01:48:21.000000000 +0200
@@ -1,3 +1,15 @@
+Version 2.54.7
+==============
+
+- Fix compilation on rustc < 1.58.
+
+Version 2.54.6
+==============
+
+This is a security release for bug #996.
+
+- #996 - Fix arbitrary file read when href has special characters.
+

...
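Review bot: The 2.54.6 entry in the NEWS hunk identifies the security fix only by upstream issue number ("#996 - Fix arbitrary file read when href has special characters") and names no CVE, while the merge drops CVE-2023-38633.patch as applied upstream. The debian/changelog entry for the merge should state explicitly that the dropped patch is covered by the 2.54.6 release, and the dropped patch should be compared against the upstream #996 change before removal so the fix is not lost through a mismatch between the two. The 2.54.7 entry ("Fix compilation on rustc < 1.58") is a build fix only, so nothing in this hunk by itself changes security posture relative to a 2.54.5 package that already carries the patch.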

Changed in librsvg (Ubuntu):
status: New → Incomplete
Nathan Teodosio (nteodosio) wrote :

Hmm that's true.

Changed in librsvg (Ubuntu):
status: Incomplete → Won't Fix