From ${URL} : Description Positive Technologies has reported a vulnerability in librsvg, which can be exploited by malicious people to potentially disclose sensitive information. The vulnerability is caused due to an error when parsing XML entities, which can potentially be exploited to e.g. disclose contents of certain local files by tricking a user into opening a specially crafted XML document including external entity references. The vulnerability is reported in versions prior to 2.39. Solution: Update to version 2.39. Provided and/or discovered by: Timur Yunusov and Alexey Osipov, Positive Technologies. Original Advisory: librsvg: http://ftp.gnome.org/pub/GNOME/sources/librsvg/2.39/librsvg-2.39.0.changes PT-2013-01: http://en.securitylab.ru/lab/PT-2013-01 @maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
+*librsvg-2.36.4-r1 (01 Oct 2013) + + 01 Oct 2013; Alexandre Rostovtsev <tetromino@gentoo.org> + +librsvg-2.36.4-r1.ebuild, -librsvg-2.37.0.ebuild, + +files/librsvg-2.36.4-resource-uri-1.patch, + +files/librsvg-2.36.4-resource-uri-2.patch, + +files/librsvg-2.36.4-resource-uri-3.patch: + Fix information disclosure vulnerability (CVE-2013-1881, bug #486600, thanks + to Agostino Sarubbo). Drop vulnerable version. Thanks for letting us know; fixed in 2.36.4-r1 and 2.39.0 =gnome-base/librsvg-2.36.4-r1 should be stabilized.
Arches, please test and mark stable: =gnome-base/librsvg-2.36.4-r1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
amd64 stable
x86 stable
ia64 stable
alpha stable
ppc stable
arm stable
ppc64 stable
sparc stable
CVE-2013-1881 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1881): GNOME libsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Thanks, everyone GLSA vote: no
GLSA vote: no. Closing noglsa.
