CVE-2013-1881
Published: 9 October 2013
GNOME librsvg before 2.39.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Notes
Author | Note |
---|---|
mdeslaur | fixing this also requires a change to gtk+ in raring and earlier |
Priority
Status
Package | Release | Status |
---|---|---|
librsvg | lucid | Ignored (end of life) |
librsvg | precise | Released (2.36.1-0ubuntu1.1) |
librsvg | quantal | Released (2.36.3-0ubuntu1.1) |
librsvg | raring | Ignored (end of life) |
librsvg | saucy | Released (2.36.4-2ubuntu0.1) |
librsvg | upstream | Released (2.40.0-1) |

Patches:
upstream: https://git.gnome.org/browse/librsvg/commit/?id=d83e426fff3f6d0fa6042d0930fb70357db24125
upstream: https://git.gnome.org/browse/librsvg/commit/?id=f01aded72c38f0e18bc7ff67dee800e380251c8e
upstream: https://git.gnome.org/browse/gtk+/commit/?id=86ecf54139874e5e2eee8bfd55b93e28f969bf72 (regression bp)
upstream: https://git.gnome.org/browse/gtk+/commit/?id=7b4f82ccc6c180b809cd3b7b6582394ce741a14e (regression fix)
upstream: https://git.gnome.org/browse/gtk+/commit/?id=3d602f5b0a67a7b515dc5add504e02e486aad70c (regression fix)