Debian Package Tracker

general

source: librsvg (main)
version: 2.46.4-1
maintainer: Debian GNOME Maintainers (archive) (DMD)
uploaders: Tim Lunn [DMD] [DM] – Jeremy Bicha [DMD] – Emilio Pozuelo Monfort [DMD] – Michael Biebl [DMD]
arch: all any
std-ver: 4.4.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.40.5-1+deb8u2
o-o-sec: 2.40.5-1+deb8u2
oldstable: 2.40.16-1
stable: 2.44.10-2.1
testing: 2.46.4-1
unstable: 2.46.4-1

versioned links

2.40.5-1+deb8u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.40.16-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.44.10-2.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.46.4-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

gir1.2-rsvg-2.0
librsvg2-2 (9 bugs: 0, 9, 0, 0)
librsvg2-bin (8 bugs: 0, 5, 3, 0)
librsvg2-common (3 bugs: 0, 3, 0, 0)
librsvg2-dev
librsvg2-doc

action needed

1 security issue in buster high

There is 1 open security issue in buster.

1 important issue:

CVE-2019-20446: In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

Please fix it.

Created: 2020-02-02 Last update: 2020-02-18 15:00

2 security issues in stretch high

There are 2 open security issues in stretch.

1 important issue:

CVE-2019-20446: In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

1 issue skipped by the security teams:

CVE-2017-11464: A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in GNOME librsvg 2.40.17 during an attempted parse of a crafted SVG file, because of incorrect protection against division by zero.

Please fix them.

Created: 2017-07-20 Last update: 2020-02-18 15:00

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2020-02-18 Last update: 2020-02-21 18:33

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 2.46.4-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit b8d2e3cdd5eb3780451881bc84c2640e5e0efe97
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Dec 23 13:03:52 2019 +0000

    d/tests: Mark tests as superficial

commit 1ca2d8e51a58e973bcc05ad22ec1599b28d5d2c6
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Dec 23 13:02:34 2019 +0000

    d/tests/build: Use correct compiler for proposed autopkgtest cross-architecture testing support

commit 0f1e8be1b9b57363f7f7bd1bafe6544b24b86054
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Dec 23 13:01:21 2019 +0000

    d/tests: Remove support for ancient autopkgtest versions
    
    AUTOPKGTEST_TMP is now required to be set, and we do not fall back to
    the deprecated ADTTMP.

commit 7592ddd7526a42a74ed5a9fe7d159371839b7ee2
Author: Simon McVittie <smcv@debian.org>
Date:   Mon Dec 23 12:59:47 2019 +0000

    d/tests/build: Silence a shellcheck warning

Created: 2019-12-26 Last update: 2020-02-19 21:36

2 ignored security issues in jessie low

There are 2 open security issues in jessie.

2 issues skipped by the security teams:

CVE-2016-6163: The rsvg_pattern_fix_fallback function in rsvg-paint_server.c in librsvg2 2.40.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted svg file.
CVE-2019-20446: In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nested patterns can cause denial of service when passed to the library for processing. The attacker constructs pattern elements so that the number of final rendered objects grows exponentially.

Please fix them.

Created: 2016-07-06 Last update: 2020-02-18 15:00

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2018-11-03 Last update: 2018-11-03 22:18

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.5.0 instead of 4.4.1).

Created: 2020-01-21 Last update: 2020-01-21 05:06

news

[rss feed]

[2019-12-24] librsvg 2.46.4-1 MIGRATED to testing (Debian testing watch)
[2019-11-29] Accepted librsvg 2.46.4-1 (source) into unstable (Olivier Tilloy) (signed by: Sebastien Bacher)
[2019-10-07] Accepted librsvg 2.44.15-1 (source) into unstable (Simon McVittie)
[2019-08-14] librsvg 2.44.14-1 MIGRATED to testing (Debian testing watch)
[2019-08-14] librsvg 2.44.14-1 MIGRATED to testing (Debian testing watch)
[2019-08-12] Accepted librsvg 2.44.14-1 (source) into unstable (Simon McVittie)
[2019-05-01] librsvg 2.44.10-2.1 MIGRATED to testing (Debian testing watch)
[2019-04-28] Accepted librsvg 2.44.10-2.1 (source) into unstable (Boyuan Yang)
[2019-04-16] librsvg 2.44.10-2 MIGRATED to testing (Debian testing watch)
[2019-04-11] Accepted librsvg 2.44.10-2 (source) into unstable (Olivier Tilloy) (signed by: Iain Lane)
[2018-12-17] librsvg 2.44.10-1 MIGRATED to testing (Debian testing watch)
[2018-12-11] Accepted librsvg 2.44.10-1 (source) into unstable (Jeremy Bicha)
[2018-11-21] librsvg 2.44.9-1 MIGRATED to testing (Debian testing watch)
[2018-11-18] librsvg 2.44.8-3 MIGRATED to testing (Debian testing watch)
[2018-11-17] Accepted librsvg 2.44.9-1 (source) into unstable (Jeremy Bicha)
[2018-11-03] Accepted librsvg 2.44.8-3 (source) into unstable (Jeremy Bicha)
[2018-11-03] Accepted librsvg 2.44.8-2 (source) into experimental (Jeremy Bicha)
[2018-11-02] Accepted librsvg 2.44.8-1 (source) into experimental (Simon McVittie)
[2018-09-02] Accepted librsvg 2.44.2-1 (source) into experimental (Simon McVittie)
[2018-09-01] librsvg 2.40.20-3 MIGRATED to testing (Debian testing watch)
[2018-08-29] Accepted librsvg 2.44.1-1 (source) into experimental (Simon McVittie)
[2018-08-26] Accepted librsvg 2.40.20-3 (source) into unstable (Simon McVittie)
[2018-04-01] Accepted librsvg 2.42.3-1 (source) into experimental (Tim Lunn)
[2018-02-12] Accepted librsvg 2.36.1-2+deb7u3 (source all amd64) into oldoldstable (Chris Lamb)
[2018-01-05] librsvg 2.40.20-2 MIGRATED to testing (Debian testing watch)
[2018-01-05] librsvg 2.40.20-2 MIGRATED to testing (Debian testing watch)
[2017-12-31] Accepted librsvg 2.40.20-2 (source) into unstable (Simon McVittie)
[2017-12-20] Accepted librsvg 2.40.20-1 (source) into unstable (Jeremy Bicha)
[2017-12-19] Accepted librsvg 2.40.18-3 (source) into unstable (Jeremy Bicha)
[2017-10-26] librsvg 2.40.18-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 23 24
RC: 0
I&N: 18 19
M&W: 5
F&P: 0
patch: 1

links

homepage
buildd: logs, checks, clang, reproducibility, cross
popcon
browse source code
edit tags
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.46.4-1ubuntu1
33 bugs (1 patch)
patches for 2.46.4-1ubuntu1