Version in base suite: 2.54.5+dfsg-1 Base version: librsvg_2.54.5+dfsg-1 Target version: librsvg_2.54.7+dfsg-1~deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libr/librsvg/librsvg_2.54.5+dfsg-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libr/librsvg/librsvg_2.54.7+dfsg-1~deb12u1.dsc /srv/release.debian.org/tmp/_p4AnTinXT/librsvg-2.54.7+dfsg/tests/fixtures/reftests/filter-morphology-from-reference-page-ref.png |binary librsvg-2.54.7+dfsg/Cargo.lock | 2 librsvg-2.54.7+dfsg/Cargo.toml | 2 librsvg-2.54.7+dfsg/NEWS | 12 librsvg-2.54.7+dfsg/configure | 22 - librsvg-2.54.7+dfsg/configure.ac | 2 librsvg-2.54.7+dfsg/debian/changelog | 42 ++ librsvg-2.54.7+dfsg/debian/control | 14 librsvg-2.54.7+dfsg/debian/control.in | 12 librsvg-2.54.7+dfsg/debian/gbp.conf | 4 librsvg-2.54.7+dfsg/debian/librsvg2-tests.control | 13 librsvg-2.54.7+dfsg/debian/librsvg2-tests.install | 1 librsvg-2.54.7+dfsg/debian/not-installed | 2 librsvg-2.54.7+dfsg/debian/patches/10_rsvg-gz.patch | 4 librsvg-2.54.7+dfsg/debian/patches/Link-librsvg-with-libpthread-fixing-a-link-failure.patch | 2 librsvg-2.54.7+dfsg/debian/patches/debian/tests-Skip-known-failing-tests-on-i386.patch | 33 + librsvg-2.54.7+dfsg/debian/patches/series | 1 librsvg-2.54.7+dfsg/debian/patches/thin-lto.patch | 4 librsvg-2.54.7+dfsg/debian/rules | 31 + librsvg-2.54.7+dfsg/debian/tests/control | 4 librsvg-2.54.7+dfsg/debian/tests/librsvg2-tests.control | 5 librsvg-2.54.7+dfsg/doc/librsvg.toml | 2 librsvg-2.54.7+dfsg/include/librsvg/rsvg-version.h | 4 librsvg-2.54.7+dfsg/include/librsvg/rsvg.h | 12 librsvg-2.54.7+dfsg/src/error.rs | 27 - librsvg-2.54.7+dfsg/src/lib.rs | 12 librsvg-2.54.7+dfsg/src/url_resolver.rs | 183 +++++++--- librsvg-2.54.7+dfsg/tests/Makefile.am | 2 librsvg-2.54.7+dfsg/tests/Makefile.in | 2 librsvg-2.54.7+dfsg/tests/fixtures/loading/bar.svg | 1 librsvg-2.54.7+dfsg/tests/fixtures/loading/disallowed-996-ref.svg | 10 librsvg-2.54.7+dfsg/tests/fixtures/loading/disallowed-996.svg | 12 
librsvg-2.54.7+dfsg/tests/fixtures/loading/foo.svg | 1 librsvg-2.54.7+dfsg/tests/fixtures/loading/subdir/baz.svg | 1 librsvg-2.54.7+dfsg/tests/fixtures/reftests/filter-morphology-from-reference-page.svg | 37 -- librsvg-2.54.7+dfsg/tests/src/loading_disallowed.rs | 7 librsvg-2.54.7+dfsg/tests/src/main.rs | 3 librsvg-2.54.7+dfsg/win32/config-msvc.mak | 2 librsvg-2.54.7+dfsg/win32/config.h.win32 | 6 39 files changed, 392 insertions(+), 144 deletions(-) diff -Nru librsvg-2.54.5+dfsg/Cargo.lock librsvg-2.54.7+dfsg/Cargo.lock --- librsvg-2.54.5+dfsg/Cargo.lock 2022-08-26 19:06:23.000000000 +0000 +++ librsvg-2.54.7+dfsg/Cargo.lock 2023-07-22 23:48:49.000000000 +0000 @@ -880,7 +880,7 @@ [[package]] name = "librsvg" -version = "2.54.5" +version = "2.54.7" dependencies = [ "anyhow", "assert_cmd", diff -Nru librsvg-2.54.5+dfsg/Cargo.toml librsvg-2.54.7+dfsg/Cargo.toml --- librsvg-2.54.5+dfsg/Cargo.toml 2022-08-26 19:06:23.000000000 +0000 +++ librsvg-2.54.7+dfsg/Cargo.toml 2023-07-22 23:48:49.000000000 +0000 @@ -1,6 +1,6 @@ [package] name = "librsvg" -version = "2.54.5" +version = "2.54.7" authors = ["Federico Mena Quintero "] build = "build.rs" edition = "2021" diff -Nru librsvg-2.54.5+dfsg/NEWS librsvg-2.54.7+dfsg/NEWS --- librsvg-2.54.5+dfsg/NEWS 2022-08-26 19:06:23.000000000 +0000 +++ librsvg-2.54.7+dfsg/NEWS 2023-07-22 23:48:21.000000000 +0000 @@ -1,3 +1,15 @@ +Version 2.54.7 +============== + +- Fix compilation on rustc < 1.58. + +Version 2.54.6 +============== + +This is a security release for bug #996. + +- #996 - Fix arbitrary file read when href has special characters. + Version 2.54.5 ============== diff -Nru librsvg-2.54.5+dfsg/configure librsvg-2.54.7+dfsg/configure --- librsvg-2.54.5+dfsg/configure 2022-08-26 19:06:45.000000000 +0000 +++ librsvg-2.54.7+dfsg/configure 2023-07-22 23:51:49.000000000 +0000 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for RSVG 2.54.5. +# Generated by GNU Autoconf 2.71 for RSVG 2.54.7. # # Report bugs to . # @@ -621,8 +621,8 @@ # Identity of this package. PACKAGE_NAME='RSVG' PACKAGE_TARNAME='librsvg' -PACKAGE_VERSION='2.54.5' -PACKAGE_STRING='RSVG 2.54.5' +PACKAGE_VERSION='2.54.7' +PACKAGE_STRING='RSVG 2.54.7' PACKAGE_BUGREPORT='https://gitlab.gnome.org/GNOME/librsvg/issues' PACKAGE_URL='' @@ -1465,7 +1465,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures RSVG 2.54.5 to adapt to many kinds of systems. +\`configure' configures RSVG 2.54.7 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1536,7 +1536,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of RSVG 2.54.5:";; + short | recursive ) echo "Configuration of RSVG 2.54.7:";; esac cat <<\_ACEOF @@ -1690,7 +1690,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -RSVG configure 2.54.5 +RSVG configure 2.54.7 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -1989,7 +1989,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by RSVG $as_me 2.54.5, which was +It was created by RSVG $as_me 2.54.7, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3264,7 +3264,7 @@ # Define the identity of the package. PACKAGE='librsvg' - VERSION='2.54.5' + VERSION='2.54.7' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -3570,7 +3570,7 @@ LIBRSVG_MINOR_VERSION=54 -LIBRSVG_MICRO_VERSION=5 +LIBRSVG_MICRO_VERSION=7 CAIRO_REQUIRED=1.16.0 
@@ -16620,7 +16620,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by RSVG $as_me 2.54.5, which was +This file was extended by RSVG $as_me 2.54.7, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16688,7 +16688,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -RSVG config.status 2.54.5 +RSVG config.status 2.54.7 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" diff -Nru librsvg-2.54.5+dfsg/configure.ac librsvg-2.54.7+dfsg/configure.ac --- librsvg-2.54.5+dfsg/configure.ac 2022-08-26 19:06:23.000000000 +0000 +++ librsvg-2.54.7+dfsg/configure.ac 2023-07-22 23:48:42.000000000 +0000 @@ -3,7 +3,7 @@ # Package version, the "human readable" version m4_define([rsvg_major_version],[2]) m4_define([rsvg_minor_version],[54]) -m4_define([rsvg_micro_version],[5]) # Keep this in sync with Cargo.toml and doc/librsvg.toml +m4_define([rsvg_micro_version],[7]) # Keep this in sync with Cargo.toml and doc/librsvg.toml m4_define([rsvg_version],[rsvg_major_version.rsvg_minor_version.rsvg_micro_version]) # Library version information. To make a release: diff -Nru librsvg-2.54.5+dfsg/debian/changelog librsvg-2.54.7+dfsg/debian/changelog --- librsvg-2.54.5+dfsg/debian/changelog 2022-09-22 21:00:54.000000000 +0000 +++ librsvg-2.54.7+dfsg/debian/changelog 2023-07-30 16:13:13.000000000 +0000 
@@ -1,3 +1,45 @@ +librsvg (2.54.7+dfsg-1~deb12u1) bookworm-security; urgency=medium + + * Team upload + * Rebuild for bookworm-security + + -- Simon McVittie Sun, 30 Jul 2023 17:13:13 +0100 + +librsvg (2.54.7+dfsg-1) unstable; urgency=high + + * Team upload + * New upstream stable release 2.54.6 + - Fix a directory traversal vulnerability + (Closes: #1041810, CVE-2023-38633) + - Drop a redundant test-case that frequently regressed as a result of + non-problematic font rendering changes + * New upstream stable release 2.54.7 + - Fix compilation of 2.54.6 on rustc < 1.58 + * d/rules: Skip several known-failing reftests on big-endian architectures. + These succeeded when librsvg_2.54.5+dfsg-1 was uploaded in September + 2022, but regressed sometime between then and the bookworm release, + presumably as a result of changes in some other package. + (Mitigates: #1038447) + + -- Simon McVittie Sun, 30 Jul 2023 15:13:38 +0100 + +librsvg (2.54.5+dfsg-3) unstable; urgency=medium + + * Team upload + * d/p/debian/tests-Skip-known-failing-tests-on-i386.patch: + Skip two tests that have started failing on i386 since October 2022 + (Mitigates: #1038252) + + -- Simon McVittie Sun, 18 Jun 2023 18:53:35 +0100 + +librsvg (2.54.5+dfsg-2) unstable; urgency=medium + + * Restore the librsvg2-tests build and corresponding autopkgtests + which were set up a while ago but disabled to avoid having the upload + blocked in the Debian NEW queue. Include the svg needed for the tests. + + -- Sebastien Bacher Tue, 13 Jun 2023 17:25:43 +0200 + librsvg (2.54.5+dfsg-1) unstable; urgency=medium * New upstream release diff -Nru librsvg-2.54.5+dfsg/debian/control librsvg-2.54.7+dfsg/debian/control --- librsvg-2.54.5+dfsg/debian/control 2022-09-22 21:00:54.000000000 +0000 +++ librsvg-2.54.7+dfsg/debian/control 2023-07-30 16:13:13.000000000 +0000 
@@ -6,7 +6,7 @@ Section: libs Priority: optional Maintainer: Debian GNOME Maintainers -Uploaders: Emilio Pozuelo Monfort , Iain Lane , Laurent Bigonville , Michael Biebl , Tim Lunn +Uploaders: Emilio Pozuelo Monfort , Jeremy Bicha , Laurent Bigonville , Michael Biebl , Tim Lunn Build-Depends: debhelper-compat (= 13), cargo, dh-sequence-gir, @@ -99,6 +99,18 @@ This package includes a command-line utility to convert the SVG files to the PNG format. +Package: librsvg2-tests +Section: misc +Architecture: any +Depends: ${misc:Depends}, + ${shlibs:Depends} +Description: automated tests for RSVG library + The rsvg library is an efficient renderer for Scalable Vector Graphics + (SVG) pictures. + . + This package contains automated tests, which can be run with + gnome-desktop-testing or autopkgtest. + Package: gir1.2-rsvg-2.0 Section: introspection Architecture: any diff -Nru librsvg-2.54.5+dfsg/debian/control.in librsvg-2.54.7+dfsg/debian/control.in --- librsvg-2.54.5+dfsg/debian/control.in 2022-09-22 21:00:54.000000000 +0000 +++ librsvg-2.54.7+dfsg/debian/control.in 2023-07-30 16:13:13.000000000 +0000 @@ -95,6 +95,18 @@ This package includes a command-line utility to convert the SVG files to the PNG format. +Package: librsvg2-tests +Section: misc +Architecture: any +Depends: ${misc:Depends}, + ${shlibs:Depends} +Description: automated tests for RSVG library + The rsvg library is an efficient renderer for Scalable Vector Graphics + (SVG) pictures. + . + This package contains automated tests, which can be run with + gnome-desktop-testing or autopkgtest. + Package: gir1.2-rsvg-2.0 Section: introspection Architecture: any diff -Nru librsvg-2.54.5+dfsg/debian/gbp.conf librsvg-2.54.7+dfsg/debian/gbp.conf --- librsvg-2.54.5+dfsg/debian/gbp.conf 2022-09-22 21:00:54.000000000 +0000 +++ librsvg-2.54.7+dfsg/debian/gbp.conf 2023-07-30 16:13:13.000000000 +0000 
@@ -1,7 +1,7 @@
 [DEFAULT]
 pristine-tar = True
-debian-branch = debian/master
-upstream-branch = upstream/latest
+debian-branch = debian/bookworm
+upstream-branch = upstream/2.54.x
 
 [buildpackage]
 sign-tags = True
diff -Nru librsvg-2.54.5+dfsg/debian/librsvg2-tests.control librsvg-2.54.7+dfsg/debian/librsvg2-tests.control
--- librsvg-2.54.5+dfsg/debian/librsvg2-tests.control 2022-09-22 21:00:54.000000000 +0000
+++ librsvg-2.54.7+dfsg/debian/librsvg2-tests.control 1970-01-01 00:00:00.000000000 +0000
@@ -1,13 +0,0 @@
-# TODO: Move this back into d/control.in when librsvg2-tests has been
-# through the NEW queue
-Package: librsvg2-tests
-Section: misc
-Architecture: any
-Depends: ${misc:Depends},
- ${shlibs:Depends}
-Description: automated tests for RSVG library
- The rsvg library is an efficient renderer for Scalable Vector Graphics
- (SVG) pictures.
- .
- This package contains automated tests, which can be run with
- gnome-desktop-testing or autopkgtest.
diff -Nru librsvg-2.54.5+dfsg/debian/librsvg2-tests.install librsvg-2.54.7+dfsg/debian/librsvg2-tests.install
--- librsvg-2.54.5+dfsg/debian/librsvg2-tests.install 2022-09-22 21:00:54.000000000 +0000
+++ librsvg-2.54.7+dfsg/debian/librsvg2-tests.install 2023-07-30 16:13:13.000000000 +0000
@@ -1,2 +1,3 @@
 usr/libexec/installed-tests
 usr/share/installed-tests
+tests/fixtures/ usr/libexec/installed-tests/RSVG/
diff -Nru librsvg-2.54.5+dfsg/debian/not-installed librsvg-2.54.7+dfsg/debian/not-installed
--- librsvg-2.54.5+dfsg/debian/not-installed 2022-09-22 21:00:54.000000000 +0000
+++ librsvg-2.54.7+dfsg/debian/not-installed 1970-01-01 00:00:00.000000000 +0000
@@ -1,2 +0,0 @@ -usr/libexec/installed-tests -usr/share/installed-tests diff -Nru librsvg-2.54.5+dfsg/debian/patches/10_rsvg-gz.patch librsvg-2.54.7+dfsg/debian/patches/10_rsvg-gz.patch --- librsvg-2.54.5+dfsg/debian/patches/10_rsvg-gz.patch 2022-09-22 21:00:54.000000000 +0000 +++ librsvg-2.54.7+dfsg/debian/patches/10_rsvg-gz.patch 2023-07-30 16:13:13.000000000 +0000 @@ -30,7 +30,7 @@ pub unsafe extern "C" fn rsvg_handle_new_with_flags(flags: RsvgHandleFlags) -> *const RsvgHandle { let obj = glib::Object::new::(&[("flags", &HandleFlags::from_bits_truncate(flags))]) diff --git a/tests/api.c b/tests/api.c -index 8e73c0c..ea6939d 100644 +index 5c494a4..3c87c48 100644 --- a/tests/api.c +++ b/tests/api.c @@ -20,6 +20,9 @@ @@ -74,7 +74,7 @@ static void handle_read_stream_sync (void) { -@@ -1663,6 +1690,7 @@ add_api_tests (void) +@@ -1670,6 +1697,7 @@ add_api_tests (void) g_test_add_func ("/api/handle_new_from_data", handle_new_from_data); g_test_add_func ("/api/handle_new_from_gfile_sync", handle_new_from_gfile_sync); g_test_add_func ("/api/handle_new_from_stream_sync", handle_new_from_stream_sync); diff -Nru librsvg-2.54.5+dfsg/debian/patches/Link-librsvg-with-libpthread-fixing-a-link-failure.patch librsvg-2.54.7+dfsg/debian/patches/Link-librsvg-with-libpthread-fixing-a-link-failure.patch --- librsvg-2.54.5+dfsg/debian/patches/Link-librsvg-with-libpthread-fixing-a-link-failure.patch 2022-09-22 21:00:54.000000000 +0000 +++ librsvg-2.54.7+dfsg/debian/patches/Link-librsvg-with-libpthread-fixing-a-link-failure.patch 2023-07-30 16:13:13.000000000 +0000 @@ -7,7 +7,7 @@ 1 file changed, 1 insertion(+) diff --git a/Makefile.am b/Makefile.am -index 83e73c3..ade8c6c 100644 +index a491579..60e51ca 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -209,6 +209,7 @@ librsvg_@RSVG_API_MAJOR_VERSION@_la_LIBADD = \ diff -Nru librsvg-2.54.5+dfsg/debian/patches/debian/tests-Skip-known-failing-tests-on-i386.patch librsvg-2.54.7+dfsg/debian/patches/debian/tests-Skip-known-failing-tests-on-i386.patch --- librsvg-2.54.5+dfsg/debian/patches/debian/tests-Skip-known-failing-tests-on-i386.patch 1970-01-01 00:00:00.000000000 +0000 +++ librsvg-2.54.7+dfsg/debian/patches/debian/tests-Skip-known-failing-tests-on-i386.patch 2023-07-30 16:13:13.000000000 +0000 @@ -0,0 +1,33 @@ +From: Simon McVittie +Date: Sun, 18 Jun 2023 18:52:32 +0100 +Subject: tests: Skip known-failing tests on i386 + +These seem to have regressed sometime between October 2022 and now, +possibly as a result of upgrading rustc from 1.61 to 1.63. + +Bug-Debian: https://bugs.debian.org/1038252 +Forwarded: not-needed, Debian-specific workaround +--- + src/transform.rs | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/transform.rs b/src/transform.rs +index 6826d90..c32c268 100644 +--- a/src/transform.rs ++++ b/src/transform.rs +@@ -770,6 +770,7 @@ mod tests { + } + + #[test] ++ #[cfg(not(target_arch = "x86"))] + fn parses_valid_transform() { + let t = Transform::new_unchecked(1.0, 0.0, 0.0, 1.0, 20.0, 30.0); + let s = Transform::new_unchecked(10.0, 0.0, 0.0, 10.0, 0.0, 0.0); +@@ -885,6 +886,7 @@ mod tests { + } + + #[test] ++ #[cfg(not(target_arch = "x86"))] + fn parses_transform_list() { + let t = Transform::new_unchecked(1.0, 0.0, 0.0, 1.0, 20.0, 30.0); + let s = Transform::new_unchecked(10.0, 0.0, 0.0, 10.0, 0.0, 0.0); diff -Nru librsvg-2.54.5+dfsg/debian/patches/series librsvg-2.54.7+dfsg/debian/patches/series --- librsvg-2.54.5+dfsg/debian/patches/series 2022-09-22 21:00:54.000000000 +0000 +++ librsvg-2.54.7+dfsg/debian/patches/series 2023-07-30 16:13:13.000000000 +0000 
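Review bot: `#[cfg(not(target_arch = "x86"))]` on `parses_valid_transform` and `parses_transform_list` compiles the two tests out entirely on every 32-bit x86 target, so the test runner no longer reports them at all and nobody will notice when the regression tracked in Bug-Debian 1038252 is fixed. `#[cfg_attr(target_arch = "x86", ignore)]` keeps them compiled and listed as ignored, which is the conventional way to park a known failure and makes the skip visible in the test output. The patch header itself marks the rustc 1.61 to 1.63 attribution as a guess, so a one-line comment next to each attribute pointing at the bug would help whoever refreshes the patch later. The `mod tests` block these attributes live in starts and ends outside the hunk.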
@@ -3,3 +3,4 @@ Skip-invalid_viewbox-test-on-32-bit-x86.patch debian/tests-Replace-a-CC-BY-SA-2.0-test-image-with-a-simpler-on.patch Link-librsvg-with-libpthread-fixing-a-link-failure.patch +debian/tests-Skip-known-failing-tests-on-i386.patch diff -Nru librsvg-2.54.5+dfsg/debian/patches/thin-lto.patch librsvg-2.54.7+dfsg/debian/patches/thin-lto.patch --- librsvg-2.54.5+dfsg/debian/patches/thin-lto.patch 2022-09-22 21:00:54.000000000 +0000 +++ librsvg-2.54.7+dfsg/debian/patches/thin-lto.patch 2023-07-30 16:13:13.000000000 +0000 @@ -9,10 +9,10 @@ 1 file changed, 3 insertions(+) diff --git a/Cargo.toml b/Cargo.toml -index 45f7d62..5d763db 100644 +index 8fb4a86..20902fc 100644 --- a/Cargo.toml +++ b/Cargo.toml -@@ -131,3 +131,6 @@ harness = false +@@ -134,3 +134,6 @@ harness = false [[bench]] name = "surface_from_pixbuf" harness = false diff -Nru librsvg-2.54.5+dfsg/debian/rules librsvg-2.54.7+dfsg/debian/rules --- librsvg-2.54.5+dfsg/debian/rules 2022-09-22 21:00:54.000000000 +0000 +++ librsvg-2.54.7+dfsg/debian/rules 2023-07-30 16:13:13.000000000 +0000 
@@ -63,6 +63,37 @@ rm -f tests/fixtures/reftests/svg1.1/filters-composite-02-b.svg rm -f tests/fixtures/reftests/svg1.1/filters-composite-02-b-ref.png endif +ifeq ($(DEB_HOST_ARCH_ENDIAN),big) + # Several tests regressed on big-endian architectures sometime between + # September 2022 and June 2023 as a result of changes in some other + # package. + # https://bugs.debian.org/1038447, GNOME/librsvg#972 + rm -f tests/fixtures/reftests/svg1.1/coords-viewattr-02-b.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#973 + rm -f tests/fixtures/reftests/filter-kernel-unit-length.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#974 + rm -f tests/fixtures/reftests/svg1.1/filters-composite-04-f.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#975 + rm -f tests/fixtures/reftests/svg1.1/filters-conv-02-f.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#976 + rm -f tests/fixtures/reftests/svg1.1/filters-conv-03-f.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#977 + rm -f tests/fixtures/reftests/svg1.1/filters-conv-04-f.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#978 + rm -f tests/fixtures/reftests/svg1.1/filters-image-01-b.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#979 + rm -f tests/fixtures/reftests/svg1.1/filters-image-02-b.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#980 + rm -f tests/fixtures/reftests/svg1.1/filters-image-03-f.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#981 + rm -f tests/fixtures/reftests/svg1.1/filters-image-05-f.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#982 + rm -f tests/fixtures/reftests/svg1.1/pservers-grad-05-b.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#983 + rm -f tests/fixtures/reftests/svg1.1/pservers-grad-06-b.svg + # https://bugs.debian.org/1038447, GNOME/librsvg#984 + rm -f tests/fixtures/reftests/svg1.1/struct-symbol-01-b.svg +endif rm -f tests/fixtures/reftests/bugs/730-font-scaling-ref.png rm -f tests/fixtures/reftests/bugs/730-font-scaling.svg rm 
-f tests/fixtures/reftests/svg1.1/text-text-03-b-ref.png
diff -Nru librsvg-2.54.5+dfsg/debian/tests/control librsvg-2.54.7+dfsg/debian/tests/control
--- librsvg-2.54.5+dfsg/debian/tests/control 2022-09-22 21:00:54.000000000 +0000
+++ librsvg-2.54.7+dfsg/debian/tests/control 2023-07-30 16:13:13.000000000 +0000
@@ -5,3 +5,7 @@
 Tests: convert
 Depends: file, librsvg2-bin
 Restrictions: allow-stderr, superficial
+
+Tests: gnome-desktop-testing
+Depends: gnome-desktop-testing, librsvg2-tests
+Restrictions: allow-stderr
diff -Nru librsvg-2.54.5+dfsg/debian/tests/librsvg2-tests.control librsvg-2.54.7+dfsg/debian/tests/librsvg2-tests.control
--- librsvg-2.54.5+dfsg/debian/tests/librsvg2-tests.control 2022-09-22 21:00:54.000000000 +0000
+++ librsvg-2.54.7+dfsg/debian/tests/librsvg2-tests.control 1970-01-01 00:00:00.000000000 +0000
@@ -1,5 +0,0 @@
-# TODO: Move this back into d/tests/control when librsvg2-tests has been
-# through the NEW queue
-Tests: gnome-desktop-testing
-Depends: gnome-desktop-testing, librsvg2-tests
-Restrictions: allow-stderr
diff -Nru librsvg-2.54.5+dfsg/doc/librsvg.toml librsvg-2.54.7+dfsg/doc/librsvg.toml
--- librsvg-2.54.5+dfsg/doc/librsvg.toml 2022-08-26 19:06:23.000000000 +0000
+++ librsvg-2.54.7+dfsg/doc/librsvg.toml 2023-07-22 23:48:55.000000000 +0000
@@ -1,5 +1,5 @@
 [library]
-version = "2.54.5"
+version = "2.54.7"
 description = "Librsvg - load and render SVG documents"
 authors = "Librsvg developers"
 license = "LGPL-2.1-or-later"
diff -Nru librsvg-2.54.5+dfsg/include/librsvg/rsvg-version.h librsvg-2.54.7+dfsg/include/librsvg/rsvg-version.h
--- librsvg-2.54.5+dfsg/include/librsvg/rsvg-version.h 2022-08-26 19:06:53.000000000 +0000
+++ librsvg-2.54.7+dfsg/include/librsvg/rsvg-version.h 2023-07-22 23:51:51.000000000 +0000
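Review bot: The new `ifeq ($(DEB_HOST_ARCH_ENDIAN),big)` block removes only the `.svg` half of each skipped reftest, whereas the block immediately above it removes both `filters-composite-02-b.svg` and `filters-composite-02-b-ref.png`; the thirteen matching `-ref.png` files stay in the tree and, if the `tests/fixtures/` install line elsewhere in this upload copies the tree after this rule runs, end up in the binary package as orphaned references. If the harness enumerates only `.svg` files this is harmless, but it is inconsistent with the existing block and should either also remove the `-ref.png` files or say in the comment why they are kept. The comment also states the regressions happened `as a result of changes in some other package`, while the changelog entry for the same change says `presumably`; the comment should carry the same hedge. The enclosing rule starts before the hunk.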
@@ -7,7 +7,7 @@ #define LIBRSVG_MAJOR_VERSION (2) #define LIBRSVG_MINOR_VERSION (54) -#define LIBRSVG_MICRO_VERSION (5) -#define LIBRSVG_VERSION "2.54.5" +#define LIBRSVG_MICRO_VERSION (7) +#define LIBRSVG_VERSION "2.54.7" #endif diff -Nru librsvg-2.54.5+dfsg/include/librsvg/rsvg.h librsvg-2.54.7+dfsg/include/librsvg/rsvg.h --- librsvg-2.54.5+dfsg/include/librsvg/rsvg.h 2022-08-26 19:06:23.000000000 +0000 +++ librsvg-2.54.7+dfsg/include/librsvg/rsvg.h 2023-07-20 02:02:15.000000000 +0000 
@@ -132,28 +132,30 @@ * 1. All `data:` URLs may be loaded. These are sometimes used * to include raster image data, encoded as base-64, directly in an SVG file. * - * 2. All other URL schemes in references require a base URL. For + * 2. URLs with queries ("?") or fragment identifiers ("#") are not allowed. + * + * 3. All URL schemes other than data: in references require a base URL. For * example, this means that if you load an SVG with * [ctor@Rsvg.Handle.new_from_data] without calling [method@Rsvg.Handle.set_base_uri], * then any referenced files will not be allowed (e.g. raster images to be * loaded from other files will not work). * - * 3. If referenced URLs are absolute, rather than relative, then they must + * 4. If referenced URLs are absolute, rather than relative, then they must * have the same scheme as the base URL. For example, if the base URL has a * `file` scheme, then all URL references inside the SVG must * also have the `file` scheme, or be relative references which * will be resolved against the base URL. * - * 4. If referenced URLs have a `resource` scheme, that is, + * 5. If referenced URLs have a `resource` scheme, that is, * if they are included into your binary program with GLib's resource * mechanism, they are allowed to be loaded (provided that the base URL is * also a `resource`, per the previous rule). * - * 5. Otherwise, non-`file` schemes are not allowed. For + * 6. Otherwise, non-`file` schemes are not allowed. For * example, librsvg will not load `http` resources, to keep * malicious SVG data from "phoning home". * - * 6. A relative URL must resolve to the same directory as the base URL, or to + * 7. A relative URL must resolve to the same directory as the base URL, or to * one of its subdirectories. Librsvg will canonicalize filenames, by * removing ".." path components and resolving symbolic links, to decide whether * files meet these conditions. 
diff -Nru librsvg-2.54.5+dfsg/src/error.rs librsvg-2.54.7+dfsg/src/error.rs --- librsvg-2.54.5+dfsg/src/error.rs 2022-08-26 19:06:23.000000000 +0000 +++ librsvg-2.54.7+dfsg/src/error.rs 2023-07-22 23:45:45.000000000 +0000 @@ -313,6 +313,12 @@ /// or in one directory below the base file. NotSiblingOrChildOfBaseFile, + /// Loaded file:// URLs cannot have a query part, e.g. `file:///foo?blah` + NoQueriesAllowed, + + /// URLs may not have fragment identifiers at this stage + NoFragmentIdentifierAllowed, + /// Error when obtaining the file path or the base file path InvalidPath, 
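Review bot: The doc comment on `NoQueriesAllowed` says `Loaded file:// URLs cannot have a query part`, but in src/url_resolver.rs the `url.query().is_some()` check runs before any scheme check, so the error is returned for any non-data: URL, including resource: ones. Suggest `/// Non-data: URLs cannot have a query part, e.g. file:///foo?blah`. The `at this stage` in the `NoFragmentIdentifierAllowed` comment is vague; the resolver's own comment says fragments are expected to have been stripped by NodeId, so `/// Fragment identifiers should have been stripped (by NodeId) before a URL reaches the resolver` would say why the error exists. The `AllowedUrlError` enum starts before the hunk.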
@@ -325,17 +331,18 @@ impl fmt::Display for AllowedUrlError { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { + use AllowedUrlError::*; match *self { - AllowedUrlError::UrlParseError(e) => write!(f, "URL parse error: {}", e), - AllowedUrlError::BaseRequired => write!(f, "base required"), - AllowedUrlError::DifferentUriSchemes => write!(f, "different URI schemes"), - AllowedUrlError::DisallowedScheme => write!(f, "disallowed scheme"), - AllowedUrlError::NotSiblingOrChildOfBaseFile => { - write!(f, "not sibling or child of base file") - } - AllowedUrlError::InvalidPath => write!(f, "invalid path"), - AllowedUrlError::BaseIsRoot => write!(f, "base is root"), - AllowedUrlError::CanonicalizationError => write!(f, "canonicalization error"), + UrlParseError(e) => write!(f, "URL parse error: {}", e), + BaseRequired => write!(f, "base required"), + DifferentUriSchemes => write!(f, "different URI schemes"), + DisallowedScheme => write!(f, "disallowed scheme"), + NotSiblingOrChildOfBaseFile => write!(f, "not sibling or child of base file"), + NoQueriesAllowed => write!(f, "no queries allowed"), + NoFragmentIdentifierAllowed => write!(f, "no fragment identifier allowed"), + InvalidPath => write!(f, "invalid path"), + BaseIsRoot => write!(f, "base is root"), + CanonicalizationError => write!(f, "canonicalization error"), } } } diff -Nru librsvg-2.54.5+dfsg/src/lib.rs librsvg-2.54.7+dfsg/src/lib.rs --- librsvg-2.54.5+dfsg/src/lib.rs 2022-08-26 19:06:23.000000000 +0000 +++ librsvg-2.54.7+dfsg/src/lib.rs 2023-07-20 02:02:15.000000000 +0000 
@@ -105,28 +105,30 @@ //! include raster image data, encoded as base-64, directly in an SVG //! file. //! -//! 2. All other URL schemes in references require a base URL. For +//! 2. URLs with queries ("?") or fragment identifiers ("#") are not allowed. +//! +//! 3. All URL schemes other than data: in references require a base URL. For //! example, this means that if you load an SVG with [`Loader::read_stream`] //! without providing a `base_file`, then any referenced files will not //! be allowed (e.g. raster images to be loaded from other files will //! not work). //! -//! 3. If referenced URLs are absolute, rather than relative, then +//! 4. If referenced URLs are absolute, rather than relative, then //! they must have the same scheme as the base URL. For example, if //! the base URL has a "`file`" scheme, then all URL references inside //! the SVG must also have the "`file`" scheme, or be relative //! references which will be resolved against the base URL. //! -//! 4. If referenced URLs have a "`resource`" scheme, that is, if they +//! 5. If referenced URLs have a "`resource`" scheme, that is, if they //! are included into your binary program with GLib's resource //! mechanism, they are allowed to be loaded (provided that the base //! URL is also a "`resource`", per the previous rule). //! -//! 5. Otherwise, non-`file` schemes are not allowed. For example, +//! 6. Otherwise, non-`file` schemes are not allowed. For example, //! librsvg will not load `http` resources, to keep malicious SVG data //! from "phoning home". //! -//! 6. A relative URL must resolve to the same directory as the base +//! 7. A relative URL must resolve to the same directory as the base //! URL, or to one of its subdirectories. Librsvg will canonicalize //! filenames, by removing "`..`" path components and resolving symbolic //! links, to decide whether files meet these conditions. 
diff -Nru librsvg-2.54.5+dfsg/src/url_resolver.rs librsvg-2.54.7+dfsg/src/url_resolver.rs --- librsvg-2.54.5+dfsg/src/url_resolver.rs 2022-08-26 19:06:23.000000000 +0000 +++ librsvg-2.54.7+dfsg/src/url_resolver.rs 2023-07-20 02:02:15.000000000 +0000 @@ -1,13 +1,13 @@ //! Determine which URLs are allowed for loading. use std::fmt; -use std::io; use std::ops::Deref; -use std::path::{Path, PathBuf}; use url::Url; use crate::error::AllowedUrlError; +/// Decides which URLs are allowed to be loaded. +/// /// Currently only contains the base URL. /// /// The plan is to add: @@ -29,6 +29,11 @@ UrlResolver { base_url } } + /// Decides which URLs are allowed to be loaded based on the presence of a base URL. + /// + /// This function implements the policy described in "Security and locations of + /// referenced files" in the [crate + /// documentation](index.html#security-and-locations-of-referenced-files). pub fn resolve_href(&self, href: &str) -> Result { let url = Url::options() .base_url(self.base_url.as_ref()) @@ -40,6 +45,17 @@ return Ok(AllowedUrl(url)); } + // Queries are not allowed. + if url.query().is_some() { + return Err(AllowedUrlError::NoQueriesAllowed); + } + + // Fragment identifiers are not allowed. They should have been stripped + // upstream, by NodeId. + if url.fragment().is_some() { + return Err(AllowedUrlError::NoFragmentIdentifierAllowed); + } + // All other sources require a base url if self.base_url.is_none() { return Err(AllowedUrlError::BaseRequired); 
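Review bot: The query and fragment rejections added to `resolve_href` sit after the data: early return (`return Ok(AllowedUrl(url));`), so a data: URL carrying a `?query` or `#fragment` is still accepted, while rule 2 in the crate documentation updated in this same upload (src/lib.rs and rsvg.h) states unconditionally that such URLs are not allowed. Either the rule text should say the restriction applies to everything except data: URLs, or the two checks should move above the early return if the stricter reading is intended. The `// They should have been stripped upstream, by NodeId.` comment states a caller invariant that the function then enforces anyway; `// Defensive check: NodeId is expected to strip fragments before we get here.` makes the intent clearer. `resolve_href` continues outside the hunk.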
@@ -62,6 +78,26 @@ return Err(AllowedUrlError::DisallowedScheme); } + // The rest of this function assumes file: URLs; guard against + // incorrect refactoring. + assert!(url.scheme() == "file"); + + // If we have a base_uri of "file:///foo/bar.svg", and resolve an href of ".", + // Url.parse() will give us "file:///foo/". We don't want that, so check + // if the last path segment is empty - it will not be empty for a normal file. + + if let Some(segments) = url.path_segments() { + if segments + .last() + .expect("URL path segments always contain at last 1 element") + .is_empty() + { + return Err(AllowedUrlError::NotSiblingOrChildOfBaseFile); + } + } else { + unreachable!("the file: URL cannot have an empty path"); + } + // We have two file: URIs. Now canonicalize them (remove .. and symlinks, etc.) // and see if the directories match @@ -79,13 +115,17 @@ let base_parent = base_parent.unwrap(); - let url_canon = - canonicalize(&url_path).map_err(|_| AllowedUrlError::CanonicalizationError)?; - let parent_canon = - canonicalize(&base_parent).map_err(|_| AllowedUrlError::CanonicalizationError)?; - - if url_canon.starts_with(parent_canon) { - Ok(AllowedUrl(url)) + let path_canon = url_path + .canonicalize() + .map_err(|_| AllowedUrlError::CanonicalizationError)?; + let parent_canon = base_parent + .canonicalize() + .map_err(|_| AllowedUrlError::CanonicalizationError)?; + + if path_canon.starts_with(parent_canon) { + // Finally, convert the canonicalized path back to a URL. + let path_to_url = Url::from_file_path(path_canon).unwrap(); + Ok(AllowedUrl(path_to_url)) } else { Err(AllowedUrlError::NotSiblingOrChildOfBaseFile) } 
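Review bot: `Url::from_file_path(path_canon).unwrap()` turns a canonical path that cannot be represented as a URL into a panic inside library code that is fed untrusted documents; `let path_to_url = Url::from_file_path(path_canon).map_err(|_| AllowedUrlError::InvalidPath)?;` keeps the failure in the `Result` the function already returns, and the `InvalidPath` variant is documented for exactly this case. The `.expect("URL path segments always contain at last 1 element")` message has a typo, `at last` for `at least`. Note also that the returned `AllowedUrl` is now the canonicalized, symlink-resolved path rather than the URL the caller passed, which is right for the traversal check but changes what downstream code sees; a line in the doc comment of `resolve_href` saying the returned URL is canonical would spare callers a surprise. Both hunks are inside `resolve_href`, which starts and ends outside them.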
@@ -116,21 +156,12 @@ } } -// For tests, we don't want to touch the filesystem. In that case, -// assume that we are being passed canonical file names. -#[cfg(not(test))] -fn canonicalize>(path: P) -> Result { - path.as_ref().canonicalize() -} -#[cfg(test)] -fn canonicalize>(path: P) -> Result { - Ok(path.as_ref().to_path_buf()) -} - #[cfg(test)] mod tests { use super::*; + use std::path::PathBuf; + #[test] fn disallows_relative_file_with_no_base_file() { let url_resolver = UrlResolver::new(None); 
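Review bot: Removing the `#[cfg(test)]` stub of `canonicalize` means the unit tests now touch the real filesystem, and the fixture helper in the following hunk resolves `tests/fixtures/loading/bar.svg` relative to the process's working directory; that holds under `cargo test` from the crate root but fails if the test binary is run from elsewhere. A comment above the new `use std::path::PathBuf;`, such as `// Tests below resolve fixture paths relative to the crate root, as cargo test does.`, would record the assumption where the next reader will look for it. The `mod tests` block continues past the hunk.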
@@ -191,48 +222,124 @@
 );
 }
+ fn url_from_test_fixtures(filename_relative_to_librsvg_srcdir: &str) -> Url {
+ let path = PathBuf::from(filename_relative_to_librsvg_srcdir);
+ let absolute = path
+ .canonicalize()
+ .expect("files from test fixtures are supposed to canonicalize");
+ Url::from_file_path(absolute).unwrap()
+ }
+
 #[test]
 fn allows_relative() {
- let url_resolver = UrlResolver::new(Some(
- Url::parse(&make_file_uri("/example/bar.svg")).unwrap(),
- ));
+ let base_url = url_from_test_fixtures("tests/fixtures/loading/bar.svg");
+ let url_resolver = UrlResolver::new(Some(base_url));
+
 let resolved = url_resolver.resolve_href("foo.svg").unwrap();
- let expected = make_file_uri("/example/foo.svg");
- assert_eq!(resolved.as_ref(), expected);
+ let resolved_str = resolved.as_str();
+ assert!(resolved_str.ends_with("/loading/foo.svg"));
 }
 #[test]
 fn allows_sibling() {
- let url_resolver = UrlResolver::new(Some(
- Url::parse(&make_file_uri("/example/bar.svg")).unwrap(),
- ));
+ let url_resolver = UrlResolver::new(Some(url_from_test_fixtures(
+ "tests/fixtures/loading/bar.svg",
+ )));
 let resolved = url_resolver
- .resolve_href(&make_file_uri("/example/foo.svg"))
+ .resolve_href(url_from_test_fixtures("tests/fixtures/loading/foo.svg").as_str())
 .unwrap();
- let expected = make_file_uri("/example/foo.svg");
- assert_eq!(resolved.as_ref(), expected);
+
+ let resolved_str = resolved.as_str();
+ assert!(resolved_str.ends_with("/loading/foo.svg"));
 }
 #[test]
 fn allows_child_of_sibling() {
- let url_resolver = UrlResolver::new(Some(
- Url::parse(&make_file_uri("/example/bar.svg")).unwrap(),
- ));
+ let url_resolver = UrlResolver::new(Some(url_from_test_fixtures(
+ "tests/fixtures/loading/bar.svg",
+ )));
 let resolved = url_resolver
- .resolve_href(&make_file_uri("/example/subdir/foo.svg"))
+ .resolve_href(url_from_test_fixtures("tests/fixtures/loading/subdir/baz.svg").as_str())
 .unwrap();
- let expected = make_file_uri("/example/subdir/foo.svg");
- assert_eq!(resolved.as_ref(), expected);
+
+ let resolved_str = resolved.as_str();
+ assert!(resolved_str.ends_with("/loading/subdir/baz.svg"));
 }
+ // Ignore on Windows since we test for /etc/passwd
+ #[cfg(unix)]
 #[test]
 fn disallows_non_sibling() {
+ let url_resolver = UrlResolver::new(Some(url_from_test_fixtures(
+ "tests/fixtures/loading/bar.svg",
+ )));
+ assert!(matches!(
+ url_resolver.resolve_href(&make_file_uri("/etc/passwd")),
+ Err(AllowedUrlError::NotSiblingOrChildOfBaseFile)
+ ));
+ }
+
+ #[test]
+ fn disallows_queries() {
 let url_resolver = UrlResolver::new(Some(
 Url::parse(&make_file_uri("/example/bar.svg")).unwrap(),
 ));
 assert!(matches!(
- url_resolver.resolve_href(&make_file_uri("/etc/passwd")),
+ url_resolver.resolve_href(".?../../../../../../../../../../etc/passwd"),
+ Err(AllowedUrlError::NoQueriesAllowed)
+ ));
+ }
+
+ #[test]
+ fn disallows_weird_relative_uris() {
+ let url_resolver = UrlResolver::new(Some(
+ Url::parse(&make_file_uri("/example/bar.svg")).unwrap(),
+ ));
+
+ assert!(url_resolver
+ .resolve_href(".@../../../../../../../../../../etc/passwd")
+ .is_err());
+ assert!(url_resolver
+ .resolve_href(".$../../../../../../../../../../etc/passwd")
+ .is_err());
+ assert!(url_resolver
+ .resolve_href(".%../../../../../../../../../../etc/passwd")
+ .is_err());
+ assert!(url_resolver
+ .resolve_href(".*../../../../../../../../../../etc/passwd")
+ .is_err());
+ assert!(url_resolver
+ .resolve_href("~/../../../../../../../../../../etc/passwd")
+ .is_err());
+ }
+
+ #[test]
+ fn disallows_dot_sibling() {
+ let url_resolver = UrlResolver::new(Some(
+ Url::parse(&make_file_uri("/example/bar.svg")).unwrap(),
+ ));
+
+ assert!(matches!(
+ url_resolver.resolve_href("."),
 Err(AllowedUrlError::NotSiblingOrChildOfBaseFile)
 ));
+ assert!(matches!(
+ url_resolver.resolve_href(".#../../../../../../../../../../etc/passwd"),
+ Err(AllowedUrlError::NoFragmentIdentifierAllowed)
+ ));
+ }
+
+ #[test]
+ fn disallows_fragment() {
+ // UrlResolver::resolve_href() explicitly disallows fragment identifiers.
+ // This is because they should have been stripped before calling that function,
+ // by NodeId or the Iri machinery.
+ let url_resolver =
+ UrlResolver::new(Some(Url::parse("https://example.com/foo.svg").unwrap()));
+
+ assert!(matches!(
+ url_resolver.resolve_href("bar.svg#fragment"),
+ Err(AllowedUrlError::NoFragmentIdentifierAllowed)
+ ));
 }
 }
diff -Nru librsvg-2.54.5+dfsg/tests/Makefile.am librsvg-2.54.7+dfsg/tests/Makefile.am
--- librsvg-2.54.5+dfsg/tests/Makefile.am 2022-08-26 19:06:23.000000000 +0000
+++ librsvg-2.54.7+dfsg/tests/Makefile.am 2023-07-20 02:02:15.000000000 +0000
@@ -10,6 +10,7 @@
 src/intrinsic_dimensions.rs \
 src/legacy_sizing.rs \
 src/loading_crash.rs \
+ src/loading_disallowed.rs \
 src/main.rs \
 src/primitive_geometries.rs \
 src/primitives.rs \
@@ -61,6 +62,7 @@
 $(wildcard $(srcdir)/fixtures/errors/*) \
 $(wildcard $(srcdir)/fixtures/geometries/*) \
 $(wildcard $(srcdir)/fixtures/loading/*) \
+ $(wildcard $(srcdir)/fixtures/loading/subdir/*) \
 $(wildcard $(srcdir)/fixtures/primitive_geometries/*) \
 $(wildcard $(srcdir)/fixtures/reftests/*.css) \
 $(wildcard $(srcdir)/fixtures/reftests/*.svg) \
diff -Nru librsvg-2.54.5+dfsg/tests/Makefile.in librsvg-2.54.7+dfsg/tests/Makefile.in
--- librsvg-2.54.5+dfsg/tests/Makefile.in 2022-08-26 19:06:47.000000000 +0000
+++ librsvg-2.54.7+dfsg/tests/Makefile.in 2023-07-22 23:51:50.000000000 +0000
@@ -681,6 +681,7 @@
 src/intrinsic_dimensions.rs \
 src/legacy_sizing.rs \
 src/loading_crash.rs \
+ src/loading_disallowed.rs \
 src/main.rs \
 src/primitive_geometries.rs \
 src/primitives.rs \
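Review bot: `disallows_weird_relative_uris` asserts only `.is_err()`, and now that the `cfg(test)` canonicalize stub is gone (previous hunk) its base `file:///example/bar.svg` does not exist on disk, so these cases most likely fail with `CanonicalizationError` before the sibling comparison runs, and the test would still pass if the confinement logic regressed. Building the resolver from `url_from_test_fixtures("tests/fixtures/loading/bar.svg")` as the sibling tests do and matching the specific variant, `Err(AllowedUrlError::NotSiblingOrChildOfBaseFile)`, would make the assertions exercise the path check itself. `url_from_test_fixtures` also resolves its argument against the process working directory, so the fixture tests depend on where `cargo test` is invoked; anchoring the path on `env!("CARGO_MANIFEST_DIR")` would remove that dependency. The hunk starts inside `mod tests` and its final `}` closes the module.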
@@ -722,6 +723,7 @@ $(wildcard $(srcdir)/fixtures/errors/*) \ $(wildcard $(srcdir)/fixtures/geometries/*) \ $(wildcard $(srcdir)/fixtures/loading/*) \ + $(wildcard $(srcdir)/fixtures/loading/subdir/*) \ $(wildcard $(srcdir)/fixtures/primitive_geometries/*) \ $(wildcard $(srcdir)/fixtures/reftests/*.css) \ $(wildcard $(srcdir)/fixtures/reftests/*.svg) \ diff -Nru librsvg-2.54.5+dfsg/tests/fixtures/loading/bar.svg librsvg-2.54.7+dfsg/tests/fixtures/loading/bar.svg --- librsvg-2.54.5+dfsg/tests/fixtures/loading/bar.svg 1970-01-01 00:00:00.000000000 +0000 +++ librsvg-2.54.7+dfsg/tests/fixtures/loading/bar.svg 2023-07-20 02:02:15.000000000 +0000 @@ -0,0 +1 @@ + diff -Nru librsvg-2.54.5+dfsg/tests/fixtures/loading/disallowed-996-ref.svg librsvg-2.54.7+dfsg/tests/fixtures/loading/disallowed-996-ref.svg --- librsvg-2.54.5+dfsg/tests/fixtures/loading/disallowed-996-ref.svg 1970-01-01 00:00:00.000000000 +0000 +++ librsvg-2.54.7+dfsg/tests/fixtures/loading/disallowed-996-ref.svg 2023-07-20 02:02:15.000000000 +0000 @@ -0,0 +1,10 @@ + + + + + + This text should appear + + diff -Nru librsvg-2.54.5+dfsg/tests/fixtures/loading/disallowed-996.svg librsvg-2.54.7+dfsg/tests/fixtures/loading/disallowed-996.svg --- librsvg-2.54.5+dfsg/tests/fixtures/loading/disallowed-996.svg 1970-01-01 00:00:00.000000000 +0000 +++ librsvg-2.54.7+dfsg/tests/fixtures/loading/disallowed-996.svg 2023-07-20 02:02:15.000000000 +0000 @@ -0,0 +1,12 @@ + + + + + + + This text should appear + + + diff -Nru librsvg-2.54.5+dfsg/tests/fixtures/loading/foo.svg librsvg-2.54.7+dfsg/tests/fixtures/loading/foo.svg --- librsvg-2.54.5+dfsg/tests/fixtures/loading/foo.svg 1970-01-01 00:00:00.000000000 +0000 +++ librsvg-2.54.7+dfsg/tests/fixtures/loading/foo.svg 2023-07-20 02:02:15.000000000 +0000 
@@ -0,0 +1 @@ + diff -Nru librsvg-2.54.5+dfsg/tests/fixtures/loading/subdir/baz.svg librsvg-2.54.7+dfsg/tests/fixtures/loading/subdir/baz.svg --- librsvg-2.54.5+dfsg/tests/fixtures/loading/subdir/baz.svg 1970-01-01 00:00:00.000000000 +0000 +++ librsvg-2.54.7+dfsg/tests/fixtures/loading/subdir/baz.svg 2023-07-20 02:02:15.000000000 +0000 @@ -0,0 +1 @@ + Binary files /srv/release.debian.org/tmp/wpIgy98tdj/librsvg-2.54.5+dfsg/tests/fixtures/reftests/filter-morphology-from-reference-page-ref.png and /srv/release.debian.org/tmp/_p4AnTinXT/librsvg-2.54.7+dfsg/tests/fixtures/reftests/filter-morphology-from-reference-page-ref.png differ diff -Nru librsvg-2.54.5+dfsg/tests/fixtures/reftests/filter-morphology-from-reference-page.svg librsvg-2.54.7+dfsg/tests/fixtures/reftests/filter-morphology-from-reference-page.svg --- librsvg-2.54.5+dfsg/tests/fixtures/reftests/filter-morphology-from-reference-page.svg 2022-08-26 19:06:23.000000000 +0000 +++ librsvg-2.54.7+dfsg/tests/fixtures/reftests/filter-morphology-from-reference-page.svg 1970-01-01 00:00:00.000000000 +0000 @@ -1,37 +0,0 @@ - - - - Example feMorphology - Examples of erode and dilate - Five text strings drawn as outlines. - The first is unfiltered. The second and third use 'erode'. - The fourth and fifth use 'dilate'. - - - - - - - - - - - - - - - - - - Unfiltered - Erode radius 3 - Erode radius 6 - Dilate radius 3 - Dilate radius 6 - - - diff -Nru librsvg-2.54.5+dfsg/tests/src/loading_disallowed.rs librsvg-2.54.7+dfsg/tests/src/loading_disallowed.rs --- librsvg-2.54.5+dfsg/tests/src/loading_disallowed.rs 1970-01-01 00:00:00.000000000 +0000 +++ librsvg-2.54.7+dfsg/tests/src/loading_disallowed.rs 2023-07-20 02:02:15.000000000 +0000 
@@ -0,0 +1,7 @@
+use crate::test_svg_reference;
+
+test_svg_reference!(
+ bug_996_malicious_url,
+ "tests/fixtures/loading/disallowed-996.svg",
+ "tests/fixtures/loading/disallowed-996-ref.svg"
+);
diff -Nru librsvg-2.54.5+dfsg/tests/src/main.rs librsvg-2.54.7+dfsg/tests/src/main.rs
--- librsvg-2.54.5+dfsg/tests/src/main.rs 2022-08-26 19:06:23.000000000 +0000
+++ librsvg-2.54.7+dfsg/tests/src/main.rs 2023-07-20 02:02:15.000000000 +0000
@@ -29,6 +29,9 @@
 mod loading_crash;
 #[cfg(test)]
+mod loading_disallowed;
+
+#[cfg(test)]
 mod predicates;
 #[cfg(test)]
diff -Nru librsvg-2.54.5+dfsg/win32/config-msvc.mak librsvg-2.54.7+dfsg/win32/config-msvc.mak
--- librsvg-2.54.5+dfsg/win32/config-msvc.mak 2022-08-26 19:06:53.000000000 +0000
+++ librsvg-2.54.7+dfsg/win32/config-msvc.mak 2023-07-22 23:51:52.000000000 +0000
@@ -5,7 +5,7 @@
 RSVG_VER = 2
 RSVG_API_VER = $(RSVG_VER).0
 CHECK_GIR_PACKAGE = gdk-pixbuf-2.0
-RSVG_PKG_VERSION = 2.54.5
+RSVG_PKG_VERSION = 2.54.7
 # Make bin, include and library directories of configurable
 !ifndef BINDIR
diff -Nru librsvg-2.54.5+dfsg/win32/config.h.win32 librsvg-2.54.7+dfsg/win32/config.h.win32
--- librsvg-2.54.5+dfsg/win32/config.h.win32 2022-08-26 19:06:53.000000000 +0000
+++ librsvg-2.54.7+dfsg/win32/config.h.win32 2023-07-22 23:51:52.000000000 +0000
@@ -84,7 +84,7 @@
 #define PACKAGE_NAME "RSVG"
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "RSVG 2.54.5"
+#define PACKAGE_STRING "RSVG 2.54.7"
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "librsvg"
@@ -93,13 +93,13 @@
 #define PACKAGE_URL ""
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "2.54.5"
+#define PACKAGE_VERSION "2.54.7"
 /* Define to 1 if you have the ANSI C header files. */
 #define STDC_HEADERS 1
 /* Version number of package */
-#define VERSION "2.54.5"
+#define VERSION "2.54.7"
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */