Package: librsvg / 2.50.3+dfsg-1+deb11u1

Metadata

Package: librsvg
Version: 2.50.3+dfsg-1+deb11u1
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
10_rsvg gz.patch

librsvg/rsvg-handle.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

 revert abi breakage

Provide the rsvg_handle_new_gz function.
Do not provide the C prototype to force
applications using it to use rsvg_handle_new instead.

Add fallback for when tree_index.sgml is not available.patch

doc/rsvg-docs.xml | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 add fallback for when tree_index.sgml is not available

Newer versions of gtk-doc-tools will not generate empty files anymore.
https://gitlab.gnome.org/GNOME/gtk-doc/commit/97541700fe55bf5ba1522773dd242a4598cac187

thin lto.patch

Cargo.toml | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 enable thin lto

(full LTO is not used because of https://github.com/rust-lang/rust/issues/66118).
See https://gitlab.gnome.org/GNOME/librsvg/-/commit/7ad034d.

Skip invalid_viewbox test on 32 bit x86.patch

rsvg_internals/src/aspect_ratio.rs | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 skip invalid_viewbox test on 32-bit x86

This test appears to be failing on i386, possibly due to extended
precision in the i387 FPU. Building with -mfpmath=sse might resolve this,
but that isn't currently allowed in Debian due to our i386 baseline
being 20 years old (in particular no SSE and no SSE2).

Signed-off-by: Simon McVittie <smcv@debian.org>

996 Fix arbitrary file read when href has special charact.patch

librsvg/rsvg-handle.c | 6 5 + 1 - 0 !
rsvg_internals/src/allowed_url.rs | 229 170 + 59 - 0 !
rsvg_internals/src/filters/component_transfer.rs | 2 1 + 1 - 0 !
tests/Makefile.am | 1 1 + 0 - 0 !
tests/fixtures/loading/bar.svg | 1 1 + 0 - 0 !
tests/fixtures/loading/foo.svg | 1 1 + 0 - 0 !
tests/fixtures/loading/subdir/baz.svg | 1 1 + 0 - 0 !
7 files changed, 180 insertions(+), 61 deletions(-)

 (#996): fix arbitrary file read when href has special characters

In UrlResolver::resolve_href() we now explicitly disallow URLs that
have a query string ("?") or a fragment identifier ("#").

We also explicitly check for a base URL and not resolving to a path,
for example, "file:///base/foo.svg" + "." would resolve to
"file:///base/" - this is technically correct, but we don't want to
resolve to directories.

Also, we pass a canonicalized path name as a URL upstream, so that
g_file_new_from_url() will consume it later, instead of passing the
original and potentially malicious URL.

Fix compilation on rustc 1.40.0.patch

rsvg_internals/src/allowed_url.rs | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 fix compilation on rustc 1.40.0

tests Fix build with older Autotools.patch

tests/Makefile.am | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 tests: fix build with older autotools

/usr/bin/install: omitting directory '././fixtures/loading/subdir'
make[5]: *** [Makefile:1143: install-nobase_installed_testDATA] Error 1

Bug-Debian: https://bugs.debian.org/1041810