Zac Sims discovered a directory traversal in the URL decoder of librsvg,
a SAX-based renderer library for SVG files, which could result in read
of arbitrary files when processing a specially crafted SVG file with an
For the oldstable distribution (bullseye), this problem has been fixed
in version 2.50.3+dfsg-1+deb11u1.
For the stable distribution (bookworm), this problem has been fixed in
We recommend that you upgrade your librsvg packages.