hello Debian-gis,

for svgSalamander 1.1.2, a fix for CVE-2017-5617 [1] (#853134) was upstreamed by Vincent Privat.

[1] https://security-tracker.debian.org/tracker/CVE-2017-5617

However, upstream included the patch modified [2], with a flag in the "global data object" SVGUniverse, with the default being "allow it":

[2] https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58

> private boolean imageDataInlineOnly = false;

I wonder whether this is good (enough) for Debian (and the rest of the world), since we would need to make sure that this is set to true:

    SVGUniverse svgUniverse = new SVGUniverse();
    svgUniverse.setImageDataInlineOnly(true);

in all projects using svgSalamander (which does not seem to be much for Debian):

    $ apt-cache rdepends libsvgsalamander-java
    libsvgsalamander-java
    Reverse Depends:
      freeplane
      freeplane
      josm
      games-java-dev

If we agree, then I will create an upstream issue.

Also, is there value in updating svgSalamander from 1.1.1 to 1.1.2? (I fixed a bug triggered in Freeplane in upstream, but Freeplane contains a workaround). I can offer to do this, if we have an agreement for the above issue.

Cheers and Best Regards,
-- 
Felix Natter