On 9/23/18 5:35 PM, Felix Natter wrote:
> hello Debian-gis,
>
> for svgSalamander 1.1.2, a fix for CVE-2017-5617 [1] (#853134) was
> upstreamed by Vincent Privat.
>
> [1] https://security-tracker.debian.org/tracker/CVE-2017-5617
>
> However, upstream included the patch modified [2], with a flag in the
> "global data object" SVGUniverse, with the default being "allow it":
>
> [2]
> https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58
>
>> private boolean imageDataInlineOnly = false;
>
> I wonder whether this is good (enough) for Debian (and the rest of the
> world), since we would need to make sure that this is set to true:
>
> SVGUniverse svgUniverse = new SVGUniverse();
> svgUniverse.setImageDataInlineOnly(true);

Vincent also noted this in the JOSM issue:

"
Library author fixed it [differently](https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58). When we update svgSalamander we must use SVGUniverse.setImageDataInlineOnly(true)
"

https://josm.openstreetmap.de/ticket/14319#comment:8

> in all projects using svgSalamander (which does not seem to be much for
> Debian):
>
> $ apt-cache rdepends libsvgsalamander-java
> libsvgsalamander-java
> Reverse Depends:
>   freeplane
>   freeplane
>   josm
>   games-java-dev
>
> If we agree, then I will create an upstream issue.
>
> Also, is there value in updating svgSalamander from 1.1.1 to 1.1.2?
> (I fixed a bug triggered in Freeplane in upstream, but Freeplane contains a
> workaround). I can offer to do this, if we have an agreement for the
> above issue.

I don't think we have to update svgSalamander yet, but if you do, we'll
need to patch JOSM.

Kind Regards,

Bas
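
An added example, not part of this thread and not code from svgSalamander, JOSM or Freeplane: because the flag discussed above defaults to false, each dependent source tree has to opt in, and the sketch below audits a tree for Java files that construct an SVGUniverse without calling setImageDataInlineOnly(true). The function names and the sample sources are assumptions constructed for illustration, and the check is a file-level heuristic rather than data-flow analysis.

```python
import re
import tempfile
from pathlib import Path

# Both patterns come from the calls quoted in the thread.
CONSTRUCT = re.compile(r"\bnew\s+SVGUniverse\s*\(")
HARDEN = re.compile(r"\.setImageDataInlineOnly\s*\(\s*true\s*\)")

def strip_comments(src):
    """Remove /* */ and // comments so a commented-out call does not count.
    Heuristic: a '//' inside a string literal also truncates that line."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def audit_tree(root):
    """Relative paths of .java files that construct an SVGUniverse but never
    call setImageDataInlineOnly(true) (file-level check, not data flow)."""
    findings = []
    for path in Path(root).rglob("*.java"):
        code = strip_comments(path.read_text(encoding="utf-8", errors="replace"))
        if CONSTRUCT.search(code) and not HARDEN.search(code):
            findings.append(path.relative_to(root).as_posix())
    return sorted(findings)

# Constructed sample sources; none of this is code from JOSM or Freeplane.
SAMPLES = {
    "app/Hardened.java": "SVGUniverse u = new SVGUniverse();\nu.setImageDataInlineOnly(true);\n",
    "app/Default.java": "SVGUniverse u = new SVGUniverse();\n",
    "app/CommentedOut.java": "SVGUniverse u = new SVGUniverse();\n// u.setImageDataInlineOnly(true);\n",
    "app/ExplicitFalse.java": "SVGUniverse u = new SVGUniverse();\nu.setImageDataInlineOnly(false);\n",
    "app/Unrelated.java": "class Unrelated {}\n",
}

def build_sample_tree(root):
    """Write the constructed samples under root."""
    for rel, text in SAMPLES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in audit_tree(tmp):
            print("SVGUniverse left at default:", hit)
```

Pointing audit_tree at the unpacked source of each reverse dependency listed above gives a quick list of files to review by hand.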