
Bug#854028: marked as done (unblock: svgsalamander/1.1.1+dfsg-2)



Your message dated Fri, 03 Feb 2017 17:06:00 +0000
with message-id <70b9ef02-baf7-b802-17dd-49ee9da54cc7@thykier.net>
and subject line Re: Bug#854028: unblock: svgsalamander/1.1.1+dfsg-2
has caused the Debian Bug report #854028,
regarding unblock: svgsalamander/1.1.1+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
854028: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854028
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package svgsalamander

It contains a patch by Vincent Privat to fix CVE-2017-5617 (#853134).

unblock svgsalamander/1.1.1+dfsg-2

Kind Regards,

Bas
diff -Nru svgsalamander-1.1.1+dfsg/debian/changelog svgsalamander-1.1.1+dfsg/debian/changelog
--- svgsalamander-1.1.1+dfsg/debian/changelog	2016-08-22 08:31:39.000000000 +0200
+++ svgsalamander-1.1.1+dfsg/debian/changelog	2017-02-03 08:39:45.000000000 +0100
@@ -1,3 +1,11 @@
+svgsalamander (1.1.1+dfsg-2) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
+    (closes: #853134)
+
+ -- Bas Couwenberg <sebastic@debian.org>  Fri, 03 Feb 2017 08:39:45 +0100
+
 svgsalamander (1.1.1+dfsg-1) unstable; urgency=medium
 
   * Team upload.
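Review bot: the new changelog entry (the `Add patch by Vincent Privat` line) names the CVE but not the user-visible behaviour change. With patch 0007 an image `xlink:href` is honoured only when its scheme is `data`, so SVGs that reference image files by any other URI stop rendering them. Suggest stating that in the entry, for example "image references other than data: URIs are now ignored".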
diff -Nru svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
--- svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch	1970-01-01 01:00:00.000000000 +0100
+++ svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch	2017-02-02 07:34:34.000000000 +0100
@@ -0,0 +1,109 @@
+Description: Fix CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)
+ See: http://www.openwall.com/lists/oss-security/2017/01/27/3
+Author: Vincent Privat
+Origin: https://josm.openstreetmap.de/changeset/11526/josm
+Bug: https://github.com/blackears/svgSalamander/issues/11
+Bug-Debian: https://bugs.debian.org/853134
+
+--- a/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
++++ b/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
+@@ -112,21 +112,10 @@ public class ImageSVG extends Renderable
+             if (getPres(sty.setName("xlink:href")))
+             {
+                 URI src = sty.getURIValue(getXMLBase());
++                // CVE-2017-5617: Allow only data scheme
+                 if ("data".equals(src.getScheme()))
+                 {
+                     imageSrc = new URL(null, src.toASCIIString(), new Handler());
+-                } else
+-                {
+-                    try
+-                    {
+-                        imageSrc = src.toURL();
+-                    } catch (Exception e)
+-                    {
+-                        Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING,
+-                            "Could not parse xlink:href " + src, e);
+-//                        e.printStackTrace();
+-                        imageSrc = null;
+-                    }
+                 }
+             }
+         } catch (Exception e)
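Review bot: a non-`data` href is now dropped silently in this hunk. The removed `else` branch at least logged `Could not parse xlink:href` on failure; after the change nothing records that a reference was refused, so a missing image is hard to diagnose and a refused external reference leaves no trace for whoever operates the renderer. Suggest an `else` that logs the rejected scheme at WARNING through the same `SVGConst.SVG_LOGGER`. Separately, `"data".equals(src.getScheme())` is case-sensitive, so `DATA:` is refused as well; that fails closed, but `equalsIgnoreCase` would match the case-insensitive definition of URI schemes.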
+@@ -134,32 +123,33 @@ public class ImageSVG extends Renderable
+             throw new SVGException(e);
+         }
+ 
+-        diagram.getUniverse().registerImage(imageSrc);
+-
+-        //Set widths if not set
+-        BufferedImage img = diagram.getUniverse().getImage(imageSrc);
+-        if (img == null)
++        if (imageSrc != null)
+         {
+-            xform = new AffineTransform();
+-            bounds = new Rectangle2D.Float();
+-            return;
+-        }
++            diagram.getUniverse().registerImage(imageSrc);
+ 
+-        if (width == 0)
+-        {
+-            width = img.getWidth();
+-        }
+-        if (height == 0)
+-        {
+-            height = img.getHeight();
+-        }
++            //Set widths if not set
++            BufferedImage img = diagram.getUniverse().getImage(imageSrc);
++            if (img == null)
++            {
++                xform = new AffineTransform();
++                bounds = new Rectangle2D.Float();
++                return;
++            }
+ 
+-        //Determine image xform
+-        xform = new AffineTransform();
+-//        xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight());
+-//        xform.translate(this.x, this.y);
+-        xform.translate(this.x, this.y);
+-        xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
++            if (width == 0)
++            {
++                width = img.getWidth();
++            }
++            if (height == 0)
++            {
++                height = img.getHeight();
++            }
++
++            //Determine image xform
++            xform = new AffineTransform();
++            xform.translate(this.x, this.y);
++            xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
++        }
+ 
+         bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height);
+     }
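Review bot: when `imageSrc` is null the new `if (imageSrc != null)` block is skipped, so `xform` is not assigned anywhere in this hunk, yet `bounds` is still set to the full `x, y, width, height` rectangle. The `img == null` path inside the block resets both (`xform = new AffineTransform()` and an empty `Rectangle2D.Float()`) and returns; the refused-href case should probably do the same, so that later code does not find a stale or unset transform alongside non-empty bounds. The visible lines do not show whether `xform` is initialised elsewhere, so this needs checking against the full file.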
+@@ -328,16 +318,14 @@ public class ImageSVG extends Renderable
+             {
+                 URI src = sty.getURIValue(getXMLBase());
+ 
+-                URL newVal;
++                URL newVal = null;
++                // CVE-2017-5617: Allow only data scheme
+                 if ("data".equals(src.getScheme()))
+                 {
+                     newVal = new URL(null, src.toASCIIString(), new Handler());
+-                } else
+-                {
+-                    newVal = src.toURL();
+                 }
+ 
+-                if (!newVal.equals(imageSrc))
++                if (newVal != null && !newVal.equals(imageSrc))
+                 {
+                     imageSrc = newVal;
+                     shapeChange = true;
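Review bot: in the `newVal != null && !newVal.equals(imageSrc)` check, an href that changes to a non-`data` URI leaves `newVal` null, so `imageSrc` keeps its previous value and `shapeChange` is not set: the element goes on showing the old image. If a refused reference is meant to clear the image, handle the null case explicitly (set `imageSrc = null` and flag the change); if keeping the old image is intended, a comment next to the `CVE-2017-5617` line saying so would help the next reader.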
diff -Nru svgsalamander-1.1.1+dfsg/debian/patches/series svgsalamander-1.1.1+dfsg/debian/patches/series
--- svgsalamander-1.1.1+dfsg/debian/patches/series	2016-08-13 20:52:08.000000000 +0200
+++ svgsalamander-1.1.1+dfsg/debian/patches/series	2017-02-02 07:30:09.000000000 +0100
@@ -3,3 +3,4 @@
 0003-Modify-javadoc-target-to-add-links-to-system-API-doc.patch
 0005-dont-call-netbeans-ant-tasks.patch
 0006-modify-broken-upstream-pom.patch
+0007-CVE-2017-5617-Allow-only-data-scheme.patch

--- End Message ---
--- Begin Message ---
Bas Couwenberg:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package svgsalamander
> 
> It contains a patch by Vincent Privat to fix CVE-2017-5617 (#853134).
> 
> unblock svgsalamander/1.1.1+dfsg-2
> 
> Kind Regards,
> 
> Bas
> 

Unblocked, thanks.

~Niels

--- End Message ---
