On 9/23/18 5:35 PM, Felix Natter wrote:
> hello Debian-gis,
>
> for svgSalamander 1.1.2, a fix for CVE-2017-5617 [1] (#853134) was
> upstreamed by Vincent Privat.
>
> [1] https://security-tracker.debian.org/tracker/CVE-2017-5617
>
> However, upstream included the patch modified [2], with a flag in the
> "global data object" SVGUniverse, with the default being "allow it":
>
> [2] https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58
>
>> private boolean imageDataInlineOnly = false;
>
> I wonder whether this is good (enough) for Debian (and the rest of the
> world), since we would need to make sure that this is set to true:
>
> SVGUniverse svgUniverse = new SVGUniverse();
> svgUniverse.setImageDataInlineOnly(true);
Vincent also noted this in the JOSM issue:
"
Library author fixed it
[differently](https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58).
When we update svgSalamander we must use
SVGUniverse.setImageDataInlineOnly(true)
"
https://josm.openstreetmap.de/ticket/14319#comment:8
> in all projects using svgSalamander (which does not seem to be much for
> Debian):
>
> $ apt-cache rdepends libsvgsalamander-java
> libsvgsalamander-java
> Reverse Depends:
> freeplane
> freeplane
> josm
> games-java-dev
>
> If we agree, then I will create an upstream issue.
>
> Also, is there value in updating svgSalamander from 1.1.1 to 1.1.2?
> (I fixed a bug triggered in Freeplane in upstream, but Freeplane contains a
> workaround). I can offer to do this, if we have an agreement for the
> above issue.
I don't think we have to update svgSalamander yet, but if you do, we'll
need to patch JOSM.
Kind Regards,
Bas
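The pattern the thread recommends, as an added example that is not part of the mail or of svgSalamander itself: a small helper that always constructs SVGUniverse with setImageDataInlineOnly(true) before any document is loaded, and a constructed sample SVG mixing an inline data: image with an external reference. The calls loadSVG(Reader, String) and getDiagram(URI) are assumed to exist with those signatures; the base64 PNG and the example.invalid URL are constructed sample data.

```java
import com.kitfox.svg.SVGDiagram;
import com.kitfox.svg.SVGUniverse;
import java.io.StringReader;
import java.net.URI;

public final class SafeSvgLoader {

    // Every consumer of the library should obtain its universe here so the
    // upstream flag (default false, i.e. external images allowed) can never
    // be forgotten. The flag must be set before loadSVG() is called, because
    // image references are resolved while the document is parsed.
    public static SVGUniverse newHardenedUniverse() {
        SVGUniverse universe = new SVGUniverse();
        universe.setImageDataInlineOnly(true);  // CVE-2017-5617 mitigation
        return universe;
    }

    // Parse an SVG held in memory. Assumed API: loadSVG(Reader, String)
    // returns the document URI and getDiagram(URI) yields the parsed diagram.
    public static SVGDiagram load(SVGUniverse universe, String svg, String name) {
        URI docUri = universe.loadSVG(new StringReader(svg), name);
        return universe.getDiagram(docUri);
    }

    // Constructed sample: the first <image> is an inline data: URI (allowed),
    // the second points outside the document and is not fetched when the
    // inline-only flag is set.
    static final String SAMPLE =
        "<svg xmlns=\"http://www.w3.org/2000/svg\""
        + " xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"2\" height=\"1\">"
        + "<image width=\"1\" height=\"1\" xlink:href=\"data:image/png;base64,"
        + "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==\"/>"
        + "<image x=\"1\" width=\"1\" height=\"1\""
        + " xlink:href=\"http://example.invalid/untrusted.png\"/>"
        + "</svg>";

    public static void main(String[] args) {
        SVGUniverse universe = newHardenedUniverse();
        SVGDiagram diagram = load(universe, SAMPLE, "sample.svg");
        System.out.println("inline-only: " + universe.isImageDataInlineOnly());
        System.out.println("diagram size: " + diagram.getWidth()
            + "x" + diagram.getHeight());
    }
}
```

Any code path that constructs `new SVGUniverse()` directly, as JOSM and Freeplane would after an update to 1.1.2, bypasses this helper and keeps the permissive upstream default.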