
Re: CVE-2017-5617: svgSalamander



Hi Felix,

On 2017-02-01 09:13, Felix Natter wrote:
> there is a security vulnerability in svgSalamander:
>   https://github.com/blackears/svgSalamander/issues/11

I've been following that issue since it popped up on my DMD TODO list.

> The problem occurs when including raster/svg images via <image>.
> The reporter says "How to fix - any schemes apart from data in the
> xlink:href attribute should be disallowed"

The fix for svgSalamander is probably to patch the code which handles xlink:href and return NULL for any value that doesn't start with "data:", or something along those lines.

> --> I am not aware of svgSalamander properties (the only other toggle I
> can think of is java system properties), so can we _disable_ other
> schemes? I don't think that breaks SVG rendering in Freeplane, how
> about josm / other applications?

I don't know if it will break JOSM, but I suspect it won't. We'll have to test it with the patched svgsalamander when it's available.

> http://stackoverflow.com/questions/6249664/does-svg-support-embedding-of-bitmap-images
> --> data: schema seems to provide a way for including base64 encoded
> raster/svg images inline in an SVG.
>
> --> Can we discuss how to fix this?

Sure, ideally upstream is included in that discussion.

> Or shall we wait until Mark (the upstream author) fixes this
> (might take a month)? Or at least ping him for a solution?

Pinging him is a good idea, upstream needs to be involved in resolving this issue.

Including the JOSM developers (josm-dev@openstreetmap.org) is also a good idea, they (and Vincent Privat in particular) have contributed patches to svgSalamander recently.

I'll report the issue in the JOSM Trac since it also affects the embedded copy in their upstream SVN repo.

Kind Regards,

Bas
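
The check suggested in the message above (return null for any xlink:href value that does not start with "data:"), as an added Java example that is not part of the original message or of svgSalamander's code. The class and method names are hypothetical, the sample hrefs are constructed, and accepting only base64-encoded payloads is an assumption of this example.

```java
import java.util.Base64;
import java.util.Locale;

// Hypothetical helper, not svgSalamander's API: resolves an <image> xlink:href
// only when it is an inline data: URI and returns null for everything else,
// so the renderer never opens a file or network location named by the SVG.
public class DataOnlyHref {

    /** Returns the decoded bytes of a data: URI, or null if the href is rejected. */
    static byte[] resolve(String href) {
        if (href == null) return null;
        String s = href.trim();
        // URI scheme names are case-insensitive, so "DATA:" must match too.
        if (!s.regionMatches(true, 0, "data:", 0, 5)) return null;
        int comma = s.indexOf(',');
        if (comma < 0) return null;                  // malformed: no payload separator
        String meta = s.substring(5, comma).toLowerCase(Locale.ROOT);
        if (!meta.endsWith(";base64")) return null;  // assumption: base64 payloads only
        try {
            // The MIME decoder tolerates line breaks inside long inline payloads.
            return Base64.getMimeDecoder().decode(s.substring(comma + 1));
        } catch (IllegalArgumentException e) {
            return null;                             // invalid base64
        }
    }

    public static void main(String[] args) {
        // Constructed sample values: two inline images, then hrefs that must be refused.
        String[] samples = {
            "data:image/png;base64,iVBORw0KGgo=",
            "DATA:image/svg+xml;base64,PHN2Zy8+",
            "http://images.example/logo.png",
            "file:///tmp/logo.png",
            "images/logo.png",
            "data:image/png,not-base64"
        };
        for (String href : samples) {
            byte[] bytes = resolve(href);
            String verdict = (bytes == null)
                    ? "rejected"
                    : "accepted (" + bytes.length + " bytes)";
            System.out.println(verdict + "  " + href);
        }
    }
}
```

Relative references such as `images/logo.png` are rejected as well, which is the compatibility question raised for Freeplane and JOSM: any application that relies on SVGs linking to external image files would need testing against such a check.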

