[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: CVE-2017-5617: svgSalamander



On 02/02/2017 07:09 PM, Sebastiaan Couwenberg wrote:
> On 02/02/2017 07:44 AM, Sebastiaan Couwenberg wrote:
>> On 02/01/2017 10:08 AM, Bas Couwenberg wrote:
>>> On 2017-02-01 09:35, Bas Couwenberg wrote:
>>>> Including the JOSM developers (josm-dev@openstreetmap.org) is also a
>>>> good idea, they (and Vincent Privat in particular) have contributed
>>>> patches to svgSalamander recently.
>>>>
>>>> I'll report the issue in the JOSM Trac since it also affects the
>>>> embedded copy in their upstream SVN repo.
>>>
>>> JOSM issue: https://josm.openstreetmap.de/ticket/14319
>>
>> Vicent Privat has fixed the issue for JOSM, and I've added a patch to
>> the svgsalamander Debian package with his changes.
>>
>> We may want to include the regression test too, but I'm not sure how
>> that works in svgsalamander.
>>
>> If we can't do that easily, we should just keep the patch as-is without
>> the regression tests that are included for JOSM.
> 
> I want the fixed package uploaded ASAP, preferably today because
> tomorrow I leave for FOSDEM and aren't likely to be able to do an upload.

I've uploaded the fixed svgsalamander to unstable, and also ported the
patch to the package in jessie & wheezy.

I'll coordinate with the security & LTS teams before uploading to
package for jessie & wheezy.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1


Reply to: