Minor update to libsvgsalamander-java
Hello Debian-gis,
for svgSalamander 1.1.2, a fix for CVE-2017-5617 [1] (#853134) was
upstreamed by Vincent Privat.
[1] https://security-tracker.debian.org/tracker/CVE-2017-5617
However, upstream included the patch modified [2], with a flag in the
"global data object" SVGUniverse, with the default being "allow it":
[2] https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58
> private boolean imageDataInlineOnly = false;
I wonder whether this is good (enough) for Debian (and the rest of the
world), since we would need to make sure that this is set to true:
SVGUniverse svgUniverse = new SVGUniverse();
svgUniverse.setImageDataInlineOnly(true);
in all projects using svgSalamander (which do not seem to be many for
Debian):
$ apt-cache rdepends libsvgsalamander-java
libsvgsalamander-java
Reverse Depends:
freeplane
freeplane
josm
games-java-dev
If we agree, then I will create an upstream issue.
Also, is there value in updating svgSalamander from 1.1.1 to 1.1.2?
(I fixed a bug triggered in Freeplane in upstream, but Freeplane contains a
workaround). I can offer to do this, if we have an agreement for the
above issue.
Cheers and Best Regards,
--
Felix Natter