
Minor update to libsvgsalamander-java
Hello Debian-gis,

for svgSalamander 1.1.2, a fix for CVE-2017-5617 [1] (#853134) was
upstreamed by Vincent Privat.

[1] https://security-tracker.debian.org/tracker/CVE-2017-5617

However, upstream included the patch modified [2], with a flag in the
"global data object" SVGUniverse, with the default being "allow it":

[2] https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58

> private boolean imageDataInlineOnly = false;

I wonder whether this is good (enough) for Debian (and the rest of the
world), since we would need to make sure that this is set to true:

SVGUniverse svgUniverse = new SVGUniverse();
svgUniverse.setImageDataInlineOnly(true);

in all projects using svgSalamander (which does not seem to be much for
Debian):

$ apt-cache rdepends libsvgsalamander-java
libsvgsalamander-java
Reverse Depends:
  freeplane
  freeplane
  josm
  games-java-dev

If we agree, then I will create an upstream issue.

Also, is there value in updating svgSalamander from 1.1.1 to 1.1.2?
(I fixed a bug triggered in Freeplane in upstream, but Freeplane contains a
workaround). I can offer to do this, if we have an agreement for the
above issue.

Cheers and Best Regards,
-- 
Felix Natter
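Since the upstream default leaves imageDataInlineOnly at false, the practical check for Debian is whether every consumer calls setImageDataInlineOnly(true) itself. The following POSIX shell audit is an added example, not code from the mail above or from svgSalamander: it walks a Java source tree and reports files that construct an SVGUniverse without that call. It assumes the setter name from the upstream commit linked above, that the call is made in the same file as the constructor, and uses two constructed sample files (the com.kitfox.svg package name is svgSalamander's) to show both outcomes.

```shell
#!/bin/sh
# Added example, not code from the mail or from svgSalamander: audit a Java
# source tree for SVGUniverse instances that never opt in to inline-only image
# data. Assumes the setter is named setImageDataInlineOnly (as in the upstream
# commit) and that the call appears in the same file as the constructor.

# audit_svguniverse DIR
#   Prints every *.java file under DIR that contains "new SVGUniverse" but no
#   "setImageDataInlineOnly(true)". Returns 0 when nothing is flagged, 1 otherwise.
audit_svguniverse() {
    flagged=$(find "$1" -name '*.java' -exec grep -l 'new SVGUniverse' {} + |
        while IFS= read -r f; do
            grep -q 'setImageDataInlineOnly(true)' "$f" || printf '%s\n' "$f"
        done)
    if [ -n "$flagged" ]; then
        printf '%s\n' "$flagged"
        return 1
    fi
    return 0
}

# make_sample_tree
#   Builds a constructed sample tree (two tiny Java files) in a temp directory
#   and prints its path: good/Hardened.java sets the flag, bad/Default.java
#   relies on the upstream default of false.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/good" "$root/bad"
    cat > "$root/good/Hardened.java" <<'EOF'
import com.kitfox.svg.SVGUniverse;

public class Hardened {
    static SVGUniverse universe() {
        SVGUniverse u = new SVGUniverse();
        u.setImageDataInlineOnly(true); // refuse non-inline image references
        return u;
    }
}
EOF
    cat > "$root/bad/Default.java" <<'EOF'
import com.kitfox.svg.SVGUniverse;

public class Default {
    static SVGUniverse universe() {
        return new SVGUniverse(); // imageDataInlineOnly stays at the default, false
    }
}
EOF
    printf '%s\n' "$root"
}

# Demo: build the sample tree and audit it; only bad/Default.java is reported.
demo_root=$(make_sample_tree)
audit_svguniverse "$demo_root" || echo "audit: some files rely on the default"
```

Running it against an unpacked source package (for example the freeplane or josm sources listed by apt-cache rdepends above) gives a first triage list; it is a text heuristic, so a project that sets the flag through a shared factory class, or passes a variable instead of the literal true, still needs a manual look.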