
Minor update to libsvgsalamander-java

hello Debian-gis,

for svgSalamander 1.1.2, a fix for CVE-2017-5617 [1] (#853134) was
upstreamed by Vincent Privat.

[1] https://security-tracker.debian.org/tracker/CVE-2017-5617

However, upstream included the patch in a modified form [2], with a flag in the
"global data object" SVGUniverse, the default being "allow it":

[2] https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58

> private boolean imageDataInlineOnly = false;

I wonder whether this is good (enough) for Debian (and the rest of the
world), since we would need to make sure that this is set to true:

SVGUniverse svgUniverse = new SVGUniverse();

in all projects using svgSalamander (which do not seem to be many, judging by

$ apt-cache rdepends libsvgsalamander-java
Reverse Depends:

If we agree, then I will create an upstream issue.

Also, is there value in updating svgSalamander from 1.1.1 to 1.1.2?
(I fixed a bug triggered by Freeplane upstream, but Freeplane contains a
workaround.) I can offer to do this, if we have an agreement on the
above issue.

Cheers and Best Regards,
Felix Natter
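The opt-in the mail describes, written out as an added example (this is editor-supplied code, not from the mail, from svgSalamander, or from any Debian package). It assumes the accessor for the quoted `imageDataInlineOnly` field is named `setImageDataInlineOnly`, the conventional bean setter for that field; the package name `com.kitfox.svg` and the `loadSVG(Reader, String)` / `getDiagram(URI)` calls are svgSalamander's public API. The SVG input is constructed here and uses a documentation-only address (192.0.2.1) as the external image reference. Both universes are built side by side so the difference is visible: a consumer that only writes `new SVGUniverse()` keeps the permissive default; the hardened helper flips the flag before any document is loaded.

```java
import com.kitfox.svg.SVGDiagram;
import com.kitfox.svg.SVGUniverse;

import java.io.StringReader;
import java.net.URI;

/**
 * Added example: how a consumer of svgSalamander would opt into the
 * "inline image data only" behaviour that the upstream fix for CVE-2017-5617
 * left disabled by default.
 */
public class HardenedSvgLoader {

    // Constructed sample input (not a real document from any project): an
    // untrusted SVG whose <image> references a remote host instead of
    // carrying its pixels inline as a data: URI.
    static final String UNTRUSTED_SVG =
            "<svg xmlns=\"http://www.w3.org/2000/svg\""
          + "     xmlns:xlink=\"http://www.w3.org/1999/xlink\""
          + "     width=\"16\" height=\"16\">"
          + "  <image xlink:href=\"http://192.0.2.1/pixel.png\""
          + "         width=\"16\" height=\"16\"/>"
          + "</svg>";

    /** The permissive default: equivalent to what the mail quotes, imageDataInlineOnly = false. */
    static SVGUniverse defaultUniverse() {
        return new SVGUniverse();
    }

    /**
     * The hardened variant every consumer would have to use if the default
     * stays "allow it". The setter name is an assumption derived from the
     * field name quoted in the mail (bean-style accessor); verify it against
     * the svgSalamander version actually packaged before relying on it.
     */
    static SVGUniverse hardenedUniverse() {
        SVGUniverse universe = new SVGUniverse();
        universe.setImageDataInlineOnly(true); // assumed accessor for imageDataInlineOnly
        return universe;
    }

    /** Loads an SVG from a string into the given universe and returns the diagram. */
    static SVGDiagram load(SVGUniverse universe, String svgText, String name) {
        URI uri = universe.loadSVG(new StringReader(svgText), name);
        return universe.getDiagram(uri);
    }

    public static void main(String[] args) {
        // A consumer that never touches the flag: documents are loaded with
        // the library's default, i.e. non-inline image data is permitted.
        SVGDiagram permissive = load(defaultUniverse(), UNTRUSTED_SVG, "permissive");
        System.out.println("default universe loaded diagram: " + (permissive != null));

        // A consumer that opts in: the same document is loaded into a
        // universe restricted to inline image data.
        SVGDiagram hardened = load(hardenedUniverse(), UNTRUSTED_SVG, "hardened");
        System.out.println("hardened universe loaded diagram: " + (hardened != null));
    }
}
```

The point the mail makes is visible in the two factory methods: the only thing standing between a consumer and the permissive behaviour is one setter call that nothing forces them to write, which is why a default of `false` shifts the burden onto every reverse dependency rather than onto the library.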
