
Re: Minor update to libsvgsalamander-java

On 9/23/18 5:35 PM, Felix Natter wrote:
> hello Debian-gis,
> for svgSalamander 1.1.2, a fix for CVE-2017-5617 [1] (#853134) was
> upstreamed by Vincent Privat.
> [1] https://security-tracker.debian.org/tracker/CVE-2017-5617
> However, upstream included the patch modified [2], with a flag in the
> "global data object" SVGUniverse, with the default being "allow it":
> [2] https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58
>> private boolean imageDataInlineOnly = false;
> I wonder whether this is good (enough) for Debian (and the rest of the
> world), since we would need to make sure that this is set to true:
> SVGUniverse svgUniverse = new SVGUniverse();
> svgUniverse.setImageDataInlineOnly(true);

Vincent also noted this in the JOSM issue:

 Library author fixed it

 When we update svgSalamander we must use


> in all projects using svgSalamander (which does not seem to be much for
> Debian):
> $ apt-cache rdepends libsvgsalamander-java
> libsvgsalamander-java
> Reverse Depends:
>   freeplane
>   freeplane
>   josm
>   games-java-dev
> If we agree, then I will create an upstream issue.
> Also, is there value in updating svgSalamander from 1.1.1 to 1.1.2?
> (I fixed a bug triggered in Freeplane in upstream, but Freeplane contains a
> workaround). I can offer to do this, if we have an agreement for the
> above issue.

I don't think we have to update svgSalamander yet, but if you do, we'll
need to patch JOSM.

Kind Regards,
