Re: Minor update to libsvgsalamander-java
On 9/23/18 5:35 PM, Felix Natter wrote:
> hello Debian-gis,
> for svgSalamander 1.1.2, a fix for CVE-2017-5617 (#853134) was
> upstreamed by Vincent Privat.
>  https://security-tracker.debian.org/tracker/CVE-2017-5617
> However, upstream included the patch modified, with a flag in the
> "global data object" SVGUniverse, with the default being "allow it":
>  https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58
>> private boolean imageDataInlineOnly = false;
> I wonder whether this is good (enough) for Debian (and the rest of the
> world), since we would need to make sure that this is set to true:
> SVGUniverse svgUniverse = new SVGUniverse();
Vincent also noted this in the JOSM issue:
Library author fixed it
When we update svgSalamander we must use
> in all projects using svgSalamander (which does not seem to be much for
> $ apt-cache rdepends libsvgsalamander-java
> Reverse Depends:
> If we agree, then I will create an upstream issue.
> Also, is there value in updating svgSalamander from 1.1.1 to 1.1.2?
> (I fixed a bug triggered in Freeplane in upstream, but Freeplane contains a
> workaround). I can offer to do this, if we have an agreement for the
> above issue.
I don't think we have to update svgSalamander yet, but if you do, we'll
need to patch JOSM.
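The point of the thread is that the upstream fix is opt-in: every project that creates its own SVGUniverse has to flip imageDataInlineOnly to true itself. The following is an added example of what that consumer-side opt-in looks like; it is not code from this thread, from JOSM or from svgSalamander. The field name imageDataInlineOnly is quoted above; the accessors setImageDataInlineOnly/isImageDataInlineOnly, the loadSVG(Reader, String) overload and getDiagram(URI) are assumed from the library's public API, and the meaning of the flag (only inline image data is honoured, external image references are not fetched) is inferred from its name.

```java
import com.kitfox.svg.SVGDiagram;
import com.kitfox.svg.SVGUniverse;

import java.awt.Graphics2D;
import java.awt.image.BufferedImage;
import java.io.StringReader;
import java.net.URI;

/**
 * Added illustration of a consumer of svgSalamander that opts in to the
 * hardened behaviour discussed in the thread. Apart from the field name
 * imageDataInlineOnly, the library method names used here are assumed.
 */
public final class SafeSvgLoader {

    /** Build a universe whose image loading is restricted to inline data. */
    public static SVGUniverse hardenedUniverse() {
        SVGUniverse svgUniverse = new SVGUniverse();
        // Upstream ships "private boolean imageDataInlineOnly = false;",
        // so the safe setting has to be applied explicitly by each project.
        svgUniverse.setImageDataInlineOnly(true); // assumed setter for that field
        return svgUniverse;
    }

    /** Fail fast if someone hands us a universe that was not hardened. */
    public static void requireHardened(SVGUniverse universe) {
        if (!universe.isImageDataInlineOnly()) { // assumed getter
            throw new IllegalStateException(
                "SVGUniverse must have imageDataInlineOnly=true before untrusted SVG is parsed");
        }
    }

    /** Parse an in-memory SVG document and render it to a raster image. */
    public static BufferedImage render(SVGUniverse universe, String svgText,
                                       String name, int width, int height) throws Exception {
        requireHardened(universe);
        URI uri = universe.loadSVG(new StringReader(svgText), name); // assumed overload
        SVGDiagram diagram = universe.getDiagram(uri);
        BufferedImage out = new BufferedImage(width, height, BufferedImage.TYPE_INT_ARGB);
        Graphics2D g = out.createGraphics();
        try {
            diagram.render(g);
        } finally {
            g.dispose();
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document: one <image> referencing a non-inline
        // location. With the flag set, the library is expected to leave that
        // reference unresolved rather than fetch it; a data: URI would still work.
        String sample = "<svg xmlns='http://www.w3.org/2000/svg'"
                + " xmlns:xlink='http://www.w3.org/1999/xlink' width='10' height='10'>"
                + "<image xlink:href='http://example.invalid/remote.png' width='10' height='10'/>"
                + "</svg>";
        SVGUniverse universe = hardenedUniverse();
        render(universe, sample, "sample.svg", 10, 10);
        System.out.println("rendered with imageDataInlineOnly=" + universe.isImageDataInlineOnly());
    }
}
```

The requireHardened check is the part worth copying: because the default is permissive, a reviewer cannot tell from the SVGUniverse constructor alone whether a code path is safe, so asserting the flag at the point where untrusted SVG enters the parser makes a missed opt-in visible immediately instead of silently restoring the pre-fix behaviour.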