
Fixing CVE-2017-5617 (SSRF) for svgsalamander in wheezy



Dear LTS Team,

Vincent Privat of the JOSM development team has provided a fix for
CVE-2017-5617 (#853134).

I've included a patch with his changes in the Debian package, uploaded
it to unstable, and backported the patch for the jessie & wheezy
packages.

Affected versions:

 * jessie: 0~svn95-1
 * wheezy: 0~svn95-1

Fixed versions:

 * jessie: 0~svn95-1+deb8u1
 * wheezy: 0~svn95-1+deb7u1

Are these changes OK for upload to security-master?

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



diff -Nru svgsalamander-0~svn95/debian/changelog svgsalamander-0~svn95/debian/changelog
--- svgsalamander-0~svn95/debian/changelog	2011-05-10 22:36:09.000000000 +0200
+++ svgsalamander-0~svn95/debian/changelog	2017-02-03 09:47:28.000000000 +0100
@@ -1,3 +1,11 @@
+svgsalamander (0~svn95-1+deb7u1) wheezy-security; urgency=high
+
+  * Team upload.
+  * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
+    (closes: #853134)
+
+ -- Bas Couwenberg <sebastic@debian.org>  Fri, 03 Feb 2017 09:18:11 +0100
+
 svgsalamander (0~svn95-1) unstable; urgency=low
 
   * Initial release (Closes: #613293)
diff -Nru svgsalamander-0~svn95/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch svgsalamander-0~svn95/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
--- svgsalamander-0~svn95/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch	1970-01-01 01:00:00.000000000 +0100
+++ svgsalamander-0~svn95/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch	2017-02-03 09:46:54.000000000 +0100
@@ -0,0 +1,98 @@
+Description: Fix CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)
+ See: http://www.openwall.com/lists/oss-security/2017/01/27/3
+Author: Vincent Privat
+Origin: https://josm.openstreetmap.de/changeset/11526/josm
+Bug: https://github.com/blackears/svgSalamander/issues/11
+Bug-Debian: https://bugs.debian.org/853134
+
+--- a/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
++++ b/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
+@@ -80,21 +80,11 @@ public class ImageSVG extends Renderable
+             if (getPres(sty.setName("xlink:href")))
+             {
+                 URI src = sty.getURIValue(getXMLBase());
++                // CVE-2017-5617: Allow only data scheme
+                 if ("data".equals(src.getScheme()))
+                 {
+                     imageSrc = new URL(null, src.toASCIIString(), new Handler());
+                 }
+-                else
+-                {
+-                    try {
+-                        imageSrc = src.toURL();
+-                    }
+-                    catch (Exception e)
+-                    {
+-                        e.printStackTrace();
+-                        imageSrc = null;
+-                    }
+-                }
+             }
+         }
+         catch (Exception e)
+@@ -102,27 +92,30 @@ public class ImageSVG extends Renderable
+             throw new SVGException(e);
+         }
+ 
+-        diagram.getUniverse().registerImage(imageSrc);
+-        
+-        //Set widths if not set
+-        BufferedImage img = diagram.getUniverse().getImage(imageSrc);
+-        if (img == null)
++        if (imageSrc != null)
+         {
++            diagram.getUniverse().registerImage(imageSrc);
++            
++            //Set widths if not set
++            BufferedImage img = diagram.getUniverse().getImage(imageSrc);
++            if (img == null)
++            {
++                xform = new AffineTransform();
++                bounds = new Rectangle2D.Float();
++                return;
++            }
++            
++            if (width == 0) width = img.getWidth();
++            if (height == 0) height = img.getHeight();
++            
++            //Determine image xform
+             xform = new AffineTransform();
+-            bounds = new Rectangle2D.Float();
+-            return;
++    //        xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight());
++    //        xform.translate(this.x, this.y);
++            xform.translate(this.x, this.y);
++            xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
+         }
+         
+-        if (width == 0) width = img.getWidth();
+-        if (height == 0) height = img.getHeight();
+-        
+-        //Determine image xform
+-        xform = new AffineTransform();
+-//        xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight());
+-//        xform.translate(this.x, this.y);
+-        xform.translate(this.x, this.y);
+-        xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
+-        
+         bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height);
+     }
+     
+@@ -254,9 +247,15 @@ public class ImageSVG extends Renderable
+             if (getPres(sty.setName("xlink:href")))
+             {
+                 URI src = sty.getURIValue(getXMLBase());
+-                URL newVal = src.toURL();
++
++                URL newVal = null;
++                // CVE-2017-5617: Allow only data scheme
++                if ("data".equals(src.getScheme()))
++                {
++                    newVal = new URL(null, src.toASCIIString(), new Handler());
++                }
+                 
+-                if (!newVal.equals(imageSrc))
++                if (newVal != null && !newVal.equals(imageSrc))
+                 {
+                     imageSrc = newVal;
+                     shapeChange = true;
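Review bot: In the second hunk of the nested ImageSVG.java patch, the new `if (imageSrc != null)` guard means an `xlink:href` with a non-data scheme now skips the block that assigns `xform`, yet the method still falls through to `bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height);` with `width`/`height` possibly still 0, whereas before the change both visible paths set `xform` before returning. Whether the `xform` field has a non-null initializer is not visible here, so a later use of a null transform for a rejected reference cannot be ruled out from this hunk. The simplest guard is to initialize the transform before the check, `xform = new AffineTransform();` immediately above `if (imageSrc != null)`, which keeps the rejected-reference case consistent with the old `img == null` path. The enclosing method starts before the hunk and the `catch` block it sits in is cut at the hunk boundary. Separately, the first hunk now silently discards non-data references, so a short comment or debug log at that point, e.g. `// non-data href rejected (CVE-2017-5617); imageSrc stays null`, would make rejected external references observable to maintainers and operators.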
diff -Nru svgsalamander-0~svn95/debian/patches/series svgsalamander-0~svn95/debian/patches/series
--- svgsalamander-0~svn95/debian/patches/series	2011-05-09 20:54:16.000000000 +0200
+++ svgsalamander-0~svn95/debian/patches/series	2017-02-03 09:46:54.000000000 +0100
@@ -2,3 +2,4 @@
 0002-Disable-useless-automated-jar-signing.patch
 0003-Modify-javadoc-target-to-add-links-to-system-API-doc.patch
 0004-Use-system-awt-gradient-instead-of-the-embedded-bati.patch
+0007-CVE-2017-5617-Allow-only-data-scheme.patch
