Your message dated Fri, 03 Feb 2017 17:06:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#854028: unblock: svgsalamander/1.1.1+dfsg-2
has caused the Debian Bug report #854028,
regarding unblock: svgsalamander/1.1.1+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
854028: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854028
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package svgsalamander

It contains a patch by Vincent Privat to fix CVE-2017-5617 (#853134).

unblock svgsalamander/1.1.1+dfsg-2

Kind Regards,

Bas
diff -Nru svgsalamander-1.1.1+dfsg/debian/changelog 
svgsalamander-1.1.1+dfsg/debian/changelog
--- svgsalamander-1.1.1+dfsg/debian/changelog   2016-08-22 08:31:39.000000000 
+0200
+++ svgsalamander-1.1.1+dfsg/debian/changelog   2017-02-03 08:39:45.000000000 
+0100
@@ -1,3 +1,11 @@
+svgsalamander (1.1.1+dfsg-2) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
+    (closes: #853134)
+
+ -- Bas Couwenberg <[email protected]>  Fri, 03 Feb 2017 08:39:45 +0100
+
 svgsalamander (1.1.1+dfsg-1) unstable; urgency=medium
 
   * Team upload.
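Review bot: the changelog entry "Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF)" does not say how the fix behaves. The patch is named "Allow-only-data-scheme", so any xlink:href that is not a data: URI is now ignored and images referenced that way stop rendering after this upload. One more line in the entry stating that would let users who see missing images connect the change to this version.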
diff -Nru 
svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
 
svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
--- 
svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
     1970-01-01 01:00:00.000000000 +0100
+++ 
svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
     2017-02-02 07:34:34.000000000 +0100
@@ -0,0 +1,109 @@
+Description: Fix CVE-2017-5617: svgSalamander SSRF (Server-Side Request 
Forgery)
+ See: http://www.openwall.com/lists/oss-security/2017/01/27/3
+Author: Vincent Privat
+Origin: https://josm.openstreetmap.de/changeset/11526/josm
+Bug: https://github.com/blackears/svgSalamander/issues/11
+Bug-Debian: https://bugs.debian.org/853134
+
+--- a/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
++++ b/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
+@@ -112,21 +112,10 @@ public class ImageSVG extends Renderable
+             if (getPres(sty.setName("xlink:href")))
+             {
+                 URI src = sty.getURIValue(getXMLBase());
++                // CVE-2017-5617: Allow only data scheme
+                 if ("data".equals(src.getScheme()))
+                 {
+                     imageSrc = new URL(null, src.toASCIIString(), new 
Handler());
+-                } else
+-                {
+-                    try
+-                    {
+-                        imageSrc = src.toURL();
+-                    } catch (Exception e)
+-                    {
+-                        
Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING,
+-                            "Could not parse xlink:href " + src, e);
+-//                        e.printStackTrace();
+-                        imageSrc = null;
+-                    }
+                 }
+             }
+         } catch (Exception e)
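Review bot: in the first ImageSVG.java hunk, removing the else branch means an xlink:href with any scheme other than data is now skipped without a trace, where the removed code at least logged "Could not parse xlink:href" on failure. A Logger call at that point naming the rejected scheme would make the blocked reference visible to anyone debugging a missing image or reviewing logs for SVG files that try to reach external resources. Separately, "data".equals(src.getScheme()) is a case-sensitive comparison: it fails closed, which is the safe direction, but an embedded image whose URI is written with an upper-case scheme is dropped as well.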
+@@ -134,32 +123,33 @@ public class ImageSVG extends Renderable
+             throw new SVGException(e);
+         }
+ 
+-        diagram.getUniverse().registerImage(imageSrc);
+-
+-        //Set widths if not set
+-        BufferedImage img = diagram.getUniverse().getImage(imageSrc);
+-        if (img == null)
++        if (imageSrc != null)
+         {
+-            xform = new AffineTransform();
+-            bounds = new Rectangle2D.Float();
+-            return;
+-        }
++            diagram.getUniverse().registerImage(imageSrc);
+ 
+-        if (width == 0)
+-        {
+-            width = img.getWidth();
+-        }
+-        if (height == 0)
+-        {
+-            height = img.getHeight();
+-        }
++            //Set widths if not set
++            BufferedImage img = diagram.getUniverse().getImage(imageSrc);
++            if (img == null)
++            {
++                xform = new AffineTransform();
++                bounds = new Rectangle2D.Float();
++                return;
++            }
+ 
+-        //Determine image xform
+-        xform = new AffineTransform();
+-//        xform.setToScale(this.width / img.getWidth(), this.height / 
img.getHeight());
+-//        xform.translate(this.x, this.y);
+-        xform.translate(this.x, this.y);
+-        xform.scale(this.width / img.getWidth(), this.height / 
img.getHeight());
++            if (width == 0)
++            {
++                width = img.getWidth();
++            }
++            if (height == 0)
++            {
++                height = img.getHeight();
++            }
++
++            //Determine image xform
++            xform = new AffineTransform();
++            xform.translate(this.x, this.y);
++            xform.scale(this.width / img.getWidth(), this.height / 
img.getHeight());
++        }
+ 
+         bounds = new Rectangle2D.Float(this.x, this.y, this.width, 
this.height);
+     }
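Review bot: in the second ImageSVG.java hunk, the new "if (imageSrc != null)" guard leaves xform unassigned when the href was rejected, while the existing "img == null" path sets xform = new AffineTransform() and an empty bounds before returning. With imageSrc null the method now falls through to bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height) with xform at whatever value it held before, so the rejected-href case and the failed-to-load case end in different states. Handling imageSrc == null the same way as img == null (identity xform, empty bounds, return) would keep the two paths consistent and avoid any later use of an unset transform.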
+@@ -328,16 +318,14 @@ public class ImageSVG extends Renderable
+             {
+                 URI src = sty.getURIValue(getXMLBase());
+ 
+-                URL newVal;
++                URL newVal = null;
++                // CVE-2017-5617: Allow only data scheme
+                 if ("data".equals(src.getScheme()))
+                 {
+                     newVal = new URL(null, src.toASCIIString(), new 
Handler());
+-                } else
+-                {
+-                    newVal = src.toURL();
+                 }
+ 
+-                if (!newVal.equals(imageSrc))
++                if (newVal != null && !newVal.equals(imageSrc))
+                 {
+                     imageSrc = newVal;
+                     shapeChange = true;
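Review bot: in the third ImageSVG.java hunk, "newVal != null && !newVal.equals(imageSrc)" means that when an element's xlink:href changes from a data: URI to a rejected scheme, newVal stays null, imageSrc is not updated and shapeChange is not set, so the previously loaded image remains in place. If a rejected reference is meant to show nothing, set imageSrc to null and shapeChange to true in that case; if keeping the old image is intended, a short comment saying so would help the next reader.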
diff -Nru svgsalamander-1.1.1+dfsg/debian/patches/series 
svgsalamander-1.1.1+dfsg/debian/patches/series
--- svgsalamander-1.1.1+dfsg/debian/patches/series      2016-08-13 
20:52:08.000000000 +0200
+++ svgsalamander-1.1.1+dfsg/debian/patches/series      2017-02-02 
07:30:09.000000000 +0100
@@ -3,3 +3,4 @@
 0003-Modify-javadoc-target-to-add-links-to-system-API-doc.patch
 0005-dont-call-netbeans-ant-tasks.patch
 0006-modify-broken-upstream-pom.patch
+0007-CVE-2017-5617-Allow-only-data-scheme.patch

--- End Message ---
--- Begin Message ---
Bas Couwenberg:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> 
> Please unblock package svgsalamander
> 
> It contains a patch by Vincent Privat to fix CVE-2017-5617 (#853134).
> 
> unblock svgsalamander/1.1.1+dfsg-2
> 
> Kind Regards,
> 
> Bas
> 

Unblocked, thanks.

~Niels

--- End Message ---
