This is an automated email from the git hooks/post-receive script. sebastic pushed a commit to branch master in repository svgsalamander.
commit 1831801120fe371f2c19b8fffc11d4188d9ea51c Author: Bas Couwenberg <[email protected]> Date: Thu Feb 2 07:36:32 2017 +0100 Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF). (closes: #853134) --- debian/changelog | 8 ++ ...0007-CVE-2017-5617-Allow-only-data-scheme.patch | 109 +++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 118 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d531569..d885c42 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+svgsalamander (1.1.1+dfsg-2) UNRELEASED; urgency=medium
+
+ * Team upload.
+ * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
+ (closes: #853134)
+
+ -- Bas Couwenberg <[email protected]> Thu, 02 Feb 2017 07:34:57 +0100
+
 svgsalamander (1.1.1+dfsg-1) unstable; urgency=medium
 * Team upload.
diff --git a/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch b/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
new file mode 100644
index 0000000..647fb88
--- /dev/null
+++ b/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
@@ -0,0 +1,109 @@ +Description: Fix CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery) + See: http://www.openwall.com/lists/oss-security/2017/01/27/3 +Author: Vincent Privat +Origin: https://josm.openstreetmap.de/changeset/11526/josm +Bug: https://github.com/blackears/svgSalamander/issues/11 +Bug-Debian: https://bugs.debian.org/853134 + +--- a/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java ++++ b/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java +@@ -112,21 +112,10 @@ public class ImageSVG extends Renderable + if (getPres(sty.setName("xlink:href"))) + { + URI src = sty.getURIValue(getXMLBase()); ++ // CVE-2017-5617: Allow only data scheme + if ("data".equals(src.getScheme())) + { + imageSrc = new URL(null, src.toASCIIString(), new Handler()); +- } else +- { +- try +- { +- imageSrc = src.toURL(); +- } catch (Exception e) +- { +- Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING, +- "Could not parse xlink:href " + src, e); +-// e.printStackTrace(); +- imageSrc = null; +- } + } + } + } catch (Exception e) +@@ -134,32 +123,33 @@ public class ImageSVG extends Renderable + throw new SVGException(e); + } + +- diagram.getUniverse().registerImage(imageSrc); +- +- //Set widths if not set +- BufferedImage img = diagram.getUniverse().getImage(imageSrc); +- if (img == null) ++ if (imageSrc != null) + { +- xform = new AffineTransform(); +- bounds = new Rectangle2D.Float(); +- return; +- } ++ diagram.getUniverse().registerImage(imageSrc); + +- if (width == 0) +- { +- width = img.getWidth(); +- } +- if (height == 0) +- { +- height = img.getHeight(); +- } ++ //Set widths if not set ++ BufferedImage img = diagram.getUniverse().getImage(imageSrc); ++ if (img == null) ++ { ++ xform = new AffineTransform(); ++ bounds = new Rectangle2D.Float(); ++ return; ++ } + +- //Determine image xform +- xform = new AffineTransform(); +-// xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight()); +-// xform.translate(this.x, this.y); +- 
xform.translate(this.x, this.y);
+- xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
++ if (width == 0)
++ {
++ width = img.getWidth();
++ }
++ if (height == 0)
++ {
++ height = img.getHeight();
++ }
++
++ //Determine image xform
++ xform = new AffineTransform();
++ xform.translate(this.x, this.y);
++ xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
++ }
+
+ bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height);
+ }
+@@ -328,16 +318,14 @@ public class ImageSVG extends Renderable
+ {
+ URI src = sty.getURIValue(getXMLBase());
+
+- URL newVal;
++ URL newVal = null;
++ // CVE-2017-5617: Allow only data scheme
+ if ("data".equals(src.getScheme()))
+ {
+ newVal = new URL(null, src.toASCIIString(), new Handler());
+- } else
+- {
+- newVal = src.toURL();
+ }
+
+- if (!newVal.equals(imageSrc))
++ if (newVal != null && !newVal.equals(imageSrc))
+ {
+ imageSrc = newVal;
+ shapeChange = true;
diff --git a/debian/patches/series b/debian/patches/series
index a396b50..c9b061b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
 0003-Modify-javadoc-target-to-add-links-to-system-API-doc.patch
 0005-dont-call-netbeans-ant-tasks.patch
 0006-modify-broken-upstream-pom.patch
+0007-CVE-2017-5617-Allow-only-data-scheme.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/svgsalamander.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
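Review bot: A non-`data:` xlink:href is now dropped silently — the removed `else` branch at least logged a warning, but after this patch an SVG that points at an external image leaves no trace, so a blocked SSRF attempt is invisible to whoever operates the service; an `else` on the scheme check in the first and third nested hunks, e.g. `Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING, "Ignoring non-data xlink:href " + src);`, would give the rejection the same visibility the old failure path had. In the second nested hunk the new `if (imageSrc != null)` guard encloses every assignment to `xform`, while `bounds` is still assigned unconditionally after it, so an element whose href was rejected leaves `xform` at whatever it held before (presumably null on a first build); if code outside these hunks dereferences `xform`, initialise it with `else { xform = new AffineTransform(); }` mirroring the existing `img == null` path. `URI.getScheme()` preserves case, so `"data".equals(src.getScheme())` also rejects an upper-case `DATA:` scheme — that fails closed, which is the right default, but the `// CVE-2017-5617: Allow only data scheme` comment could say so. The enclosing methods start and end outside these hunks.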

