Bug#853134: CVE-2017-5617: svgSalamander

2017-02-03 Thread Sebastiaan Couwenberg
On 02/02/2017 07:09 PM, Sebastiaan Couwenberg wrote:
> On 02/02/2017 07:44 AM, Sebastiaan Couwenberg wrote:
>> On 02/01/2017 10:08 AM, Bas Couwenberg wrote:
>>> On 2017-02-01 09:35, Bas Couwenberg wrote:
>>>> Including the JOSM developers (josm-...@openstreetmap.org) is also a
>>>> good idea, they (and Vincent Privat in particular) have contributed
>>>> patches to svgSalamander recently.
>>>>
>>>> I'll report the issue in the JOSM Trac since it also affects the
>>>> embedded copy in their upstream SVN repo.
>>>
>>> JOSM issue: https://josm.openstreetmap.de/ticket/14319
>>
>> Vincent Privat has fixed the issue for JOSM, and I've added a patch to
>> the svgsalamander Debian package with his changes.
>>
>> We may want to include the regression test too, but I'm not sure how
>> that works in svgsalamander.
>>
>> If we can't do that easily, we should just keep the patch as-is without
>> the regression tests that are included for JOSM.
> 
> I want the fixed package uploaded ASAP, preferably today because
> tomorrow I leave for FOSDEM and am not likely to be able to do an upload.

I've uploaded the fixed svgsalamander to unstable, and also ported the
patch to the package in jessie & wheezy.

I'll coordinate with the security & LTS teams before uploading the
package for jessie & wheezy.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1

__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.


Bug#853134: CVE-2017-5617: svgSalamander

2017-02-02 Thread Sebastiaan Couwenberg
On 02/02/2017 07:44 AM, Sebastiaan Couwenberg wrote:
> Control: tags -1 pending
> 
> On 02/01/2017 10:08 AM, Bas Couwenberg wrote:
>> On 2017-02-01 09:35, Bas Couwenberg wrote:
>>> Including the JOSM developers (josm-...@openstreetmap.org) is also a
>>> good idea, they (and Vincent Privat in particular) have contributed
>>> patches to svgSalamander recently.
>>>
>>> I'll report the issue in the JOSM Trac since it also affects the
>>> embedded copy in their upstream SVN repo.
>>
>> JOSM issue: https://josm.openstreetmap.de/ticket/14319
> 
> Vincent Privat has fixed the issue for JOSM, and I've added a patch to
> the svgsalamander Debian package with his changes.
> 
> We may want to include the regression test too, but I'm not sure how
> that works in svgsalamander.
> 
> If we can't do that easily, we should just keep the patch as-is without
> the regression tests that are included for JOSM.

I want the fixed package uploaded ASAP, preferably today because
tomorrow I leave for FOSDEM and am not likely to be able to do an upload.

Felix, have you had a look at the patch?

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Bug#853134: CVE-2017-5617: svgSalamander

2017-02-01 Thread Sebastiaan Couwenberg
Control: tags -1 pending

On 02/01/2017 10:08 AM, Bas Couwenberg wrote:
> On 2017-02-01 09:35, Bas Couwenberg wrote:
>> Including the JOSM developers (josm-...@openstreetmap.org) is also a
>> good idea, they (and Vincent Privat in particular) have contributed
>> patches to svgSalamander recently.
>>
>> I'll report the issue in the JOSM Trac since it also affects the
>> embedded copy in their upstream SVN repo.
> 
> JOSM issue: https://josm.openstreetmap.de/ticket/14319

Vincent Privat has fixed the issue for JOSM, and I've added a patch to
the svgsalamander Debian package with his changes.

We may want to include the regression test too, but I'm not sure how
that works in svgsalamander.

If we can't do that easily, we should just keep the patch as-is without
the regression tests that are included for JOSM.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1



Bug#853134: CVE-2017-5617: svgSalamander

2017-02-01 Thread Bas Couwenberg

On 2017-02-01 09:35, Bas Couwenberg wrote:
> Including the JOSM developers (josm-...@openstreetmap.org) is also a
> good idea, they (and Vincent Privat in particular) have contributed
> patches to svgSalamander recently.
>
> I'll report the issue in the JOSM Trac since it also affects the
> embedded copy in their upstream SVN repo.

JOSM issue: https://josm.openstreetmap.de/ticket/14319

Kind Regards,

Bas



Bug#853134: CVE-2017-5617: svgSalamander

2017-02-01 Thread Bas Couwenberg

Hi Felix,

On 2017-02-01 09:13, Felix Natter wrote:
> there is a security vulnerability in svgSalamander:
>   https://github.com/blackears/svgSalamander/issues/11

I've been following that issue since it popped up on my DMD TODO list.

> The problem occurs when including raster/svg images via .
> The reporter says "How to fix - any schemes apart from data in the
> xlink:href attribute should be disallowed"

The fix for svgSalamander is probably to patch the code which handles
xlink:href and return NULL for any value that doesn't start with
"data:", or something along those lines.

> --> I am not aware of svgSalamander properties (the only other toggle I
> can think of is java system properties), so can we _disable_ other
> schemes? I don't think that breaks SVG rendering in Freeplane, how
> about josm / other applications?

I don't know if it will break JOSM, but I suspect it won't. We'll have
to test it with the patched svgsalamander when it's available.

> http://stackoverflow.com/questions/6249664/does-svg-support-embedding-of-bitmap-images
> --> data: schema seems to provide a way for including base64 encoded
> raster/svg images inline in an SVG.
>
> --> Can we discuss how to fix this?

Sure, ideally upstream is included in that discussion.

> Or shall we wait until Mark (the upstream author) fixes this
> (might take a month)? Or at least ping him for a solution?

Pinging him is a good idea, upstream needs to be involved in resolving
this issue.

Including the JOSM developers (josm-...@openstreetmap.org) is also a
good idea, they (and Vincent Privat in particular) have contributed
patches to svgSalamander recently.

I'll report the issue in the JOSM Trac since it also affects the
embedded copy in their upstream SVN repo.


Kind Regards,

Bas
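
[Editor's added example, not the svgSalamander or JOSM patch discussed above, which this thread does not reproduce. It shows the shape of the fix Bas describes: a check on the xlink:href value that lets only data: URIs through and returns null for everything else, so the renderer skips the image instead of fetching file:, http:, jar: or any other resource. Because svgSalamander's own element classes are not on the page, the check is applied in a plain DOM walk over a constructed SVG; the class and method names ImageHrefFilter, allowOnlyData and acceptedImageHrefs are mine, and the sample SVG is constructed for the example.]

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/*
 * Added example, not svgSalamander's or JOSM's code: a scheme whitelist for
 * image hrefs that only lets data: URIs through. The DOM walk stands in for
 * wherever the real renderer resolves xlink:href (assumption).
 */
public final class ImageHrefFilter {
    private static final String SVG_NS   = "http://www.w3.org/2000/svg";
    private static final String XLINK_NS = "http://www.w3.org/1999/xlink";

    /**
     * Returns the href if its scheme is "data", otherwise null so the caller
     * skips the image instead of fetching it. Values without a scheme
     * (relative paths) and every other scheme (file:, http:, jar:, ...) are
     * rejected. The scheme comparison is case-insensitive, as RFC 3986
     * requires, so "DATA:" is treated the same as "data:".
     */
    public static String allowOnlyData(String href) {
        if (href == null) return null;
        String h = href.trim();
        int colon = h.indexOf(':');
        if (colon <= 0) return null;
        String scheme = h.substring(0, colon);
        // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
        if (!scheme.matches("[A-Za-z][A-Za-z0-9+.-]*")) return null;
        return "data".equals(scheme.toLowerCase(Locale.ROOT)) ? h : null;
    }

    /** Parses an SVG document and returns the image hrefs that pass the filter. */
    public static List<String> acceptedImageHrefs(String svg) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Separate hardening, not part of this bug: refusing a DOCTYPE also
        // keeps external entities out of the XML parser itself.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8)));

        List<String> accepted = new ArrayList<>();
        NodeList images = doc.getElementsByTagNameNS(SVG_NS, "image");
        for (int i = 0; i < images.getLength(); i++) {
            Element img = (Element) images.item(i);
            String href = img.getAttributeNS(XLINK_NS, "href");
            if (href.isEmpty()) href = img.getAttribute("href"); // SVG 2 unprefixed href
            String ok = allowOnlyData(href);
            if (ok != null) accepted.add(ok);
        }
        return accepted;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: one inline PNG, two external references that an
        // unpatched renderer would try to fetch, and a data: URI with odd casing.
        String svg = "<svg xmlns=\"" + SVG_NS + "\" xmlns:xlink=\"" + XLINK_NS + "\">\n"
            + "  <image width=\"1\" height=\"1\" xlink:href=\"data:image/png;base64,iVBORw0KGgo=\"/>\n"
            + "  <image width=\"1\" height=\"1\" xlink:href=\"file:///etc/passwd\"/>\n"
            + "  <image width=\"1\" height=\"1\" xlink:href=\"http://attacker.invalid/probe\"/>\n"
            + "  <image width=\"1\" height=\"1\" xlink:href=\" DATA:image/svg+xml;base64,PHN2Zy8+\"/>\n"
            + "</svg>\n";
        List<String> ok = acceptedImageHrefs(svg);
        System.out.println("accepted " + ok.size() + " of 4 image hrefs:");
        for (String h : ok) System.out.println("  " + h);
    }
}
```

Compile and run with javac ImageHrefFilter.java && java ImageHrefFilter (Java 8 or later, no dependencies beyond the JDK). Two things worth keeping in mind when porting the check into a real renderer: returning null rather than throwing, as Bas suggests, means an SVG that references external images still renders with those images left out, which is the behaviour Freeplane and JOSM users would notice least; and the filter only looks at the scheme, so when the accepted data: URI itself carries an SVG (as the fourth sample does) the nested document must go through the same check when it is parsed, otherwise an external reference can be smuggled in one level down.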



Bug#853134: CVE-2017-5617: svgSalamander

2017-02-01 Thread Felix Natter
hello d-gis/Bas,

there is a security vulnerability in svgSalamander:
  https://github.com/blackears/svgSalamander/issues/11

The problem occurs when including raster/svg images via .
The reporter says "How to fix - any schemes apart from data in the
xlink:href attribute should be disallowed"

--> I am not aware of svgSalamander properties (the only other toggle I
can think of is java system properties), so can we _disable_ other
schemes? I don't think that breaks SVG rendering in Freeplane, how
about josm / other applications?

http://stackoverflow.com/questions/6249664/does-svg-support-embedding-of-bitmap-images
--> data: schema seems to provide a way for including base64 encoded
raster/svg images inline in an SVG.

--> Can we discuss how to fix this?

Or shall we wait until Mark (the upstream author) fixes this
(might take a month)? Or at least ping him for a solution?

Cheers and Best Regards,
-- 
Felix Natter
