Bug#853134: CVE-2017-5617: svgSalamander

Felix Natter fnatter at gmx.net
Wed Feb 1 08:13:40 UTC 2017


hello d-gis/Bas,

there is a security vulnerability in svgSalamander:
  https://github.com/blackears/svgSalamander/issues/11

The problem occurs when including raster/svg images via <image>.
The reporter says "How to fix - any schemes apart from data in the
xlink:href attribute should be disallowed"

--> I am not aware of svgSalamander properties (the only other toggle I
can think of is java system properties), so can we _disable_ other
schemes? I don't think that breaks SVG rendering in Freeplane, how
about josm / other applications?

http://stackoverflow.com/questions/6249664/does-svg-support-embedding-of-bitmap-images
--> the data: scheme seems to provide a way for including base64 encoded
raster/svg images inline in an SVG.

--> Can we discuss how to fix this?

Or shall we wait until Mark (the upstream author) fixes this
(might take a month)? Or at least ping him for a solution?

Cheers and Best Regards,
-- 
Felix Natter
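The mitigation the reporter proposes above (allow only the data: scheme in an <image> element's href) can be checked independently of the renderer. The following is an added, standalone illustration written for this page; it is not svgSalamander code and does not reflect how svgSalamander parses SVG. The helper names (image_hrefs, is_allowed_href, disallowed_image_hrefs) and the sample SVG are constructed for the example. It walks every <image> element, reads the xlink:href attribute (falling back to the plain href attribute that SVG 2 permits) and reports any reference that is not a data: URI, which covers file:, http(s):, jar: and scheme-less relative paths alike.

```python
"""Added example: flag <image> references that use any scheme other than data:.

Hypothetical helper written for this discussion, not svgSalamander's own code.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample document: one inline data: image and three references
# that the proposed policy should reject.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="4" height="1">
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
  <image xlink:href="file:///tmp/not-allowed.png" width="1" height="1"/>
  <image href="https://example.invalid/x.png" width="1" height="1"/>
  <image xlink:href="../../local.png" width="1" height="1"/>
</svg>"""


def image_hrefs(svg_text):
    """Return the href value of every <image> element, in document order."""
    root = ET.fromstring(svg_text)
    hrefs = []
    for el in root.iter("{%s}image" % SVG_NS):
        href = el.get("{%s}href" % XLINK_NS)
        if href is None:
            # SVG 2 allows an un-namespaced href attribute as well.
            href = el.get("href")
        if href is not None:
            hrefs.append(href)
    return hrefs


def is_allowed_href(href):
    """Accept only data: URIs.

    URI schemes are case-insensitive, so the comparison is done on the
    lower-cased, whitespace-stripped value. Anything else, including a
    scheme-less relative path, is rejected because it would make the
    renderer fetch a resource outside the document.
    """
    return href.strip().lower().startswith("data:")


def disallowed_image_hrefs(svg_text):
    """List every <image> reference that the data:-only policy would refuse."""
    return [h for h in image_hrefs(svg_text) if not is_allowed_href(h)]


if __name__ == "__main__":
    for rejected in disallowed_image_hrefs(SAMPLE_SVG):
        print("rejected:", rejected)
```

The check is deliberately a whitelist: it asks "is this a data: URI?" rather than trying to enumerate dangerous schemes, so a scheme the author did not think of is refused by default. For documents from untrusted sources the XML parsing itself also deserves attention; the standard library parser used here does not fetch external entities, but a hardened parser such as defusedxml is the usual choice when the input is hostile.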
