Bug#853134: CVE-2017-5617: svgSalamander

Bas Couwenberg sebastic at xs4all.nl
Wed Feb 1 08:35:23 UTC 2017


Hi Felix,

On 2017-02-01 09:13, Felix Natter wrote:
> there is a security vulnerability in svgSalamander:
>   https://github.com/blackears/svgSalamander/issues/11

I've been following that issue since it popped up on my DMD TODO list.

> The problem occurs when including raster/svg images via <image>.
> The reporter says "How to fix - any schemes apart from data in the
> xlink:href attribute should be disallowed"

The fix for svgSalamander is probably to patch the code which handles 
xlink:href and return NULL for any value that doesn't start with 
"data:", or something along those lines.

> --> I am not aware of svgSalamander properties (the only other toggle I
> can think of is java system properties), so can we _disable_ other
> schemes? I don't think that breaks SVG rendering in Freeplane, how
> about josm / other applications?

I don't know if it will break JOSM, but I suspect it won't. We'll have 
to test it with the patched svgsalamander when it's available.

> http://stackoverflow.com/questions/6249664/does-svg-support-embedding-of-bitmap-images
> --> data: schema seems to provide a way for including base64 encoded
> raster/svg images inline in an SVG.
> 
> --> Can we discuss how to fix this?

Sure, ideally upstream is included in that discussion.

> Or shall we wait until Mark (the upstream author) fixes this
> (might take a month)? Or at least ping him for a solution?

Pinging him is a good idea, upstream needs to be involved in resolving 
this issue.

Including the JOSM developers (josm-dev at openstreetmap.org) is also a 
good idea, they (and Vincent Privat in particular) have contributed 
patches to svgSalamander recently.

I'll report the issue in the JOSM Trac since it also affects the 
embedded copy in their upstream SVN repo.

Kind Regards,

Bas
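
An added example, not part of the original message and not svgSalamander's own code: one way to implement the check discussed above, where an `xlink:href` value resolves to image bytes only when it is an inline base64 `data:` URI and yields null for every other scheme. The class name `HrefPolicy`, the method `resolveImageHref`, the media-type allow-list and the sample values are assumptions made for illustration.

```java
import java.util.Base64;
import java.util.Locale;
import java.util.Set;

public class HrefPolicy {
    // Assumed allow-list; restrict it to the image types the renderer really needs.
    private static final Set<String> ALLOWED_TYPES =
            Set.of("image/png", "image/jpeg", "image/gif", "image/svg+xml");

    /** Returns the decoded bytes of an inline data: URI, or null for anything else. */
    static byte[] resolveImageHref(String href) {
        if (href == null) return null;
        String value = href.trim();
        // URI schemes are case-insensitive, so "DATA:" must match as well.
        if (!value.regionMatches(true, 0, "data:", 0, 5)) return null;
        int comma = value.indexOf(',');
        if (comma < 0) return null; // malformed: no payload separator
        String[] params = value.substring(5, comma).toLowerCase(Locale.ROOT).split(";");
        if (!ALLOWED_TYPES.contains(params[0].trim())) return null;
        // Only base64 payloads are accepted here; percent-encoded text is refused.
        if (!params[params.length - 1].trim().equals("base64")) return null;
        try {
            return Base64.getDecoder().decode(value.substring(comma + 1));
        } catch (IllegalArgumentException e) {
            return null; // payload is not valid base64
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the bug report.
        String[] samples = {
            "data:image/png;base64,iVBORw0KGgo=",   // inline image: accepted
            "DATA:image/png;base64,iVBORw0KGgo=",   // same, upper-case scheme
            "http://example.invalid/logo.png",      // remote fetch: refused
            "file:///tmp/logo.png",                 // local file read: refused
            "data:text/html;base64,PGI+",           // type not on the allow-list
            "data:image/png;base64,***"             // invalid base64
        };
        for (String s : samples) {
            byte[] bytes = resolveImageHref(s);
            System.out.println((bytes == null ? "REFUSED " : "ACCEPTED") + "  " + s);
        }
    }
}
```

If `image/svg+xml` stays on the allow-list, the decoded nested SVG has to pass through the same check when it is rendered, otherwise its own `<image>` elements bypass the restriction.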


