[svgsalamander] 01/02: Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).

Bas Couwenberg sebastic at debian.org
Fri Feb 3 08:30:41 UTC 2017 

This is an automated email from the git hooks/post-receive script.

sebastic pushed a commit to branch wheezy
in repository svgsalamander.

commit 0463aaee3bee4c864869832a1cbac9986e1bb16b
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date:   Thu Feb 2 07:36:32 2017 +0100

    Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
    
    (closes: #853134)
---
 debian/changelog                                   |  8 ++
 ...0007-CVE-2017-5617-Allow-only-data-scheme.patch | 98 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 107 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 8f89009..4b4153e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+svgsalamander (0~svn95-1+deb8u1) UNRELEASED; urgency=high
+
+  * Team upload.
+  * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
+    (closes: #853134)
+
+ -- Bas Couwenberg <sebastic at debian.org>  Thu, 02 Feb 2017 07:34:57 +0100
+
 svgsalamander (0~svn95-1) unstable; urgency=low
 
   * Initial release (Closes: #613293)
diff --git a/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch b/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
new file mode 100644
index 0000000..bbde3ea
--- /dev/null
+++ b/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
@@ -0,0 +1,98 @@
+Description: Fix CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)
+ See: http://www.openwall.com/lists/oss-security/2017/01/27/3
+Author: Vincent Privat
+Origin: https://josm.openstreetmap.de/changeset/11526/josm
+Bug: https://github.com/blackears/svgSalamander/issues/11
+Bug-Debian: https://bugs.debian.org/853134
+
+--- a/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
++++ b/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
+@@ -80,21 +80,11 @@ public class ImageSVG extends Renderable
+             if (getPres(sty.setName("xlink:href")))
+             {
+                 URI src = sty.getURIValue(getXMLBase());
++                // CVE-2017-5617: Allow only data scheme
+                 if ("data".equals(src.getScheme()))
+                 {
+                     imageSrc = new URL(null, src.toASCIIString(), new Handler());
+                 }
+-                else
+-                {
+-                    try {
+-                        imageSrc = src.toURL();
+-                    }
+-                    catch (Exception e)
+-                    {
+-                        e.printStackTrace();
+-                        imageSrc = null;
+-                    }
+-                }
+             }
+         }
+         catch (Exception e)
+@@ -102,27 +92,30 @@ public class ImageSVG extends Renderable
+             throw new SVGException(e);
+         }
+ 
+-        diagram.getUniverse().registerImage(imageSrc);
+-        
+-        //Set widths if not set
+-        BufferedImage img = diagram.getUniverse().getImage(imageSrc);
+-        if (img == null)
++        if (imageSrc != null)
+         {
++            diagram.getUniverse().registerImage(imageSrc);
++            
++            //Set widths if not set
++            BufferedImage img = diagram.getUniverse().getImage(imageSrc);
++            if (img == null)
++            {
++                xform = new AffineTransform();
++                bounds = new Rectangle2D.Float();
++                return;
++            }
++            
++            if (width == 0) width = img.getWidth();
++            if (height == 0) height = img.getHeight();
++            
++            //Determine image xform
+             xform = new AffineTransform();
+-            bounds = new Rectangle2D.Float();
+-            return;
++    //        xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight());
++    //        xform.translate(this.x, this.y);
++            xform.translate(this.x, this.y);
++            xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
+         }
+         
+-        if (width == 0) width = img.getWidth();
+-        if (height == 0) height = img.getHeight();
+-        
+-        //Determine image xform
+-        xform = new AffineTransform();
+-//        xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight());
+-//        xform.translate(this.x, this.y);
+-        xform.translate(this.x, this.y);
+-        xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
+-        
+         bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height);
+     }
+     
+@@ -254,9 +247,15 @@ public class ImageSVG extends Renderable
+             if (getPres(sty.setName("xlink:href")))
+             {
+                 URI src = sty.getURIValue(getXMLBase());
+-                URL newVal = src.toURL();
++
++                URL newVal = null;
++                // CVE-2017-5617: Allow only data scheme
++                if ("data".equals(src.getScheme()))
++                {
++                    newVal = new URL(null, src.toASCIIString(), new Handler());
++                }
+                 
+-                if (!newVal.equals(imageSrc))
++                if (newVal != null && !newVal.equals(imageSrc))
+                 {
+                     imageSrc = newVal;
+                     shapeChange = true;
diff --git a/debian/patches/series b/debian/patches/series
index a1749da..6db8559 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 0002-Disable-useless-automated-jar-signing.patch
 0003-Modify-javadoc-target-to-add-links-to-system-API-doc.patch
 0004-Use-system-awt-gradient-instead-of-the-embedded-bati.patch
+0007-CVE-2017-5617-Allow-only-data-scheme.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/svgsalamander.git

More information about the pkg-java-commits mailing list