Bug#854028: unblock: svgsalamander/1.1.1+dfsg-2
Bas Couwenberg
sebastic at xs4all.nl
Fri Feb 3 09:02:40 UTC 2017
Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: unblock
Please unblock package svgsalamander
It contains a patch by Vincent Privat to fix CVE-2017-5617 (#853134).
unblock svgsalamander/1.1.1+dfsg-2
Kind Regards,
Bas
-------------- next part --------------
diff -Nru svgsalamander-1.1.1+dfsg/debian/changelog svgsalamander-1.1.1+dfsg/debian/changelog
--- svgsalamander-1.1.1+dfsg/debian/changelog 2016-08-22 08:31:39.000000000 +0200
+++ svgsalamander-1.1.1+dfsg/debian/changelog 2017-02-03 08:39:45.000000000 +0100
@@ -1,3 +1,11 @@
+svgsalamander (1.1.1+dfsg-2) unstable; urgency=medium
+
+ * Team upload.
+ * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
+ (closes: #853134)
+
+ -- Bas Couwenberg <sebastic at debian.org> Fri, 03 Feb 2017 08:39:45 +0100
+
svgsalamander (1.1.1+dfsg-1) unstable; urgency=medium
* Team upload.
diff -Nru svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch
--- svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch 1970-01-01 01:00:00.000000000 +0100
+++ svgsalamander-1.1.1+dfsg/debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch 2017-02-02 07:34:34.000000000 +0100
@@ -0,0 +1,109 @@
+Description: Fix CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)
+ See: http://www.openwall.com/lists/oss-security/2017/01/27/3
+Author: Vincent Privat
+Origin: https://josm.openstreetmap.de/changeset/11526/josm
+Bug: https://github.com/blackears/svgSalamander/issues/11
+Bug-Debian: https://bugs.debian.org/853134
+
+--- a/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
++++ b/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
+@@ -112,21 +112,10 @@ public class ImageSVG extends Renderable
+ if (getPres(sty.setName("xlink:href")))
+ {
+ URI src = sty.getURIValue(getXMLBase());
++ // CVE-2017-5617: Allow only data scheme
+ if ("data".equals(src.getScheme()))
+ {
+ imageSrc = new URL(null, src.toASCIIString(), new Handler());
+- } else
+- {
+- try
+- {
+- imageSrc = src.toURL();
+- } catch (Exception e)
+- {
+- Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING,
+- "Could not parse xlink:href " + src, e);
+-// e.printStackTrace();
+- imageSrc = null;
+- }
+ }
+ }
+ } catch (Exception e)
+@@ -134,32 +123,33 @@ public class ImageSVG extends Renderable
+ throw new SVGException(e);
+ }
+
+- diagram.getUniverse().registerImage(imageSrc);
+-
+- //Set widths if not set
+- BufferedImage img = diagram.getUniverse().getImage(imageSrc);
+- if (img == null)
++ if (imageSrc != null)
+ {
+- xform = new AffineTransform();
+- bounds = new Rectangle2D.Float();
+- return;
+- }
++ diagram.getUniverse().registerImage(imageSrc);
+
+- if (width == 0)
+- {
+- width = img.getWidth();
+- }
+- if (height == 0)
+- {
+- height = img.getHeight();
+- }
++ //Set widths if not set
++ BufferedImage img = diagram.getUniverse().getImage(imageSrc);
++ if (img == null)
++ {
++ xform = new AffineTransform();
++ bounds = new Rectangle2D.Float();
++ return;
++ }
+
+- //Determine image xform
+- xform = new AffineTransform();
+-// xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight());
+-// xform.translate(this.x, this.y);
+- xform.translate(this.x, this.y);
+- xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
++ if (width == 0)
++ {
++ width = img.getWidth();
++ }
++ if (height == 0)
++ {
++ height = img.getHeight();
++ }
++
++ //Determine image xform
++ xform = new AffineTransform();
++ xform.translate(this.x, this.y);
++ xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
++ }
+
+ bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height);
+ }
+@@ -328,16 +318,14 @@ public class ImageSVG extends Renderable
+ {
+ URI src = sty.getURIValue(getXMLBase());
+
+- URL newVal;
++ URL newVal = null;
++ // CVE-2017-5617: Allow only data scheme
+ if ("data".equals(src.getScheme()))
+ {
+ newVal = new URL(null, src.toASCIIString(), new Handler());
+- } else
+- {
+- newVal = src.toURL();
+ }
+
+- if (!newVal.equals(imageSrc))
++ if (newVal != null && !newVal.equals(imageSrc))
+ {
+ imageSrc = newVal;
+ shapeChange = true;
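Review bot: In both places where the `"data".equals(src.getScheme())` check now stands alone (the build-time hunk at -112 and the update hunk at -328), a rejected `xlink:href` is dropped silently and `imageSrc` keeps its previous value. In the update path this means an href that changes from a `data:` URI to any other scheme leaves the earlier image in place, with nothing in the log. An `else` branch modelled on the logger call this patch removes would make blocked references visible, for example `else { Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING, "Ignoring xlink:href with non-data scheme: " + src.getScheme()); }`; logging only the scheme keeps the document-supplied URL out of the log. Since `getURIValue(getXMLBase())` presumably resolves against the document base, relative and `file:` references are now ignored too, which the comment could state: `// CVE-2017-5617: only inline data: URIs are loaded; http(s), file and relative hrefs are ignored`. Both methods begin and end outside the visible hunks, so whether `xform` is ever left unset when `imageSrc` is null could not be checked here.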
diff -Nru svgsalamander-1.1.1+dfsg/debian/patches/series svgsalamander-1.1.1+dfsg/debian/patches/series
--- svgsalamander-1.1.1+dfsg/debian/patches/series 2016-08-13 20:52:08.000000000 +0200
+++ svgsalamander-1.1.1+dfsg/debian/patches/series 2017-02-02 07:30:09.000000000 +0100
@@ -3,3 +3,4 @@
0003-Modify-javadoc-target-to-add-links-to-system-API-doc.patch
0005-dont-call-netbeans-ant-tasks.patch
0006-modify-broken-upstream-pom.patch
+0007-CVE-2017-5617-Allow-only-data-scheme.patch