Bug 20206

Summary: svgsalamander new security issue CVE-2017-5617
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: Nicolas Lécureuil <mageia>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: geiger.david68210, rverschelde
Version: 5   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://lwn.net/Vulnerabilities/713563/
Whiteboard:
Source RPM: svgsalamander-0.1.39-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-01-29 17:44:22 CET
A CVE has been assigned for a security issue in svgsalamander:
http://openwall.com/lists/oss-security/2017/01/29/2

No fix is available at this time.  Mageia 5 is also affected.

David Walser 2017-01-29 17:44:36 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-02-04 16:29:36 CET
Debian-LTS has issued an advisory for this on February 3:
https://lwn.net/Alerts/713530/

URL: (none) => https://lwn.net/Vulnerabilities/713563/

Comment 2 Rémi Verschelde 2017-03-06 19:11:38 CET
Upstream bug report: https://github.com/blackears/svgSalamander/issues/11

There was an upstream PR but it was rejected two days ago, so I guess we should wait for a better patch: https://github.com/blackears/svgSalamander/pull/12

Comment 3 Rémi Verschelde 2017-03-06 19:12:58 CET
(In reply to Rémi Verschelde from comment #2) 
> There was an upstream PR but it was rejected two days ago, so I guess we
> should wait for a better patch:
> https://github.com/blackears/svgSalamander/pull/12

Note that it's the patch Debian used. But at that time it hadn't been rejected by upstream yet - I would advise that we wait a bit.
http://metadata.ftp-master.debian.org/changelogs/main/s/svgsalamander/svgsalamander_1.1.1+dfsg-2_changelog

Comment 4 David Walser 2017-06-04 20:44:24 CEST
This is the commit that upstream went with to fix this:
https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58

CC: (none) => rverschelde

Comment 5 David Walser 2017-06-04 20:45:57 CEST
private boolean imageDataInlineOnly = false;

was added to SVGUniverse.java, but I think it should be set to true by default to really fix this issue.

Comment 6 David Walser 2017-06-04 21:01:04 CEST
That's the solution I went with in svgsalamander-1.1.1-2.mga6.

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 7 David Walser 2017-12-27 04:36:22 CET
We won't be fixing this kind of stuff for Mageia 5.

Resolution: (none) => OLD
Status: NEW => RESOLVED