| Summary: | svgsalamander new security issue CVE-2017-5617 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Nicolas Lécureuil <mageia> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | geiger.david68210, rverschelde |
| Version: | 5 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://lwn.net/Vulnerabilities/713563/ | ||
| Whiteboard: | |||
| Source RPM: | svgsalamander-0.1.39-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2017-01-29 17:44:22 CET
David Walser
2017-01-29 17:44:36 CET
CC:
(none) =>
geiger.david68210 Debian-LTS has issued an advisory for this on February 3: https://lwn.net/Alerts/713530/ URL:
(none) =>
https://lwn.net/Vulnerabilities/713563/ Upstream bug report: https://github.com/blackears/svgSalamander/issues/11 There was an upstream PR but it was rejected two days ago, so I guess we should wait for a better patch: https://github.com/blackears/svgSalamander/pull/12 (In reply to Rémi Verschelde from comment #2) > There was an upstream PR but it was rejected two days ago, so I guess we > should wait for a better patch: > https://github.com/blackears/svgSalamander/pull/12 Note that it's the patch Debian used. But at that time it hadn't been rejected by upstream yet - I would advise that we wait a bit. http://metadata.ftp-master.debian.org/changelogs/main/s/svgsalamander/svgsalamander_1.1.1+dfsg-2_changelog This is the commit that upstream went with to fix this: https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58 CC:
(none) =>
rverschelde private boolean imageDataInlineOnly = false; was added to SVGUniverse.java, but I think it should be set to true by default to really fix this issue. That's the solution I went with in svgsalamander-1.1.1-2.mga6. Whiteboard:
MGA5TOO =>
(none) We won't be fixing this kind of stuff for Mageia 5. Resolution:
(none) =>
OLD |