Bug 24592

Summary: svgsalamander new security issue CVE-2017-5617
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, geiger.david68210, herman.viaene, mageia, sysadmin-bugs, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: svgsalamander-1.1.1-3.mga7.src.rpm CVE:
Status comment: Fixed upstream in 1.1.2

Description David Walser 2019-03-29 14:54:38 CET 
Fedora has issued an advisory today (March 29):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UPUOI6NCEB6H6YHKN7M4V3CAQD63NXAU/

The issue is fixed upstream in 1.1.2.

Mageia 6 is also affected.
David Walser 2019-03-29 14:54:51 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.1.2

Comment 1 David GEIGER 2019-03-29 16:07:07 CET 
Fixed both mga6 and cauldron!

CC: (none) => geiger.david68210

Comment 2 David Walser 2019-03-29 16:07:53 CET 
Advisory:
========================

Updated svgsalamander package fixes security vulnerability:

A vulnerability was found in the svgsalamander library. If the library is being
used in a web application for processing user supplied SVG files then the app
is vulnerable to SSRF (CVE-2017-5617).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5617
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UPUOI6NCEB6H6YHKN7M4V3CAQD63NXAU/
========================

Updated packages in core/updates_testing:
========================
svgsalamander-1.1.2-1.mga6
svgsalamander-javadoc-1.1.2-1.mga6

from svgsalamander-1.1.2-1.mga6.src.rpm

Version: Cauldron => 6
Assignee: java => qa-bugs
Whiteboard: MGA6TOO => (none)

Comment 3 Herman Viaene 2019-04-16 16:22:17 CEST 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Tried to find some testcase, but all I find delves too deep for me in Java.
Tried:
# urpmq --whatrequires svgsalamander
josm
svgsalamander

So installed josm, but when I try to use it from the CLI it first throws pages of errors, finally starts up, but loading any of the maps available from the menu just results in a black screen even after 20 min.
Of course in such case, there are no refs to svgsalamander in the trace.
Clean install is all I get at the moment.

CC: (none) => herman.viaene

Comment 4 David Walser 2019-04-16 17:58:22 CEST 
Clean install and upgrade are sufficient.
Comment 5 Herman Viaene 2019-04-17 09:57:32 CEST 
OK, will be done.

Whiteboard: (none) => MGA6-32-OK

Comment 6 PC LX 2019-04-24 19:21:12 CEST 
Installed and tested without issue.

System: Mageia 6, x86_64, Plasma DE, LXQt DE, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

Tested using josm. There were some error messages when starting josm but nothing related to svgsalamander.

$ uname -a
Linux marte 4.14.106-desktop-1.mga6 #1 SMP Thu Mar 14 18:01:29 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 7 Thomas Andrews 2019-04-28 03:57:59 CEST 
Validating. Advisory in Comment 2

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-05-12 09:23:11 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-05-12 11:37:04 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0160.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED