A CVE has been assigned for a security issue in svgsalamander:
http://openwall.com/lists/oss-security/2017/01/29/2
No fix is available at this time. Mageia 5 is also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO
Debian-LTS has issued an advisory for this on February 3: https://lwn.net/Alerts/713530/
URL: (none) => https://lwn.net/Vulnerabilities/713563/
Upstream bug report: https://github.com/blackears/svgSalamander/issues/11
There was an upstream PR but it was rejected two days ago, so I guess we should wait for a better patch: https://github.com/blackears/svgSalamander/pull/12
(In reply to Rémi Verschelde from comment #2)
> There was an upstream PR but it was rejected two days ago, so I guess we
> should wait for a better patch:
> https://github.com/blackears/svgSalamander/pull/12

Note that it's the patch Debian used. But at that time it hadn't been rejected by upstream yet - I would advise that we wait a bit.
http://metadata.ftp-master.debian.org/changelogs/main/s/svgsalamander/svgsalamander_1.1.1+dfsg-2_changelog
This is the commit that upstream went with to fix this: https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58
CC: (none) => rverschelde
private boolean imageDataInlineOnly = false; was added to SVGUniverse.java, but I think it should be set to true by default to really fix this issue.
That's the solution I went with in svgsalamander-1.1.1-2.mga6.
Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5
We won't be fixing this kind of stuff for Mageia 5.
Resolution: (none) => OLD
Status: NEW => RESOLVED