Hello,
Today I updated svgSalamander in JOSM to 1.1.2, because we faced a
rendering bug.
With the update I found a major regression in font handling, and also found
out that the CVE vulnerability wasn't correctly fixed upstream.
I created three pull requests matching the patches I applied in JOSM's
embedded copy:
https://github.com/blackears/svgSalamander/pull/30
https://github.com/blackears/svgSalamander/pull/32
https://github.com/blackears/svgSalamander/pull/33

I advise Debian to wait for a 1.1.3 release, or include those patches.
Cheers,
Vincent

On Sun, 23 Sep 2018 at 18:11, Sebastiaan Couwenberg <sebas...@xs4all.nl>
wrote:

> On 9/23/18 5:35 PM, Felix Natter wrote:
> > hello Debian-gis,
> >
> > for svgSalamander 1.1.2, a fix for CVE-2017-5617 [1] (#853134) was
> > upstreamed by Vincent Privat.
> >
> > [1] https://security-tracker.debian.org/tracker/CVE-2017-5617
> >
> > However, upstream included the patch modified [2], with a flag in the
> > "global data object" SVGUniverse, with the default being "allow it":
> >
> > [2] https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58
> >
> >> private boolean imageDataInlineOnly = false;
> >
> > I wonder whether this is good (enough) for Debian (and the rest of the
> > world), since we would need to make sure that this is set to true:
> >
> > SVGUniverse svgUniverse = new SVGUniverse();
> > svgUniverse.setImageDataInlineOnly(true);
>
> Vincent also noted this in the JOSM issue:
>
> "
>  Library author fixed it [differently](https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58).
>
>  When we update svgSalamander we must use
>  SVGUniverse.setImageDataInlineOnly(true)
> "
>
> https://josm.openstreetmap.de/ticket/14319#comment:8
>
> > in all projects using svgSalamander (which does not seem to be much for
> > Debian):
> >
> > $ apt-cache rdepends libsvgsalamander-java
> > libsvgsalamander-java
> > Reverse Depends:
> >   freeplane
> >   freeplane
> >   josm
> >   games-java-dev
> >
> > If we agree, then I will create an upstream issue.
> >
> > Also, is there value in updating svgSalamander from 1.1.1 to 1.1.2?
> > (I fixed a bug triggered in Freeplane in upstream, but Freeplane contains a
> > workaround). I can offer to do this, if we have an agreement for the
> > above issue.
>
> I don't think we have to update svgSalamander yet, but if you do, we'll
> need to patch JOSM.
>
> Kind Regards,
>
> Bas
>
>
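
The concern in the quoted messages, that every project using svgSalamander has to call setImageDataInlineOnly(true) because the upstream default is false, can be checked mechanically over a source tree. The following is an added example, not part of the original thread or of any project named in it: a heuristic per-file audit in Python, where the names audit_source and audit_tree and the sample Java snippets are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Construction of the universe object, e.g. "new SVGUniverse()".
CONSTRUCT = re.compile(r"\bnew\s+SVGUniverse\s*\(")
# The hardening call quoted in the thread, with a literal true argument.
HARDEN = re.compile(r"\.setImageDataInlineOnly\s*\(\s*true\s*\)")
# Java comments and string literals; blanked so a commented-out call does not count.
NOISE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"', re.S)

def audit_source(text):
    """Return the line numbers where SVGUniverse is constructed in a source
    file that never calls setImageDataInlineOnly(true); [] means no finding."""
    # Replace noise with spaces but keep newlines, so line numbers stay valid.
    code = NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), text)
    if HARDEN.search(code):
        return []
    return [code.count("\n", 0, m.start()) + 1 for m in CONSTRUCT.finditer(code)]

def audit_tree(root):
    """Audit every .java file under root; map path -> flagged line numbers."""
    findings = {}
    for path in sorted(Path(root).rglob("*.java")):
        lines = audit_source(path.read_text(encoding="utf-8", errors="replace"))
        if lines:
            findings[str(path)] = lines
    return findings

# Constructed samples (not taken from JOSM or Freeplane).
SAMPLE_DEFAULT = """class Icons {
    // svgUniverse.setImageDataInlineOnly(true);
    SVGUniverse svgUniverse = new SVGUniverse();
}
"""
SAMPLE_HARDENED = """class Icons {
    SVGUniverse svgUniverse = new SVGUniverse();
    { svgUniverse.setImageDataInlineOnly(true); }
}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, lines in audit_tree(sys.argv[1]).items():
            print(f"{name}: SVGUniverse created at line(s) {lines}, flag never set to true")
    else:
        print(audit_source(SAMPLE_DEFAULT), audit_source(SAMPLE_HARDENED))
```

The check works per file, so it misses a flag set in a different class and does not prove the call is made on the same instance; treat a finding as a pointer for manual review of the unpacked source of each reverse dependency.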
