Commit 18318011 authored by Bas Couwenberg's avatar Bas Couwenberg

Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).

(closes: #853134)
parent 90add006
svgsalamander (1.1.1+dfsg-2) UNRELEASED; urgency=medium
* Team upload.
* Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF).
(closes: #853134)
-- Bas Couwenberg <sebastic@debian.org> Thu, 02 Feb 2017 07:34:57 +0100
svgsalamander (1.1.1+dfsg-1) unstable; urgency=medium
* Team upload.
......
Description: Fix CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)
See: http://www.openwall.com/lists/oss-security/2017/01/27/3
Author: Vincent Privat
Origin: https://josm.openstreetmap.de/changeset/11526/josm
Bug: https://github.com/blackears/svgSalamander/issues/11
Bug-Debian: https://bugs.debian.org/853134
--- a/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
+++ b/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java
@@ -112,21 +112,10 @@ public class ImageSVG extends Renderable
if (getPres(sty.setName("xlink:href")))
{
URI src = sty.getURIValue(getXMLBase());
+ // CVE-2017-5617: Allow only data scheme
if ("data".equals(src.getScheme()))
{
imageSrc = new URL(null, src.toASCIIString(), new Handler());
- } else
- {
- try
- {
- imageSrc = src.toURL();
- } catch (Exception e)
- {
- Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING,
- "Could not parse xlink:href " + src, e);
-// e.printStackTrace();
- imageSrc = null;
- }
}
}
} catch (Exception e)
@@ -134,32 +123,33 @@ public class ImageSVG extends Renderable
throw new SVGException(e);
}
- diagram.getUniverse().registerImage(imageSrc);
-
- //Set widths if not set
- BufferedImage img = diagram.getUniverse().getImage(imageSrc);
- if (img == null)
+ if (imageSrc != null)
{
- xform = new AffineTransform();
- bounds = new Rectangle2D.Float();
- return;
- }
+ diagram.getUniverse().registerImage(imageSrc);
- if (width == 0)
- {
- width = img.getWidth();
- }
- if (height == 0)
- {
- height = img.getHeight();
- }
+ //Set widths if not set
+ BufferedImage img = diagram.getUniverse().getImage(imageSrc);
+ if (img == null)
+ {
+ xform = new AffineTransform();
+ bounds = new Rectangle2D.Float();
+ return;
+ }
- //Determine image xform
- xform = new AffineTransform();
-// xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight());
-// xform.translate(this.x, this.y);
- xform.translate(this.x, this.y);
- xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
+ if (width == 0)
+ {
+ width = img.getWidth();
+ }
+ if (height == 0)
+ {
+ height = img.getHeight();
+ }
+
+ //Determine image xform
+ xform = new AffineTransform();
+ xform.translate(this.x, this.y);
+ xform.scale(this.width / img.getWidth(), this.height / img.getHeight());
+ }
bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height);
}
@@ -328,16 +318,14 @@ public class ImageSVG extends Renderable
{
URI src = sty.getURIValue(getXMLBase());
- URL newVal;
+ URL newVal = null;
+ // CVE-2017-5617: Allow only data scheme
if ("data".equals(src.getScheme()))
{
newVal = new URL(null, src.toASCIIString(), new Handler());
- } else
- {
- newVal = src.toURL();
}
- if (!newVal.equals(imageSrc))
+ if (newVal != null && !newVal.equals(imageSrc))
{
imageSrc = newVal;
shapeChange = true;
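Review bot: A non-`data` `xlink:href` is now dropped without any trace at both scheme checks (the `if ("data".equals(src.getScheme()))` in the first hunk and again in the `@@ -328,16 +318,14 @@` hunk), so an operator cannot tell a blocked external reference from a document that simply has no image. The removed branch already logged through `Logger.getLogger(SVGConst.SVG_LOGGER)`; an `else` that records only the scheme, e.g. `Logger.getLogger(SVGConst.SVG_LOGGER).log(Level.WARNING, "Ignoring xlink:href with disallowed scheme: " + src.getScheme());`, would keep the allow-list and make rejected references visible in logs. In the last hunk a rejected value also leaves `imageSrc` at its previous value instead of clearing it, which may be intended but deserves a comment such as `// disallowed scheme: keep the current image`. Both enclosing methods start and end outside the hunks, so whether `src` can be null at these points is not visible here.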
......@@ -3,3 +3,4 @@
0003-Modify-javadoc-target-to-add-links-to-system-API-doc.patch
0005-dont-call-netbeans-ant-tasks.patch
0006-modify-broken-upstream-pom.patch
0007-CVE-2017-5617-Allow-only-data-scheme.patch