From $URL: If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF. The attacker can send a specially crafted svg file, for example > <svg width="5cm" height="4cm" version="1.1" > xmlns="http://www.w3.org/2000/svg" xmlns:xlink= "http://www.w3.or /1999/xlink"> > <image xlink:href="https://host-in-the-trusted-network.invalid/test.jpg" x="0" y="0" height="50px" width="50px"/> > </svg> and the lib will send the request inside the trusted network to the host-in-the-trusted-network.com (bypassing the firewall). In general, the attacker can use any scheme supported by default (such as file://, jar:// etc) or use application specific scheme.
According to the upstream ticket, this is now fixed via https://github.com/blackears/svgSalamander/commit/a0cdd694cb917de303b08117e2544a352fc2cb58 in version 1.1.2. See https://github.com/blackears/svgSalamander/pull/12 for further discussion about the fix.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23e4ebd36288a78038ba403891819de76fb2d94f commit 23e4ebd36288a78038ba403891819de76fb2d94f Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2019-08-14 19:58:03 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2019-08-14 19:58:03 +0000 profiles/package.mask: mask dev-java/svgsalamander * 1 rdep Bug: https://bugs.gentoo.org/607720 Signed-off-by: Aaron Bauman <bman@gentoo.org> profiles/package.mask | 6 ++++++ 1 file changed, 6 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f5838f5cf33468e30c405be27d0784be0b8d379 commit 3f5838f5cf33468e30c405be27d0784be0b8d379 Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-09-14 15:23:51 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-09-14 15:25:58 +0000 dev-java/svgsalamander: Remove last-rited pkg Bug: https://bugs.gentoo.org/607720 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-java/svgsalamander/Manifest | 1 - dev-java/svgsalamander/metadata.xml | 15 ------- dev-java/svgsalamander/svgsalamander-0.0-r2.ebuild | 52 ---------------------- profiles/package.mask | 5 --- 4 files changed, 73 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=305f3c4136b7a57be67d73bf833d9a70a718ee8a commit 305f3c4136b7a57be67d73bf833d9a70a718ee8a Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2019-09-14 15:23:13 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2019-09-14 15:25:57 +0000 dev-java/flyingsaucer: Remove last-rited pkg Bug: https://bugs.gentoo.org/607720 Signed-off-by: Michał Górny <mgorny@gentoo.org> dev-java/flyingsaucer/Manifest | 1 - dev-java/flyingsaucer/files/7-itext-2.0.8.patch | 61 -------------------- dev-java/flyingsaucer/flyingsaucer-7-r2.ebuild | 75 ------------------------- dev-java/flyingsaucer/metadata.xml | 14 ----- profiles/package.mask | 1 - 5 files changed, 152 deletions(-)
This issue was resolved and addressed in GLSA 202003-11 at https://security.gentoo.org/glsa/202003-11 by GLSA coordinator Thomas Deutschmann (whissi).
