debian/0000775000000000000000000000000013046115534007172 5ustar debian/control0000664000000000000000000000331213045050544010572 0ustar Source: svgsalamander Priority: extra Maintainer: Debian Java Maintainers Uploaders: Nicolas Dandrimont Build-Depends: debhelper (>= 7.0.50~), javahelper (>= 0.32~), maven-repo-helper Build-Depends-Indep: default-jdk, default-jdk-doc, ant, ant-optional, ant-doc, javacc Standards-Version: 3.9.2 Section: java Homepage: http://svgsalamander.java.net/ Vcs-Git: git://git.debian.org/pkg-java/svgsalamander.git Vcs-Browser: http://git.debian.org/?p=pkg-java/svgsalamander.git;a=summary Package: libsvgsalamander-java Architecture: all Depends: ${shlibs:Depends}, ${misc:Depends}, ${java:Depends} Recommends: ${java:Recommends} Description: SVG engine for Java SVG Salamander is an SVG engine for Java that's designed to be small, fast, and allow programmers to use it with a minimum of fuss. . It's in particular targeted for making it easy to integrate SVG into Java games and making it much easier for artists to design 2D game content - from rich interactive menus to charts and graphics to complex animations. Package: libsvgsalamander-java-doc Architecture: all Section: doc Depends: ${shlibs:Depends}, ${misc:Depends}, ${java:Depends} Recommends: ${java:Recommends} Description: SVG engine for Java (documentation) SVG Salamander is an SVG engine for Java that's designed to be small, fast, and allow programmers to use it with a minimum of fuss. . It's in particular targeted for making it easy to integrate SVG into Java games and making it much easier for artists to design 2D game content - from rich interactive menus to charts and graphics to complex animations. . This package includes the javadoc API documentation for svgsalamander. debian/patches/0000775000000000000000000000000013045050544010617 5ustar debian/patches/0003-Modify-javadoc-target-to-add-links-to-system-API-doc.patch0000664000000000000000000000165713045050544023751 0ustar
From: Nicolas Dandrimont Date: Sun, 6 Mar 2011 11:36:54 +0100 Subject: Modify javadoc target to add links to system API docs --- svg-core/nbproject/build-impl.xml | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/svg-core/nbproject/build-impl.xml b/svg-core/nbproject/build-impl.xml index 3a71c95..56d5331 100755 --- a/svg-core/nbproject/build-impl.xml +++ b/svg-core/nbproject/build-impl.xml @@ -756,6 +756,8 @@ is divided into following sections: + + -- debian/patches/0007-CVE-2017-5617-Allow-only-data-scheme.patch0000664000000000000000000000751313045050544020042 0ustar Description: Fix CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery) See: http://www.openwall.com/lists/oss-security/2017/01/27/3 Author: Vincent Privat Origin: https://josm.openstreetmap.de/changeset/11526/josm Bug: https://github.com/blackears/svgSalamander/issues/11 Bug-Debian: https://bugs.debian.org/853134 --- a/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java +++ b/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java @@ -80,21 +80,11 @@ public class ImageSVG extends Renderable if (getPres(sty.setName("xlink:href"))) { URI src = sty.getURIValue(getXMLBase()); + // CVE-2017-5617: Allow only data scheme if ("data".equals(src.getScheme())) { imageSrc = new URL(null, src.toASCIIString(), new Handler()); } - else - { - try { - imageSrc = src.toURL(); - } - catch (Exception e) - { - e.printStackTrace(); - imageSrc = null; - } - } } } catch (Exception e) 
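Review bot: In the ImageSVG.java hunk at @@ -80,21 +80,11 @@, an `xlink:href` whose scheme is not `data` is now dropped without any trace, so nobody reading the application's output can tell that a document referenced an external resource; recording the rejected scheme (not the whole URI) at that point would make such documents visible. The same allowlist test is written out a second time in the hunk at @@ -254,9 +247,15 @@, and one private helper, for example `private static boolean isAllowedScheme(URI uri)`, would keep the two copies from drifting apart when the list is revisited. `"data".equals(src.getScheme())` is case-sensitive while URI schemes are not, so `DATA:` is refused; that fails closed, which is the safe direction, but deserves a comment such as `// scheme match is case-sensitive on purpose; anything else is rejected`. The enclosing method starts and ends outside the hunk.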
@@ -102,27 +92,30 @@ public class ImageSVG extends Renderable throw new SVGException(e); } - diagram.getUniverse().registerImage(imageSrc); - - //Set widths if not set - BufferedImage img = diagram.getUniverse().getImage(imageSrc); - if (img == null) + if (imageSrc != null) { + diagram.getUniverse().registerImage(imageSrc); + + //Set widths if not set + BufferedImage img = diagram.getUniverse().getImage(imageSrc); + if (img == null) + { + xform = new AffineTransform(); + bounds = new Rectangle2D.Float(); + return; + } + + if (width == 0) width = img.getWidth(); + if (height == 0) height = img.getHeight(); + + //Determine image xform xform = new AffineTransform(); - bounds = new Rectangle2D.Float(); - return; + // xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight()); + // xform.translate(this.x, this.y); + xform.translate(this.x, this.y); + xform.scale(this.width / img.getWidth(), this.height / img.getHeight()); } - if (width == 0) width = img.getWidth(); - if (height == 0) height = img.getHeight(); - - //Determine image xform - xform = new AffineTransform(); -// xform.setToScale(this.width / img.getWidth(), this.height / img.getHeight()); -// xform.translate(this.x, this.y); - xform.translate(this.x, this.y); - xform.scale(this.width / img.getWidth(), this.height / img.getHeight()); - bounds = new Rectangle2D.Float(this.x, this.y, this.width, this.height); } 
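Review bot: When `imageSrc` is null (the href was refused by the scheme check, or there was none), the new `if (imageSrc != null)` block is skipped, so `xform` is never assigned and `bounds` is built from the declared x/y/width/height, whereas the `img == null` branch inside the block assigns an identity `xform` and empty `bounds` before returning. Code outside this hunk that reads `xform` would then see whatever the field held before, possibly null; that cannot be confirmed from the lines shown. A guard placed ahead of the block, `if (imageSrc == null) { xform = new AffineTransform(); bounds = new Rectangle2D.Float(); return; }`, gives a refused reference the same state as a failed load and avoids re-indenting the whole body, which keeps a security patch easier to audit. The method's start is outside the hunk.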
@@ -254,9 +247,15 @@ public class ImageSVG extends Renderable if (getPres(sty.setName("xlink:href"))) { URI src = sty.getURIValue(getXMLBase()); - URL newVal = src.toURL(); + + URL newVal = null; + // CVE-2017-5617: Allow only data scheme + if ("data".equals(src.getScheme())) + { + newVal = new URL(null, src.toASCIIString(), new Handler()); + } - if (!newVal.equals(imageSrc)) + if (newVal != null && !newVal.equals(imageSrc)) { imageSrc = newVal; shapeChange = true; debian/patches/series0000664000000000000000000000041413045050544012033 0ustar 0001-Make-build-use-system-libraries.patch 0002-Disable-useless-automated-jar-signing.patch 0003-Modify-javadoc-target-to-add-links-to-system-API-doc.patch 0004-Use-system-awt-gradient-instead-of-the-embedded-bati.patch 0007-CVE-2017-5617-Allow-only-data-scheme.patch debian/patches/0004-Use-system-awt-gradient-instead-of-the-embedded-bati.patch0000664000000000000000000001375513045050544024147 0ustar From: Nicolas Dandrimont Date: Mon, 7 Mar 2011 00:13:13 +0100 Subject: Use system awt gradient instead of the embedded batik code copy Upstream embeds batik as a backwards-compatibility measure, as the Gradient classes used were added to java.awt in JDK6. --- .../main/java/com/kitfox/svg/LinearGradient.java | 21 ++++++++----------- .../main/java/com/kitfox/svg/RadialGradient.java | 21 ++++++++----------- 2 files changed, 18 insertions(+), 24 deletions(-) diff --git a/svg-core/src/main/java/com/kitfox/svg/LinearGradient.java b/svg-core/src/main/java/com/kitfox/svg/LinearGradient.java index 06a1503..bdfe724 100644 --- a/svg-core/src/main/java/com/kitfox/svg/LinearGradient.java +++ b/svg-core/src/main/java/com/kitfox/svg/LinearGradient.java @@ -34,9 +34,6 @@ import java.awt.*; import com.kitfox.svg.xml.*; import org.xml.sax.*; -//import org.apache.batik.ext.awt.*; -import com.kitfox.svg.batik.*; - /** * @author Mark McKay 
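Review bot: In the ImageSVG.java hunk at @@ -254,9 +247,15 @@ (the first hunk on this line), an href that changes to a non-`data` scheme leaves `newVal` null, and `newVal != null && !newVal.equals(imageSrc)` then skips the update, so the element keeps the previously accepted `imageSrc` and this condition does not set `shapeChange`. The outbound request is blocked, but the element goes on showing the old image with no sign that the new reference was refused. If that is the intended behaviour, state it next to the condition, e.g. `// rejected (non-data) href: keep the last accepted image`; otherwise clear `imageSrc` and set `shapeChange` for that case. The enclosing method starts and ends outside the hunk.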
@@ -95,32 +92,32 @@ public class LinearGradient extends Gradient { public Paint getPaint(Rectangle2D bounds, AffineTransform xform) { - com.kitfox.svg.batik.MultipleGradientPaint.CycleMethodEnum method; + MultipleGradientPaint.CycleMethod method; switch (spreadMethod) { default: case SM_PAD: - method = com.kitfox.svg.batik.MultipleGradientPaint.NO_CYCLE; + method = MultipleGradientPaint.CycleMethod.NO_CYCLE; break; case SM_REPEAT: - method = com.kitfox.svg.batik.MultipleGradientPaint.REPEAT; + method = MultipleGradientPaint.CycleMethod.REPEAT; break; case SM_REFLECT: - method = com.kitfox.svg.batik.MultipleGradientPaint.REFLECT; + method = MultipleGradientPaint.CycleMethod.REFLECT; break; } - com.kitfox.svg.batik.LinearGradientPaint paint; + LinearGradientPaint paint; if (gradientUnits == GU_USER_SPACE_ON_USE) { // paint = new LinearGradientPaint(x1, y1, x2, y2, getStopFractions(), getStopColors(), method); - paint = new com.kitfox.svg.batik.LinearGradientPaint( + paint = new LinearGradientPaint( new Point2D.Float(x1, y1), new Point2D.Float(x2, y2), getStopFractions(), getStopColors(), method, - com.kitfox.svg.batik.MultipleGradientPaint.SRGB, + MultipleGradientPaint.ColorSpaceType.SRGB, gradientTransform); } else @@ -137,13 +134,13 @@ public class LinearGradient extends Gradient { viewXform.concatenate(gradientTransform); - paint = new com.kitfox.svg.batik.LinearGradientPaint( + paint = new LinearGradientPaint( new Point2D.Float(x1, y1), new Point2D.Float(x2, y2), getStopFractions(), getStopColors(), method, - com.kitfox.svg.batik.MultipleGradientPaint.SRGB, + MultipleGradientPaint.ColorSpaceType.SRGB, viewXform); } diff --git a/svg-core/src/main/java/com/kitfox/svg/RadialGradient.java b/svg-core/src/main/java/com/kitfox/svg/RadialGradient.java index 37b9414..52521cc 100644 --- a/svg-core/src/main/java/com/kitfox/svg/RadialGradient.java +++ b/svg-core/src/main/java/com/kitfox/svg/RadialGradient.java 
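Review bot: The `new LinearGradientPaint(...)` calls in both LinearGradient.java hunks now resolve to `java.awt.LinearGradientPaint`, whose constructor throws IllegalArgumentException when the start and end points are equal, when fewer than two stops are given, or when the fractions are not strictly increasing, and `x1`/`y1`/`x2`/`y2` and the stops appear to be taken from the SVG document. Whether the removed batik copy was equally strict is not visible here, so a malformed gradient may now abort rendering with an unchecked exception out of `getPaint`. The RadialGradient.java hunks that follow have the same exposure through `java.awt.RadialGradientPaint`, which also rejects a non-positive radius. A check before each constructor call, falling back to a plain colour such as the first stop, together with a comment like `// java.awt gradient constructors throw on degenerate input`, would cover it.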
@@ -34,9 +34,6 @@ import java.awt.*; import com.kitfox.svg.xml.*; import org.xml.sax.*; -//import org.apache.batik.ext.awt.*; -import com.kitfox.svg.batik.*; - /** * @author Mark McKay @@ -101,33 +98,33 @@ public class RadialGradient extends Gradient { public Paint getPaint(Rectangle2D bounds, AffineTransform xform) { - com.kitfox.svg.batik.MultipleGradientPaint.CycleMethodEnum method; + MultipleGradientPaint.CycleMethod method; switch (spreadMethod) { default: case SM_PAD: - method = com.kitfox.svg.batik.MultipleGradientPaint.NO_CYCLE; + method = MultipleGradientPaint.CycleMethod.NO_CYCLE; break; case SM_REPEAT: - method = com.kitfox.svg.batik.MultipleGradientPaint.REPEAT; + method = MultipleGradientPaint.CycleMethod.REPEAT; break; case SM_REFLECT: - method = com.kitfox.svg.batik.MultipleGradientPaint.REFLECT; + method = MultipleGradientPaint.CycleMethod.REFLECT; break; } - com.kitfox.svg.batik.RadialGradientPaint paint; + RadialGradientPaint paint; if (gradientUnits == GU_USER_SPACE_ON_USE) { - paint = new com.kitfox.svg.batik.RadialGradientPaint( + paint = new RadialGradientPaint( new Point2D.Float(cx, cy), r, new Point2D.Float(fx, fy), getStopFractions(), getStopColors(), method, - com.kitfox.svg.batik.MultipleGradientPaint.SRGB, + MultipleGradientPaint.ColorSpaceType.SRGB, gradientTransform); } else @@ -138,14 +135,14 @@ public class RadialGradient extends Gradient { viewXform.concatenate(gradientTransform); - paint = new com.kitfox.svg.batik.RadialGradientPaint( + paint = new RadialGradientPaint( new Point2D.Float(cx, cy), r, new Point2D.Float(fx, fy), getStopFractions(), getStopColors(), method, - com.kitfox.svg.batik.MultipleGradientPaint.SRGB, + MultipleGradientPaint.ColorSpaceType.SRGB, viewXform); } -- debian/patches/0001-Make-build-use-system-libraries.patch0000664000000000000000000000144213045050544020257 0ustar 
From: Nicolas Dandrimont Date: Fri, 18 Feb 2011 13:21:02 +0100 Subject: Make build use system libraries --- svg-core/build.xml | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/svg-core/build.xml b/svg-core/build.xml index 0fbc9b1..74e3fed 100755 --- a/svg-core/build.xml +++ b/svg-core/build.xml @@ -68,7 +68,7 @@ --> - + -- debian/patches/0002-Disable-useless-automated-jar-signing.patch0000664000000000000000000000236613045050544021441 0ustar From: Nicolas Dandrimont Date: Sun, 6 Mar 2011 11:10:29 +0100 Subject: Disable useless automated jar signing. --- svg-core/build.xml | 14 -------------- 1 files changed, 0 insertions(+), 14 deletions(-) diff --git a/svg-core/build.xml b/svg-core/build.xml index 74e3fed..05d3dc6 100755 --- a/svg-core/build.xml +++ b/svg-core/build.xml 
@@ -109,20 +109,6 @@ - - - - - - - - - - - - - - -- debian/libsvgsalamander-java-doc.javadoc0000664000000000000000000000002612747140044015522 0ustar svg-core/dist/javadoc debian/README.Debian0000664000000000000000000000057112747140044011237 0ustar svgsalamander for Debian ------------------------ SVGSalamander in Debian has been stripped off the embedded batik code copy, as it was only kept by upstream for compatibility with Java < 6. You should be able to replace calls for the embedded batik with calls to the system's java.awt. -- Nicolas Dandrimont , Sun, 27 Mar 2011 13:09:43 +0200 debian/libsvgsalamander-java.poms0000664000000000000000000000002112747140044014321 0ustar svg-core/pom.xml debian/compat0000664000000000000000000000000213045050544010366 0ustar 7 debian/changelog0000664000000000000000000000112413046115534011042 0ustar svgsalamander (0~svn95-1+deb8u1build0.14.04.1) trusty-security; urgency=medium * fake sync from Debian -- Tyler Hicks Mon, 06 Feb 2017 15:50:52 +0000 svgsalamander (0~svn95-1+deb8u1) jessie-security; urgency=high * Team upload. * Add patch by Vincent Privat to fix CVE-2017-5617 (SSRF). (closes: #853134) -- Bas Couwenberg Fri, 03 Feb 2017 09:03:52 +0100 svgsalamander (0~svn95-1) unstable; urgency=low * Initial release (Closes: #613293) -- Nicolas Dandrimont Tue, 10 May 2011 22:30:00 +0200 debian/copyright0000664000000000000000000000505413045050544011127 0ustar Format: http://dep.debian.net/deps/dep5 Upstream-Name: svgsalamander Source: Files: * Copyright: 2010, Mark McKay License: LGPL-2.0 or BSD Files: debian/* Copyright: 2011 Nicolas Dandrimont License: BSD License: LGPL-2.0 This package is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. . 
This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. . You should have received a copy of the GNU General Public License along with this program. If not, see . . On Debian systems, the complete text of the GNU Lesser General Public License can be found in "/usr/share/common-licenses/LGPL-2". License: BSD All rights reserved. . Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. * Neither the name of the kitfox.com nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
debian/source/0000775000000000000000000000000012756516052010501 5ustar debian/source/format0000664000000000000000000000001412747140044011701 0ustar 3.0 (quilt) debian/rules0000775000000000000000000000311113045050544010244 0ustar #!/usr/bin/make -f # -*- makefile -*- # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 JAVA_HOME=/usr/lib/jvm/default-java ANT = /usr/bin/ant -Djavac.source=1.6 -Djavac.target=1.6 -Djavac.classpath=/usr/share/java/ant.jar PACKAGE = svgsalamander SRC_VERSION := $(shell dpkg-parsechangelog | sed -ne 's/^Version: \(\([0-9]\+\):\)\?\(.*\)-.*/\3/p') SVN_REVISION := $(shell echo ${SRC_VERSION} | sed -ne 's/^.*svn\([0-9]\+\)/\1/p') TARBALL = $(PACKAGE)_$(SRC_VERSION).orig.tar.gz %: dh $@ --with javahelper,maven-repo-helper override_dh_auto_build: -mkdir -p $(CURDIR)/svg-core/src/gen/res -mkdir -p $(CURDIR)/svg-core/src/gen/java cd $(CURDIR)/svg-core && $(ANT) jar && $(ANT) javadoc override_dh_clean: -mkdir -p $(CURDIR)/svg-core/src/gen/res -mkdir -p $(CURDIR)/svg-core/src/gen/java cd $(CURDIR)/svg-core && $(ANT) clean -rm www/binaries/*.jar dh_clean .PHONY: get-orig-source get-orig-source: rm -rf get-orig-source $(TARBALL) mkdir get-orig-source svn export -r $(SVN_REVISION) https://svn.java.net/svn/svgsalamander~svn/trunk \ get-orig-source/$(PACKAGE)-$(SRC_VERSION).orig find get-orig-source/ -name *.jar -delete find get-orig-source/ -name *.zip -delete # Strip old sourceless stuff : rm get-orig-source/$(PACKAGE)-$(SRC_VERSION).orig/doc/dev/GetTRDoc.pdf rm -r get-orig-source/$(PACKAGE)-$(SRC_VERSION).orig/svg-core/src/main/java/com/kitfox/svg/batik GZIP='--best --no-name' tar czf $(TARBALL) -C get-orig-source $(PACKAGE)-$(SRC_VERSION).orig rm -rf get-orig-source echo " "$(TARBALL)" created; move it to the right destination to build the package" debian/README.source0000664000000000000000000000127713045050544011356 0ustar svgsalamander for Debian ------------------------ The source code was checked out from SVN at : 
https://svn.java.net/svn/svgsalamander~svn/trunk The tarball is cleaned of .jar and .zip files. The doc/dev/getTRDoc.pdf file allows unlimited redistribution, but the sources are unavailable. It has been removed from the tarball. It is a thesis on "Least Squares Approximation By G1 Piecewise Parametric Cubes" by Marion R. Holmes, and can be fetched from http://oai.dtic.mil/oai/oai?verb=getRecord&metadataPrefix=html&identifier=ADA277978. See the get-orig-source target for debian/rules to fetch a clean tarball. -- Nicolas Dandrimont , Sun, 6 Mar 2011 15:07:47 +0100 debian/libsvgsalamander-java.jlibs0000664000000000000000000000010312747140044014447 0ustar www/binaries/svgSalamander.jar www/binaries/svgSalamander-tiny.jar