
Commit 4ec3a24

deepin-ci-robot authored and hudeng-go committed
fix(plantuml): CVE-2026-0858
Fix stored XSS in SVG export for GraphViz diagrams. Disable SVG export for PSystemDot to prevent malicious JavaScript injection in generated SVG output.

Upstream: plantuml/plantuml@6826315
Generated-By: glm-5.1
Co-Authored-By: hudeng <hudeng@deepin.org>
1 parent 462d1a9 commit 4ec3a24

3 files changed

Lines changed: 37 additions & 0 deletions


debian/changelog

Lines changed: 6 additions & 0 deletions
@@ -1,3 +1,9 @@
1+
plantuml (1:1.2020.2+ds-3deepin1) unstable; urgency=medium
2+
3+
* CVE-2026-0858: Fix stored XSS in SVG export for GraphViz diagrams
4+
5+
-- deepin-ci-robot <packages@deepin.org> Mon, 27 Apr 2026 14:56:42 +0800
6+
17
plantuml (1:1.2020.2+ds-3) unstable; urgency=medium
28

39
[ Tomas Janousek ]
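Review bot: the new entry is uploaded with `urgency=medium`, whereas a stored XSS fix tracked under a CVE id would normally carry `urgency=high` so it migrates promptly; the entry could also cite the upstream commit named in the commit message (plantuml/plantuml@6826315) next to the CVE id, so the origin of the fix is visible from the changelog alone.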

debian/patches/CVE-2026-0858.patch

Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
Index: github-plantuml-2026-0858/src/net/sourceforge/plantuml/directdot/PSystemDot.java
2+
===================================================================
3+
--- github-plantuml-2026-0858.orig/src/net/sourceforge/plantuml/directdot/PSystemDot.java
4+
+++ github-plantuml-2026-0858/src/net/sourceforge/plantuml/directdot/PSystemDot.java
5+
@@ -8,7 +8,7 @@
6+
*
7+
* If you like this project or if you find it useful, you can support us at:
8+
*
9+
- * http://plantuml.com/patreon (only 1$ per month!)
10+
+ * http://plantuml.com/patreon (only 1$ per month)
11+
* http://plantuml.com/paypal
12+
*
13+
* This file is part of PlantUML.
14+
@@ -40,6 +40,7 @@ import java.util.Arrays;
15+
16+
import net.sourceforge.plantuml.AbstractPSystem;
17+
import net.sourceforge.plantuml.CounterOutputStream;
18+
+import net.sourceforge.plantuml.FileFormat;
19+
import net.sourceforge.plantuml.FileFormatOption;
20+
import net.sourceforge.plantuml.StringUtils;
21+
import net.sourceforge.plantuml.api.ImageDataSimple;
22+
@@ -70,6 +71,8 @@ public class PSystemDot extends Abstract
23+
@Override
24+
final protected ImageData exportDiagramNow(OutputStream os, int num, FileFormatOption fileFormat, long seed)
25+
throws IOException {
26+
+ if (fileFormat.getFileFormat() == FileFormat.SVG)
27+
+ return ImageDataSimple.ok();
28+
final Graphviz graphviz = GraphvizUtils.create(null, data,
29+
StringUtils.goLowerCase(fileFormat.getFileFormat().name()));
30+
if (graphviz.getExeState() != ExeState.OK) {
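Review bot: the guard `+ if (fileFormat.getFileFormat() == FileFormat.SVG)` / `+ return ImageDataSimple.ok();` returns a success result without writing anything to `os`, so a caller that requested SVG receives an empty output and no signal that the format was refused; surfacing the refusal explicitly (an error image or an exception that becomes a diagnostic) would avoid silently producing empty files. The `@@ -8,7 +8,7 @@` hunk only edits a comment (it drops the `!` from the patreon line) and has no bearing on the CVE, so it should be dropped to keep the security patch minimal. The patch file also has no DEP-3 header (Description, Origin, Bug) before the `Index:` line; the upstream commit given in the commit message, plantuml/plantuml@6826315, belongs in an Origin field so the provenance of the fix is recorded with the patch itself.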

debian/patches/series

Lines changed: 1 addition & 0 deletions
@@ -3,3 +3,4 @@ ditaa/0001-Update-ditaa.patch
33
ditaa/0002-Support-SVG-export-in-ditaa.patch
44
ditaa/0003-ditaa-Force-String.format-locale-to-fix-decimal-sepa.patch
55
ditaa/0004-ditaa-Do-not-fill-dashed-shapes-especially-not-open-.patch
6+
CVE-2026-0858.patch
