[pkg-java] r18661 - in trunk/batik/debian: . patches
Tony Mancill
tmancill at moszumanska.debian.org
Sat Mar 21 18:13:09 UTC 2015
Author: tmancill
Date: 2015-03-21 18:12:57 +0000 (Sat, 21 Mar 2015)
New Revision: 18661
Added:
trunk/batik/debian/patches/cve_2015_0250.patch
Modified:
trunk/batik/debian/changelog
trunk/batik/debian/patches/series
Log:
add cve_2015_0250.patch (#780897)
Modified: trunk/batik/debian/changelog
===================================================================
--- trunk/batik/debian/changelog 2015-03-16 14:27:25 UTC (rev 18660)
+++ trunk/batik/debian/changelog 2015-03-21 18:12:57 UTC (rev 18661)
@@ -4,6 +4,9 @@
* Team upload.
* Update homepage URL to https://xmlgraphics.apache.org/batik/ in
debian/control and debian/copyright. (Closes: #771539)
+ * Add debian/patches/cve_2015_0250.patch to disable external XML entity
+ resolution (information disclosure). This addresses CVE-2015-0250.
+ (Closes: #780897)
[ Emmanuel Bourg ]
* Replaced the Build-Id in the manifests with a constant value
Added: trunk/batik/debian/patches/cve_2015_0250.patch
===================================================================
--- trunk/batik/debian/patches/cve_2015_0250.patch (rev 0)
+++ trunk/batik/debian/patches/cve_2015_0250.patch 2015-03-21 18:12:57 UTC (rev 18661)
@@ -0,0 +1,60 @@
+Description: Fix information disclosure by disabling external XML entity processing.
+ The upstream patch was modified slightly to apply cleanly against
+ the source package in Debian.
+Forwarded: not-needed
+Origin: https://svn.apache.org/viewvc/xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java?r1=662304&r2=1664335&view=patch
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780897
+
+--- a/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
++++ b/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
+@@ -30,25 +30,26 @@
+ import javax.xml.parsers.SAXParser;
+ import javax.xml.parsers.SAXParserFactory;
+
+-import org.apache.batik.util.HaltingThread;
+-import org.apache.batik.util.XMLConstants;
+-
++import org.w3c.dom.DOMImplementation;
++import org.w3c.dom.Document;
++import org.w3c.dom.DocumentType;
++import org.w3c.dom.Element;
++import org.w3c.dom.Node;
+ import org.xml.sax.Attributes;
+ import org.xml.sax.ErrorHandler;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.Locator;
+ import org.xml.sax.SAXException;
+ import org.xml.sax.SAXNotRecognizedException;
++import org.xml.sax.SAXNotSupportedException;
+ import org.xml.sax.SAXParseException;
+ import org.xml.sax.XMLReader;
+ import org.xml.sax.ext.LexicalHandler;
+ import org.xml.sax.helpers.DefaultHandler;
+ import org.xml.sax.helpers.XMLReaderFactory;
+
+-import org.w3c.dom.DOMImplementation;
+-import org.w3c.dom.Document;
+-import org.w3c.dom.Element;
+-import org.w3c.dom.Node;
++import org.apache.batik.util.HaltingThread;
++import org.apache.batik.util.XMLConstants;
+
+ /**
+ * This class contains methods for creating Document instances
+@@ -391,6 +392,16 @@
+ static SAXParserFactory saxFactory;
+ static {
+ saxFactory = SAXParserFactory.newInstance();
++ try {
++ saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ } catch (SAXNotRecognizedException e) {
++ e.printStackTrace();
++ } catch (SAXNotSupportedException e) {
++ e.printStackTrace();
++ } catch (ParserConfigurationException e) {
++ e.printStackTrace();
++ }
+ }
+
+ /**
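Review bot: The static initializer added in the embedded SAXDocumentFactory hunk fails open: if either setFeature call throws one of the three caught exceptions, saxFactory keeps the parser's default (external entities still resolved) and the only evidence is a stack trace on stderr, which defeats the purpose of the patch. Each `e.printStackTrace();` should instead abort class initialization, e.g. `throw new IllegalStateException("Cannot disable external XML entity resolution", e);` (a static initializer wraps this in ExceptionInInitializerError), so a parser that does not support the features is noticed at startup rather than silently accepting external entities. Two further points worth checking: the file still imports org.xml.sax.helpers.XMLReaderFactory, and any reader created through that path rather than through saxFactory would not inherit these feature settings; and the catch of ParserConfigurationException relies on an import above line 30 that this hunk does not show. Disabling external general and parameter entities also does not stop internal entity-expansion denial of service, so where the underlying parser is Xerces and the handled documents do not rely on a DOCTYPE, additionally setting `http://apache.org/xml/features/disallow-doctype-decl` to true is worth considering.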
Modified: trunk/batik/debian/patches/series
===================================================================
--- trunk/batik/debian/patches/series 2015-03-16 14:27:25 UTC (rev 18660)
+++ trunk/batik/debian/patches/series 2015-03-21 18:12:57 UTC (rev 18661)
@@ -1,3 +1,4 @@
06_fix_paths_in_policy_files.patch
source-1.5.patch
remove-js.patch
+cve_2015_0250.patch