[Git][java-team/batik][bullseye] 2 commits: Fixing CVE-2022-44729 and CVE-2022-44730

Pierre Gruet (@pgt) gitlab at salsa.debian.org
Tue Sep 26 20:45:58 BST 2023



Pierre Gruet pushed to branch bullseye at Debian Java Maintainers / batik


Commits:
6375a7e7 by Pierre Gruet at 2023-08-25T11:06:48+02:00
Fixing CVE-2022-44729 and CVE-2022-44730

- - - - -
3ddd768a by Pierre Gruet at 2023-08-25T11:07:23+02:00
Upload to bullseye-proposed-updates

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2022-447xx.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+batik (1.12-4+deb11u2) bullseye; urgency=medium
+
+  * Team upload.
+  * Fixing CVE-2022-44729 and CVE-2022-44730
+
+ -- Pierre Gruet <pgt at debian.org>  Fri, 25 Aug 2023 11:07:07 +0200
+
 batik (1.12-4+deb11u1) bullseye-security; urgency=high
 
   * Team upload.


=====================================
debian/patches/CVE-2022-447xx.patch
=====================================
@@ -0,0 +1,199 @@
+Description: fixing CVE-2022-44729 and CVE-2022-44730
+ by applying the file changes of upstream commits fixing the CVE
+Author: Pierre Gruet <pgt at debian.org>
+Origin: upstream, https://issues.apache.org/jira/browse/BATIK-1347 and https://issues.apache.org/jira/browse/BATIK-1349
+Forwarded: not-needed
+Last-Update: 2023-08-24
+
+--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
++++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
+@@ -74,6 +74,9 @@
+                                            ParsedURL docURL){
+         // Make sure that the archives comes from the same host
+         // as the document itself
++        if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {
++            return;
++        }
+         if (docURL == null) {
+             se = new SecurityException
+                 (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
+--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
++++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+@@ -20,6 +20,7 @@
+ 
+ import org.mozilla.javascript.ClassShutter;
+ import java.util.Arrays;
++import java.util.ArrayList;
+ import java.util.List;
+ 
+ /**
+@@ -29,7 +30,7 @@
+  * @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
+  */
+ public class RhinoClassShutter implements ClassShutter {
+-    private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
++     public static final List<String> WHITELIST = new ArrayList<>();
+ 
+     /*
+     public RhinoClassShutter() {
+@@ -58,56 +59,12 @@
+      * Returns whether the given class is visible to scripts.
+      */
+     public boolean visibleToScripts(String fullClassName) {
+-        if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
+-            return false;
+-        }
+-
+-        // Don't let them mess with script engine's internals.
+-        if (fullClassName.startsWith("org.mozilla.javascript"))
+-            return false;
+-
+-        if (fullClassName.startsWith("org.apache.batik.")) {
+-            // Just get package within batik.
+-            String batikPkg = fullClassName.substring(17);
+-
+-            // Don't let them mess with Batik script internals.
+-            if (batikPkg.startsWith("script"))
+-                return false;
+-
+-            // Don't let them get global structures.
+-            if (batikPkg.startsWith("apps"))
+-                return false;
+-
+-            // Don't let them get scripting stuff from bridge, but specifically
+-            // allow access to:
+-            //
+-            //   o.a.b.bridge.ScriptingEnvironment$Window$IntervalScriptTimerTask
+-            //   o.a.b.bridge.ScriptingEnvironment$Window$IntervalRunnableTimerTask
+-            //   o.a.b.bridge.ScriptingEnvironment$Window$TimeoutScriptTimerTask
+-            //   o.a.b.bridge.ScriptingEnvironment$Window$TimeoutRunnableTimerTask
+-            //
+-            // since objects of these classes are returned by setInterval() and
+-            // setTimeout().
+-            if (batikPkg.startsWith("bridge.")) {
+-                String batikBridgeClass = batikPkg.substring(7);
+-                if (batikBridgeClass.startsWith("ScriptingEnvironment")) {
+-                    if (batikBridgeClass.startsWith("$Window$", 20)) {
+-                        String c = batikBridgeClass.substring(28);
+-                        if (c.equals("IntervalScriptTimerTask")
+-                                || c.equals("IntervalRunnableTimerTask")
+-                                || c.equals("TimeoutScriptTimerTask")
+-                                || c.equals("TimeoutRunnableTimerTask")) {
+-                            return true;
+-                        }
+-                    }
+-                    return false;
+-                }
+-                if (batikBridgeClass.startsWith("BaseScriptingEnvironment")) {
+-                    return false;
+-                }
+-            }
+-        }
++        for (String v : WHITELIST) {
++            if (fullClassName.matches(v)) {
++                return true;
++             }
++         }
+ 
+-        return true;
++        return false;
+     }
+ }
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+@@ -501,11 +501,11 @@
+     public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+         = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+ 
+-    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
+-            = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++    public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES
++            = Messages.get("Main.cl.option.allow.external.resources", "-allowExternalResources");
+ 
+-    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
+-            = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++    public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION
++            = Messages.get("Main.cl.option.allow.external.resources.description", "No description");
+ 
+     /**
+      * Option to turn off secure execution of scripts
+@@ -836,14 +836,14 @@
+                           }
+                       });
+ 
+-        optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++        optionMap.put(CL_OPTION_ALLOW_EXTERNAL_RESOURCES,
+                 new NoValueOptionHandler(){
+                     public void handleOption(SVGConverter c){
+-                        c.allowExternalResources = false;
++                        c.allowExternalResources = true;
+                     }
+ 
+                     public String getOptionDescription(){
+-                        return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++                        return CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION;
+                     }
+                 });
+     }
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+@@ -253,7 +253,7 @@
+         the document which references them. */
+     protected boolean constrainScriptOrigin = true;
+ 
+-    protected boolean allowExternalResources = true;
++    protected boolean allowExternalResources;
+ 
+     /** Controls whether scripts should be run securely or not */
+     protected boolean securityOff = false;
+@@ -927,8 +927,8 @@
+             map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+         }
+ 
+-        if (!allowExternalResources) {
+-            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++        if (allowExternalResources) {
++            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.TRUE);
+         }
+ 
+         return map;
+--- a/batik-test-old/src/test/java/org/apache/batik/test/xml/JUnitRunnerTestCase.java
++++ b/batik-test-old/src/test/java/org/apache/batik/test/xml/JUnitRunnerTestCase.java
+@@ -57,6 +57,9 @@
+         fos.close();
+         tmp.deleteOnExit();
+         System.setProperty("java.security.policy", tmp.getAbsolutePath());
++        RhinoClassShutter.WHITELIST.addAll(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL",
++                ".*Permission", "org.w3c.dom.*", "org.apache.batik.w3c.*", "org.apache.batik.anim.*",
++                "org.apache.batik.dom.*", "org.apache.batik.css.*"));
+     }
+ 
+     @Parameterized.Parameters
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+@@ -32,6 +32,7 @@
+ import org.apache.batik.bridge.BaseScriptingEnvironment;
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
++import org.apache.batik.bridge.DefaultExternalResourceSecurity;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
+ import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+@@ -1118,7 +1119,7 @@
+             if (isAllowExternalResources()) {
+                 return super.getExternalResourceSecurity(resourceURL, docURL);
+             }
+-            return new NoLoadExternalResourceSecurity();
++            return new DefaultExternalResourceSecurity(resourceURL, docURL);
+         }
+ 
+         public boolean isAllowExternalResources() {
+@@ -1126,7 +1127,7 @@
+             if (b != null) {
+                 return b;
+             }
+-            return true;
++            return false;
+         }
+     }
+ }
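Review bot: `RhinoClassShutter.WHITELIST` is now a public, mutable, unsynchronized `ArrayList` that starts empty, so `visibleToScripts` denies every class until some caller adds entries, and the only code in this patch that does so is `JUnitRunnerTestCase`; if nothing outside the patch populates it in production, scripts lose access to `org.w3c.dom` and similar packages, which is presumably the intended hardening but should be stated in the changelog entry. The entries are checked with `String.matches`, i.e. as full-string regular expressions, yet patterns such as `"org.w3c.dom.*"` in the test leave `.` unescaped (so they match any character in those positions), and a Javadoc on the field like `/** Java regular expressions matched against the full class name with String.matches; an empty list makes every class invisible to scripts. */` would make that contract explicit. Because the list is shared static state it should be filled before any script is evaluated, or wrapped with `Collections.synchronizedList`; the stray extra indentation on the `public static final` line and the closing braces of the new loop should also be aligned with the surrounding code. Separately, the renamed `Main.cl.option.allow.external.resources*` keys are not added to the message bundle in this patch, so if the second argument of `Messages.get` is the fallback the option's description will read `No description`, and the removal of `-blockExternalResources` is a command-line change not mentioned in the changelog.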


=====================================
debian/patches/series
=====================================
@@ -3,3 +3,4 @@ no-Jython-support.patch
 CVE-2019-17566.patch
 CVE-2022-41704.patch
 CVE-2022-42890.patch
+CVE-2022-447xx.patch



View it on GitLab: https://salsa.debian.org/java-team/batik/-/compare/f325aaedbca79e4dbad8d6945dfc74967d891480...3ddd768aff82a70df86a6c93d495fb49ea560e5a
