[Git][java-team/batik][bullseye] 2 commits: Fixing CVE-2022-44729 and CVE-2022-44730
Pierre Gruet (@pgt)
gitlab at salsa.debian.org
Tue Sep 26 20:45:58 BST 2023
Pierre Gruet pushed to branch bullseye at Debian Java Maintainers / batik
Commits:
6375a7e7 by Pierre Gruet at 2023-08-25T11:06:48+02:00
Fixing CVE-2022-44729 and CVE-2022-44730
- - - - -
3ddd768a by Pierre Gruet at 2023-08-25T11:07:23+02:00
Upload to bullseye-proposed-updates
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2022-447xx.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+batik (1.12-4+deb11u2) bullseye; urgency=medium
+
+ * Team upload.
+ * Fixing CVE-2022-44729 and CVE-2022-44730
+
+ -- Pierre Gruet <pgt at debian.org> Fri, 25 Aug 2023 11:07:07 +0200
+
batik (1.12-4+deb11u1) bullseye-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2022-447xx.patch
=====================================
@@ -0,0 +1,199 @@
+Description: fixing CVE-2022-44729 and CVE-2022-44730
+ by applying the file changes of upstream commits fixing the CVE
+Author: Pierre Gruet <pgt at debian.org>
+Origin: upstream, https://issues.apache.org/jira/browse/BATIK-1347 and https://issues.apache.org/jira/browse/BATIK-1349
+Forwarded: not-needed
+Last-Update: 2023-08-24
+
+--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
++++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
+@@ -74,6 +74,9 @@
+ ParsedURL docURL){
+ // Make sure that the archives comes from the same host
+ // as the document itself
++ if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {
++ return;
++ }
+ if (docURL == null) {
+ se = new SecurityException
+ (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
+--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
++++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+@@ -20,6 +20,7 @@
+
+ import org.mozilla.javascript.ClassShutter;
+ import java.util.Arrays;
++import java.util.ArrayList;
+ import java.util.List;
+
+ /**
+@@ -29,7 +30,7 @@
+ * @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
+ */
+ public class RhinoClassShutter implements ClassShutter {
+- private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
++ public static final List<String> WHITELIST = new ArrayList<>();
+
+ /*
+ public RhinoClassShutter() {
+@@ -58,56 +59,12 @@
+ * Returns whether the given class is visible to scripts.
+ */
+ public boolean visibleToScripts(String fullClassName) {
+- if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
+- return false;
+- }
+-
+- // Don't let them mess with script engine's internals.
+- if (fullClassName.startsWith("org.mozilla.javascript"))
+- return false;
+-
+- if (fullClassName.startsWith("org.apache.batik.")) {
+- // Just get package within batik.
+- String batikPkg = fullClassName.substring(17);
+-
+- // Don't let them mess with Batik script internals.
+- if (batikPkg.startsWith("script"))
+- return false;
+-
+- // Don't let them get global structures.
+- if (batikPkg.startsWith("apps"))
+- return false;
+-
+- // Don't let them get scripting stuff from bridge, but specifically
+- // allow access to:
+- //
+- // o.a.b.bridge.ScriptingEnvironment$Window$IntervalScriptTimerTask
+- // o.a.b.bridge.ScriptingEnvironment$Window$IntervalRunnableTimerTask
+- // o.a.b.bridge.ScriptingEnvironment$Window$TimeoutScriptTimerTask
+- // o.a.b.bridge.ScriptingEnvironment$Window$TimeoutRunnableTimerTask
+- //
+- // since objects of these classes are returned by setInterval() and
+- // setTimeout().
+- if (batikPkg.startsWith("bridge.")) {
+- String batikBridgeClass = batikPkg.substring(7);
+- if (batikBridgeClass.startsWith("ScriptingEnvironment")) {
+- if (batikBridgeClass.startsWith("$Window$", 20)) {
+- String c = batikBridgeClass.substring(28);
+- if (c.equals("IntervalScriptTimerTask")
+- || c.equals("IntervalRunnableTimerTask")
+- || c.equals("TimeoutScriptTimerTask")
+- || c.equals("TimeoutRunnableTimerTask")) {
+- return true;
+- }
+- }
+- return false;
+- }
+- if (batikBridgeClass.startsWith("BaseScriptingEnvironment")) {
+- return false;
+- }
+- }
+- }
++ for (String v : WHITELIST) {
++ if (fullClassName.matches(v)) {
++ return true;
++ }
++ }
+
+- return true;
++ return false;
+ }
+ }
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+@@ -501,11 +501,11 @@
+ public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+ = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+
+- public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
+- = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++ public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES
++ = Messages.get("Main.cl.option.allow.external.resources", "-allowExternalResources");
+
+- public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
+- = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++ public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION
++ = Messages.get("Main.cl.option.allow.external.resources.description", "No description");
+
+ /**
+ * Option to turn off secure execution of scripts
+@@ -836,14 +836,14 @@
+ }
+ });
+
+- optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++ optionMap.put(CL_OPTION_ALLOW_EXTERNAL_RESOURCES,
+ new NoValueOptionHandler(){
+ public void handleOption(SVGConverter c){
+- c.allowExternalResources = false;
++ c.allowExternalResources = true;
+ }
+
+ public String getOptionDescription(){
+- return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++ return CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION;
+ }
+ });
+ }
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+@@ -253,7 +253,7 @@
+ the document which references them. */
+ protected boolean constrainScriptOrigin = true;
+
+- protected boolean allowExternalResources = true;
++ protected boolean allowExternalResources;
+
+ /** Controls whether scripts should be run securely or not */
+ protected boolean securityOff = false;
+@@ -927,8 +927,8 @@
+ map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+ }
+
+- if (!allowExternalResources) {
+- map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++ if (allowExternalResources) {
++ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.TRUE);
+ }
+
+ return map;
+--- a/batik-test-old/src/test/java/org/apache/batik/test/xml/JUnitRunnerTestCase.java
++++ b/batik-test-old/src/test/java/org/apache/batik/test/xml/JUnitRunnerTestCase.java
+@@ -57,6 +57,9 @@
+ fos.close();
+ tmp.deleteOnExit();
+ System.setProperty("java.security.policy", tmp.getAbsolutePath());
++ RhinoClassShutter.WHITELIST.addAll(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL",
++ ".*Permission", "org.w3c.dom.*", "org.apache.batik.w3c.*", "org.apache.batik.anim.*",
++ "org.apache.batik.dom.*", "org.apache.batik.css.*"));
+ }
+
+ @Parameterized.Parameters
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+@@ -32,6 +32,7 @@
+ import org.apache.batik.bridge.BaseScriptingEnvironment;
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
++import org.apache.batik.bridge.DefaultExternalResourceSecurity;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
+ import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+@@ -1118,7 +1119,7 @@
+ if (isAllowExternalResources()) {
+ return super.getExternalResourceSecurity(resourceURL, docURL);
+ }
+- return new NoLoadExternalResourceSecurity();
++ return new DefaultExternalResourceSecurity(resourceURL, docURL);
+ }
+
+ public boolean isAllowExternalResources() {
+@@ -1126,7 +1127,7 @@
+ if (b != null) {
+ return b;
+ }
+- return true;
++ return false;
+ }
+ }
+ }
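Review bot: In the RhinoClassShutter hunk, `WHITELIST` becomes a public, mutable `ArrayList` and `visibleToScripts` now tests each entry with `fullClassName.matches(v)`, i.e. as a regular expression that must match the whole class name, yet nothing in the patch documents either fact, and the only entries are added in `JUnitRunnerTestCase`, so with the patch applied a production `RhinoClassShutter` hides every class until the embedding application populates the list. A Javadoc on the field would make the contract explicit: `/** Regular expressions (full-match via String.matches) for class names scripts may access. Empty by default, so no class is visible to scripts until the embedder adds patterns; the list is shared and unsynchronized, so populate it before scripts run. */`. Because the dots are unescaped in patterns such as `org.w3c.dom.*`, each pattern also matches names where a dot is replaced by any character; this is a minor looseness, and escaping them (`org\\.w3c\\.dom\\..*`) keeps the allowlist as tight as the old literal list. Separately, the Main.java hunk renames the option `-blockExternalResources` to `-allowExternalResources` while SVGConverter flips the default to blocking, a user-visible CLI change for a stable update that the changelog entry should state.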
=====================================
debian/patches/series
=====================================
@@ -3,3 +3,4 @@ no-Jython-support.patch
CVE-2019-17566.patch
CVE-2022-41704.patch
CVE-2022-42890.patch
+CVE-2022-447xx.patch