Bug#780897: wheezy-security update for batik (CVE-2015-0250)

tony mancill tmancill at debian.org
Thu Mar 26 04:13:54 UTC 2015


Dear Security Team,

I have prepared an update for batik [1] in wheezy to address
CVE-2015-0250.  Attached is the debdiff.  Please let me know if you
would like me to upload it.

Thank you,
tony

[1] https://security-tracker.debian.org/tracker/source-package/batik
-------------- next part --------------
diff -Nru batik-1.7+dfsg/debian/changelog batik-1.7+dfsg/debian/changelog
--- batik-1.7+dfsg/debian/changelog	2012-06-23 06:04:34.000000000 -0700
+++ batik-1.7+dfsg/debian/changelog	2015-03-25 20:53:11.000000000 -0700
@@ -1,3 +1,12 @@
+batik (1.7+dfsg-3+deb7u1) wheezy-security; urgency=high
+
+  * Team upload.
+  * Add debian/patches/cve_2015_0250.patch to disable external XML entity
+    resolution (information disclosure).  This addresses CVE-2015-0250.
+    (Closes: #780897)
+
+ -- tony mancill <tmancill at debian.org>  Tue, 24 Mar 2015 05:17:00 +0000
+
 batik (1.7+dfsg-3) unstable; urgency=low
 
   * Team upload.
diff -Nru batik-1.7+dfsg/debian/patches/cve_2015_0250.patch batik-1.7+dfsg/debian/patches/cve_2015_0250.patch
--- batik-1.7+dfsg/debian/patches/cve_2015_0250.patch	1969-12-31 16:00:00.000000000 -0800
+++ batik-1.7+dfsg/debian/patches/cve_2015_0250.patch	2015-03-21 10:06:12.000000000 -0700
@@ -0,0 +1,60 @@
+Description: Fix information disclosure by disabling external XML entity processing.
+ The upstream patch was modified slightly to apply cleanly against
+ the source package in Debian.
+Forwarded: not-needed
+Origin: https://svn.apache.org/viewvc/xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java?r1=662304&r2=1664335&view=patch
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780897
+
+--- a/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
++++ b/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
+@@ -30,25 +30,26 @@
+ import javax.xml.parsers.SAXParser;
+ import javax.xml.parsers.SAXParserFactory;
+ 
+-import org.apache.batik.util.HaltingThread;
+-import org.apache.batik.util.XMLConstants;
+-
++import org.w3c.dom.DOMImplementation;
++import org.w3c.dom.Document;
++import org.w3c.dom.DocumentType;
++import org.w3c.dom.Element;
++import org.w3c.dom.Node;
+ import org.xml.sax.Attributes;
+ import org.xml.sax.ErrorHandler;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.Locator;
+ import org.xml.sax.SAXException;
+ import org.xml.sax.SAXNotRecognizedException;
++import org.xml.sax.SAXNotSupportedException;
+ import org.xml.sax.SAXParseException;
+ import org.xml.sax.XMLReader;
+ import org.xml.sax.ext.LexicalHandler;
+ import org.xml.sax.helpers.DefaultHandler;
+ import org.xml.sax.helpers.XMLReaderFactory;
+ 
+-import org.w3c.dom.DOMImplementation;
+-import org.w3c.dom.Document;
+-import org.w3c.dom.Element;
+-import org.w3c.dom.Node;
++import org.apache.batik.util.HaltingThread;
++import org.apache.batik.util.XMLConstants;
+ 
+ /**
+  * This class contains methods for creating Document instances
+@@ -391,6 +392,16 @@
+     static SAXParserFactory saxFactory;
+     static {
+         saxFactory = SAXParserFactory.newInstance();
++        try {
++            saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++            saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++        } catch (SAXNotRecognizedException e) {
++            e.printStackTrace();
++        } catch (SAXNotSupportedException e) {
++            e.printStackTrace();
++        } catch (ParserConfigurationException e) {
++            e.printStackTrace();
++        }
+     }
+ 
+     /**
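Review bot: The three catch blocks in the new static initializer call `e.printStackTrace()` and fall through, so on a parser that rejects or does not recognise either feature the factory keeps being used with external entity resolution enabled and the CVE-2015-0250 mitigation degrades silently. The series already carries source-1.5.patch, so multi-catch is not available, but each `e.printStackTrace();` can become `throw new ExceptionInInitializerError(e);` so that an unsupported parser fails at class load instead of parsing with entities enabled; if a hard failure is not acceptable for the stable update, at least add the comment `// external entities remain enabled if setFeature fails (CVE-2015-0250)` above the try so the fail-open behaviour is visible to the next maintainer. `ParserConfigurationException` is caught but its import lies above this hunk's context, so presumably it is already imported near line 30. The hunk also leaves `XMLReaderFactory` imported; if the rest of the file still builds its reader through `XMLReaderFactory.createXMLReader(...)` rather than from `saxFactory`, the features set here would not apply on that path, which is worth confirming against the part of the file outside the hunk.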
diff -Nru batik-1.7+dfsg/debian/patches/series batik-1.7+dfsg/debian/patches/series
--- batik-1.7+dfsg/debian/patches/series	2012-03-12 12:57:14.000000000 -0700
+++ batik-1.7+dfsg/debian/patches/series	2015-03-25 20:53:47.000000000 -0700
@@ -1,3 +1,4 @@
 06_fix_paths_in_policy_files.patch
 source-1.5.patch
 remove-js.patch
+cve_2015_0250.patch
-------------- next part --------------

