Bug#860566: Wheezy update of batik?

Antoine Beaupré anarcat at orangeseeds.org
Wed Apr 26 18:20:39 UTC 2017


On 2017-04-23 23:06:57, Emilio Pozuelo Monfort wrote:
> On 23/04/17 21:50, Ola Lundqvist wrote:
>> Dear maintainer(s),
>> 
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of batik:
>> https://security-tracker.debian.org/tracker/CVE-2017-5662
>
> FWIW I investigated this a bit and there doesn't seem to be any details other
> than what is in the advisory: i.e. I couldn't find the commit that fixes this
> (looking at the svn repository) or an upstream bug report. I found a
> security-related one, reported by Lars Krapf (as mentioned in the oss-security
> mail) but that seemed different than CVE-2017-5662 and much older (see [1]).

Why do you believe it is different?

I looked in the [list of bugs][] fixed upstream in the 1.9 release, and
I couldn't find anything else. The related issue, [BATIK-1018][],
explicitly says:

    The impact of this vulnerability ranges from denial of service to
    file disclosure. Under Windows, it can also be used to steal LM/NTLM
    hashes.

... which seems to match pretty well what the advisory says. This was
reported as affecting Batik 1.8, which is not that old: it's the
previous release, uploaded in Debian in July 2015.

I'm preparing an update to wheezy based on those issues right now and I
updated the security tracker with links to those patches.

A.

 [list of bugs]: https://issues.apache.org/jira/browse/BATIK-1091?jql=project%20%3D%20BATIK%20AND%20fixVersion%20%3D%201.9%20ORDER%20BY%20updated%20DESC%2C%20priority%20DESC%2C%20created%20ASC
 [BATIK-1018]: https://issues.apache.org/jira/browse/BATIK-1018

-- 
Government is the Entertainment division of the military-industrial
complex.
                        - Frank Zappa
