Bug#964510: batik: diff for NMU version 1.12-1.1
Emilio Pozuelo Monfort
pochu at debian.org
Fri Jul 10 18:25:37 BST 2020
Package: batik
Version: 1.12-1
Severity: normal
Tags: patch pending
Dear maintainer,
I've prepared an NMU for batik (versioned as 1.12-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.
Regards.
diff -Nru batik-1.12/debian/changelog batik-1.12/debian/changelog
--- batik-1.12/debian/changelog 2020-02-16 21:16:51.000000000 +0100
+++ batik-1.12/debian/changelog 2020-07-10 18:23:19.000000000 +0200
@@ -1,3 +1,10 @@
+batik (1.12-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2019-17566: Server-side request forgery via xlink:href attributes.
+
+ -- Emilio Pozuelo Monfort <pochu at debian.org> Fri, 10 Jul 2020 18:23:19 +0200
+
batik (1.12-1) unstable; urgency=medium
* Team upload.
diff -Nru batik-1.12/debian/patches/CVE-2019-17566.patch batik-1.12/debian/patches/CVE-2019-17566.patch
--- batik-1.12/debian/patches/CVE-2019-17566.patch 1970-01-01 01:00:00.000000000 +0100
+++ batik-1.12/debian/patches/CVE-2019-17566.patch 2020-07-10 18:22:41.000000000 +0200
@@ -0,0 +1,98 @@
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java 2019/12/09 12:10:03 1871083
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java 2019/12/09 12:24:18 1871084
+@@ -501,6 +501,12 @@
+ public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+ = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+
++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
++ = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++
++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
++ = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++
+ /**
+ * Option to turn off secure execution of scripts
+ */
+@@ -829,6 +835,17 @@
+ return CL_OPTION_SECURITY_OFF_DESCRIPTION;
+ }
+ });
++
++ optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++ new NoValueOptionHandler(){
++ public void handleOption(SVGConverter c){
++ c.allowExternalResources = false;
++ }
++
++ public String getOptionDescription(){
++ return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++ }
++ });
+ }
+
+ /**
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java 2019/12/09 12:10:03 1871083
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java 2019/12/09 12:24:18 1871084
+@@ -253,6 +253,8 @@
+ the document which references them. */
+ protected boolean constrainScriptOrigin = true;
+
++ protected boolean allowExternalResources = true;
++
+ /** Controls whether scripts should be run securely or not */
+ protected boolean securityOff = false;
+
+@@ -925,6 +927,10 @@
+ map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+ }
+
++ if (!allowExternalResources) {
++ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++ }
++
+ return map;
+ }
+
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java 2019/12/09 12:10:03 1871083
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java 2019/12/09 12:24:18 1871084
+@@ -33,8 +33,10 @@
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
++import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+ import org.apache.batik.bridge.NoLoadScriptSecurity;
++import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
+ import org.apache.batik.bridge.RelaxedScriptSecurity;
+ import org.apache.batik.bridge.SVGUtilities;
+ import org.apache.batik.bridge.ScriptSecurity;
+@@ -877,6 +879,9 @@
+ = new BooleanKey();
+
+
++ public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
++ = new BooleanKey();
++
+ /**
+ * A user agent implementation for <code>PrintTranscoder</code>.
+ */
+@@ -1109,5 +1114,19 @@
+ }
+ }
+
++ public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
++ if (isAllowExternalResources()) {
++ return super.getExternalResourceSecurity(resourceURL, docURL);
++ }
++ return new NoLoadExternalResourceSecurity();
++ }
++
++ public boolean isAllowExternalResources() {
++ Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
++ if (b != null) {
++ return b;
++ }
++ return true;
++ }
+ }
+ }
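Review bot: The new `isAllowExternalResources()` at the end of the SVGAbstractTranscoder part of this hunk returns `true` when `KEY_ALLOW_EXTERNAL_RESOURCES` is unset, so after this patch external resource loading remains the default for both the transcoder API and the rasterizer CLI, and `NoLoadExternalResourceSecurity` is only used when a caller sets the hint to `Boolean.FALSE` or passes the new `-blockExternalResources` option from Main.java. That matches the upstream change being backported, but the opt-in nature should be documented on the key, which unlike its neighbours has no Javadoc, e.g. `/** Controls whether external resources referenced by the document may be loaded; absent or {@code Boolean.TRUE} allows them, {@code Boolean.FALSE} blocks them (CVE-2019-17566). */`. `getExternalResourceSecurity` overrides the user-agent method it delegates to via `super` and should carry `@Override`, and the new `allowExternalResources` field in SVGConverter is the only one in that run without a describing comment. The enclosing classes, the user-agent inner class and the `optionMap` initializer in Main.java all start and end outside the inner hunks.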
diff -Nru batik-1.12/debian/patches/series batik-1.12/debian/patches/series
--- batik-1.12/debian/patches/series 2020-02-16 21:16:51.000000000 +0100
+++ batik-1.12/debian/patches/series 2020-07-10 18:17:47.000000000 +0200
@@ -1,2 +1,3 @@
06_fix_paths_in_policy_files.patch
no-Jython-support.patch
+CVE-2019-17566.patch