Bug#964807: buster-pu: package batik/1.10-2

Emilio Pozuelo Monfort pochu at debian.org
Fri Jul 10 18:36:11 BST 2020


Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu

Hi,

This update addresses CVE-2019-17566. Since there may be legitimate uses
for SVG files with external resources, the upstream fix is to add an
option that disables those. I have verified that external resources are fetched
without the option and that they are blocked with it.

debdiff attached, package uploaded.

Thanks,
Emilio
-------------- next part --------------
diff -Nru batik-1.10/debian/changelog batik-1.10/debian/changelog
--- batik-1.10/debian/changelog	2018-12-20 00:28:22.000000000 +0100
+++ batik-1.10/debian/changelog	2020-07-10 19:28:13.000000000 +0200
@@ -1,3 +1,11 @@
+batik (1.10-2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-17566: Server-side request forgery via xlink:href attributes.
+    (Closes: #964510)
+
+ -- Emilio Pozuelo Monfort <pochu at debian.org>  Fri, 10 Jul 2020 19:28:13 +0200
+
 batik (1.10-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru batik-1.10/debian/patches/CVE-2019-17566.patch batik-1.10/debian/patches/CVE-2019-17566.patch
--- batik-1.10/debian/patches/CVE-2019-17566.patch	1970-01-01 01:00:00.000000000 +0100
+++ batik-1.10/debian/patches/CVE-2019-17566.patch	2020-07-10 18:24:04.000000000 +0200
@@ -0,0 +1,98 @@
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java	2019/12/09 12:10:03	1871083
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java	2019/12/09 12:24:18	1871084
+@@ -501,6 +501,12 @@
+     public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+         = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+ 
++    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
++            = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++
++    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
++            = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++
+     /**
+      * Option to turn off secure execution of scripts
+      */
+@@ -829,6 +835,17 @@
+                               return CL_OPTION_SECURITY_OFF_DESCRIPTION;
+                           }
+                       });
++
++        optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++                new NoValueOptionHandler(){
++                    public void handleOption(SVGConverter c){
++                        c.allowExternalResources = false;
++                    }
++
++                    public String getOptionDescription(){
++                        return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++                    }
++                });
+     }
+ 
+     /**
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java	2019/12/09 12:10:03	1871083
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java	2019/12/09 12:24:18	1871084
+@@ -253,6 +253,8 @@
+         the document which references them. */
+     protected boolean constrainScriptOrigin = true;
+ 
++    protected boolean allowExternalResources = true;
++
+     /** Controls whether scripts should be run securely or not */
+     protected boolean securityOff = false;
+ 
+@@ -925,6 +927,10 @@
+             map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+         }
+ 
++        if (!allowExternalResources) {
++            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++        }
++
+         return map;
+     }
+ 
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java	2019/12/09 12:10:03	1871083
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java	2019/12/09 12:24:18	1871084
+@@ -33,8 +33,10 @@
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
++import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+ import org.apache.batik.bridge.NoLoadScriptSecurity;
++import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
+ import org.apache.batik.bridge.RelaxedScriptSecurity;
+ import org.apache.batik.bridge.SVGUtilities;
+ import org.apache.batik.bridge.ScriptSecurity;
+@@ -877,6 +879,9 @@
+         = new BooleanKey();
+ 
+ 
++    public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
++            = new BooleanKey();
++
+     /**
+      * A user agent implementation for <code>PrintTranscoder</code>.
+      */
+@@ -1109,5 +1114,19 @@
+             }
+         }
+ 
++        public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
++            if (isAllowExternalResources()) {
++                return super.getExternalResourceSecurity(resourceURL, docURL);
++            }
++            return new NoLoadExternalResourceSecurity();
++        }
++
++        public boolean isAllowExternalResources() {
++            Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
++            if (b != null) {
++                return b;
++            }
++            return true;
++        }
+     }
+ }
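Review bot: The new `KEY_ALLOW_EXTERNAL_RESOURCES` key in SVGAbstractTranscoder, the `allowExternalResources` field in SVGConverter and the two added UserAgent methods carry no Javadoc, although the neighbouring `constrainScriptOrigin` and `securityOff` fields do, and the default matters here: `isAllowExternalResources()` returns `true` when the hint is absent, so external loads stay enabled unless a caller opts out. I would put `/** Whether external resources referenced by the document may be loaded; defaults to true, set to Boolean.FALSE to use NoLoadExternalResourceSecurity instead of the default policy. */` above the key and the same one-liner above the SVGConverter field. `getExternalResourceSecurity` replaces a superclass method and should carry `@Override` so a signature change in the superclass is caught at compile time rather than silently turning the override into an unused method. The debdiff adds lookups for `Main.cl.option.block.external.resources` and its `.description` but no resource-bundle change, so unless those keys already exist in the bundle the `-help` output will presumably show the `No description` fallback for the new option. The option-map method in Main and the UserAgent inner class both begin outside this hunk.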
diff -Nru batik-1.10/debian/patches/series batik-1.10/debian/patches/series
--- batik-1.10/debian/patches/series	2018-12-20 00:20:31.000000000 +0100
+++ batik-1.10/debian/patches/series	2020-07-10 18:24:10.000000000 +0200
@@ -1,3 +1,4 @@
 06_fix_paths_in_policy_files.patch
 no-Jython-support.patch
 09_java11_compatibility.patch
+CVE-2019-17566.patch

