Bug#964809: stretch-pu: package batik/1.8-4+deb9u1

Emilio Pozuelo Monfort pochu at debian.org
Fri Jul 10 18:40:41 BST 2020 

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu

Hi,

This update addresses CVE-2019-17566. Since there may be legitimate uses
for SVG files with external resources, the upstream fix is to add an
option that disables those. I have verified that those are fetched without
the option and that with it, they are blocked.

debdiff attached, package uploaded.

Thanks,
Emilio
-------------- next part --------------
diff -Nru batik-1.8/debian/changelog batik-1.8/debian/changelog
--- batik-1.8/debian/changelog	2018-05-30 18:59:04.000000000 +0200
+++ batik-1.8/debian/changelog	2020-07-10 19:30:17.000000000 +0200
@@ -1,3 +1,11 @@
+batik (1.8-4+deb9u2) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-17566: Server-side request forgery via xlink:href attributes.
+    (Closes: #964510)
+
+ -- Emilio Pozuelo Monfort <pochu at debian.org>  Fri, 10 Jul 2020 19:30:17 +0200
+
 batik (1.8-4+deb9u1) stretch-security; urgency=high
 
   * Team upload.
diff -Nru batik-1.8/debian/patches/CVE-2019-17566.patch batik-1.8/debian/patches/CVE-2019-17566.patch
--- batik-1.8/debian/patches/CVE-2019-17566.patch	1970-01-01 01:00:00.000000000 +0100
+++ batik-1.8/debian/patches/CVE-2019-17566.patch	2020-07-10 18:25:27.000000000 +0200
@@ -0,0 +1,98 @@
+--- a/sources/org/apache/batik/apps/rasterizer/Main.java
++++ b/sources/org/apache/batik/apps/rasterizer/Main.java
+@@ -502,6 +502,12 @@ public class Main implements SVGConverte
+     public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+         = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+ 
++    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
++            = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++
++    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
++            = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++
+     /**
+      * Option to turn off secure execution of scripts
+      */
+@@ -830,6 +836,17 @@ public class Main implements SVGConverte
+                               return CL_OPTION_SECURITY_OFF_DESCRIPTION;
+                           }
+                       });
++
++        optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++                new NoValueOptionHandler(){
++                    public void handleOption(SVGConverter c){
++                        c.allowExternalResources = false;
++                    }
++
++                    public String getOptionDescription(){
++                        return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++                    }
++                });
+     }
+ 
+     /**
+--- a/sources/org/apache/batik/apps/rasterizer/SVGConverter.java
++++ b/sources/org/apache/batik/apps/rasterizer/SVGConverter.java
+@@ -253,6 +253,8 @@ public class SVGConverter {
+         the document which references them. */
+     protected boolean constrainScriptOrigin = true;
+ 
++    protected boolean allowExternalResources = true;
++
+     /** Controls whether scripts should be run securely or not */
+     protected boolean securityOff = false;
+ 
+@@ -925,6 +927,10 @@ public class SVGConverter {
+             map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+         }
+ 
++        if (!allowExternalResources) {
++            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++        }
++
+         return map;
+     }
+ 
+--- a/sources/org/apache/batik/transcoder/SVGAbstractTranscoder.java
++++ b/sources/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+@@ -33,8 +33,10 @@ import org.apache.batik.bridge.BaseScrip
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
++import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+ import org.apache.batik.bridge.NoLoadScriptSecurity;
++import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
+ import org.apache.batik.bridge.RelaxedScriptSecurity;
+ import org.apache.batik.bridge.SVGUtilities;
+ import org.apache.batik.bridge.ScriptSecurity;
+@@ -878,6 +880,9 @@ public abstract class SVGAbstractTransco
+         = new BooleanKey();
+ 
+ 
++    public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
++            = new BooleanKey();
++
+     /**
+      * A user agent implementation for <code>PrintTranscoder</code>.
+      */
+@@ -1110,5 +1115,19 @@ public abstract class SVGAbstractTransco
+             }
+         }
+ 
++        public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
++            if (isAllowExternalResources()) {
++                return super.getExternalResourceSecurity(resourceURL, docURL);
++            }
++            return new NoLoadExternalResourceSecurity();
++        }
++
++        public boolean isAllowExternalResources() {
++            Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
++            if (b != null) {
++                return b;
++            }
++            return true;
++        }
+     }
+ }
diff -Nru batik-1.8/debian/patches/series batik-1.8/debian/patches/series
--- batik-1.8/debian/patches/series	2018-05-30 18:59:04.000000000 +0200
+++ batik-1.8/debian/patches/series	2020-07-10 18:25:10.000000000 +0200
@@ -4,3 +4,4 @@
 bug805469.patch
 CVE-2017-5662.patch
 CVE-2018-8013.patch
+CVE-2019-17566.patch

More information about the pkg-java-maintainers mailing list