On 2017-04-23 23:06:57, Emilio Pozuelo Monfort wrote:
> On 23/04/17 21:50, Ola Lundqvist wrote:
>> Dear maintainer(s),
>>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of batik:
>> https://security-tracker.debian.org/tracker/CVE-2017-5662
>
> FWIW I investigated this a bit and there don't seem to be any details other
> than what is in the advisory, i.e. I couldn't find the commit that fixes this
> (looking at the svn repository) or an upstream bug report. I found a
> security-related one, reported by Lars Krapf (as mentioned in the oss-security
> mail), but that seemed different from CVE-2017-5662 and much older (see [1]).
Why do you believe it is different? I looked in the [list of bugs][] fixed
upstream in the 1.9 release, and I couldn't find anything else. The related
issue, [BATIK-1018][], explicitly says:

    The impact of this vulnerability ranges from denial of service to file
    disclosure. Under Windows, it can also be used to steal LM/NTLM hashes.

... which seems to match pretty well what the advisory says.

This was reported as affecting Batik 1.8, which is not that old: it's the
previous release, uploaded in Debian in July 2015.

I'm preparing an update to wheezy based on those issues right now, and I
updated the security tracker with links to those patches.

A.

[list of bugs]: https://issues.apache.org/jira/browse/BATIK-1091?jql=project%20%3D%20BATIK%20AND%20fixVersion%20%3D%201.9%20ORDER%20BY%20updated%20DESC%2C%20priority%20DESC%2C%20created%20ASC
[BATIK-1018]: https://issues.apache.org/jira/browse/BATIK-1018

-- 
Government is the Entertainment division of the military-industrial complex.
 - Frank Zappa