Package: batik Version: 1.12-1 Severity: normal Tags: patch pending Dear maintainer,
I've prepared an NMU for batik (versioned as 1.12-1.1) and uploaded it to DELAYED/5. Please feel free to tell me if I should delay it longer. Regards. diff -Nru batik-1.12/debian/changelog batik-1.12/debian/changelog --- batik-1.12/debian/changelog 2020-02-16 21:16:51.000000000 +0100 +++ batik-1.12/debian/changelog 2020-07-10 18:23:19.000000000 +0200 @@ -1,3 +1,10 @@ +batik (1.12-1.1) unstable; urgency=medium + + * Non-maintainer upload. + * CVE-2019-17566: Server-side request forgery via xlink:href attributes. + + -- Emilio Pozuelo Monfort <po...@debian.org> Fri, 10 Jul 2020 18:23:19 +0200 + batik (1.12-1) unstable; urgency=medium * Team upload. diff -Nru batik-1.12/debian/patches/CVE-2019-17566.patch batik-1.12/debian/patches/CVE-2019-17566.patch --- batik-1.12/debian/patches/CVE-2019-17566.patch 1970-01-01 01:00:00.000000000 +0100 +++ batik-1.12/debian/patches/CVE-2019-17566.patch 2020-07-10 18:22:41.000000000 +0200 @@ -0,0 +1,98 @@ +--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java 2019/12/09 12:10:03 1871083 ++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java 2019/12/09 12:24:18 1871084 +@@ -501,6 +501,12 @@ + public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION + = Messages.get("Main.cl.option.constrain.script.origin.description", "No description"); + ++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES ++ = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources"); ++ ++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION ++ = Messages.get("Main.cl.option.block.external.resources.description", "No description"); ++ + /** + * Option to turn off secure execution of scripts + */ +@@ -829,6 +835,17 @@ + return CL_OPTION_SECURITY_OFF_DESCRIPTION; + } + }); ++ ++ optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES, ++ new NoValueOptionHandler(){ ++ public void handleOption(SVGConverter c){ ++ c.allowExternalResources = false; ++ } ++ ++ public String getOptionDescription(){ ++ return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION; ++ } ++ }); + } + + /** +--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java 2019/12/09 12:10:03 1871083 ++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java 2019/12/09 12:24:18 1871084 +@@ -253,6 +253,8 @@ + the document which references them. */ + protected boolean constrainScriptOrigin = true; + ++ protected boolean allowExternalResources = true; ++ + /** Controls whether scripts should be run securely or not */ + protected boolean securityOff = false; + +@@ -925,6 +927,10 @@ + map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE); + } + ++ if (!allowExternalResources) { ++ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE); ++ } ++ + return map; + } + +--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java 2019/12/09 12:10:03 1871083 ++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java 2019/12/09 12:24:18 1871084 +@@ -33,8 +33,10 @@ + import org.apache.batik.bridge.BridgeContext; + import org.apache.batik.bridge.BridgeException; + import org.apache.batik.bridge.DefaultScriptSecurity; ++import org.apache.batik.bridge.ExternalResourceSecurity; + import org.apache.batik.bridge.GVTBuilder; + import org.apache.batik.bridge.NoLoadScriptSecurity; ++import org.apache.batik.bridge.NoLoadExternalResourceSecurity; + import org.apache.batik.bridge.RelaxedScriptSecurity; + import org.apache.batik.bridge.SVGUtilities; + import org.apache.batik.bridge.ScriptSecurity; +@@ -877,6 +879,9 @@ + = new BooleanKey(); + + ++ public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES ++ = new BooleanKey(); ++ + /** + * A user agent implementation for <code>PrintTranscoder</code>. + */ +@@ -1109,5 +1114,19 @@ + } + } + ++ public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) { ++ if (isAllowExternalResources()) { ++ return super.getExternalResourceSecurity(resourceURL, docURL); ++ } ++ return new NoLoadExternalResourceSecurity(); ++ } ++ ++ public boolean isAllowExternalResources() { ++ Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES); ++ if (b != null) { ++ return b; ++ } ++ return true; ++ } + } + } diff -Nru batik-1.12/debian/patches/series batik-1.12/debian/patches/series --- batik-1.12/debian/patches/series 2020-02-16 21:16:51.000000000 +0100 +++ batik-1.12/debian/patches/series 2020-07-10 18:17:47.000000000 +0200 @@ -1,2 +1,3 @@ 06_fix_paths_in_policy_files.patch no-Jython-support.patch +CVE-2019-17566.patch