Dear Security Team, I have prepared an update for batik [1] in wheezy to address CVE-2015-0250. Attached is the debdiff. Please let me know if you would like me to upload it.
Thank you, tony [1] https://security-tracker.debian.org/tracker/source-package/batik
diff -Nru batik-1.7+dfsg/debian/changelog batik-1.7+dfsg/debian/changelog
--- batik-1.7+dfsg/debian/changelog 2012-06-23 06:04:34.000000000 -0700
+++ batik-1.7+dfsg/debian/changelog 2015-03-25 20:53:11.000000000 -0700
@@ -1,3 +1,12 @@
+batik (1.7+dfsg-3+deb7u1) wheezy-security; urgency=high
+
+ * Team upload.
+ * Add debian/patches/cve_2015_0250.patch to disable external XML entity
+ resolution (information disclosure). This addresses CVE-2015-0250.
+ (Closes: #780897)
+
+ -- tony mancill <[email protected]> Tue, 24 Mar 2015 05:17:00 +0000
+
 batik (1.7+dfsg-3) unstable; urgency=low
 
 * Team upload.
diff -Nru batik-1.7+dfsg/debian/patches/cve_2015_0250.patch batik-1.7+dfsg/debian/patches/cve_2015_0250.patch
--- batik-1.7+dfsg/debian/patches/cve_2015_0250.patch 1969-12-31 16:00:00.000000000 -0800
+++ batik-1.7+dfsg/debian/patches/cve_2015_0250.patch 2015-03-21 10:06:12.000000000 -0700
@@ -0,0 +1,60 @@
+Description: Fix information disclosure by disabling external XML entity processing.
+ The upstream patch was modified slightly to apply cleanly against
+ the source package in Debian.
+Forwarded: not-needed
+Origin: https://svn.apache.org/viewvc/xmlgraphics/batik/trunk/sources/org/apache/batik/dom/util/SAXDocumentFactory.java?r1=662304&r2=1664335&view=patch
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780897
+
+--- a/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
++++ b/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
+@@ -30,25 +30,26 @@
+ import javax.xml.parsers.SAXParser;
+ import javax.xml.parsers.SAXParserFactory;
+ 
+-import org.apache.batik.util.HaltingThread;
+-import org.apache.batik.util.XMLConstants;
+-
++import org.w3c.dom.DOMImplementation;
++import org.w3c.dom.Document;
++import org.w3c.dom.DocumentType;
++import org.w3c.dom.Element;
++import org.w3c.dom.Node;
+ import org.xml.sax.Attributes;
+ import org.xml.sax.ErrorHandler;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.Locator;
+ import org.xml.sax.SAXException;
+ import org.xml.sax.SAXNotRecognizedException;
++import org.xml.sax.SAXNotSupportedException;
+ import org.xml.sax.SAXParseException;
+ import org.xml.sax.XMLReader;
+ import org.xml.sax.ext.LexicalHandler;
+ import org.xml.sax.helpers.DefaultHandler;
+ import org.xml.sax.helpers.XMLReaderFactory;
+ 
+-import org.w3c.dom.DOMImplementation;
+-import org.w3c.dom.Document;
+-import org.w3c.dom.Element;
+-import org.w3c.dom.Node;
++import org.apache.batik.util.HaltingThread;
++import org.apache.batik.util.XMLConstants;
+ 
+ /**
+ * This class contains methods for creating Document instances
+@@ -391,6 +392,16 @@
+ static SAXParserFactory saxFactory;
+ static {
+ saxFactory = SAXParserFactory.newInstance();
++ try {
++ saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ } catch (SAXNotRecognizedException e) {
++ e.printStackTrace();
++ } catch (SAXNotSupportedException e) {
++ e.printStackTrace();
++ } catch (ParserConfigurationException e) {
++ e.printStackTrace();
++ }
+ }
+
+ /**
diff -Nru batik-1.7+dfsg/debian/patches/series batik-1.7+dfsg/debian/patches/series
--- batik-1.7+dfsg/debian/patches/series 2012-03-12 12:57:14.000000000 -0700
+++ batik-1.7+dfsg/debian/patches/series 2015-03-25 20:53:47.000000000 -0700
@@ -1,3 +1,4 @@
 06_fix_paths_in_policy_files.patch
 source-1.5.patch
 remove-js.patch
+cve_2015_0250.patch
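Review bot: Each of the three catch blocks in the new static initializer only calls `e.printStackTrace()` and lets initialization continue, so on a SAX implementation that rejects either feature `saxFactory` keeps external entities enabled and the CVE-2015-0250 disclosure path is silently back; a security fix should fail closed here, e.g. replace each `e.printStackTrace();` with `throw new ExceptionInInitializerError(e);` so callers get an error instead of an unhardened parser. The patch also leaves DOCTYPE handling untouched: with only the two SAX entity features turned off, a document carrying a `<!DOCTYPE>` with an external DTD reference can presumably still cause the parser to fetch that URL (and expand internal entities), so consider additionally setting `http://apache.org/xml/features/nonvalidating/load-external-dtd` to false — `disallow-doctype-decl` is likely too strict for SVG inputs that legitimately declare a DOCTYPE — and confirm against SAXDocumentFactory's callers. `ParserConfigurationException` is caught but no import for it appears in the import hunk, so this relies on an import that must already exist above line 30 of the file. The `XMLReaderFactory` import kept in the first hunk suggests the class may also create readers outside `saxFactory`; if such a path exists outside this hunk, these settings do not cover it.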

