Bug#1050538: bullseye-pu: package batik/1.12-4+deb11u2

2023-09-23 Thread Adam D. Barratt
Control: tags -1 confirmed

On Fri, 2023-08-25 at 22:27 +0200, Pierre Gruet wrote:
> I would like to propose an upload of batik in the next point release.
> 
> [ Reason ]
> CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They
> are fixed in sid (and soon trixie). I discussed with the Security team;
> they said a DSA is not needed but suggested fixing the CVEs in bullseye
> in a point release.
> 

Please go ahead.

Regards,

Adam



Bug#1050538: bullseye-pu: package batik/1.12-4+deb11u2

2023-08-25 Thread Pierre Gruet
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ba...@packages.debian.org
Control: affects -1 + src:batik

Dear Release Team,

I would like to propose an upload of batik in the next point release.

[ Reason ]
CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They are fixed
in sid (and soon trixie). I discussed with the Security team; they said a DSA is
not needed but suggested fixing the CVEs in bullseye in a point release.

The two CVEs are corrected by backporting upstream changes.

[ Impact ]
The two CVEs would remain:
``A malicious SVG can probe user profile / data and send it directly as
parameter to a URL.''
and
``A malicious SVG could trigger loading external resources by default, causing
resource consumption or in some cases even information disclosure.''

[ Tests ]
The rdeps using the classes touched by upstream corrections were rebuilt in a 
bullseye chroot. No additional tests were made.

[ Risks ]
The code is quite trivial and is a direct backport of changes made in version
1.17, currently in sid. Risks due to the changes in the code are quite limited
in my opinion, but batik has many rdeps, so you might consider that the security
risks are not important enough to deserve an update in a point release.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in oldstable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Changes are in 7 files and consist of:
- Blocking loading of external resources by default
http://svn.apache.org/viewvc?view=revision=1905049
- Switching to an empty whitelist of packages for the class RhinoClassShutter
https://svn.apache.org/viewvc?view=revision=1905011

Thanks for your attention,

-- 
Pierre
diff -Nru batik-1.12/debian/changelog batik-1.12/debian/changelog
--- batik-1.12/debian/changelog 2022-10-29 16:22:11.0 +0200
+++ batik-1.12/debian/changelog 2023-08-25 11:07:07.0 +0200
@@ -1,3 +1,10 @@
+batik (1.12-4+deb11u2) bullseye; urgency=medium
+
+  * Team upload.
+  * Fixing CVE-2022-44729 and CVE-2022-44730
+
+ -- Pierre Gruet   Fri, 25 Aug 2023 11:07:07 +0200
+
 batik (1.12-4+deb11u1) bullseye-security; urgency=high
 
   * Team upload.
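Review bot: The new changelog entry names the two CVEs but not the patch that carries the fix (debian/patches/CVE-2022-447xx.patch, added in this debdiff) nor a bug reference; a point-release audit is easier if the entry reads along the lines of `* Fix CVE-2022-44729 and CVE-2022-44730 by adding CVE-2022-447xx.patch, backported from upstream 1.17`, with a `Closes:` if a Debian bug exists.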
diff -Nru batik-1.12/debian/patches/CVE-2022-447xx.patch 
batik-1.12/debian/patches/CVE-2022-447xx.patch
--- batik-1.12/debian/patches/CVE-2022-447xx.patch  1970-01-01 
01:00:00.0 +0100
+++ batik-1.12/debian/patches/CVE-2022-447xx.patch  2023-08-25 
11:06:23.0 +0200
@@ -0,0 +1,199 @@
+Description: fixing CVE-2022-44729 and CVE-2022-44730
+ by applying the file changes of upstream commits fixing the CVE
+Author: Pierre Gruet 
+Origin: upstream, https://issues.apache.org/jira/browse/BATIK-1347 and 
https://issues.apache.org/jira/browse/BATIK-1349
+Forwarded: not-needed
+Last-Update: 2023-08-24
+
+--- 
a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
 
b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
+@@ -74,6 +74,9 @@
+ParsedURL docURL){
+ // Make sure that the archives comes from the same host
+ // as the document itself
++if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {
++return;
++}
+ if (docURL == null) {
+ se = new SecurityException
+ (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
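Review bot: The three added lines return before the `docURL == null` check, so a `data:` resource is accepted even when the document has no URL, and the comment just above ("Make sure that the archives comes from the same host as the document itself") now describes only the code after the exemption. A one-line comment stating why `data:` is exempt (the payload is inline, so there is no host to compare) would keep the intent readable. `DATA_PROTOCOL` is not declared anywhere in this hunk; confirm it already exists in the 1.12 class or is introduced by another part of the 199-line patch so the backport compiles.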
+--- 
a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
 
b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+@@ -20,6 +20,7 @@
+ 
+ import org.mozilla.javascript.ClassShutter;
+ import java.util.Arrays;
++import java.util.ArrayList;
+ import java.util.List;
+ 
+ /**
+@@ -29,7 +30,7 @@
+  * @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
+  */
+ public class RhinoClassShutter implements ClassShutter {
+-private static final List WHITELIST = 
Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
++ public static final List WHITELIST = new ArrayList<>();
+ 
+ /*
+ public RhinoClassShutter() {
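Review bot: `WHITELIST` changes from `private static final List` with three java.* entries to `public static final List WHITELIST = new ArrayList<>();`, so the empty default is now also a public, mutable static: any code that can reach the class may add entries back, and the raw `List` gives no hint of what belongs in it. If widening to public is intended (so embedders can opt classes in), say so in a short Javadoc, use `List<String>`, and either wrap it in `Collections.synchronizedList(...)` or document that it must be populated before scripts run; otherwise keep it private and expose a narrow `addVisibleClass(String)`. The added line also carries an extra leading space compared with the removed one; check the indentation against the surrounding file.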
+@@ -58,56 +59,12 @@
+  * Returns whether the given class is visible to scripts.
+  */
+ public boolean visibleToScripts(String fullClassName) {
+-if (fullClassName.startsWith("java.") && 
!WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
+-return false;
+-}
+-
+-// Don't let them mess with script engine's internals.
+-if (fullClassName.startsWith("org.mozilla.javascript"))
+-return false;
+-
+-if (fullClassName.startsWith("org.apache.batik.")) {
+-// Just get package within batik.
+-String batikPkg = fullClassName.substring(17);
+-
+-
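As an added illustration (not Batik's code and not part of this debdiff), the class below models the `visibleToScripts()` decision from the removed lines under the old three-entry WHITELIST and the new empty one, showing which classes an SVG script could reach before and after the fix. The `org.apache.batik.*` branch is cut off in the quoted hunk and is left out, so here everything outside `java.*` and `org.mozilla.javascript` is treated as visible.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Model of the RhinoClassShutter allowlist decision before and after the fix.
// Illustration only: this is not Batik's class and omits its org.apache.batik branch.
public final class ShutterPolicyDemo {
    // Allowlist shipped before the fix (the removed line in the debdiff).
    static final List<String> OLD_WHITELIST =
        Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
    // Allowlist after the fix: empty, and held read-only here so nothing can widen it.
    static final List<String> NEW_WHITELIST = Collections.emptyList();

    /** Mirrors the java.* and org.mozilla.javascript rules visible in the hunk. */
    static boolean visibleToScripts(String fullClassName, List<String> whitelist) {
        // java.* is hidden unless allowlisted or a *Permission class.
        if (fullClassName.startsWith("java.")
                && !whitelist.contains(fullClassName)
                && !fullClassName.endsWith("Permission")) {
            return false;
        }
        // Scripts never get at the engine's own internals.
        if (fullClassName.startsWith("org.mozilla.javascript")) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed probe set: classes a script embedded in an SVG might try to touch.
        String[] probes = {
            "java.net.URL",                  // network access from script
            "java.lang.System",              // system properties and environment
            "java.io.PrintStream",
            "java.security.AllPermission",   // *Permission carve-out stays visible
            "org.mozilla.javascript.Context",
            "java.lang.Runtime",             // hidden under both policies
        };
        System.out.printf("%-34s %-6s %-6s%n", "class", "old", "new");
        for (String c : probes) {
            System.out.printf("%-34s %-6b %-6b%n", c,
                visibleToScripts(c, OLD_WHITELIST),
                visibleToScripts(c, NEW_WHITELIST));
        }
    }
}
```

Under the old policy `java.net.URL` and `java.lang.System` are script-visible, which is the capability the [Impact] text describes; under the new one only the `*Permission` carve-out remains among `java.*` classes.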