Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, This update addresses CVE-2019-17566. Since there may be legitimate uses for SVG files with external resources, the upstream fix is to add an option that disables those. I have verified that those are fetched without the option and that with it, they are blocked. debdiff attached, package uploaded. Thanks, Emilio
diff -Nru batik-1.8/debian/changelog batik-1.8/debian/changelog --- batik-1.8/debian/changelog 2018-05-30 18:59:04.000000000 +0200 +++ batik-1.8/debian/changelog 2020-07-10 19:30:17.000000000 +0200 @@ -1,3 +1,11 @@ +batik (1.8-4+deb9u2) stretch; urgency=medium + + * Non-maintainer upload. + * CVE-2019-17566: Server-side request forgery via xlink:href attributes. + (Closes: #964510) + + -- Emilio Pozuelo Monfort <po...@debian.org> Fri, 10 Jul 2020 19:30:17 +0200 + batik (1.8-4+deb9u1) stretch-security; urgency=high * Team upload. diff -Nru batik-1.8/debian/patches/CVE-2019-17566.patch batik-1.8/debian/patches/CVE-2019-17566.patch --- batik-1.8/debian/patches/CVE-2019-17566.patch 1970-01-01 01:00:00.000000000 +0100 +++ batik-1.8/debian/patches/CVE-2019-17566.patch 2020-07-10 18:25:27.000000000 +0200 @@ -0,0 +1,98 @@ +--- a/sources/org/apache/batik/apps/rasterizer/Main.java ++++ b/sources/org/apache/batik/apps/rasterizer/Main.java +@@ -502,6 +502,12 @@ public class Main implements SVGConverte + public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION + = Messages.get("Main.cl.option.constrain.script.origin.description", "No description"); + ++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES ++ = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources"); ++ ++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION ++ = Messages.get("Main.cl.option.block.external.resources.description", "No description"); ++ + /** + * Option to turn off secure execution of scripts + */ +@@ -830,6 +836,17 @@ public class Main implements SVGConverte + return CL_OPTION_SECURITY_OFF_DESCRIPTION; + } + }); ++ ++ optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES, ++ new NoValueOptionHandler(){ ++ public void handleOption(SVGConverter c){ ++ c.allowExternalResources = false; ++ } ++ ++ public String getOptionDescription(){ ++ return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION; ++ } ++ }); + } + + /** +--- a/sources/org/apache/batik/apps/rasterizer/SVGConverter.java ++++ b/sources/org/apache/batik/apps/rasterizer/SVGConverter.java +@@ -253,6 +253,8 @@ public class SVGConverter { + the document which references them. */ + protected boolean constrainScriptOrigin = true; + ++ protected boolean allowExternalResources = true; ++ + /** Controls whether scripts should be run securely or not */ + protected boolean securityOff = false; + +@@ -925,6 +927,10 @@ public class SVGConverter { + map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE); + } + ++ if (!allowExternalResources) { ++ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE); ++ } ++ + return map; + } + +--- a/sources/org/apache/batik/transcoder/SVGAbstractTranscoder.java ++++ b/sources/org/apache/batik/transcoder/SVGAbstractTranscoder.java +@@ -33,8 +33,10 @@ import org.apache.batik.bridge.BaseScrip + import org.apache.batik.bridge.BridgeContext; + import org.apache.batik.bridge.BridgeException; + import org.apache.batik.bridge.DefaultScriptSecurity; ++import org.apache.batik.bridge.ExternalResourceSecurity; + import org.apache.batik.bridge.GVTBuilder; + import org.apache.batik.bridge.NoLoadScriptSecurity; ++import org.apache.batik.bridge.NoLoadExternalResourceSecurity; + import org.apache.batik.bridge.RelaxedScriptSecurity; + import org.apache.batik.bridge.SVGUtilities; + import org.apache.batik.bridge.ScriptSecurity; +@@ -878,6 +880,9 @@ public abstract class SVGAbstractTransco + = new BooleanKey(); + + ++ public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES ++ = new BooleanKey(); ++ + /** + * A user agent implementation for <code>PrintTranscoder</code>. + */ +@@ -1110,5 +1115,19 @@ public abstract class SVGAbstractTransco + } + } + ++ public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) { ++ if (isAllowExternalResources()) { ++ return super.getExternalResourceSecurity(resourceURL, docURL); ++ } ++ return new NoLoadExternalResourceSecurity(); ++ } ++ ++ public boolean isAllowExternalResources() { ++ Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES); ++ if (b != null) { ++ return b; ++ } ++ return true; ++ } + } + } diff -Nru batik-1.8/debian/patches/series batik-1.8/debian/patches/series --- batik-1.8/debian/patches/series 2018-05-30 18:59:04.000000000 +0200 +++ batik-1.8/debian/patches/series 2020-07-10 18:25:10.000000000 +0200 @@ -4,3 +4,4 @@ bug805469.patch CVE-2017-5662.patch CVE-2018-8013.patch +CVE-2019-17566.patch
__ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.