[Git][java-team/batik][master] 6 commits: Import Debian changes 1.12-1.1
Sudip Mukherjee
gitlab at salsa.debian.org
Fri Sep 4 19:17:01 BST 2020
Sudip Mukherjee pushed to branch master at Debian Java Maintainers / batik
Commits:
8a73cb07 by Emilio Pozuelo Monfort at 2020-09-04T13:24:14+01:00
Import Debian changes 1.12-1.1
batik (1.12-1.1) unstable; urgency=medium
* Non-maintainer upload.
* CVE-2019-17566: Server-side request forgery via xlink:href attributes.
- - - - -
46a084de by Sudip Mukherjee at 2020-09-04T18:55:43+01:00
Use debhelper-compat and update compat level to 13
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee at gmail.com>
- - - - -
dc8ac619 by Sudip Mukherjee at 2020-09-04T18:56:14+01:00
Update version in d/manifest
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee at gmail.com>
- - - - -
18a43a56 by Sudip Mukherjee at 2020-09-04T18:56:59+01:00
Use java helper to use d/manifest
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee at gmail.com>
- - - - -
f9b43222 by Sudip Mukherjee at 2020-09-04T18:57:33+01:00
Update Standards-Version to 4.5.0
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee at gmail.com>
- - - - -
9a20d44d by Sudip Mukherjee at 2020-09-04T19:00:36+01:00
Add changelog for 1.12-2 release
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee at gmail.com>
- - - - -
7 changed files:
- debian/changelog
- − debian/compat
- debian/control
- debian/manifest
- + debian/patches/CVE-2019-17566.patch
- debian/patches/series
- debian/rules
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,22 @@
+batik (1.12-2) unstable; urgency=medium
+
+ * Team upload.
+ * Use debhelper-compat.
+ - Update compat level to 13.
+ * Update version in d/manifest.
+ * Use java helper to generate MANIFEST.MF from d/manifest.
+ - MANIFEST file in generate jars missed Bundle information.
+ * Update Standards-Version to 4.5.0
+
+ -- Sudip Mukherjee <sudipm.mukherjee at gmail.com> Fri, 04 Sep 2020 19:00:07 +0100
+
+batik (1.12-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2019-17566: Server-side request forgery via xlink:href attributes.
+
+ -- Emilio Pozuelo Monfort <pochu at debian.org> Fri, 10 Jul 2020 18:23:19 +0200
+
batik (1.12-1) unstable; urgency=medium
* Team upload.
=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-11
=====================================
debian/control
=====================================
@@ -8,7 +8,7 @@ Uploaders:
Onkar Shinde <onkarshinde at ubuntu.com>
Build-Depends:
ant,
- debhelper (>= 11),
+ debhelper-compat (= 13),
default-jdk,
javahelper,
libmaven-assembly-plugin-java,
@@ -17,7 +17,7 @@ Build-Depends:
libxmlgraphics-commons-java (>= 2.0.1),
maven-debian-helper (>= 2.2.3),
rhino
-Standards-Version: 4.2.1
+Standards-Version: 4.5.0
Vcs-Git: https://salsa.debian.org/java-team/batik.git
Vcs-Browser: https://salsa.debian.org/java-team/batik
Homepage: https://xmlgraphics.apache.org/batik/
=====================================
debian/manifest
=====================================
@@ -3,7 +3,7 @@ usr/share/java/batik-bridge.jar:
Bundle-Name: Batik Bridge
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.bridge
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Export-Package: org.apache.batik.bridge,org.apache.batik.bridge.svg12
usr/share/java/batik-css.jar:
@@ -11,7 +11,7 @@ usr/share/java/batik-css.jar:
Bundle-Name: Batik CSS
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.css
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Require-Bundle: org.apache.batik.util;bundle-version="[1.7.0,1.9.0)",org.w3c.css.sac
Export-Package: org.apache.batik.css.dom,org.apache.batik.css.engine,org.apache.batik.css.engine.sac,org.apache.batik.css.engine.value,org.apache.batik.css.engine.value.css2,org.apache.batik.css.engine.value.svg,org.apache.batik.css.engine.value.svg12,org.apache.batik.css.parser
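Review bot: The `Require-Bundle` range on the context line of this hunk, `org.apache.batik.util;bundle-version="[1.7.0,1.9.0)"`, no longer contains the `Bundle-Version: 1.12.0` that the batik-util.jar hunk sets, and the batik-util.jar hunk carries the same stale range for `org.apache.batik.util.gui`. The changelog says javahelper now generates MANIFEST.MF from this file, so these headers reach the shipped jars, and an OSGi resolver would presumably refuse to wire the bundles. Widen both ranges together with the bump, for example `bundle-version="[1.12.0,1.13.0)"`, with the upper bound chosen by the maintainers.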
@@ -20,7 +20,7 @@ usr/share/java/batik-svg-dom.jar:
Bundle-Name: Batik SVG DOM
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.dom.svg
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Export-Package: org.apache.batik.dom.anim,org.apache.batik.dom.svg,org.apache.batik.dom.svg12
usr/share/java/batik-dom.jar:
@@ -28,7 +28,7 @@ usr/share/java/batik-dom.jar:
Bundle-Name: Batik DOM
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.dom
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Export-Package: org.apache.batik.dom,org.apache.batik.dom.events,org.apache.batik.dom.traversal,org.apache.batik.dom.util,org.apache.batik.dom.xbl
usr/share/java/batik-awt-util.jar:
@@ -36,7 +36,7 @@ usr/share/java/batik-awt-util.jar:
Bundle-Name: Batik AWT Util
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.ext.awt
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Export-Package: org.apache.batik.ext.awt,org.apache.batik.ext.awt.color,org.apache.batik.ext.awt.font,org.apache.batik.ext.awt.g2d,org.apache.batik.ext.awt.geom,org.apache.batik.ext.awt.image,org.apache.batik.ext.awt.image.renderable,org.apache.batik.ext.awt.image.rendered,org.apache.batik.ext.awt.image.spi,org.apache.batik.ext.swing
usr/share/java/batik-parser.jar:
@@ -44,7 +44,7 @@ usr/share/java/batik-parser.jar:
Bundle-Name: Batik Parser
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.parser
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Export-Package: org.apache.batik.parser
usr/share/java/batik-svggen.jar:
@@ -52,7 +52,7 @@ usr/share/java/batik-svggen.jar:
Bundle-Name: Batik SVG Gen
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.svggen
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Export-Package: org.apache.batik.svggen,org.apache.batik.svggen.font,org.apache.batik.svggen.font.table
usr/share/java/batik-transcoder.jar:
@@ -60,7 +60,7 @@ usr/share/java/batik-transcoder.jar:
Bundle-Name: Batik Parser
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.transcoder
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Export-Package: org.apache.batik.transcoder,org.apache.batik.transcoder.image,org.apache.batik.transcoder.keys,org.apache.batik.transcoder.print,org.apache.batik.transcoder.svg2svg,org.apache.batik.transcoder.wmf,org.apache.batik.transcoder.wmf.tosvg
usr/share/java/batik-gui-util.jar:
@@ -68,7 +68,7 @@ usr/share/java/batik-gui-util.jar:
Bundle-Name: Batik GUI Util
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.util.gui
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Export-Package: org.apache.batik.util.gui,org.apache.batik.util.gui.resource,org.apache.batik.util.gui.xmleditor
usr/share/java/batik-util.jar:
@@ -76,7 +76,7 @@ usr/share/java/batik-util.jar:
Bundle-Name: Batik Util
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.util
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Require-Bundle: org.apache.batik.util.gui;bundle-version="[1.7.0,1.9.0)"
Export-Package: org.apache.batik,org.apache.batik.i18n,org.apache.batik.util,org.apache.batik.util.io,org.apache.batik.util.resources
@@ -85,5 +85,5 @@ usr/share/java/batik-xml.jar:
Bundle-Name: Batik XML
Bundle-Vendor: Debian.org
Bundle-SymbolicName: org.apache.batik.xml
- Bundle-Version: 1.8.0
+ Bundle-Version: 1.12.0
Export-Package: org.apache.batik.xml
=====================================
debian/patches/CVE-2019-17566.patch
=====================================
@@ -0,0 +1,98 @@
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java 2019/12/09 12:10:03 1871083
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java 2019/12/09 12:24:18 1871084
+@@ -501,6 +501,12 @@
+ public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+ = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+
++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
++ = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++
++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
++ = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++
+ /**
+ * Option to turn off secure execution of scripts
+ */
+@@ -829,6 +835,17 @@
+ return CL_OPTION_SECURITY_OFF_DESCRIPTION;
+ }
+ });
++
++ optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++ new NoValueOptionHandler(){
++ public void handleOption(SVGConverter c){
++ c.allowExternalResources = false;
++ }
++
++ public String getOptionDescription(){
++ return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++ }
++ });
+ }
+
+ /**
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java 2019/12/09 12:10:03 1871083
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java 2019/12/09 12:24:18 1871084
+@@ -253,6 +253,8 @@
+ the document which references them. */
+ protected boolean constrainScriptOrigin = true;
+
++ protected boolean allowExternalResources = true;
++
+ /** Controls whether scripts should be run securely or not */
+ protected boolean securityOff = false;
+
+@@ -925,6 +927,10 @@
+ map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+ }
+
++ if (!allowExternalResources) {
++ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++ }
++
+ return map;
+ }
+
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java 2019/12/09 12:10:03 1871083
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java 2019/12/09 12:24:18 1871084
+@@ -33,8 +33,10 @@
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
++import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+ import org.apache.batik.bridge.NoLoadScriptSecurity;
++import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
+ import org.apache.batik.bridge.RelaxedScriptSecurity;
+ import org.apache.batik.bridge.SVGUtilities;
+ import org.apache.batik.bridge.ScriptSecurity;
+@@ -877,6 +879,9 @@
+ = new BooleanKey();
+
+
++ public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
++ = new BooleanKey();
++
+ /**
+ * A user agent implementation for <code>PrintTranscoder</code>.
+ */
+@@ -1109,5 +1114,19 @@
+ }
+ }
+
++ public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
++ if (isAllowExternalResources()) {
++ return super.getExternalResourceSecurity(resourceURL, docURL);
++ }
++ return new NoLoadExternalResourceSecurity();
++ }
++
++ public boolean isAllowExternalResources() {
++ Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
++ if (b != null) {
++ return b;
++ }
++ return true;
++ }
+ }
+ }
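Review bot: The mitigation added by this patch is opt-in: `allowExternalResources` defaults to `true` in SVGConverter and `isAllowExternalResources()` returns `true` when the `KEY_ALLOW_EXTERNAL_RESOURCES` hint is absent, so anything that transcodes untrusted SVG without `-blockExternalResources` or the hint still loads `xlink:href` targets. The changelog entry reads as if the upload closes the SSRF, so it should state that callers have to set `addTranscodingHint(SVGAbstractTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE)` themselves. The new key and the new field also lack the Javadoc their neighbours carry; `/** When FALSE, external resources are not loaded; absent or TRUE keeps the previous behaviour. */` on `KEY_ALLOW_EXTERNAL_RESOURCES` would record the default. The surrounding classes lie mostly outside the embedded hunks, so whether a message-bundle entry exists for the option's description, or whether the help text falls back to "No description", cannot be checked here.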
=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
06_fix_paths_in_policy_files.patch
no-Jython-support.patch
+CVE-2019-17566.patch
=====================================
debian/rules
=====================================
@@ -3,4 +3,4 @@
export JAVA_HOME = /usr/lib/jvm/default-java
%:
- dh $@ --buildsystem=maven
+ dh $@ --buildsystem=maven --with javahelper
View it on GitLab: https://salsa.debian.org/java-team/batik/-/compare/87ff5f2e0d74bbd48cdfec9d858d2f8556755a68...9a20d44daacb7061a68feec14cd602370eebaf85