Bug#860567: fop: CVE-2017-5661: information disclosure vulnerability

Salvatore Bonaccorso carnil at debian.org
Tue Apr 18 18:28:41 UTC 2017


Source: fop
Version: 1:1.0.dfsg-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for fop.

CVE-2017-5661[0]:
| In Apache FOP before 2.2, files lying on the filesystem of the server
| which uses FOP can be revealed to arbitrary users who send maliciously
| formed SVG files. The file types that can be shown depend on the user
| context in which the exploitable application is running. If the user
| is root a full compromise of the server - including confidential or
| sensitive files - would be possible. XXE can also be used to attack
| the availability of the server via denial of service as the references
| within an XML document can trivially trigger an amplification attack.

I was not able to verify that myself, but it is claimed to affect all
fop versions from 1.0 up to 2.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5661
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5661
[1] http://www.openwall.com/lists/oss-security/2017/04/18/2

Regards,
Salvatore
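
As an added illustration of the two attack paths the CVE text above describes (external entity references that read server files, and entity expansion that amplifies into a denial of service), the following Python check is not code from FOP, Batik or the reporter. It screens an SVG document with the standard library's expat bindings and rejects it if it carries the DTD constructs those attacks need, so that such input never reaches an XML-processing pipeline like FOP. The sample SVG documents are constructed for this example, and the policy of rejecting any internal DTD subset, any entity declaration and any external DTD reference is an assumption chosen for illustration; upgrading to a fixed FOP release remains the actual fix.

```python
"""Pre-screen SVG input for DTD constructs that enable XXE and
entity-expansion attacks.

Added example for this bug report; not FOP or Batik code. The policy
(reject any internal DTD subset, any entity declaration and any external
DTD reference) is an assumption for illustration.
"""
import xml.parsers.expat


class _Abort(Exception):
    """Raised from a handler to stop expat before it expands anything."""


def screen_svg(data) -> list:
    """Return a list of findings for `data` (bytes or str).

    An empty list means no DTD constructs were seen. Parsing is aborted at
    the first entity declaration, which always precedes the document body,
    so an amplification payload ("billion laughs") is never expanded here.
    """
    findings = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if sysid or pubid:
            findings.append("external DTD reference: %s" % (sysid or pubid))
        if has_internal_subset:
            findings.append("internal DTD subset present")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None:
            # External entity: this is the file/URL-disclosure primitive.
            findings.append("external entity '%s' -> %s" % (name, sysid))
        else:
            # Internal entity: the building block of expansion attacks.
            findings.append("internal entity '%s' (%d chars)"
                            % (name, len(value or "")))
        raise _Abort()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Never let the screener itself fetch an external DTD subset.
    parser.SetParamEntityParsing(
        xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(data, True)
    except _Abort:
        pass
    except xml.parsers.expat.ExpatError as exc:
        findings.append("not well-formed: %s" % exc)
    return findings


def is_safe_svg(data) -> bool:
    """True when the document carries none of the screened constructs."""
    return not screen_svg(data)


# Constructed sample inputs (not real user uploads).
BENIGN_SVG = (b'<?xml version="1.0"?>'
              b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10"/></svg>')

XXE_SVG = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')

LAUGHS_SVG = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE svg [\n'
              b' <!ENTITY lol "lol">\n'
              b' <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
              b' <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\n'
              b']>\n'
              b'<svg xmlns="http://www.w3.org/2000/svg"><text>&lol3;</text></svg>')

EXTERNAL_DTD_SVG = (b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
                    b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
                    b'<svg xmlns="http://www.w3.org/2000/svg"/>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("xxe", XXE_SVG),
                       ("laughs", LAUGHS_SVG), ("external-dtd", EXTERNAL_DTD_SVG)):
        print(label, "->", "OK" if is_safe_svg(doc) else screen_svg(doc))
```

Legitimate SVG files do sometimes carry the W3C DTD reference, so a deployment that wants to accept them can relax the external-DTD rule to an allow-list of known public identifiers while still refusing every internal subset; the screener still never fetches anything because parameter entity parsing is switched off.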
