Bug#1050538: bullseye-pu: package batik/1.12-4+deb11u2
Pierre Gruet
pgt at debian.org
Fri Aug 25 21:27:14 BST 2023
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: batik at packages.debian.org
Control: affects -1 + src:batik
Dear Release Team,
I would like to propose an upload of batik in the next point release.
[ Reason ]
CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They are fixed
in sid (and soon trixie). I discussed with Security team, they said a DSA is
not needed but suggested to fix the CVE in bullseye in a point release.
The two CVE are corrected by backporting upstream changes.
[ Impact ]
The two CVE would remain:
``A malicious SVG can probe user profile / data and send it directly as
parameter to a URL.''
and
``A malicious SVG could trigger loading external resources by default, causing
resource consumption or in some cases even information disclosure.''
[ Tests ]
The rdeps using the classes touched by upstream corrections were rebuilt in a bullseye chroot. No additional tests were made.
[ Risks ]
Code is quite trivial and it is a direct backport of changes made in version
1.17, currently in sid. Risks due to the changes in the code are quite limited
in my opinion, but batik has many rdeps so you might consider the security
risks are not important enough to deserve an update in a point release.
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in oldstable
[X] the issue is verified as fixed in unstable
[ Changes ]
Changes are in 7 files and consist in:
- Blocking loading external resource by default
http://svn.apache.org/viewvc?view=revision&revision=1905049
- Switching to empty whitelist of packages for the class RhinoClassShutter
https://svn.apache.org/viewvc?view=revision&revision=1905011
Thanks for your attention,
--
Pierre
-------------- next part --------------
diff -Nru batik-1.12/debian/changelog batik-1.12/debian/changelog
--- batik-1.12/debian/changelog 2022-10-29 16:22:11.000000000 +0200
+++ batik-1.12/debian/changelog 2023-08-25 11:07:07.000000000 +0200
@@ -1,3 +1,10 @@
+batik (1.12-4+deb11u2) bullseye; urgency=medium
+
+ * Team upload.
+ * Fixing CVE-2022-44729 and CVE-2022-44730
+
+ -- Pierre Gruet <pgt at debian.org> Fri, 25 Aug 2023 11:07:07 +0200
+
batik (1.12-4+deb11u1) bullseye-security; urgency=high
* Team upload.
diff -Nru batik-1.12/debian/patches/CVE-2022-447xx.patch batik-1.12/debian/patches/CVE-2022-447xx.patch
--- batik-1.12/debian/patches/CVE-2022-447xx.patch 1970-01-01 01:00:00.000000000 +0100
+++ batik-1.12/debian/patches/CVE-2022-447xx.patch 2023-08-25 11:06:23.000000000 +0200
@@ -0,0 +1,199 @@
+Description: fixing CVE-2022-44729 and CVE-2022-44730
+ by applying the file changes of upstream commits fixing the CVE
+Author: Pierre Gruet <pgt at debian.org>
+Origin: upstream, https://issues.apache.org/jira/browse/BATIK-1347 and https://issues.apache.org/jira/browse/BATIK-1349
+Forwarded: not-needed
+Last-Update: 2023-08-24
+
+--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
++++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
+@@ -74,6 +74,9 @@
+ ParsedURL docURL){
+ // Make sure that the archives comes from the same host
+ // as the document itself
++ if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {
++ return;
++ }
+ if (docURL == null) {
+ se = new SecurityException
+ (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
+--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
++++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+@@ -20,6 +20,7 @@
+
+ import org.mozilla.javascript.ClassShutter;
+ import java.util.Arrays;
++import java.util.ArrayList;
+ import java.util.List;
+
+ /**
+@@ -29,7 +30,7 @@
+ * @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
+ */
+ public class RhinoClassShutter implements ClassShutter {
+- private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
++ public static final List<String> WHITELIST = new ArrayList<>();
+
+ /*
+ public RhinoClassShutter() {
+@@ -58,56 +59,12 @@
+ * Returns whether the given class is visible to scripts.
+ */
+ public boolean visibleToScripts(String fullClassName) {
+- if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
+- return false;
+- }
+-
+- // Don't let them mess with script engine's internals.
+- if (fullClassName.startsWith("org.mozilla.javascript"))
+- return false;
+-
+- if (fullClassName.startsWith("org.apache.batik.")) {
+- // Just get package within batik.
+- String batikPkg = fullClassName.substring(17);
+-
+- // Don't let them mess with Batik script internals.
+- if (batikPkg.startsWith("script"))
+- return false;
+-
+- // Don't let them get global structures.
+- if (batikPkg.startsWith("apps"))
+- return false;
+-
+- // Don't let them get scripting stuff from bridge, but specifically
+- // allow access to:
+- //
+- // o.a.b.bridge.ScriptingEnvironment$Window$IntervalScriptTimerTask
+- // o.a.b.bridge.ScriptingEnvironment$Window$IntervalRunnableTimerTask
+- // o.a.b.bridge.ScriptingEnvironment$Window$TimeoutScriptTimerTask
+- // o.a.b.bridge.ScriptingEnvironment$Window$TimeoutRunnableTimerTask
+- //
+- // since objects of these classes are returned by setInterval() and
+- // setTimeout().
+- if (batikPkg.startsWith("bridge.")) {
+- String batikBridgeClass = batikPkg.substring(7);
+- if (batikBridgeClass.startsWith("ScriptingEnvironment")) {
+- if (batikBridgeClass.startsWith("$Window$", 20)) {
+- String c = batikBridgeClass.substring(28);
+- if (c.equals("IntervalScriptTimerTask")
+- || c.equals("IntervalRunnableTimerTask")
+- || c.equals("TimeoutScriptTimerTask")
+- || c.equals("TimeoutRunnableTimerTask")) {
+- return true;
+- }
+- }
+- return false;
+- }
+- if (batikBridgeClass.startsWith("BaseScriptingEnvironment")) {
+- return false;
+- }
+- }
+- }
++ for (String v : WHITELIST) {
++ if (fullClassName.matches(v)) {
++ return true;
++ }
++ }
+
+- return true;
++ return false;
+ }
+ }
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+@@ -501,11 +501,11 @@
+ public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+ = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+
+- public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
+- = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++ public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES
++ = Messages.get("Main.cl.option.allow.external.resources", "-allowExternalResources");
+
+- public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
+- = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++ public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION
++ = Messages.get("Main.cl.option.allow.external.resources.description", "No description");
+
+ /**
+ * Option to turn off secure execution of scripts
+@@ -836,14 +836,14 @@
+ }
+ });
+
+- optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++ optionMap.put(CL_OPTION_ALLOW_EXTERNAL_RESOURCES,
+ new NoValueOptionHandler(){
+ public void handleOption(SVGConverter c){
+- c.allowExternalResources = false;
++ c.allowExternalResources = true;
+ }
+
+ public String getOptionDescription(){
+- return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++ return CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION;
+ }
+ });
+ }
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+@@ -253,7 +253,7 @@
+ the document which references them. */
+ protected boolean constrainScriptOrigin = true;
+
+- protected boolean allowExternalResources = true;
++ protected boolean allowExternalResources;
+
+ /** Controls whether scripts should be run securely or not */
+ protected boolean securityOff = false;
+@@ -927,8 +927,8 @@
+ map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+ }
+
+- if (!allowExternalResources) {
+- map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++ if (allowExternalResources) {
++ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.TRUE);
+ }
+
+ return map;
+--- a/batik-test-old/src/test/java/org/apache/batik/test/xml/JUnitRunnerTestCase.java
++++ b/batik-test-old/src/test/java/org/apache/batik/test/xml/JUnitRunnerTestCase.java
+@@ -57,6 +57,9 @@
+ fos.close();
+ tmp.deleteOnExit();
+ System.setProperty("java.security.policy", tmp.getAbsolutePath());
++ RhinoClassShutter.WHITELIST.addAll(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL",
++ ".*Permission", "org.w3c.dom.*", "org.apache.batik.w3c.*", "org.apache.batik.anim.*",
++ "org.apache.batik.dom.*", "org.apache.batik.css.*"));
+ }
+
+ @Parameterized.Parameters
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+@@ -32,6 +32,7 @@
+ import org.apache.batik.bridge.BaseScriptingEnvironment;
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
++import org.apache.batik.bridge.DefaultExternalResourceSecurity;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
+ import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+@@ -1118,7 +1119,7 @@
+ if (isAllowExternalResources()) {
+ return super.getExternalResourceSecurity(resourceURL, docURL);
+ }
+- return new NoLoadExternalResourceSecurity();
++ return new DefaultExternalResourceSecurity(resourceURL, docURL);
+ }
+
+ public boolean isAllowExternalResources() {
+@@ -1126,7 +1127,7 @@
+ if (b != null) {
+ return b;
+ }
+- return true;
++ return false;
+ }
+ }
+ }
diff -Nru batik-1.12/debian/patches/series batik-1.12/debian/patches/series
--- batik-1.12/debian/patches/series 2022-10-29 16:22:11.000000000 +0200
+++ batik-1.12/debian/patches/series 2023-08-25 11:00:59.000000000 +0200
@@ -3,3 +3,4 @@
CVE-2019-17566.patch
CVE-2022-41704.patch
CVE-2022-42890.patch
+CVE-2022-447xx.patch
More information about the pkg-java-maintainers
mailing list