[
https://issues.apache.org/jira/browse/XGC-149?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18071458#comment-18071458
]
Joshua Marquart edited comment on XGC-149 at 4/7/26 12:21 PM:
--------------------------------------------------------------
Found additional in xmlgraphics-commons, which is also being flagged by
Sonatype:
* PATCH "xgc-145-batik-defensive_input_validation" : applies to batik /
batik-transcoder / batik-codec
* PATCH "xgc-145-xmlgraphics-defensive_input_validation" : applies to
xmlgraphics-commons
was (Author: joshdm):
Found additional in xmlgraphics-commons, which is also being flagged by
Sonatype:
* PATCH "Added_defensive_input_validation_to_write_at_offset_for_length.patch"
- applies to batik / batik-transcoder / batik-codec
* PATCH
"xmlg-added_defensive_input_validation_toi_write_at_offset_for_len.patch" -
applies to xmlgraphics-commons
> Apache Batik-Codec implicated by CVE-2026-24806, CVE-2026-24807
> ---------------------------------------------------------------
>
> Key: XGC-149
> URL: https://issues.apache.org/jira/browse/XGC-149
> Project: XMLGraphicsCommons
> Issue Type: Bug
> Components: image writer
> Affects Versions: 2.11
> Reporter: Joshua Marquart
> Priority: Major
> Labels: security-issue
> Attachments: xgc-145-batik-defensive_input_validation.patch,
> xgc-145-xmlgraphics-defensive_input_validation.patch
>
>
> According to the National Vulnerability Database CVE-2026-24806,
> CVE-2026-24807 applies to batik-codec and xmlgraphics-commons
> https://nvd.nist.gov/vuln/detail/CVE-2026-24806
> https://nvd.nist.gov/vuln/detail/CVE-2026-24807
> https://www.sentinelone.com/vulnerability-database/cve-2026-24806/
> This was originally identified in the quick-media fork of batik-codec and was
> due to Input validation missing from the `public void write(byte[] b, int
> off, int len) throws IOException` methods of
> `org.apache.batik.ext.awt.image.codec.png.PNGImageEncoder.java` at line 91
> and `org.apache.batik.ext.awt.image.codec.util.SeekableOutputStream.java` at
> line 61
> {code:java}
> if (b == null) {
> throw new NullPointerException();
> }
> if (off < 0 || len < 0 || len > b.length - off) {
> throw new IndexOutOfBoundsException();
> }
> {code}
> Similar input validation does not exist for the same classes in the
> batik-codec 1.19 and xmlgraphics-commons 2.11 sources. This is causing the
> same components to be flagged with Medium vulnerability in Sonatype Lifecycle.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
