Bug#860566: Wheezy update of batik?

2017-04-26 Thread Antoine Beaupré
On 2017-04-23 23:06:57, Emilio Pozuelo Monfort wrote:
> On 23/04/17 21:50, Ola Lundqvist wrote:
>> Dear maintainer(s),
>> 
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of batik:
>> https://security-tracker.debian.org/tracker/CVE-2017-5662
>
> FWIW I investigated this a bit and there doesn't seem to be any details other
> than what is in the advisory: i.e. I couldn't find the commit that fixes this
> (looking at the svn repository) or an upstream bug report. I found a
> security-related one, reported by Lars Krapf (as mentioned in the oss-security
> mail) but that seemed different than CVE-2017-5662 and much older (see [1]).

Why do you believe it is different?

I looked in the [list of bugs][] fixed upstream in the 1.9 release, and
I couldn't find anything else. The related issue, [BATIK-1018][],
explicitly says:

The impact of this vulnerability ranges from denial of service to
file disclosure. Under Windows, it can also be used to steal LM/NTLM
hashes.

... which seems to match pretty well what the advisory says. This was
reported as affecting Batik 1.8, which is not that old: it's the
previous release, uploaded in Debian in July 2015.

I'm preparing an update to wheezy based on those issues right now and I
updated the security tracker with links to those patches.

A.

 [list of bugs]: 
https://issues.apache.org/jira/browse/BATIK-1091?jql=project%20%3D%20BATIK%20AND%20fixVersion%20%3D%201.9%20ORDER%20BY%20updated%20DESC%2C%20priority%20DESC%2C%20created%20ASC
 [BATIK-1018]: https://issues.apache.org/jira/browse/BATIK-1018

-- 
Government is the Entertainment division of the military-industrial
complex.
- Frank Zappa

__
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.


Re: Wheezy update of batik?

2017-04-23 Thread Emilio Pozuelo Monfort
On 23/04/17 21:50, Ola Lundqvist wrote:
> Dear maintainer(s),
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of batik:
> https://security-tracker.debian.org/tracker/CVE-2017-5662

FWIW I investigated this a bit and there doesn't seem to be any details other
than what is in the advisory: i.e. I couldn't find the commit that fixes this
(looking at the svn repository) or an upstream bug report. I found a
security-related one, reported by Lars Krapf (as mentioned in the oss-security
mail) but that seemed different than CVE-2017-5662 and much older (see [1]).

Also our 1.8 and the upstream 1.9 tarballs have different layouts so it's hard
to compare them.

Cheers,
Emilio

[1] https://issues.apache.org/jira/browse/BATIK-1139
