Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Hi, This update addresses CVE-2019-17566. Since there may be legitimate uses for SVG files with external resources, the upstream fix is to add an option that disables loading of external resources. I have verified that external resources are fetched without the option and blocked with it. debdiff attached, package uploaded. Thanks, Emilio
diff -Nru batik-1.10/debian/changelog batik-1.10/debian/changelog
--- batik-1.10/debian/changelog 2018-12-20 00:28:22.000000000 +0100
+++ batik-1.10/debian/changelog 2020-07-10 19:28:13.000000000 +0200
@@ -1,3 +1,11 @@
+batik (1.10-2+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2019-17566: Server-side request forgery via xlink:href attributes.
+ (Closes: #964510)
+
+ -- Emilio Pozuelo Monfort <po...@debian.org> Fri, 10 Jul 2020 19:28:13 +0200
+
 batik (1.10-2) unstable; urgency=medium
 * Team upload.
diff -Nru batik-1.10/debian/patches/CVE-2019-17566.patch batik-1.10/debian/patches/CVE-2019-17566.patch
--- batik-1.10/debian/patches/CVE-2019-17566.patch 1970-01-01 01:00:00.000000000 +0100
+++ batik-1.10/debian/patches/CVE-2019-17566.patch 2020-07-10 18:24:04.000000000 +0200
@@ -0,0 +1,98 @@
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java 2019/12/09 12:10:03 1871083
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java 2019/12/09 12:24:18 1871084
+@@ -501,6 +501,12 @@
+ public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+ = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+
++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
++ = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++
++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
++ = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++
+ /**
+ * Option to turn off secure execution of scripts
+ */
+@@ -829,6 +835,17 @@
+ return CL_OPTION_SECURITY_OFF_DESCRIPTION;
+ }
+ });
++
++ optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++ new NoValueOptionHandler(){
++ public void handleOption(SVGConverter c){
++ c.allowExternalResources = false;
++ }
++
++ public String getOptionDescription(){
++ return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++ }
++ });
+ }
+
+ /**
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java 2019/12/09 12:10:03 1871083
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java 2019/12/09 12:24:18 1871084
+@@ -253,6 +253,8 @@
+ the document which references them. */
+ protected boolean constrainScriptOrigin = true;
+
++ protected boolean allowExternalResources = true;
++
+ /** Controls whether scripts should be run securely or not */
+ protected boolean securityOff = false;
+
+@@ -925,6 +927,10 @@
+ map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+ }
+
++ if (!allowExternalResources) {
++ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++ }
++
+ return map;
+ }
+
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java 2019/12/09 12:10:03 1871083
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java 2019/12/09 12:24:18 1871084
+@@ -33,8 +33,10 @@
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
++import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+ import org.apache.batik.bridge.NoLoadScriptSecurity;
++import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
+ import org.apache.batik.bridge.RelaxedScriptSecurity;
+ import org.apache.batik.bridge.SVGUtilities;
+ import org.apache.batik.bridge.ScriptSecurity;
+@@ -877,6 +879,9 @@
+ = new BooleanKey();
+
+
++ public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
++ = new BooleanKey();
++
+ /**
+ * A user agent implementation for <code>PrintTranscoder</code>.
+ */
+@@ -1109,5 +1114,19 @@
+ }
+ }
+
++ public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
++ if (isAllowExternalResources()) {
++ return super.getExternalResourceSecurity(resourceURL, docURL);
++ }
++ return new NoLoadExternalResourceSecurity();
++ }
++
++ public boolean isAllowExternalResources() {
++ Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
++ if (b != null) {
++ return b;
++ }
++ return true;
++ }
+ }
+ }
diff -Nru batik-1.10/debian/patches/series batik-1.10/debian/patches/series
--- batik-1.10/debian/patches/series 2018-12-20 00:20:31.000000000 +0100
+++ batik-1.10/debian/patches/series 2020-07-10 18:24:10.000000000 +0200
@@ -1,3 +1,4 @@
 06_fix_paths_in_policy_files.patch
 no-Jython-support.patch
 09_java11_compatibility.patch
+CVE-2019-17566.patch
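Review bot: `KEY_ALLOW_EXTERNAL_RESOURCES` in the SVGAbstractTranscoder.java part of the nested patch is added without Javadoc, while `isAllowExternalResources()` returns true when the hint is absent, so external resources keep being fetched unless a transcoder caller sets the key to `Boolean.FALSE` or the rasterizer is run with `-blockExternalResources`; that opt-in default is the one fact a library user needs and should be stated on the key, e.g. `/** Hint controlling whether external resources referenced by the document may be loaded. Absent or TRUE keeps the default behaviour; FALSE installs NoLoadExternalResourceSecurity. */`. The nested patch touches only the three Java files and adds no `Main.cl.option.block.external.resources*` entries to the rasterizer's Messages resources, so unless the Debian source already carries those keys the usage text for `-blockExternalResources` will show the fallback "No description". The user-agent class that receives `getExternalResourceSecurity` and `isAllowExternalResources` opens outside the `-1109` hunk, so its other security overrides cannot be checked for consistency here.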