Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id
<b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.ca...@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964809,
regarding stretch-pu: package batik/1.8-4+deb9u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
964809: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964809
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,
This update addresses CVE-2019-17566. Since there may be legitimate uses
for SVG files with external resources, the upstream fix is to add an
option that disables those. I have verified that those are fetched without
the option and that with it, they are blocked.
debdiff attached, package uploaded.
Thanks,
Emilio
diff -Nru batik-1.8/debian/changelog batik-1.8/debian/changelog
--- batik-1.8/debian/changelog 2018-05-30 18:59:04.000000000 +0200
+++ batik-1.8/debian/changelog 2020-07-10 19:30:17.000000000 +0200
@@ -1,3 +1,11 @@
+batik (1.8-4+deb9u2) stretch; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2019-17566: Server-side request forgery via xlink:href attributes.
+ (Closes: #964510)
+
+ -- Emilio Pozuelo Monfort <po...@debian.org> Fri, 10 Jul 2020 19:30:17 +0200
+
batik (1.8-4+deb9u1) stretch-security; urgency=high
* Team upload.
diff -Nru batik-1.8/debian/patches/CVE-2019-17566.patch
batik-1.8/debian/patches/CVE-2019-17566.patch
--- batik-1.8/debian/patches/CVE-2019-17566.patch 1970-01-01
01:00:00.000000000 +0100
+++ batik-1.8/debian/patches/CVE-2019-17566.patch 2020-07-10
18:25:27.000000000 +0200
@@ -0,0 +1,98 @@
+--- a/sources/org/apache/batik/apps/rasterizer/Main.java
++++ b/sources/org/apache/batik/apps/rasterizer/Main.java
+@@ -502,6 +502,12 @@ public class Main implements SVGConverte
+ public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+ = Messages.get("Main.cl.option.constrain.script.origin.description",
"No description");
+
++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
++ = Messages.get("Main.cl.option.block.external.resources",
"-blockExternalResources");
++
++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
++ =
Messages.get("Main.cl.option.block.external.resources.description", "No
description");
++
+ /**
+ * Option to turn off secure execution of scripts
+ */
+@@ -830,6 +836,17 @@ public class Main implements SVGConverte
+ return CL_OPTION_SECURITY_OFF_DESCRIPTION;
+ }
+ });
++
++ optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++ new NoValueOptionHandler(){
++ public void handleOption(SVGConverter c){
++ c.allowExternalResources = false;
++ }
++
++ public String getOptionDescription(){
++ return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++ }
++ });
+ }
+
+ /**
+--- a/sources/org/apache/batik/apps/rasterizer/SVGConverter.java
++++ b/sources/org/apache/batik/apps/rasterizer/SVGConverter.java
+@@ -253,6 +253,8 @@ public class SVGConverter {
+ the document which references them. */
+ protected boolean constrainScriptOrigin = true;
+
++ protected boolean allowExternalResources = true;
++
+ /** Controls whether scripts should be run securely or not */
+ protected boolean securityOff = false;
+
+@@ -925,6 +927,10 @@ public class SVGConverter {
+ map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN,
Boolean.FALSE);
+ }
+
++ if (!allowExternalResources) {
++ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES,
Boolean.FALSE);
++ }
++
+ return map;
+ }
+
+--- a/sources/org/apache/batik/transcoder/SVGAbstractTranscoder.java
++++ b/sources/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+@@ -33,8 +33,10 @@ import org.apache.batik.bridge.BaseScrip
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
++import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+ import org.apache.batik.bridge.NoLoadScriptSecurity;
++import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
+ import org.apache.batik.bridge.RelaxedScriptSecurity;
+ import org.apache.batik.bridge.SVGUtilities;
+ import org.apache.batik.bridge.ScriptSecurity;
+@@ -878,6 +880,9 @@ public abstract class SVGAbstractTransco
+ = new BooleanKey();
+
+
++ public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
++ = new BooleanKey();
++
+ /**
+ * A user agent implementation for <code>PrintTranscoder</code>.
+ */
+@@ -1110,5 +1115,19 @@ public abstract class SVGAbstractTransco
+ }
+ }
+
++ public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL
resourceURL, ParsedURL docURL) {
++ if (isAllowExternalResources()) {
++ return super.getExternalResourceSecurity(resourceURL, docURL);
++ }
++ return new NoLoadExternalResourceSecurity();
++ }
++
++ public boolean isAllowExternalResources() {
++ Boolean b =
(Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
++ if (b != null) {
++ return b;
++ }
++ return true;
++ }
+ }
+ }
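Review bot: `isAllowExternalResources()` at the end of the hunk returns `true` whenever `KEY_ALLOW_EXTERNAL_RESOURCES` is absent from the hints, and the SVGConverter hunk only puts the key into the map when the flag is already false, so external `xlink:href` fetches stay enabled for every embedder of `SVGAbstractTranscoder` that does not explicitly set the hint to `Boolean.FALSE` (the rasterizer CLI only blocks them with `-blockExternalResources`). That opt-in default is upstream's choice, but it is the security-relevant fact about this change and the new key `KEY_ALLOW_EXTERNAL_RESOURCES = new BooleanKey()` carries no Javadoc stating it; I would add `/** Whether resources outside the document (e.g. via xlink:href) may be loaded. Defaults to true; set to Boolean.FALSE to block them (CVE-2019-17566). */` above the key. `getExternalResourceSecurity(ParsedURL, ParsedURL)` delegates to `super`, so it is meant as an override and should carry `@Override`, otherwise a signature mismatch against the superclass would compile fine and silently leave the default (loading) policy in place. The user-agent class containing these two methods starts before the hunk, so its declaration and other overrides are not visible here.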
diff -Nru batik-1.8/debian/patches/series batik-1.8/debian/patches/series
--- batik-1.8/debian/patches/series 2018-05-30 18:59:04.000000000 +0200
+++ batik-1.8/debian/patches/series 2020-07-10 18:25:10.000000000 +0200
@@ -4,3 +4,4 @@
bug805469.patch
CVE-2017-5662.patch
CVE-2018-8013.patch
+CVE-2019-17566.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13
Hi,
All of these requests relate to updates that were included in today's
stretch point release.
Regards,
Adam
--- End Message ---