Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 724534 (CVE-2018-8013, CVE-2019-17566, CVE-2020-11987)

Summary: <dev-java/batik-1.14: multiple vulnerabilities (CVE-2018-8013, CVE-2019-17566, CVE-2020-11987)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: ajak, java, pavol.cupka
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://xmlgraphics.apache.org/security.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=710208
Whiteboard: B2 [glsa+ cve]
Package list:
Runtime testing required: ---
Bug Depends on: 831112, 843278    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 07:53:43 UTC
Description:
"In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-15 16:54:20 UTC
Also CVE-2019-17566, https://seclists.org/oss-sec/2020/q2/189:

"The Apache Batik library is vulnerable to SSRF via "xlink:href" attributes that allow an attacker to cause the underlying server to make arbitrary GET requests.

Users should upgrade to Batik 1.13 or later and pass -blockExternalResources on the command line"
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 19:17:55 UTC
CVE-2020-11987:

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-14 01:45:50 UTC
Thanks!
Comment 4 Larry the Git Cow gentoo-dev 2024-01-07 10:19:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=eb961392a72f66e8ae09629ffa13ed5a59187746

commit eb961392a72f66e8ae09629ffa13ed5a59187746
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-07 10:19:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-07 10:19:40 +0000

    [ GLSA 202401-11 ] Apache Batik: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/724534
    Bug: https://bugs.gentoo.org/872689
    Bug: https://bugs.gentoo.org/918088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-11.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)