Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 918088 (CVE-2022-44729, CVE-2022-44730)

Summary: <dev-java/batik-1.17: multiple vulnerabilities
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: java
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/34074
Whiteboard: B3 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 916015    
Bug Blocks:    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-23 17:44:39 UTC 
CVE-2022-44729 (https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2):

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.

On version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.

CVE-2022-44730 (https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0):

Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.

A malicious SVG can probe user profile / data and send it directly as parameter to a URL.

Fixes in 1.17, please stabilize.
Comment 1 Larry the Git Cow gentoo-dev 2023-12-01 09:24:33 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67360a9f1185fd830c04928220a967508e630f09

commit 67360a9f1185fd830c04928220a967508e630f09
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2023-12-01 05:16:01 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-12-01 09:23:46 +0000

    dev-java/batik: drop 1.16-r2
    
    Bug: https://bugs.gentoo.org/918088
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/batik/Manifest             |   2 -
 dev-java/batik/batik-1.16-r2.ebuild | 247 ------------------------------------
 2 files changed, 249 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-01-07 10:19:45 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=eb961392a72f66e8ae09629ffa13ed5a59187746

commit eb961392a72f66e8ae09629ffa13ed5a59187746
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-07 10:19:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-07 10:19:40 +0000

    [ GLSA 202401-11 ] Apache Batik: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/724534
    Bug: https://bugs.gentoo.org/872689
    Bug: https://bugs.gentoo.org/918088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-11.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)