From ${URL} : The following flaw was found in Apache Batik: Files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server--including confidential or sensitive files--would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack. Additional information: http://seclists.org/oss-sec/2015/q1/864 External References: http://xmlgraphics.apache.org/security.html @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2015-0250 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0250): XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
As per URL: Fixed in Batik 1.8
Ping on Ebuild for this. Has been around for some time.
+*batik-1.8 (07 Jun 2015) + + 07 Jun 2015; Patrice Clement <monsieurp@gentoo.org> +batik-1.8.ebuild: + Version bump. Fix security bug 543858. + Please stabilise this package ASAP for the following platforms: - amd64 - ppc - ppc64 - x86
=dev-java/batik-1.8 Stable target: amd64 ppc ppc64 x86
amd64 stable
x86 stable
ping @ppc @ppc64
ppc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please vote.
+ 22 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -batik-1.7-r3.ebuild: + Remove vulnerable version. Fix security bug 551952. +
I did remove batik-1.7 but we have the following ebuilds relying on it: app-misc/freemind/freemind-1.0.1.ebuild dev-java/fop/fop-1.1.ebuild dev-java/jcharts/jcharts-0.7.5-r2.ebuild Sorry, we can't clean it up just yet.
I've revbumped batik-1.8 and stabilised it while at it cause of a new dep on xmlgraphics-common:2.0 (see bug 553370). +*batik-1.8-r1 (27 Jun 2015) + + 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> +batik-1.8-r1.ebuild: + xmlgraphics-common dependency bump from :1.5 to :2. + Dependencies clean up: + 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -freemind-0.9.0-r1.ebuild, + -freemind-1.0.0-r1.ebuild, -freemind-1.0.1.ebuild: + Remove old. + + 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -fop-0.95.ebuild, + -fop-1.1.ebuild: + Remove old. + + 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> + -files/xmlgraphics-commons-1.5-disable-iccprofile-test.patch, + -xmlgraphics-commons-1.2-r1.ebuild, -xmlgraphics-commons-1.3.1.ebuild, + -xmlgraphics-commons-1.5.ebuild: + Remove old. + Vulnerable version clean up: + 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -batik-1.7-r3.ebuild, + -batik-1.8.ebuild, batik-1.8-r1.ebuild: + Remove vulnerable version. Fix security bug 543858. + Clean up done. Security, please vote.
I missed this bit in my last comment: + 27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -jcharts-0.7.5-r2.ebuild: + Remove old. +
GLSA Vote: No
GLSA Vote: No Thank you all. Closing as noglsa.