Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 543858 (CVE-2015-0250) - <dev-java/batik-1.8: incorrect SVG file handling (CVE-2015-0250)
Summary: <dev-java/batik-1.8: incorrect SVG file handling (CVE-2015-0250)
Status: RESOLVED FIXED
Alias: CVE-2015-0250
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 551952 551964 553370
Blocks:
  Show dependency tree
 
Reported: 2015-03-20 08:50 UTC by Agostino Sarubbo
Modified: 2015-06-29 20:24 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-03-20 08:50:00 UTC
From ${URL} :

The following flaw was found in Apache Batik:

Files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who 
send maliciously formed SVG files. The file types that can be shown depend on the user context in 
which the exploitable application is running. If the user is root a full compromise of the 
server--including confidential or sensitive files--would be possible.

XXE can also be used to attack the availability of the server via denial of service as the 
references within a xml document can trivially trigger an amplification attack.

Additional information:

http://seclists.org/oss-sec/2015/q1/864

External References:

http://xmlgraphics.apache.org/security.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-03-28 17:11:29 UTC
CVE-2015-0250 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0250):
  XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG
  conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to
  read arbitrary files or cause a denial of service via a crafted SVG file.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-28 17:13:30 UTC
As per URL:
Fixed in Batik 1.8
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2015-06-07 13:43:36 UTC
Ping on Ebuild for this. Has been around for some time.
Comment 4 Patrice Clement gentoo-dev 2015-06-07 23:39:36 UTC
+*batik-1.8 (07 Jun 2015)
+
+  07 Jun 2015; Patrice Clement <monsieurp@gentoo.org> +batik-1.8.ebuild:
+  Version bump. Fix security bug 543858.
+

Please stabilise this package ASAP for the following platforms:
- amd64 
- ppc
- ppc64
- x86
Comment 5 Patrice Clement gentoo-dev 2015-06-12 21:57:57 UTC
=dev-java/batik-1.8
Stable target: amd64 ppc ppc64 x86
Comment 6 Agostino Sarubbo gentoo-dev 2015-06-16 07:19:30 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-06-17 07:32:43 UTC
x86 stable
Comment 8 Patrice Clement gentoo-dev 2015-06-20 14:40:59 UTC
ping @ppc @ppc64
Comment 9 Agostino Sarubbo gentoo-dev 2015-06-22 08:23:52 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-06-22 08:24:10 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Patrice Clement gentoo-dev 2015-06-22 08:33:15 UTC
+  22 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -batik-1.7-r3.ebuild:
+  Remove vulnerable version. Fix security bug 551952.
+
Comment 12 Patrice Clement gentoo-dev 2015-06-22 12:09:11 UTC
I did remove batik-1.7 but we have the following ebuilds relying on it:

app-misc/freemind/freemind-1.0.1.ebuild
dev-java/fop/fop-1.1.ebuild
dev-java/jcharts/jcharts-0.7.5-r2.ebuild

Sorry, we can't clean it up just yet.
Comment 13 Patrice Clement gentoo-dev 2015-06-27 18:37:26 UTC
I've revbumped batik-1.8 and stabilised it while at it cause of a new dep on xmlgraphics-common:2.0 (see bug 553370).

+*batik-1.8-r1 (27 Jun 2015)
+
+  27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> +batik-1.8-r1.ebuild:
+  xmlgraphics-common dependency bump from :1.5 to :2.
+

Dependencies clean up:

+  27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -freemind-0.9.0-r1.ebuild,
+  -freemind-1.0.0-r1.ebuild, -freemind-1.0.1.ebuild:
+  Remove old.
+

+  27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -fop-0.95.ebuild,
+  -fop-1.1.ebuild:
+  Remove old.
+

+  27 Jun 2015; Patrice Clement <monsieurp@gentoo.org>
+  -files/xmlgraphics-commons-1.5-disable-iccprofile-test.patch,
+  -xmlgraphics-commons-1.2-r1.ebuild, -xmlgraphics-commons-1.3.1.ebuild,
+  -xmlgraphics-commons-1.5.ebuild:
+  Remove old.
+

Vulnerable version clean up:
+  27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -batik-1.7-r3.ebuild,
+  -batik-1.8.ebuild, batik-1.8-r1.ebuild:
+  Remove vulnerable version. Fix security bug 543858.
+

Clean up done.

Security, please vote.
Comment 14 Patrice Clement gentoo-dev 2015-06-27 18:39:48 UTC
I missed this bit in my last comment:

+  27 Jun 2015; Patrice Clement <monsieurp@gentoo.org> -jcharts-0.7.5-r2.ebuild:
+  Remove old.
+
Comment 15 Kristian Fiskerstrand gentoo-dev Security 2015-06-29 17:46:30 UTC
GLSA Vote: No
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2015-06-29 20:24:48 UTC
GLSA Vote: No

Thank you all. Closing as noglsa.