Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 724534 (CVE-2018-8013, CVE-2019-17566, CVE-2020-11987) - <dev-java/batik-1.14: multiple vulnerabilities (CVE-2018-8013, CVE-2019-17566, CVE-2020-11987)
Summary: <dev-java/batik-1.14: multiple vulnerabilities (CVE-2018-8013, CVE-2019-17566...
Status: RESOLVED FIXED
Alias: CVE-2018-8013, CVE-2019-17566, CVE-2020-11987
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://xmlgraphics.apache.org/securi...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on: 831112 843278
Blocks:
  Show dependency tree
 
Reported: 2020-05-22 07:53 UTC by Sam James
Modified: 2024-01-07 10:20 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-22 07:53:43 UTC
Description:
"In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization."
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-06-15 16:54:20 UTC
Also CVE-2019-17566, https://seclists.org/oss-sec/2020/q2/189:

"The Apache Batik library is vulnerable to SSRF via "xlink:href" attributes that allow an attacker to cause the underlying server to make arbitrary GET requests.

Users should upgrade to Batik 1.13 or later and pass -blockExternalResources on the command line"
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-25 19:17:55 UTC
CVE-2020-11987:

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-14 01:45:50 UTC
Thanks!
Comment 4 Larry the Git Cow gentoo-dev 2024-01-07 10:19:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=eb961392a72f66e8ae09629ffa13ed5a59187746

commit eb961392a72f66e8ae09629ffa13ed5a59187746
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-07 10:19:19 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-07 10:19:40 +0000

    [ GLSA 202401-11 ] Apache Batik: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/724534
    Bug: https://bugs.gentoo.org/872689
    Bug: https://bugs.gentoo.org/918088
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-11.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)