
Bug#1050537: marked as done (bookworm-pu: package batik/1.16+dfsg-1+deb12u1)



Your message dated Sat, 07 Oct 2023 09:59:40 +0000
with message-id <E1qp460-00A4Db-Di@coccia.debian.org>
and subject line Released with 12.2
has caused the Debian Bug report #1050537,
regarding bookworm-pu: package batik/1.16+dfsg-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1050537: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050537
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: batik@packages.debian.org
Control: affects -1 + src:batik

Dear Release Team,

I would like to propose an upload of batik in the next point release.

[ Reason ]
CVE-2022-44729 and CVE-2022-44730 have been filed against batik. They are fixed
in sid (and soon trixie). I discussed with the Security team; they said a DSA is
not needed but suggested fixing the CVEs in bookworm in a point release.

The two CVEs are corrected by backporting upstream changes.

[ Impact ]
The two CVEs would remain:
``A malicious SVG can probe user profile / data and send it directly as
parameter to a URL.''
and
``A malicious SVG could trigger loading external resources by default, causing
resource consumption or in some cases even information disclosure.''

[ Tests ]
The rdeps using the classes touched by the upstream corrections were rebuilt in
a bookworm chroot. No additional tests were made.

[ Risks ]
The code is quite trivial and it is a direct backport of changes made in version
1.17, currently in sid. Risks due to the changes in the code are quite limited
in my opinion, but batik has many rdeps, so you might consider that the security
risks are not important enough to deserve an update in a point release.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Changes are in 7 files and consist of:
- Blocking loading of external resources by default
    http://svn.apache.org/viewvc?view=revision&revision=1905049
- Switching to an empty whitelist of packages for the class RhinoClassShutter
    https://svn.apache.org/viewvc?view=revision&revision=1905011

Thanks for your attention,

-- 
Pierre
diff -Nru batik-1.16+dfsg/debian/changelog batik-1.16+dfsg/debian/changelog
--- batik-1.16+dfsg/debian/changelog	2022-10-27 18:27:37.000000000 +0200
+++ batik-1.16+dfsg/debian/changelog	2023-08-24 21:28:00.000000000 +0200
@@ -1,3 +1,9 @@
+batik (1.16+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * Fixing CVE-2022-44729 and CVE-2022-44730
+
+ -- Pierre Gruet <pgt@debian.org>  Thu, 24 Aug 2023 21:28:00 +0200
+
 batik (1.16+dfsg-1) unstable; urgency=medium
 
   * New upstream version 1.16+dfsg, fixing security issues:
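Review bot: the changelog entry only names the two CVEs, yet the patch also renames the rasterizer's -blockExternalResources option to -allowExternalResources and flips the default for external resource loading; spell that out in the entry (and in a debian/NEWS item) so stable users see the behavioural change through apt-listchanges rather than discovering it from a failing command line.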
diff -Nru batik-1.16+dfsg/debian/patches/CVE-2022-447xx.patch batik-1.16+dfsg/debian/patches/CVE-2022-447xx.patch
--- batik-1.16+dfsg/debian/patches/CVE-2022-447xx.patch	1970-01-01 01:00:00.000000000 +0100
+++ batik-1.16+dfsg/debian/patches/CVE-2022-447xx.patch	2023-08-24 21:27:27.000000000 +0200
@@ -0,0 +1,208 @@
+Description: fixing CVE-2022-44729 and CVE-2022-44730
+ by applying the file changes of upstream commits fixing the CVE
+Author: Pierre Gruet <pgt@debian.org>
+Origin: upstream, https://issues.apache.org/jira/browse/BATIK-1347 and https://issues.apache.org/jira/browse/BATIK-1349
+Forwarded: not-needed
+Last-Update: 2023-08-24
+
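Review bot: the Origin field points at the two JIRA issues, but the bug report itself cites the SVN revisions that were actually backported (revision 1905049 and revision 1905011); adding those URLs to Origin makes it much easier to diff this backport against upstream when the next CVE arrives.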
+--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
++++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
+@@ -77,6 +77,9 @@
+                                            ParsedURL docURL){
+         // Make sure that the archives comes from the same host
+         // as the document itself
++        if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {
++            return;
++        }
+         if (docURL == null) {
+             se = new SecurityException
+                 (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
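Review bot: the added early return calls externalResourceURL.getProtocol() before anything has checked externalResourceURL for null, so a null resource URL now raises NullPointerException from the constructor instead of reaching the SecurityException path; guard it with `externalResourceURL != null &&`. The existing comment "Make sure that the archives comes from the same host" now sits directly above the exemption, so a one-line comment saying why data: URIs are exempt (the resource is carried inline, nothing is fetched) would keep the intent readable. The hunk does not introduce DATA_PROTOCOL, so confirm the constant already exists in this class.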
+--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
++++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+@@ -21,6 +21,7 @@
+ import org.mozilla.javascript.ClassShutter;
+ 
+ import java.util.Arrays;
++import java.util.ArrayList;
+ import java.util.List;
+ 
+ /**
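Review bot: the next hunk removes Arrays.asList from the WHITELIST initialiser, which was the only use of `import java.util.Arrays;` in this class; drop that import here instead of leaving it unused.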
+@@ -30,7 +31,7 @@
+  * @version $Id: RhinoClassShutter.java 1904565 2022-10-13 11:05:28Z ssteiner $
+  */
+ public class RhinoClassShutter implements ClassShutter {
+-    private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
++     public static final List<String> WHITELIST = new ArrayList<>();
+ 
+     /*
+     public RhinoClassShutter() {
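Review bot: `++     public static final List<String> WHITELIST = new ArrayList<>();` is indented one space more than the surrounding members. More importantly, the list changes from private and fixed-size to public and mutable, so any code in the JVM can append patterns at runtime (JUnitRunnerTestCase does exactly that), and the entries are now regular expressions rather than class names, which nothing in the class states. Add a Javadoc line saying entries are regexes matched with String.matches, and consider Collections.synchronizedList since the list is read on every script class lookup.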
+@@ -59,56 +60,12 @@
+      * Returns whether the given class is visible to scripts.
+      */
+     public boolean visibleToScripts(String fullClassName) {
+-        if (!WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission") && !fullClassName.startsWith("org.")) {
+-            return false;
+-        }
+-
+-        // Don't let them mess with script engine's internals.
+-        if (fullClassName.startsWith("org.mozilla.javascript"))
+-            return false;
+-
+-        if (fullClassName.startsWith("org.apache.batik.")) {
+-            // Just get package within batik.
+-            String batikPkg = fullClassName.substring(17);
+-
+-            // Don't let them mess with Batik script internals.
+-            if (batikPkg.startsWith("script"))
+-                return false;
+-
+-            // Don't let them get global structures.
+-            if (batikPkg.startsWith("apps"))
+-                return false;
+-
+-            // Don't let them get scripting stuff from bridge, but specifically
+-            // allow access to:
+-            //
+-            //   o.a.b.bridge.ScriptingEnvironment$Window$IntervalScriptTimerTask
+-            //   o.a.b.bridge.ScriptingEnvironment$Window$IntervalRunnableTimerTask
+-            //   o.a.b.bridge.ScriptingEnvironment$Window$TimeoutScriptTimerTask
+-            //   o.a.b.bridge.ScriptingEnvironment$Window$TimeoutRunnableTimerTask
+-            //
+-            // since objects of these classes are returned by setInterval() and
+-            // setTimeout().
+-            if (batikPkg.startsWith("bridge.")) {
+-                String batikBridgeClass = batikPkg.substring(7);
+-                if (batikBridgeClass.startsWith("ScriptingEnvironment")) {
+-                    if (batikBridgeClass.startsWith("$Window$", 20)) {
+-                        String c = batikBridgeClass.substring(28);
+-                        if (c.equals("IntervalScriptTimerTask")
+-                                || c.equals("IntervalRunnableTimerTask")
+-                                || c.equals("TimeoutScriptTimerTask")
+-                                || c.equals("TimeoutRunnableTimerTask")) {
+-                            return true;
+-                        }
+-                    }
+-                    return false;
+-                }
+-                if (batikBridgeClass.startsWith("BaseScriptingEnvironment")) {
+-                    return false;
+-                }
+-            }
+-        }
++        for (String v : WHITELIST) {
++            if (fullClassName.matches(v)) {
++                return true;
++             }
++         }
+ 
+-        return true;
++        return false;
+     }
+ }
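Review bot: the replacement body is deny-by-default with an empty list, so the ScriptingEnvironment$Window timer-task classes that the removed comment says are returned by setInterval() and setTimeout() are hidden too; that is the intended hardening, but reverse dependencies that run scripts now have to populate WHITELIST themselves, which belongs in the changelog. `fullClassName.matches(v)` also recompiles each pattern on every call, so a List<Pattern> built once would be cheaper, and the closing braces at `++             }` and `++         }` carry one extra space of indentation.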
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+@@ -501,11 +501,11 @@
+     public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+         = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+ 
+-    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
+-            = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++    public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES
++            = Messages.get("Main.cl.option.allow.external.resources", "-allowExternalResources");
+ 
+-    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
+-            = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++    public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION
++            = Messages.get("Main.cl.option.allow.external.resources.description", "No description");
+ 
+     /**
+      * Option to turn off secure execution of scripts
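Review bot: the new keys Main.cl.option.allow.external.resources and Main.cl.option.allow.external.resources.description are looked up with a "No description" fallback, and this debdiff does not touch the Messages resource bundle, so the renamed option will appear in the usage output with no description unless the properties file is updated in the same patch.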
+@@ -836,14 +836,14 @@
+                           }
+                       });
+ 
+-        optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++        optionMap.put(CL_OPTION_ALLOW_EXTERNAL_RESOURCES,
+                 new NoValueOptionHandler(){
+                     public void handleOption(SVGConverter c){
+-                        c.allowExternalResources = false;
++                        c.allowExternalResources = true;
+                     }
+ 
+                     public String getOptionDescription(){
+-                        return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++                        return CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION;
+                     }
+                 });
+     }
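Review bot: dropping CL_OPTION_BLOCK_EXTERNAL_RESOURCES from optionMap means any existing invocation that passes -blockExternalResources now fails as an unknown option; for a stable point release keep the old key registered as a no-op handler (blocking is now the default anyway) and document the new -allowExternalResources flag in debian/NEWS.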
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+@@ -253,7 +253,7 @@
+         the document which references them. */
+     protected boolean constrainScriptOrigin = true;
+ 
+-    protected boolean allowExternalResources = true;
++    protected boolean allowExternalResources;
+ 
+     /** Controls whether scripts should be run securely or not */
+     protected boolean securityOff = false;
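Review bot: `protected boolean allowExternalResources;` relies on the implicit false default while the neighbouring `securityOff = false` is explicit; write `= false` and update the field's Javadoc so the new default is visible to anyone reading SVGConverter.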
+@@ -927,8 +927,8 @@
+             map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+         }
+ 
+-        if (!allowExternalResources) {
+-            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++        if (allowExternalResources) {
++            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.TRUE);
+         }
+ 
+         return map;
+--- a/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java
++++ b/batik-test-old/src/test/java/org/apache/batik/script/rhino/RhinoClassShutterTest.java
+@@ -25,5 +25,6 @@
+     @Test
+     public void testImports() {
+         Assert.assertFalse(new RhinoClassShutter().visibleToScripts("java.lang.Runtime"));
++        Assert.assertFalse(new RhinoClassShutter().visibleToScripts("org.x"));
+     }
+ }
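Review bot: the added assertion only checks that "org.x" is hidden; with an empty WHITELIST the shutter hides everything, so this test cannot tell the regex matching apart from a method that simply returns false. Add a positive case that appends a pattern to RhinoClassShutter.WHITELIST, asserts the matching class is visible, and clears the list in a finally block, because the list is static and shared with JUnitRunnerTestCase.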
+--- a/batik-test-old/src/test/java/org/apache/batik/test/xml/JUnitRunnerTestCase.java
++++ b/batik-test-old/src/test/java/org/apache/batik/test/xml/JUnitRunnerTestCase.java
+@@ -57,6 +57,9 @@
+         fos.close();
+         tmp.deleteOnExit();
+         System.setProperty("java.security.policy", tmp.getAbsolutePath());
++        RhinoClassShutter.WHITELIST.addAll(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL",
++                ".*Permission", "org.w3c.dom.*", "org.apache.batik.w3c.*", "org.apache.batik.anim.*",
++                "org.apache.batik.dom.*", "org.apache.batik.css.*"));
+     }
+ 
+     @Parameterized.Parameters
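Review bot: the patterns are regular expressions with unescaped dots, so "org.w3c.dom.*" matches any class name with those letters at those positions, not only the org.w3c.dom package, and ".*Permission" admits every class whose name ends in Permission regardless of package; escape the dots (`"org\\.w3c\\.dom\\..*"`) or anchor the package prefixes. The hunk also uses RhinoClassShutter and Arrays without adding imports, so check that this test file already imports both or the test build will fail.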
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+@@ -32,6 +32,7 @@
+ import org.apache.batik.bridge.BaseScriptingEnvironment;
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
++import org.apache.batik.bridge.DefaultExternalResourceSecurity;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
+ import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
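Review bot: the following hunk removes the only use of NoLoadExternalResourceSecurity in this class; if it is imported above, remove that import alongside adding DefaultExternalResourceSecurity.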
+@@ -1118,7 +1119,7 @@
+             if (isAllowExternalResources()) {
+                 return super.getExternalResourceSecurity(resourceURL, docURL);
+             }
+-            return new NoLoadExternalResourceSecurity();
++            return new DefaultExternalResourceSecurity(resourceURL, docURL);
+         }
+ 
+         public boolean isAllowExternalResources() {
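Review bot: replacing NoLoadExternalResourceSecurity with DefaultExternalResourceSecurity changes what "not allowed" means: the old class refused every external resource, the new one applies a same-host check plus the data: exemption added earlier in this patch. Combined with the default flip in the next hunk that is the upstream behaviour, but a user who had already set KEY_ALLOW_EXTERNAL_RESOURCES to FALSE will now have same-origin resources loaded where previously nothing was loaded; say so in the changelog or NEWS.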
+@@ -1126,7 +1127,7 @@
+             if (b != null) {
+                 return b;
+             }
+-            return true;
++            return false;
+         }
+     }
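Review bot: the fallback `return false` changes the effective default of KEY_ALLOW_EXTERNAL_RESOURCES, but the documentation of that key is not touched by this patch; update it to state that external resources are off unless the key is explicitly set to TRUE.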
+ }
diff -Nru batik-1.16+dfsg/debian/patches/series batik-1.16+dfsg/debian/patches/series
--- batik-1.16+dfsg/debian/patches/series	2022-07-19 14:38:12.000000000 +0200
+++ batik-1.16+dfsg/debian/patches/series	2023-08-24 15:42:50.000000000 +0200
@@ -1,2 +1,3 @@
 06_fix_paths_in_policy_files.patch
 no-Jython-support.patch
+CVE-2022-447xx.patch

--- End Message ---
--- Begin Message ---
Version: 12.2

The upload requested in this bug has been released as part of 12.2.

--- End Message ---
