
Bug#964807: marked as done (buster-pu: package batik/1.10-2)



Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id <43535efb498a168cf81452ca0c326f004f46adc6.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #964807,
regarding buster-pu: package batik/1.10-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
964807: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964807
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

This update addresses CVE-2019-17566. Since there may be legitimate uses
for SVG files with external resources, the upstream fix is to add an
option that disables those. I have verified that those are fetched without
the option and that with it, they are blocked.

debdiff attached, package uploaded.

Thanks,
Emilio
diff -Nru batik-1.10/debian/changelog batik-1.10/debian/changelog
--- batik-1.10/debian/changelog	2018-12-20 00:28:22.000000000 +0100
+++ batik-1.10/debian/changelog	2020-07-10 19:28:13.000000000 +0200
@@ -1,3 +1,11 @@
+batik (1.10-2+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2019-17566: Server-side request forgery via xlink:href attributes.
+    (Closes: #964510)
+
+ -- Emilio Pozuelo Monfort <pochu@debian.org>  Fri, 10 Jul 2020 19:28:13 +0200
+
 batik (1.10-2) unstable; urgency=medium
 
   * Team upload.
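Review bot: the changelog entry "CVE-2019-17566: Server-side request forgery via xlink:href attributes." reads as if the default behaviour changed, but the rest of the debdiff makes the mitigation opt-in: `allowExternalResources` stays `true`, and external loads are only refused when the new `-blockExternalResources` flag (or the `KEY_ALLOW_EXTERNAL_RESOURCES` transcoding hint) is set. Suggest saying so in the changelog line and adding a debian/NEWS entry, so stable users know the fix has to be enabled rather than assuming the package is safe after upgrade.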
diff -Nru batik-1.10/debian/patches/CVE-2019-17566.patch batik-1.10/debian/patches/CVE-2019-17566.patch
--- batik-1.10/debian/patches/CVE-2019-17566.patch	1970-01-01 01:00:00.000000000 +0100
+++ batik-1.10/debian/patches/CVE-2019-17566.patch	2020-07-10 18:24:04.000000000 +0200
@@ -0,0 +1,98 @@
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java	2019/12/09 12:10:03	1871083
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java	2019/12/09 12:24:18	1871084
+@@ -501,6 +501,12 @@
+     public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+         = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+ 
++    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
++            = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++
++    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
++            = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++
+     /**
+      * Option to turn off secure execution of scripts
+      */
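Review bot: `CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION` will fall back to the literal "No description" at run time unless the 1.10 message bundle already carries `Main.cl.option.block.external.resources.description`, and nothing in this debdiff adds it: only the three Java files are touched. Suggest adding the bundle entry to the patch (or passing a real default string instead of "No description") so the usage text explains what `-blockExternalResources` does.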
+@@ -829,6 +835,17 @@
+                               return CL_OPTION_SECURITY_OFF_DESCRIPTION;
+                           }
+                       });
++
++        optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++                new NoValueOptionHandler(){
++                    public void handleOption(SVGConverter c){
++                        c.allowExternalResources = false;
++                    }
++
++                    public String getOptionDescription(){
++                        return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++                    }
++                });
+     }
+ 
+     /**
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java	2019/12/09 12:10:03	1871083
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java	2019/12/09 12:24:18	1871084
+@@ -253,6 +253,8 @@
+         the document which references them. */
+     protected boolean constrainScriptOrigin = true;
+ 
++    protected boolean allowExternalResources = true;
++
+     /** Controls whether scripts should be run securely or not */
+     protected boolean securityOff = false;
+ 
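Review bot: the new `allowExternalResources` field lacks the doc comment its neighbours `constrainScriptOrigin` and `securityOff` carry, and has no public accessor, so code that drives `SVGConverter` programmatically rather than through `Main`'s option map has no way to turn external loading off. Suggest a one-line Javadoc stating the default of `true` and a `setAllowExternalResources(boolean)` setter next to the field.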
+@@ -925,6 +927,10 @@
+             map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+         }
+ 
++        if (!allowExternalResources) {
++            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++        }
++
+         return map;
+     }
+ 
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java	2019/12/09 12:10:03	1871083
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java	2019/12/09 12:24:18	1871084
+@@ -33,8 +33,10 @@
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
++import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+ import org.apache.batik.bridge.NoLoadScriptSecurity;
++import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
+ import org.apache.batik.bridge.RelaxedScriptSecurity;
+ import org.apache.batik.bridge.SVGUtilities;
+ import org.apache.batik.bridge.ScriptSecurity;
+@@ -877,6 +879,9 @@
+         = new BooleanKey();
+ 
+ 
++    public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
++            = new BooleanKey();
++
+     /**
+      * A user agent implementation for <code>PrintTranscoder</code>.
+      */
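Review bot: `KEY_ALLOW_EXTERNAL_RESOURCES` is declared without the Javadoc the surrounding hint keys have; document that it takes a `Boolean`, that an absent or `TRUE` value keeps the permissive default, and that `FALSE` makes the transcoder's user agent return `NoLoadExternalResourceSecurity` for every external reference.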
+@@ -1109,5 +1114,19 @@
+             }
+         }
+ 
++        public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
++            if (isAllowExternalResources()) {
++                return super.getExternalResourceSecurity(resourceURL, docURL);
++            }
++            return new NoLoadExternalResourceSecurity();
++        }
++
++        public boolean isAllowExternalResources() {
++            Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
++            if (b != null) {
++                return b;
++            }
++            return true;
++        }
+     }
+ }
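Review bot: `isAllowExternalResources()` returns `true` when the hint is unset, so every existing caller of the transcoder API stays exposed to the SSRF until it explicitly adds `KEY_ALLOW_EXTERNAL_RESOURCES` with `Boolean.FALSE`; that matches the opt-in rationale in the cover mail but deserves a comment on the method so the default is not mistaken for a safe one. Also mark `getExternalResourceSecurity` with `@Override`, and note in that comment that this only governs the bridge's external-resource security: script loading remains under the separate `ScriptSecurity` controls (`constrainScriptOrigin`, `securityOff`) seen earlier in the patch.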
diff -Nru batik-1.10/debian/patches/series batik-1.10/debian/patches/series
--- batik-1.10/debian/patches/series	2018-12-20 00:20:31.000000000 +0100
+++ batik-1.10/debian/patches/series	2020-07-10 18:24:10.000000000 +0200
@@ -1,3 +1,4 @@
 06_fix_paths_in_policy_files.patch
 no-Jython-support.patch
 09_java11_compatibility.patch
+CVE-2019-17566.patch

--- End Message ---
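The cover mail says the fix is an option that disables loading of external resources, and the patch shows the two switches: the `-blockExternalResources` flag for the rasterizer CLI, and the `KEY_ALLOW_EXTERNAL_RESOURCES` transcoding hint for code that uses the Batik transcoder API directly. The following is an added example, not code from the bug report or from the Batik project, showing how an application sets that hint. It assumes a Batik build carrying the patch (1.10-2+deb10u1 or later), uses the public `PNGTranscoder`/`TranscoderInput`/`TranscoderOutput` API, and embeds a constructed SVG whose `<image>` points at a host under the reserved `.invalid` TLD. In my reading of the Batik bridge a refused external load surfaces as a `TranscoderException` wrapping the bridge's unsecure-URI error; that is an assumption about behaviour the page does not show, so the example reports either outcome rather than relying on it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

import org.apache.batik.transcoder.SVGAbstractTranscoder;
import org.apache.batik.transcoder.TranscoderException;
import org.apache.batik.transcoder.TranscoderInput;
import org.apache.batik.transcoder.TranscoderOutput;
import org.apache.batik.transcoder.image.PNGTranscoder;

/**
 * Rasterises an SVG to PNG with the transcoder's external-resource loading
 * switched off via the KEY_ALLOW_EXTERNAL_RESOURCES hint introduced by the
 * CVE-2019-17566 patch. Assumes a patched Batik (1.10-2+deb10u1 or later).
 */
public class BlockExternalResourcesExample {

    /** Outcome of one conversion: the PNG bytes, or the error that stopped it. */
    public static final class Result {
        public final byte[] png;
        public final String error;

        Result(byte[] png, String error) {
            this.png = png;
            this.error = error;
        }

        public boolean completed() {
            return error == null;
        }
    }

    // Constructed input: a 40x40 document whose <image> references an external
    // host. ".invalid" is reserved and never resolves, so nothing real is contacted.
    static final String SVG_WITH_EXTERNAL_IMAGE =
          "<svg xmlns=\"http://www.w3.org/2000/svg\""
        + " xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"40\" height=\"40\">"
        + "<rect width=\"40\" height=\"40\" fill=\"white\"/>"
        + "<image x=\"5\" y=\"5\" width=\"10\" height=\"10\""
        + " xlink:href=\"http://resource.example.invalid/x.png\"/>"
        + "</svg>";

    /**
     * Converts svg to PNG. With allowExternal == false the hint is set to
     * Boolean.FALSE, which (per the patch) makes the transcoder's user agent hand
     * the bridge a NoLoadExternalResourceSecurity, so the href is never fetched.
     * With allowExternal == true the hint is left unset and the patched code
     * keeps its permissive default, i.e. the fetch is attempted.
     */
    public static Result rasterize(String svg, boolean allowExternal) {
        PNGTranscoder transcoder = new PNGTranscoder();
        if (!allowExternal) {
            transcoder.addTranscodingHint(
                SVGAbstractTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        TranscoderInput in = new TranscoderInput(
            new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8)));
        try {
            transcoder.transcode(in, new TranscoderOutput(out));
            return new Result(out.toByteArray(), null);
        } catch (TranscoderException ex) {
            // Assumption: a refused external load is reported this way.
            return new Result(null, ex.getMessage());
        }
    }

    public static void main(String[] args) {
        Result blocked = rasterize(SVG_WITH_EXTERNAL_IMAGE, false);
        if (blocked.completed()) {
            System.out.println("blocked run completed, " + blocked.png.length + " PNG bytes");
        } else {
            System.out.println("blocked run refused the external resource: " + blocked.error);
        }
    }
}
```

The CLI equivalent for the packaged rasterizer is the flag the patch adds to `Main`, `-blockExternalResources`, which sets `allowExternalResources = false` on the `SVGConverter` and from there puts the same `KEY_ALLOW_EXTERNAL_RESOURCES = FALSE` hint into the transcoder. In both paths the default is permissive, so services that rasterise untrusted SVG need to pass the flag or set the hint explicitly.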
--- Begin Message ---
Package: release.debian.org
Version: 10.5

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
