Version in base suite: 1.12-4 Base version: batik_1.12-4 Target version: batik_1.12-4+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/batik/batik_1.12-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/batik/batik_1.12-4+deb11u1.dsc changelog | 9 ++++++ patches/06_fix_paths_in_policy_files.patch | 12 ++------ patches/CVE-2019-17566.patch | 26 +++++++++---------- patches/CVE-2022-41704.patch | 28 ++++++++++++++++++++ patches/CVE-2022-42890.patch | 39 +++++++++++++++++++++++++++++ patches/no-Jython-support.patch | 9 +----- patches/series | 2 + 7 files changed, 97 insertions(+), 28 deletions(-)
diff -Nru batik-1.12/debian/changelog batik-1.12/debian/changelog
--- batik-1.12/debian/changelog 2020-09-23 10:46:22.000000000 +0000
+++ batik-1.12/debian/changelog 2022-10-29 14:22:11.000000000 +0000
@@ -1,3 +1,12 @@
+batik (1.12-4+deb11u1) bullseye-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2022-41704 and CVE-2022-42890:
+ It was discovered that Apache Batik, an SVG library for Java, allowed
+ attackers to run arbitrary Java code by processing a malicious SVG file.
+
+ -- Markus Koschany Sat, 29 Oct 2022 16:22:11 +0200
+
 batik (1.12-4) unstable; urgency=medium
 * Team upload.
diff -Nru batik-1.12/debian/patches/06_fix_paths_in_policy_files.patch batik-1.12/debian/patches/06_fix_paths_in_policy_files.patch
--- batik-1.12/debian/patches/06_fix_paths_in_policy_files.patch 2020-09-23 09:21:17.000000000 +0000
+++ batik-1.12/debian/patches/06_fix_paths_in_policy_files.patch 2022-10-29 14:22:11.000000000 +0000
@@ -7,10 +7,8 @@
 .../apache/batik/apps/rasterizer/resources/rasterizer.policy | 12 ++++++------
 2 files changed, 11 insertions(+), 11 deletions(-)
-Index: batik/batik-svgrasterizer/src/main/resources/org/apache/batik/apps/rasterizer/resources/rasterizer.policy
-===================================================================
---- batik.orig/batik-svgrasterizer/src/main/resources/org/apache/batik/apps/rasterizer/resources/rasterizer.policy
-+++ batik/batik-svgrasterizer/src/main/resources/org/apache/batik/apps/rasterizer/resources/rasterizer.policy
+--- a/batik-svgrasterizer/src/main/resources/org/apache/batik/apps/rasterizer/resources/rasterizer.policy
++++ b/batik-svgrasterizer/src/main/resources/org/apache/batik/apps/rasterizer/resources/rasterizer.policy
 @@ -18,27 +18,27 @@
 // $Id: rasterizer.policy 1855026 2019-03-08 09:57:56Z ssteiner $
 // -----------------------------------------------------------------------------
@@ -45,10 +43,8 @@
 permission java.lang.RuntimePermission "createClassLoader";
 permission java.net.SocketPermission "*", "listen, connect, resolve, accept";
 permission java.lang.RuntimePermission "accessDeclaredMembers";
-Index: batik/batik-svgbrowser/src/main/resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy
-===================================================================
---- batik.orig/batik-svgbrowser/src/main/resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy
-+++ batik/batik-svgbrowser/src/main/resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy
+--- a/batik-svgbrowser/src/main/resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy
++++ b/batik-svgbrowser/src/main/resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy
 @@ -18,19 +18,19 @@
 // $Id: svgbrowser.policy 1855026 2019-03-08 09:57:56Z ssteiner $
 // -----------------------------------------------------------------------------
diff -Nru batik-1.12/debian/patches/CVE-2019-17566.patch batik-1.12/debian/patches/CVE-2019-17566.patch
--- batik-1.12/debian/patches/CVE-2019-17566.patch 2020-09-23 09:21:17.000000000 +0000
+++ batik-1.12/debian/patches/CVE-2019-17566.patch 2022-10-29 14:22:11.000000000 +0000
@@ -1,6 +1,6 @@
---- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java 2019/12/09 12:10:03 1871083
-+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java 2019/12/09 12:24:18 1871084
-@@ -501,6 +501,12 @@
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+@@ -501,6 +501,12 @@ public class Main implements SVGConverte
 public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
 = Messages.get("Main.cl.option.constrain.script.origin.description",
 "No description");
@@ -13,7 +13,7 @@
 /**
 * Option to turn off secure execution of scripts
 */
-@@ -829,6 +835,17 @@
+@@ -829,6 +835,17 @@ public class Main implements SVGConverte
 return CL_OPTION_SECURITY_OFF_DESCRIPTION;
 }
 });
@@ -31,9 +31,9 @@
 }
 /**
---- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java 2019/12/09 12:10:03 1871083
-+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java 2019/12/09 12:24:18 1871084
-@@ -253,6 +253,8 @@
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+@@ -253,6 +253,8 @@ public class SVGConverter {
 the document which references them. */
 protected boolean constrainScriptOrigin = true;
@@ -42,7 +42,7 @@
 /** Controls whether scripts should be run securely or not */
 protected boolean securityOff = false;
-@@ -925,6 +927,10 @@
+@@ -925,6 +927,10 @@ public class SVGConverter {
 map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
 }
@@ -53,9 +53,9 @@
 return map;
 }
---- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java 2019/12/09 12:10:03 1871083
-+++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java 2019/12/09 12:24:18 1871084
-@@ -33,8 +33,10 @@
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+@@ -33,8 +33,10 @@ import org.apache.batik.bridge.BaseScrip
 import org.apache.batik.bridge.BridgeContext;
 import org.apache.batik.bridge.BridgeException;
 import org.apache.batik.bridge.DefaultScriptSecurity;
@@ -66,7 +66,7 @@
 import org.apache.batik.bridge.RelaxedScriptSecurity;
 import org.apache.batik.bridge.SVGUtilities;
 import org.apache.batik.bridge.ScriptSecurity;
-@@ -877,6 +879,9 @@
+@@ -877,6 +879,9 @@ public abstract class SVGAbstractTransco
 = new BooleanKey();
@@ -76,7 +76,7 @@
 /**
 * A user agent implementation for PrintTranscoder.
 */
-@@ -1109,5 +1114,19 @@
+@@ -1109,5 +1114,19 @@ public abstract class SVGAbstractTransco
 }
 }
diff -Nru batik-1.12/debian/patches/CVE-2022-41704.patch batik-1.12/debian/patches/CVE-2022-41704.patch
--- batik-1.12/debian/patches/CVE-2022-41704.patch 1970-01-01 00:00:00.000000000 +0000
+++ batik-1.12/debian/patches/CVE-2022-41704.patch 2022-10-29 14:22:11.000000000 +0000
@@ -0,0 +1,28 @@
+From: Markus Koschany
+Date: Sat, 29 Oct 2022 08:28:58 +0200
+Subject: CVE-2022-41704
+
+Origin: http://svn.apache.org/viewvc?view=revision&revision=1904320
+---
+ .../src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
++++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
+@@ -19,6 +19,7 @@
+ package org.apache.batik.bridge;
+
+ import org.apache.batik.util.ParsedURL;
++import static org.apache.batik.util.SVGConstants.SVG_SCRIPT_TYPE_JAVA;
+
+ /**
+ * Default implementation for the ScriptSecurity interface.
+@@ -76,7 +77,7 @@ public class DefaultScriptSecurity imple
+ ParsedURL docURL){
+ // Make sure that the archives comes from the same host
+ // as the document itself
+- if (docURL == null) {
++ if (docURL == null || SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) {
+ se = new SecurityException
+ (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
+ new Object[]{scriptURL}));
diff -Nru batik-1.12/debian/patches/CVE-2022-42890.patch batik-1.12/debian/patches/CVE-2022-42890.patch
--- batik-1.12/debian/patches/CVE-2022-42890.patch 1970-01-01 00:00:00.000000000 +0000
+++ batik-1.12/debian/patches/CVE-2022-42890.patch 2022-10-29 14:22:11.000000000 +0000
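Review bot: The new condition `++ if (docURL == null || SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) {` refuses every Java (JAR) script regardless of origin, yet the SecurityException built on the next lines still carries ERROR_CANNOT_ACCESS_DOCUMENT_URL and the comment above it still describes a same-host check, so with a non-null docURL the reported reason no longer matches the decision. A why-comment on the branch, e.g. `// Java (JAR) scripts are refused unconditionally here (CVE-2022-41704); the docURL test is the pre-existing same-host check`, plus a dedicated message key for that case, would keep the diagnostic honest. The `import static` line is placed among the regular imports rather than in its own group, a minor departure from usual Java layout. The enclosing definition, whose signature ends at `ParsedURL docURL){`, begins and ends outside the hunk.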
@@ -0,0 +1,39 @@
+From: Markus Koschany
+Date: Sat, 29 Oct 2022 08:13:38 +0200
+Subject: CVE-2022-42890
+
+Origin: http://svn.apache.org/viewvc?view=revision&revision=1904549
+---
+ .../main/java/org/apache/batik/script/rhino/RhinoClassShutter.java | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
++++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+@@ -19,6 +19,8 @@
+ package org.apache.batik.script.rhino;
+
+ import org.mozilla.javascript.ClassShutter;
++import java.util.Arrays;
++import java.util.List;
+
+ /**
+ * Class shutter that restricts access to Batik internals from script.
+@@ -27,6 +29,7 @@ import org.mozilla.javascript.ClassShutt
+ * @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
+ */
+ public class RhinoClassShutter implements ClassShutter {
++ private static final List WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
+
+ /*
+ public RhinoClassShutter() {
+@@ -55,6 +58,10 @@ public class RhinoClassShutter implement
+ * Returns whether the given class is visible to scripts.
+ */
+ public boolean visibleToScripts(String fullClassName) {
++ if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
++ return false;
++ }
++
+ // Don't let them mess with script engine's internals.
+ if (fullClassName.startsWith("org.mozilla.javascript"))
+ return false;
diff -Nru batik-1.12/debian/patches/no-Jython-support.patch batik-1.12/debian/patches/no-Jython-support.patch
--- batik-1.12/debian/patches/no-Jython-support.patch 2020-09-23 09:21:17.000000000 +0000
+++ batik-1.12/debian/patches/no-Jython-support.patch 2022-10-29 14:22:11.000000000 +0000
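Review bot: `++ private static final List WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");` declares a raw `List` backed by a fixed-size but element-mutable array view; `private static final List<String> WHITELIST = Collections.unmodifiableList(Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL"));` (adding `java.util.Collections` to the new imports, or `List.of` if the build targets Java 9+) makes the allow-list both typed and immutable. The entries and the `endsWith("Permission")` carve-out in the new check carry no rationale: `java.lang.System` grants scripts far more than console output, and the suffix test admits any `java.*` class by name alone, so a comment such as `// allow-list is deliberately minimal; document why each entry and the *Permission suffix are required before widening it` would help the next maintainer. The prefix test covers only `java.`; whether other JDK packages are handled further down cannot be seen here, since visibleToScripts continues past the hunk.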
@@ -12,9 +12,6 @@
 2 files changed, 2 insertions(+), 107 deletions(-)
 delete mode 100644 batik-script/src/main/java/org/apache/batik/script/jpython/JPythonInterpreter.java
-diff --git a/batik-script/src/main/java/org/apache/batik/script/jpython/JPythonInterpreter.java b/batik-script/src/main/java/org/apache/batik/script/jpython/JPythonInterpreter.java
-deleted file mode 100644
-index 7065386..0000000
 --- a/batik-script/src/main/java/org/apache/batik/script/jpython/JPythonInterpreter.java
 +++ /dev/null
 @@ -1,105 +0,0 @@
@@ -123,11 +120,9 @@
 - return null;
 - }
 -}
-diff --git a/batik-script/src/main/java/org/apache/batik/script/jpython/JPythonInterpreterFactory.java b/batik-script/src/main/java/org/apache/batik/script/jpython/JPythonInterpreterFactory.java
-index 3004921..a80c7a8 100644
 --- a/batik-script/src/main/java/org/apache/batik/script/jpython/JPythonInterpreterFactory.java
 +++ b/batik-script/src/main/java/org/apache/batik/script/jpython/JPythonInterpreterFactory.java
-@@ -56,7 +56,7 @@ public class JPythonInterpreterFactory implements InterpreterFactory {
+@@ -56,7 +56,7 @@ public class JPythonInterpreterFactory i
 * @param svg12 whether the document is an SVG 1.2 document
 */
 public Interpreter createInterpreter(URL documentURL, boolean svg12) {
@@ -136,7 +131,7 @@
 }
 /**
-@@ -69,6 +69,6 @@ public class JPythonInterpreterFactory implements InterpreterFactory {
+@@ -69,6 +69,6 @@ public class JPythonInterpreterFactory i
 */
 public Interpreter createInterpreter(URL documentURL, boolean svg12,
 ImportInfo imports) {
diff -Nru batik-1.12/debian/patches/series batik-1.12/debian/patches/series
--- batik-1.12/debian/patches/series 2020-09-23 09:21:17.000000000 +0000
+++ batik-1.12/debian/patches/series 2022-10-29 14:22:11.000000000 +0000
@@ -1,3 +1,5 @@
 06_fix_paths_in_policy_files.patch
 no-Jython-support.patch
 CVE-2019-17566.patch
+CVE-2022-41704.patch
+CVE-2022-42890.patch