Debian Bug report logs - #860566
batik: CVE-2017-5662: information disclosure vulnerability
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#860566; Package src:batik. (Tue, 18 Apr 2017 18:03:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 18 Apr 2017 18:03:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: batik
Version: 1.5beta2-1
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for batik.
CVE-2017-5662[0]:
| In Apache Batik before 1.9, files lying on the filesystem of the
| server which uses batik can be revealed to arbitrary users who send
| maliciously formed SVG files. The file types that can be shown depend
| on the user context in which the exploitable application is running.
| If the user is root a full compromise of the server - including
| confidential or sensitive files - would be possible. XXE can also be
| used to attack the availability of the server via denial of service as
| the references within a xml document can trivially trigger an
| amplification attack.
The issue was announced in [1], but at the time of writing this
bug report I have no upstream reference apart from [2].
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-5662
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662
[1] http://www.openwall.com/lists/oss-security/2017/04/18/1
[2] https://xmlgraphics.apache.org/security.html
Regards,
Salvatore
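The CVE text quoted above names the two XXE consequences, file disclosure through an external entity and denial of service through entity amplification, but neither the advisory nor this report carries a reproducer. As an added example (not code from Batik, from Debian, or from either message), here is a Python pre-filter that inspects the DTD of an untrusted SVG without expanding anything, so it can sit in front of a renderer such as the Batik-based application the CVE describes while the library update is still pending. It uses Python's expat bindings with no external-entity handler and stops parsing as soon as the DTD ends (or the root element starts without one), so nothing is fetched and no entity reference in the body is ever expanded. The three SVG documents are constructed for this example. One caveat: many legitimate exports carry the public W3C SVG 1.1 DOCTYPE, so this strict policy rejects them too; relaxing it to an allowlist of public identifiers is only safe if the downstream parser is known not to load external DTDs.

```python
"""Pre-filter for untrusted SVG before it reaches an XML-based renderer.

Added example, not code from Batik or Debian. Expat is used with no
ExternalEntityRefHandler (nothing is fetched) and parsing is aborted when
the DTD ends, so no entity in the document body is ever expanded.
"""
import xml.parsers.expat as expat


class _StopInspection(Exception):
    """Raised from a handler to end parsing early; not an error condition."""


def inspect_svg(data: bytes) -> dict:
    """Describe the DTD of an SVG/XML byte string without expanding it.

    Keys: doctype (bool), external_dtd ((systemId, publicId) or None),
    external_entities ([(name, systemId or publicId), ...]: the file
    disclosure vector), internal_entities (count: the amplification
    vector), safe (True only when there is no DOCTYPE at all).
    Malformed input raises expat.ExpatError; treat that as a rejection too.
    """
    report = {"doctype": False, "external_dtd": None,
              "external_entities": [], "internal_entities": 0}
    parser = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = True
        if sysid or pubid:
            report["external_dtd"] = (sysid, pubid)

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # SYSTEM/PUBLIC entities resolve outside the document (file://, http://).
        if sysid or pubid:
            report["external_entities"].append((name, sysid or pubid))
        else:
            report["internal_entities"] += 1

    def end_doctype():
        raise _StopInspection  # the DTD is all we need; skip the body

    def start_element(name, attrs):
        raise _StopInspection  # root element reached with no DOCTYPE seen

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = end_doctype
    parser.StartElementHandler = start_element
    try:
        parser.Parse(data, True)
    except _StopInspection:
        pass
    report["safe"] = not report["doctype"]
    return report


def triage(data: bytes) -> str:
    """One-line verdict suitable for a log entry or an HTTP 400 body."""
    r = inspect_svg(data)
    if r["safe"]:
        return "accept: no DOCTYPE"
    reasons = []
    if r["external_entities"]:
        reasons.append("external entities " + ", ".join(
            f"{name}->{target}" for name, target in r["external_entities"]))
    if r["internal_entities"]:
        reasons.append(f"{r['internal_entities']} internal entity declarations")
    if r["external_dtd"]:
        reasons.append("external DTD " + (r["external_dtd"][0] or r["external_dtd"][1]))
    return "reject: DOCTYPE present" + (f" ({'; '.join(reasons)})" if reasons else "")


# Constructed samples (not taken from the advisory): the two payload classes
# the CVE text names, plus a benign document.
XXE_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY passwd SYSTEM "file:///etc/passwd"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text x="0" y="10">&passwd;</text></svg>"""

AMPLIFICATION_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<svg xmlns="http://www.w3.org/2000/svg"><text x="0" y="10">&c;</text></svg>"""

CLEAN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="black"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("xxe", XXE_SVG), ("amplification", AMPLIFICATION_SVG),
                       ("clean", CLEAN_SVG)):
        print(f"{label:14s} {triage(doc)}")
```

The point of the design is that the filter reads declarations and never resolves them: the file-disclosure payload is reported by the SYSTEM identifier of its entity, and the amplification payload by its count of internal entities, without the filter itself becoming a second parser to exhaust. It is a compensating control, not the fix; the fix for the package in this report is the upgrade to Batik 1.9 discussed below.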
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#860566; Package src:batik. (Wed, 26 Apr 2017 18:24:03 GMT)
Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Apr 2017 18:24:03 GMT)
Message #10 received at 860566@bugs.debian.org:
On 2017-04-23 23:06:57, Emilio Pozuelo Monfort wrote:
> On 23/04/17 21:50, Ola Lundqvist wrote:
>> Dear maintainer(s),
>>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of batik:
>> https://security-tracker.debian.org/tracker/CVE-2017-5662
>
> FWIW I investigated this a bit and there doesn't seem to be any details other
> than what is in the advisory: i.e. I couldn't find the commit that fixes this
> (looking at the svn repository) or an upstream bug report. I found a
> security-related one, reported by Lars Krapf (as mentioned in the oss-security
> mail) but that seemed different than CVE-2017-5662 and much older (see [1]).
Why do you believe it is different?
I looked in the [list of bugs][] fixed upstream in the 1.9 release, and
I couldn't find anything else. The related issue, [BATIK-1018][],
explicitly says:
The impact of this vulnerability ranges from denial of service to
file disclosure. Under Windows, it can also be used to steal LM/NTLM
hashes.
... which seems to match pretty well what the advisory says. This was
reported as affecting Batik 1.8, which is not that old: it's the
previous release, uploaded in Debian in July 2015.
I'm preparing an update to wheezy based on those issues right now and I
updated the security tracker with links to those patches.
A.
[list of bugs]: https://issues.apache.org/jira/browse/BATIK-1091?jql=project%20%3D%20BATIK%20AND%20fixVersion%20%3D%201.9%20ORDER%20BY%20updated%20DESC%2C%20priority%20DESC%2C%20created%20ASC
[BATIK-1018]: https://issues.apache.org/jira/browse/BATIK-1018
--
Government is the Entertainment division of the military-industrial
complex.
- Frank Zappa
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#860566; Package src:batik. (Wed, 26 Apr 2017 18:51:03 GMT)
Acknowledgement sent to anarcat@orangeseeds.org (Antoine Beaupré): Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Apr 2017 18:51:03 GMT)
Message #15 received at 860566@bugs.debian.org:
Hi,
As previously mentioned, I have worked on an update for the Batik
package. I have basically assumed the issue is the upstream BATIK-1139
issue, and used the patches referred to there:
https://issues.apache.org/jira/browse/BATIK-1139
That may be incorrect and because we don't have a reproducer associated
with the CVE, there's no direct way for me to test this. Since Batik
seems to be a rather complex piece of software, I haven't attempted to
reproduce the issue documented there.
I have, however, uploaded a patched version of the Debian package for
wheezy users to test, in my usual location:
https://people.debian.org/~anarcat/debian/wheezy-lts/
Thank you for your attention,
A.
--
The illusion of freedom will continue as long as it's profitable to
continue the illusion. At the point where the illusion becomes too
expensive to maintain, they will just take down the scenery, they will
pull back the curtains, they will move the tables and chairs out of
the way and you will see the brick wall at the back of the theater.
- Frank Zappa
Added tag(s) patch. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Wed, 26 Apr 2017 19:42:08 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#860566; Package src:batik. (Sun, 03 Sep 2017 19:12:03 GMT)
Message #22 received at 860566@bugs.debian.org:
tag 860566 + pending
thanks
Some bugs in the batik package are closed in revision
3985be1982175e4e17c6b6fdb63bf325338bbbf2 in branch 'master' by
Christopher Hoskin
The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/batik.git/commit/?id=3985be1
Commit message:
New upstream (1.9)
* New upstream (1.9)
+ Fix "CVE-2017-5662: information disclosure vulnerability" Upstream claim
BATIK-1139 is fixed in 1.9 (Closes: #860566)
Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sun, 03 Sep 2017 19:12:05 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#860566. (Sun, 03 Sep 2017 19:12:09 GMT)
Reply sent to Christopher Hoskin <mans0954@debian.org>: You have taken responsibility. (Mon, 04 Sep 2017 06:21:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 04 Sep 2017 06:21:05 GMT)
Message #32 received at 860566-close@bugs.debian.org:
Source: batik
Source-Version: 1.9-1
We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 860566@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christopher Hoskin <mans0954@debian.org> (supplier of updated batik package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 04 Sep 2017 06:57:58 +0100
Source: batik
Binary: libbatik-java
Architecture: source
Version: 1.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Christopher Hoskin <mans0954@debian.org>
Description:
libbatik-java - xml.apache.org SVG Library
Closes: 605063 860566
Changes:
batik (1.9-1) unstable; urgency=medium
.
* Team upload.
* Moved the package to Git
* Updated signing keys from https://www.apache.org/dist/xmlgraphics/batik/KEYS
* Exclude jar files from documentation-sources
* Add repack script to remove non-free ICC profiles
* New upstream (1.9)
+ Fix "CVE-2017-5662: information disclosure vulnerability" Upstream claim
BATIK-1139 is fixed in 1.9 (Closes: #860566)
* Disable old patches, pending further investigation
* Get package building again
+ maven-artifacts is no longer a target, explicitly add jars to
DEB_ANT_BUILD_TARGET
+ Add debian/debian/libbatik-java.poms, call mh_install to install jars
and poms, for closer alignment to other pkg-java packages
* Fix spellings in debian/manpages/rasterizer.1
* Remove redundant remove-js.patch
* Fix "batik is crashing (libbatik-java)" by patching build.xml to specify
classpaths as appropriate for Debian (Closes: #605063)
* Update Standards-Version from 3.9.8 to 4.0.0 (no change required)
* Update 06_fix_paths_in_policy_files.patch
* Remove bug805469.patch (fixed upstream
http://svn.apache.org/viewvc?view=revision&revision=1687506)
* Update debian/copyright
* Remove unnecessary greater-than versioned dependencies from debian/control
Checksums-Sha1:
6bb3201e990bc0061b7356a09d2c148908bd54c5 2195 batik_1.9-1.dsc
eb839782910346fe98b50052438fefb52fd37943 5665818 batik_1.9.orig.tar.gz
b567bf2f9110d0cfbb4f62c1a2f7bb4eaa90180c 32800 batik_1.9-1.debian.tar.xz
34c2600a113eb576ec5141724c581e8c54493b1b 10649 batik_1.9-1_amd64.buildinfo
Checksums-Sha256:
44e8df4c8abce1c285a83542d3efe655f5ae890cd0e5946097c10457252f96ba 2195 batik_1.9-1.dsc
a5ec2a8652411db69218ca3cbcaab877735e684af63de6c08f6629321f1b3761 5665818 batik_1.9.orig.tar.gz
b94691cd86c0833671e72765756829628ac16de7263d86fd51f85d4fb5653275 32800 batik_1.9-1.debian.tar.xz
95e714f25d3ac34414859c5119b23a7d6f218fde777342ff58507bda40052e5b 10649 batik_1.9-1_amd64.buildinfo
Files:
168ee81bc4e667c28d8657727cf0e745 2195 java optional batik_1.9-1.dsc
7c94980690cecd4b86bbde1c72d4e54f 5665818 java optional batik_1.9.orig.tar.gz
9bb270c7e492a329c1d171bf6bd07c81 32800 java optional batik_1.9-1.debian.tar.xz
6bc3fd4a13958e32a6babe31bb3cc67c 10649 java optional batik_1.9-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#860566; Package src:batik. (Sun, 01 Oct 2017 09:48:07 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Oct 2017 09:48:07 GMT)
Message #37 received at 860566@bugs.debian.org:
On Mon, Sep 04, 2017 at 06:19:28AM +0000, Christopher Hoskin wrote:
> Changes:
> batik (1.9-1) unstable; urgency=medium
[..]
> * New upstream (1.9)
> + Fix "CVE-2017-5662: information disclosure vulnerability" Upstream claim
> BATIK-1139 is fixed in 1.9 (Closes: #860566)
Hi,
this doesn't warrant a DSA, but there's still the possibility to fix this via a
stable point update [1], so I was wondering whether anything of that sort is planned by
you.
Cheers,
Moritz
[1] https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Nov 2017 07:34:14 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 19:25:50 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.