batik: CVE-2017-5662: information disclosure vulnerability


Debian Bug report logs - #860566


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 18 Apr 2017 18:03:02 UTC

Severity: important

Tags: patch, security, upstream

Found in version batik/1.5beta2-1

Fixed in version batik/1.9-1

Done: Christopher Hoskin <mans0954@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/BATIK-1139



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860566; Package src:batik. (Tue, 18 Apr 2017 18:03:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 18 Apr 2017 18:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: batik: CVE-2017-5662: information disclosure vulnerability
Date: Tue, 18 Apr 2017 20:00:49 +0200
Source: batik
Version: 1.5beta2-1
Severity: important
Tags: security upstream

Hi,

the following vulnerability was published for batik.

CVE-2017-5662[0]:
| In Apache Batik before 1.9, files lying on the filesystem of the
| server which uses batik can be revealed to arbitrary users who send
| maliciously formed SVG files. The file types that can be shown depend
| on the user context in which the exploitable application is running.
| If the user is root a full compromise of the server - including
| confidential or sensitive files - would be possible. XXE can also be
| used to attack the availability of the server via denial of service as
| the references within an XML document can trivially trigger an
| amplification attack.

The issue was announced in [1], but at the time of writing this
bug report I have no upstream reference apart from [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5662
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662
[1] http://www.openwall.com/lists/oss-security/2017/04/18/1
[2] https://xmlgraphics.apache.org/security.html

Regards,
Salvatore
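
The CVE text above describes an XXE path: an SVG that declares external entities can make the parser read local files or expand entities until the service is exhausted. As an added defender's example, not code from this bug report or from Batik, the following JAXP configuration refuses any DOCTYPE and disables external entity and DTD loading, so such a document is rejected before any consumer sees it. The class name, method names, and both sample documents (including the placeholder SYSTEM URI) are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedSvgCheck {
    // Constructed sample (not from the bug report): an SVG whose DOCTYPE declares an
    // external entity. The SYSTEM URI is a placeholder; the hardened parser rejects the
    // DOCTYPE itself, so no entity is ever resolved.
    static final String UNTRUSTED_SVG =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE svg [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/not-a-real-path\"> ]>\n"
      + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&ext;</text></svg>\n";
    // Constructed sample: an ordinary SVG with no DOCTYPE, which must still parse.
    static final String BENIGN_SVG =
        "<svg xmlns=\"http://www.w3.org/2000/svg\"><rect width=\"4\" height=\"4\"/></svg>";

    // Build a DocumentBuilder that refuses DOCTYPEs and never fetches external
    // entities or DTDs, so neither file disclosure nor entity-expansion DoS is possible.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
    // True if the document parses under the hardened settings and its root is <svg>;
    // false if the parser rejected it (for the sample above, on the DOCTYPE line).
    static boolean isAcceptableSvg(String svg) throws Exception {
        try {
            Document d = newHardenedBuilder()
                .parse(new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8)));
            return "svg".equals(d.getDocumentElement().getTagName());
        } catch (SAXException e) {
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("untrusted sample accepted: " + isAcceptableSvg(UNTRUSTED_SVG));
        System.out.println("benign sample accepted:    " + isAcceptableSvg(BENIGN_SVG));
    }
}
```

Running this on a standard JDK prints false for the untrusted sample and true for the benign one; the same gate can be applied to any SVG before it reaches a rendering library that configures its own parser.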



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860566; Package src:batik. (Wed, 26 Apr 2017 18:24:03 GMT)


Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Apr 2017 18:24:03 GMT)


Message #10 received at 860566@bugs.debian.org:

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: Emilio Pozuelo Monfort <pochu@debian.org>, ola@inguza.com, batik@packages.debian.org
Cc: debian-lts@lists.debian.org, 860566@bugs.debian.org
Subject: Re: Wheezy update of batik?
Date: Wed, 26 Apr 2017 14:20:39 -0400
On 2017-04-23 23:06:57, Emilio Pozuelo Monfort wrote:
> On 23/04/17 21:50, Ola Lundqvist wrote:
>> Dear maintainer(s),
>> 
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of batik:
>> https://security-tracker.debian.org/tracker/CVE-2017-5662
>
> FWIW I investigated this a bit and there doesn't seem to be any details other
> than what is in the advisory: i.e. I couldn't find the commit that fixes this
> (looking at the svn repository) or an upstream bug report. I found a
> security-related one, reported by Lars Krapf (as mentioned in the oss-security
> mail) but that seemed different than CVE-2017-5662 and much older (see [1]).

Why do you believe it is different?

I looked in the [list of bugs][] fixed upstream in the 1.9 release, and
I couldn't find anything else. The related issue, [BATIK-1018][],
explicitly says:

    The impact of this vulnerability ranges from denial of service to
    file disclosure. Under Windows, it can also be used to steal LM/NTLM
    hashes.

... which seems to match pretty well what the advisory says. This was
reported as affecting Batik 1.8, which is not that old: it's the
previous release, uploaded in Debian in July 2015.

I'm preparing an update to wheezy based on those issues right now and I
updated the security tracker with links to those patches.

A.

 [list of bugs]: https://issues.apache.org/jira/browse/BATIK-1091?jql=project%20%3D%20BATIK%20AND%20fixVersion%20%3D%201.9%20ORDER%20BY%20updated%20DESC%2C%20priority%20DESC%2C%20created%20ASC
 [BATIK-1018]: https://issues.apache.org/jira/browse/BATIK-1018

-- 
Government is the Entertainment division of the military-industrial
complex.
                        - Frank Zappa



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860566; Package src:batik. (Wed, 26 Apr 2017 18:51:03 GMT)


Acknowledgement sent to anarcat@orangeseeds.org (Antoine Beaupré):
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Apr 2017 18:51:03 GMT)


Message #15 received at 860566@bugs.debian.org:

From: anarcat@orangeseeds.org (Antoine Beaupré)
To: Emilio Pozuelo Monfort <pochu@debian.org>, ola@inguza.com, batik@packages.debian.org
Cc: debian-lts@lists.debian.org, 860566@bugs.debian.org
Subject: batik package ready for testing
Date: Wed, 26 Apr 2017 14:49:02 -0400
Hi,

As previously mentioned, I have worked on an update for the Batik
package. I have basically assumed the issue is the upstream BATIK-1139
issue, and used the patches referred to there:

https://issues.apache.org/jira/browse/BATIK-1139

That may be incorrect and because we don't have a reproducer associated
with the CVE, there's no direct way for me to test this. Since Batik
seems to be a rather complex piece of software, I haven't attempted to
reproduce the issue documented there.

I have, however, uploaded a patched version of the Debian package for
wheezy users to test, in my usual location:

https://people.debian.org/~anarcat/debian/wheezy-lts/

Thank you for your attention,

A.
-- 
The illusion of freedom will continue as long as it's profitable to
continue the illusion. At the point where the illusion becomes too
expensive to maintain, they will just take down the scenery, they will
pull back the curtains, they will move the tables and chairs out of
the way and you will see the brick wall at the back of the theater.
                         - Frank Zappa



Set Bug forwarded-to-address to 'https://issues.apache.org/jira/browse/BATIK-1139'. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Wed, 26 Apr 2017 19:42:07 GMT)


Added tag(s) patch. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Wed, 26 Apr 2017 19:42:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860566; Package src:batik. (Sun, 03 Sep 2017 19:12:03 GMT)


Message #22 received at 860566@bugs.debian.org:

From: pkg-java-maintainers@lists.alioth.debian.org
To: 860566@bugs.debian.org, 860566-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the batik package
Date: Sun, 03 Sep 2017 19:09:31 +0000
tag 860566 + pending
thanks

Some bugs in the batik package are closed in revision
3985be1982175e4e17c6b6fdb63bf325338bbbf2 in branch 'master' by
Christopher Hoskin

The full diff can be seen at
https://anonscm.debian.org/cgit/pkg-java/batik.git/commit/?id=3985be1

Commit message:

    New upstream (1.9)
    
    * New upstream (1.9)
        + Fix "CVE-2017-5662: information disclosure vulnerability" Upstream claim
          BATIK-1139 is fixed in 1.9 (Closes: #860566)




Added tag(s) pending. Request was from pkg-java-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Sun, 03 Sep 2017 19:12:05 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#860566. (Sun, 03 Sep 2017 19:12:09 GMT)


Reply sent to Christopher Hoskin <mans0954@debian.org>:
You have taken responsibility. (Mon, 04 Sep 2017 06:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 04 Sep 2017 06:21:05 GMT)


Message #32 received at 860566-close@bugs.debian.org:

From: Christopher Hoskin <mans0954@debian.org>
To: 860566-close@bugs.debian.org
Subject: Bug#860566: fixed in batik 1.9-1
Date: Mon, 04 Sep 2017 06:19:28 +0000
Source: batik
Source-Version: 1.9-1

We believe that the bug you reported is fixed in the latest version of
batik, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860566@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christopher Hoskin <mans0954@debian.org> (supplier of updated batik package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 04 Sep 2017 06:57:58 +0100
Source: batik
Binary: libbatik-java
Architecture: source
Version: 1.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Christopher Hoskin <mans0954@debian.org>
Description:
 libbatik-java - xml.apache.org SVG Library
Closes: 605063 860566
Changes:
 batik (1.9-1) unstable; urgency=medium
 .
   * Team upload.
   * Moved the package to Git
   * Updated signing keys from https://www.apache.org/dist/xmlgraphics/batik/KEYS
   * Exclude jar files from documentation-sources
   * Add repack script to remove non-free ICC profiles
   * New upstream (1.9)
       + Fix "CVE-2017-5662: information disclosure vulnerability" Upstream claim
         BATIK-1139 is fixed in 1.9 (Closes: #860566)
   * Disable old patches, pending further investigation
   * Get package building again
       +  maven-artifacts is no longer a target, explicitly add jars to
          DEB_ANT_BUILD_TARGET
       +  Add debian/debian/libbatik-java.poms, call mh_install to install jars
          and poms, for closer alignment to other pkg-java packages
   * Fix spellings in debian/manpages/rasterizer.1
   * Remove redundant remove-js.patch
   * Fix "batik is crashing (libbatik-java)" by patching build.xml to specify
     classpaths as appropriate for Debian (Closes: #605063)
   * Update Standards-Version from 3.9.8 to 4.0.0 (no change required)
   * Update 06_fix_paths_in_policy_files.patch
   * Remove bug805469.patch (fixed upstream
     http://svn.apache.org/viewvc?view=revision&revision=1687506)
   * Update debian/copyright
   * Remove unnecessary greater-than versioned dependencies from debian/control




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860566; Package src:batik. (Sun, 01 Oct 2017 09:48:07 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Oct 2017 09:48:07 GMT)


Message #37 received at 860566@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Christopher Hoskin <mans0954@debian.org>
Cc: 860566@bugs.debian.org, carnil@debian.org
Subject: Re: Bug#860566: fixed in batik 1.9-1
Date: Sun, 1 Oct 2017 11:37:24 +0200
On Mon, Sep 04, 2017 at 06:19:28AM +0000, Christopher Hoskin wrote:
> Changes:
>  batik (1.9-1) unstable; urgency=medium

[..]

>    * New upstream (1.9)
>        + Fix "CVE-2017-5662: information disclosure vulnerability" Upstream claim
>          BATIK-1139 is fixed in 1.9 (Closes: #860566)

Hi,
this doesn't warrant a DSA, but there's still the possibility to fix this via a
stable point update [1], so I was wondering whether anything of that sort is planned by
you.

Cheers,
        Moritz

[1] https://www.debian.org/doc/manuals/developers-reference/ch05.html#upload-stable



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Nov 2017 07:34:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:25:50 2019; Machine Name: buxtehude
