Bug 15566

Summary: batik new security issue CVE-2015-0250
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, pterjan, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/637862/
Whiteboard: mga4-64-ok advisory
Source RPM: batik-1.8-0.1.svn1230816.9.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-03-25 17:26:23 CET 
Upstream has issued an advisory on March 17:
http://openwall.com/lists/oss-security/2015/03/17/4

Ubuntu has issued an advisory for this today (March 25):
http://www.ubuntu.com/usn/usn-2548-1/

The issue is fixed upstream in the final 1.8 release (we have an SVN snapshot), and Ubuntu has linked the upstream commit from here:
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0250.html

Mageia 4 and Mageia 5 are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-25 17:26:40 CET

CC: (none) => geiger.david68210, pterjan
Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-03-30 16:22:00 CEST 
Upstream patch checked into Mageia 4 and Cauldron SVN.

Freeze push requested for Cauldron.
Comment 2 David Walser 2015-03-30 18:15:05 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

There is a PoC linked from here:
https://security-tracker.debian.org/tracker/CVE-2015-0250

Advisory:
========================

Updated batik packages fix security vulnerability:

Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML
external entities by default. If a user or automated system were tricked into
opening a specially crafted SVG file, an attacker could possibly obtain access
to arbitrary files or cause resource consumption (CVE-2015-0250).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0250
http://openwall.com/lists/oss-security/2015/03/17/4
http://www.ubuntu.com/usn/usn-2548-1/
========================

Updated packages in core/updates_testing:
========================
batik-1.8-0.1.svn1230816.10.mga4
batik-squiggle-1.8-0.1.svn1230816.10.mga4
batik-svgpp-1.8-0.1.svn1230816.10.mga4
batik-ttf2svg-1.8-0.1.svn1230816.10.mga4
batik-rasterizer-1.8-0.1.svn1230816.10.mga4
batik-slideshow-1.8-0.1.svn1230816.10.mga4
batik-javadoc-1.8-0.1.svn1230816.10.mga4
batik-demo-1.8-0.1.svn1230816.10.mga4

from batik-1.8-0.1.svn1230816.10.mga4.src.rpm

Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 3 claire robinson 2015-04-07 19:06:13 CEST 
PoC classpath will need to be altered to the packaged paths in start.sh.

I'll look tomorrow
Comment 4 claire robinson 2015-04-08 15:45:38 CEST 
Testing mga4 64

As most java stuff I'm unable to get anything out of this.
Just ensuring the packages update cleanly, which they do.

Whiteboard: (none) => mga4-64-ok

Comment 5 claire robinson 2015-04-08 17:32:50 CEST 
validating. advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: mga4-64-ok => mga4-64-ok advisory
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-04-10 00:45:03 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0138.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED