| Summary: | batik new security issue CVE-2020-11987 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, mageia, ouaurelien, sysadmin-bugs, tarazed25 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | batik-1.13-1.mga8.src.rpm | CVE: | CVE-2020-11987 |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 26800, 28479, 28491 | | |
Description
David Walser
2021-02-25 21:28:14 CET

David Walser
2021-02-25 21:28:25 CET
Status comment: (none) => Fixed upstream in 1.14

fixed in cauldron/mga8
src:
- batik-1.14-1.mga8

not yet fixed for mga 7

Assignee: java => bugsquad

Nicolas Lécureuil
2021-02-28 00:05:23 CET
Assignee: bugsquad => java

David Walser
2021-02-28 15:08:00 CET
Blocks: (none) => 28479

Nicolas Lécureuil
2021-02-28 17:23:47 CET
Blocks: (none) => 28491

I cloned this bug report for tracking this in Mageia 7.

Status comment: Fixed upstream in 1.14 => (none)

The new rpm I just uploaded fixes (tries at least) bug: https://bugs.mageia.org/show_bug.cgi?id=28479

Package list:
batik-css-1.14-1.1.mga8
batik-util-1.14-1.1.mga8
batik-svgpp-1.14-1.1.mga8
batik-slideshow-1.14-1.1.mga8
batik-rasterizer-1.14-1.1.mga8
batik-squiggle-1.14-1.1.mga8
batik-ttf2svg-1.14-1.1.mga8
batik-1.14-1.1.mga8
batik-demo-1.14-1.1.mga8
batik-javadoc-1.14-1.1.mga8

Advisory:
========================

Updated batik packages fix security vulnerability:

The Apache Batik library is vulnerable to SSRF via the NodePickerPanel that allows an attacker to cause the underlying server to make arbitrary GET requests (CVE-2020-11987).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987
https://www.openwall.com/lists/oss-security/2021/02/24/2
https://xmlgraphics.apache.org/security.html

mga8, X86_64

`locate batik` returns 5741 references
/usr/share/batik/samples/samples/tests contains SVG files and other things
https://xmlgraphics.apache.org/batik/using/
This is more than a toolkit for manipulating SVG format images, but going any further than that requires too much time for a non-user.

$ urpmq --whatrequires batik
batik-demo
batik-rasterizer
batik-slideshow
batik-squiggle
batik-svgpp
batik-ttf2svg
fop
publican

Information about FOP: https://xmlgraphics.apache.org/fop/2.6/output.html
A quick look at that shows that fop is very specialized and beyond our scope because it requires too much prior knowledge. The cli examples require data files to be prepared.

batik-slideshow has a website: https://mvnrepository.com/artifact/batik/batik-slideshow and a pointer to a book: https://www.amazon.com/Java-Drawing-Apache-Batik-Tutorial/dp/.....

publican again requires a course of instruction:
https://jfearn.fedorapeople.org/en-US/Publican/4.0/html/Users_Guide/pref-Publican-Users_Guide-Introduction.html
<quote>
Publican is a tool for publishing material authored in DocBook XML. This guide explains how to create and build books and articles using Publican. It is not a general DocBook XML tutorial; refer to DocBook: The Definitive Guide by Norman Walsh and Leonard Muellner, available at http://www.docbook.org/tdg/en/html/docbook.html for more general help with DocBook XML.
</quote>

Admitting defeat and going for a clean install.
....
Preparing... #############################################
1/9: batik-util #############################################
2/9: batik-css #############################################
3/9: batik #############################################
4/9: batik-demo #############################################
5/9: batik-ttf2svg #############################################
6/9: batik-squiggle #############################################
7/9: batik-rasterizer #############################################
8/9: batik-slideshow #############################################
9/9: batik-svgpp #############################################

Yep, that's fine.

Whiteboard: (none) => MGA7TOO MGA8-64-OK

This bug involves MGA7 as well as MGA8, and was sent to QA as such. I don't see anything here about any MGA7 packages being ready, but decided to try, anyway. However, qarepo reports no packages in MGA7 updates_testing that fit the "batik*" search term. So, how to proceed? Bug 28479 is also waiting for an OK from QA, but that can't happen until this bug is taken care of.

CC: (none) => andrewsfarm

OK then, validating this one. Advisory in Comment 5.

CC: (none) => sysadmin-bugs

*** Bug 28491 has been marked as a duplicate of this bug. ***

David Walser
2021-03-14 15:14:42 CET
Blocks: (none) => 26800

Advisory pushed to SVN.

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0139.html

Status: NEW => RESOLVED

Fedora has issued an advisory for this on March 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/