Upstream has issued an advisory on March 17:
http://openwall.com/lists/oss-security/2015/03/17/4

Ubuntu has issued an advisory for this today (March 25):
http://www.ubuntu.com/usn/usn-2548-1/

The issue is fixed upstream in the final 1.8 release (we have an SVN snapshot), and Ubuntu has linked the upstream commit from here:
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0250.html

Mageia 4 and Mageia 5 are affected.
CC: (none) => geiger.david68210, pterjan
Whiteboard: (none) => MGA5TOO, MGA4TOO
Upstream patch checked into Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron.
Patched packages uploaded for Mageia 4 and Cauldron.

There is a PoC linked from here:
https://security-tracker.debian.org/tracker/CVE-2015-0250

Advisory:
========================

Updated batik packages fix security vulnerability:

Nicolas Gregoire and Kevin Schaller discovered that Batik would load XML external entities by default. If a user or automated system were tricked into opening a specially crafted SVG file, an attacker could possibly obtain access to arbitrary files or cause resource consumption (CVE-2015-0250).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0250
http://openwall.com/lists/oss-security/2015/03/17/4
http://www.ubuntu.com/usn/usn-2548-1/
========================

Updated packages in core/updates_testing:
========================
batik-1.8-0.1.svn1230816.10.mga4
batik-squiggle-1.8-0.1.svn1230816.10.mga4
batik-svgpp-1.8-0.1.svn1230816.10.mga4
batik-ttf2svg-1.8-0.1.svn1230816.10.mga4
batik-rasterizer-1.8-0.1.svn1230816.10.mga4
batik-slideshow-1.8-0.1.svn1230816.10.mga4
batik-javadoc-1.8-0.1.svn1230816.10.mga4
batik-demo-1.8-0.1.svn1230816.10.mga4

from batik-1.8-0.1.svn1230816.10.mga4.src.rpm
Version: Cauldron => 4
Assignee: dmorganec => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
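As an added example (not part of the original thread, and not Batik's or Mageia's code), the following pre-screen lists external entity declarations in an SVG's internal DTD subset, the construct the advisory says Batik loaded by default. The function name and both sample documents are constructed for illustration.

```python
import xml.parsers.expat


class _StopAtRoot(Exception):
    """Raised from the start-element handler once the prolog has been read."""


def external_entities(svg_bytes):
    """Return (name, system_id, public_id) for each external entity declared
    in the document's internal DTD subset. Nothing is fetched or expanded."""
    found = []
    parser = xml.parsers.expat.ParserCreate()

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value; external ones have value
        # None and a SYSTEM (and optionally PUBLIC) identifier instead.
        if value is None:
            found.append((("%" if is_param else "") + name, system_id, public_id))

    def on_root(name, attrs):
        # Declarations can only precede the root element, so stop here and
        # never parse (or expand entity references in) the document body.
        raise _StopAtRoot

    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_root
    try:
        parser.Parse(svg_bytes, True)  # malformed input raises ExpatError
    except _StopAtRoot:
        pass
    return found


# Constructed samples (not the PoC referenced in the thread).
BENIGN_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY label "constructed text"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&label;</text></svg>"""

SUSPECT_SVG = b"""<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY ext SYSTEM "file:///constructed/placeholder.txt"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspect", SUSPECT_SVG)):
        print(label, external_entities(doc))
```

A non-empty result is a reason to reject or quarantine the file before it reaches an SVG renderer; it complements the patched packages rather than replacing them.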
PoC classpath will need to be altered to the packaged paths in start.sh. I'll look tomorrow.
Testing mga4 64

As with most Java stuff, I'm unable to get anything out of this. Just ensuring the packages update cleanly, which they do.
Whiteboard: (none) => mga4-64-ok
Validating. Advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: mga4-64-ok => mga4-64-ok advisory
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0138.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED