Bug 26800 - batik new security issue CVE-2019-17566 and CVE-2020-11987
Summary: batik new security issue CVE-2019-17566 and CVE-2020-11987
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on: 28439 28479 28491
Blocks:
Reported: 2020-06-15 15:05 CEST by David Walser
Modified: 2021-04-02 22:26 CEST (History)

See Also:
Source RPM: batik-1.10-1.mga7.src.rpm
CVE: CVE-2019-17566, CVE-2020-11987
Status comment:


Description David Walser 2020-06-15 15:05:10 CEST
Apache has issued an advisory today (June 15):
https://www.openwall.com/lists/oss-security/2020/06/15/2

The issue is fixed upstream in 1.13.

Mageia 7 is also affected.
David Walser 2020-06-15 15:05:22 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 1.13

Comment 1 David Walser 2020-06-24 00:06:51 CEST
openSUSE has issued an advisory for this today (June 23):
https://lists.opensuse.org/opensuse-updates/2020-06/msg00093.html
Comment 2 David Walser 2020-09-03 22:58:24 CEST
batik-1.13-1.mga8 uploaded for Cauldron by David Geiger.

Fedora has issued an advisory for this on August 31:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N3V3MJVGDUNTVPXXGYR335PZJJK7LDXC/

Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
CC: (none) => geiger.david68210

David Walser 2021-03-01 17:41:24 CET

Depends on: (none) => 28491

David Walser 2021-03-01 17:42:15 CET

Source RPM: batik-1.11-2.mga8.src.rpm => batik-1.10-1.mga7.src.rpm

Comment 3 Nicolas Lécureuil 2021-03-14 09:44:51 CET
*** Bug 28491 has been marked as a duplicate of this bug. ***

CC: (none) => mageia

Nicolas Lécureuil 2021-03-14 09:45:14 CET

Summary: batik new security issue CVE-2019-17566 => batik new security issue CVE-2019-17566 and CVE-2020-11987

Comment 4 Nicolas Lécureuil 2021-03-14 09:46:55 CET
this is fixed in mga7:

src:
    - batik-1.13-1.1.mga7

Assignee: java => qa-bugs

Comment 5 David Walser 2021-03-14 15:13:13 CET
Apache has issued an advisory on February 24: https://www.openwall.com/lists/oss-security/2021/02/24/2

The issue is fixed upstream in 1.14: https://xmlgraphics.apache.org/security.html

Status comment: Fixed upstream in 1.13 => (none)

David Walser 2021-03-14 15:14:42 CET

Depends on: (none) => 28439

Comment 6 David Walser 2021-03-14 15:58:36 CET
Saving advisory, but CVE-2020-11987 is not fixed.

Advisory:
========================

Updated batik packages fix security vulnerabilities:

A flaw was found in the Apache Batik library, where it is vulnerable to a
Server-Side Request Forgery attack (SSRF) via "xlink:href" attributes. This
flaw allows an attacker to cause the underlying server to make arbitrary GET
requests. The highest threat from this vulnerability is to system integrity
(CVE-2019-17566).

The Apache Batik library is vulnerable to SSRF via the NodePickerPanel, which
allows an attacker to cause the underlying server to make arbitrary GET requests
(CVE-2020-11987).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17566
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987
https://www.openwall.com/lists/oss-security/2021/02/24/2
https://xmlgraphics.apache.org/security.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/N3V3MJVGDUNTVPXXGYR335PZJJK7LDXC/

Status comment: (none) => Fixed upstream in 1.14
Assignee: qa-bugs => java
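
The advisory text above describes the CVE-2019-17566 vector as SSRF through "xlink:href" attributes, i.e. an SVG handed to Batik can point the renderer at a URL of the attacker's choosing. The following is an added example, not code from this bug report, from Mageia or from Apache Batik: a pre-filter that lists the href targets in an untrusted SVG that would make a renderer fetch something outside the document, so a service can reject such input before it reaches Batik. It uses only the Python standard library; the sample SVG, the hostnames in it and the function names are constructed for the example. It only inspects href/xlink:href attributes, so url(...) values in style attributes or <style> blocks are out of scope, and it is a defence-in-depth check, not a replacement for installing the fixed packages listed in this bug.

```python
"""Pre-filter untrusted SVG for external href references before rendering.

Added example (not from the bug report or from Apache Batik).  It flags
href/xlink:href values that point outside the document; CSS url(...) values
in style attributes or <style> blocks are not covered here.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
HREF_ATTRS = (XLINK_HREF, "href")  # SVG 1.1 uses xlink:href, SVG 2 allows plain href


def _local_name(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}image' -> 'image')."""
    return tag.rsplit("}", 1)[-1]


def classify_href(value: str) -> str:
    """Return 'local' for same-document fragments, 'inline' for data: URIs,
    and 'external' for anything else (absolute URLs, file:, relative paths,
    which resolve against the document base and may still leave the host)."""
    v = value.strip()
    if v.startswith("#"):
        return "local"
    scheme = urlsplit(v).scheme.lower()
    if scheme == "data":
        return "inline"
    return "external"


def external_references(svg_text: str) -> list[tuple[str, str]]:
    """List (element, href) pairs a renderer would try to fetch.
    Raises ET.ParseError on malformed XML; callers should treat that as a
    rejection rather than fall through."""
    root = ET.fromstring(svg_text)
    found = []
    for elem in root.iter():  # document order, root included
        for attr in HREF_ATTRS:
            value = elem.get(attr)
            if value is not None and classify_href(value) == "external":
                found.append((_local_name(elem.tag), value.strip()))
    return found


def is_safe_to_render(svg_text: str) -> bool:
    """Accept only well-formed documents with no external href targets."""
    try:
        return not external_references(svg_text)
    except ET.ParseError:
        return False


# Constructed sample (not an attachment from the bug): one local <use>, one
# inline data: image, and two references the renderer would try to fetch.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <defs><rect id="sym" width="1" height="1"/></defs>
  <use xlink:href="#sym"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo="/>
  <image xlink:href="http://internal.example/status"/>
  <image href="file:///etc/hostname"/>
</svg>"""

if __name__ == "__main__":
    for element, href in external_references(SAMPLE_SVG):
        print(f"external reference in <{element}>: {href}")
    print("safe to render:", is_safe_to_render(SAMPLE_SVG))
```

On the sample document the filter reports the http: and file: images and rejects the file; the fragment reference and the data: URI pass. For production use on untrusted input, parse with defusedxml rather than the bare stdlib parser so the XML layer itself is hardened too, and treat a relative path as external, since the renderer resolves it against the document base. If you control the rendering code, Batik's bridge layer also has an ExternalResourceSecurity hook (NoLoadExternalResourceSecurity refuses every external load); this pre-filter is independent of that and can sit in front of any renderer.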

Comment 7 David Walser 2021-03-14 16:12:08 CET
Now patched in:
batik-1.13-1.1.mga7
batik-util-1.13-1.1.mga7
batik-css-1.13-1.1.mga7
batik-squiggle-1.13-1.1.mga7
batik-svgpp-1.13-1.1.mga7
batik-ttf2svg-1.13-1.1.mga7
batik-rasterizer-1.13-1.1.mga7
batik-slideshow-1.13-1.1.mga7
batik-javadoc-1.13-1.1.mga7
batik-demo-1.13-1.1.mga7

from batik-1.13-1.1.mga7.src.rpm

Assignee: java => qa-bugs
Status comment: Fixed upstream in 1.14 => (none)

David Walser 2021-03-25 03:48:45 CET

Depends on: (none) => 28479

Comment 8 David Walser 2021-03-25 03:49:30 CET
Rebuilt to also fix Bug 28479.

batik-1.13-1.2.mga7
batik-util-1.13-1.2.mga7
batik-css-1.13-1.2.mga7
batik-squiggle-1.13-1.2.mga7
batik-svgpp-1.13-1.2.mga7
batik-ttf2svg-1.13-1.2.mga7
batik-rasterizer-1.13-1.2.mga7
batik-slideshow-1.13-1.2.mga7
batik-javadoc-1.13-1.2.mga7
batik-demo-1.13-1.2.mga7

from batik-1.13-1.2.mga7.src.rpm
Comment 9 David GEIGER 2021-03-26 04:49:20 CET
Again rebuilt to also fix Bug 28479.


Packages in 7/core/updates_testing:
========================
batik-1.13-1.3.mga7
batik-css-1.13-1.3.mga7
batik-util-1.13-1.3.mga7
batik-svgpp-1.13-1.3.mga7
batik-slideshow-1.13-1.3.mga7
batik-rasterizer-1.13-1.3.mga7
batik-squiggle-1.13-1.3.mga7
batik-ttf2svg-1.13-1.3.mga7
batik-demo-1.13-1.3.mga7
batik-javadoc-1.13-1.3.mga7


Source RPM: 
========================
batik-1.13-1.3.mga7.src.rpm
Comment 10 Aurelien Oudelet 2021-03-30 18:07:42 CEST
MGA7-64

Not familiar.
Installs well over existing packages (batik-1.13-1.3.mga7)

Not sure if need more tests.
Advisory committed.

CVE: (none) => CVE-2019-17566, CVE-2020-11987
CC: (none) => ouaurelien
Whiteboard: (none) => MGA7-64-OK

Aurelien Oudelet 2021-03-30 18:08:03 CEST

Keywords: (none) => advisory

Comment 11 Thomas Andrews 2021-04-02 17:15:44 CEST
We validated in mga8 on a clean install, so it should be OK here, too.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 12 Mageia Robot 2021-04-02 22:26:32 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0168.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED