Bug 28439 - batik new security issue CVE-2020-11987
Summary: batik new security issue CVE-2020-11987
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Duplicates: 28491
Depends on:
Blocks: 26800 28479 28491
Reported: 2021-02-25 21:28 CET by David Walser
Modified: 2021-05-29 19:12 CEST (History)

See Also:
Source RPM: batik-1.13-1.mga8.src.rpm
CVE: CVE-2020-11987
Status comment:



Description David Walser 2021-02-25 21:28:14 CET
Apache has issued an advisory on February 24:
https://www.openwall.com/lists/oss-security/2021/02/24/2

The issue is fixed upstream in 1.14:
https://xmlgraphics.apache.org/security.html

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-02-25 21:28:25 CET

Status comment: (none) => Fixed upstream in 1.14
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Nicolas Lécureuil 2021-02-28 00:04:59 CET
fixed in cauldron/mga8

src:

     - batik-1.14-1.mga8


not yet fixed for mga 7

Assignee: java => bugsquad
CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8

Nicolas Lécureuil 2021-02-28 00:05:23 CET

Assignee: bugsquad => java

David Walser 2021-02-28 15:08:00 CET

Blocks: (none) => 28479

Nicolas Lécureuil 2021-02-28 17:23:47 CET

Blocks: (none) => 28491

Comment 2 Nicolas Lécureuil 2021-02-28 17:24:44 CET
I cloned this bug report for tracking this in Mageia 7.

Status comment: Fixed upstream in 1.14 => (none)
Assignee: java => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 3 Nicolas Lécureuil 2021-02-28 17:27:48 CET
The new rpm I just uploaded fixes (tries at least) bug: https://bugs.mageia.org/show_bug.cgi?id=28479
Comment 4 David Walser 2021-03-01 17:43:29 CET
Package list:
batik-css-1.14-1.1.mga8
batik-util-1.14-1.1.mga8
batik-svgpp-1.14-1.1.mga8
batik-slideshow-1.14-1.1.mga8
batik-rasterizer-1.14-1.1.mga8
batik-squiggle-1.14-1.1.mga8
batik-ttf2svg-1.14-1.1.mga8
batik-1.14-1.1.mga8
batik-demo-1.14-1.1.mga8
batik-javadoc-1.14-1.1.mga8
Comment 5 David Walser 2021-03-03 02:01:32 CET
Advisory:
========================

Updated batik packages fix security vulnerability:

The Apache Batik library is vulnerable to SSRF via the NodePickerPanel, which
allows an attacker to cause the underlying server to make arbitrary GET requests
(CVE-2020-11987).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987
https://www.openwall.com/lists/oss-security/2021/02/24/2
https://xmlgraphics.apache.org/security.html
Comment 6 Len Lawrence 2021-03-06 22:23:11 CET
mga8, X86_64

`locate batik` returns 5741 references
/usr/share/batik/samples/samples/tests contains SVG files and other things

https://xmlgraphics.apache.org/batik/using/

This is more than a toolkit for manipulating SVG format images but going any further than that requires too much time for a non-user.

$ urpmq --whatrequires batik
batik-demo
batik-rasterizer
batik-slideshow
batik-squiggle
batik-svgpp
batik-ttf2svg
fop
publican

Information about FOP:
https://xmlgraphics.apache.org/fop/2.6/output.html

A quick look at that shows that fop is very specialized and beyond our scope because it requires too much prior knowledge. The CLI examples require data files to be prepared.

batik-slideshow has a website:
https://mvnrepository.com/artifact/batik/batik-slideshow
and a pointer to a book:
https://www.amazon.com/Java-Drawing-Apache-Batik-Tutorial/dp/.....

publican again requires a course of instruction:
https://jfearn.fedorapeople.org/en-US/Publican/4.0/html/Users_Guide/pref-Publican-Users_Guide-Introduction.html
<quote>
Publican is a tool for publishing material authored in DocBook XML. This guide explains how to create and build books and articles using Publican. It is not a general DocBook XML tutorial; refer to DocBook: The Definitive Guide by Norman Walsh and Leonard Muellner, available at http://www.docbook.org/tdg/en/html/docbook.html for more general help with DocBook XML.
</quote>

Admitting defeat and going for a clean install.
....
Preparing...                     #############################################
      1/9: batik-util            #############################################
      2/9: batik-css             #############################################
      3/9: batik                 #############################################
      4/9: batik-demo            #############################################
      5/9: batik-ttf2svg         #############################################
      6/9: batik-squiggle        #############################################
      7/9: batik-rasterizer      #############################################
      8/9: batik-slideshow       #############################################
      9/9: batik-svgpp           #############################################

Yep, that's fine.

Whiteboard: (none) => MGA7TOO MGA8-64-OK
CC: (none) => tarazed25

Comment 7 Thomas Andrews 2021-03-11 16:56:31 CET
This bug involves MGA7 as well as MGA8, and was sent to QA as such. I don't see anything here about any MGA7 packages being ready, but decided to try, anyway. However, qarepo reports no packages in MGA7 updates_testing that fit the "batik*" search term.

So, how to proceed? Bug 28479 is also waiting for an OK from QA, but that can't happen until this bug is taken care of.

CC: (none) => andrewsfarm

Comment 8 David Walser 2021-03-11 16:59:43 CET
Mageia 7 got moved to Bug 28491.

Whiteboard: MGA7TOO MGA8-64-OK => MGA8-64-OK

Comment 9 Thomas Andrews 2021-03-11 18:24:45 CET
OK then, validating this one. Advisory in Comment 5.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 David Walser 2021-03-14 15:11:08 CET
*** Bug 28491 has been marked as a duplicate of this bug. ***
David Walser 2021-03-14 15:14:42 CET

Blocks: (none) => 26800

Comment 11 Aurelien Oudelet 2021-03-14 16:48:24 CET
Advisory pushed to SVN.

Keywords: (none) => advisory
CVE: (none) => CVE-2020-11987
CC: (none) => ouaurelien

Comment 12 Mageia Robot 2021-03-17 07:17:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0139.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 13 David Walser 2021-05-29 19:12:55 CEST
Fedora has issued an advisory for this on March 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/
