!7 fix CVE-2020-11987

From: @wang_yue111
Reviewed-by: @zhanghua1831,@wangchong1995924
Signed-off-by: @wangchong1995924
openeuler-ci-bot 2021-03-11 15:56:01 +08:00 committed by Gitee
commit 53346012bf
2 changed files with 33 additions and 2 deletions

27
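--- a/CVE-2020-11987.patch
+++ b/CVE-2020-11987.patch
@@ -0,0 +1,27 @@
+From 0ef5b661a1f77772d1110877ea9e0287987098f6 Mon Sep 17 00:00:00 2001
+From: Simon Steiner <ssteiner@apache.org>
+Date: Tue, 2 Jun 2020 13:59:37 +0000
+Subject: [PATCH] BATIK-1284: Dont load DTDs in NodePickerPanel
+git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1878396 13f79535-47bb-0310-9956-ffa450edef68
+---
+.../org/apache/batik/apps/svgbrowser/NodePickerPanel.java | 6 ++++--
+1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java b/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java
+index 2a93e95a43..a5ad8e8b11 100644
+--- a/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java
++++ b/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java
+@@ -847,8 +847,10 @@ private Element parseXml(String xmlString) {
+Document doc = null;
+DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+try {
+- javax.xml.parsers.DocumentBuilder parser = factory
+- .newDocumentBuilder();
++ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ javax.xml.parsers.DocumentBuilder parser = factory.newDocumentBuilder();
+parser.setErrorHandler(new ErrorHandler() {
+public void error(SAXParseException exception)
+throws SAXException {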
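Review bot: The three added `setFeature` calls stop external entities and the external DTD from being fetched, but they leave `http://apache.org/xml/features/disallow-doctype-decl` unset, so an inline DOCTYPE in the pasted XML is still parsed; since NodePickerPanel has no need for a DTD, the stronger guard is to add `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and `factory.setXIncludeAware(false);` ahead of `newDocumentBuilder()`. Each `setFeature` can throw `ParserConfigurationException` on a parser that does not recognise the feature name; the hunk sits inside the `try` opened on its third context line, but `parseXml` both starts and ends outside the hunk, so it is not visible here whether the matching catch surfaces that failure or silently yields a null document. A one-line comment above the first call, such as `// CVE-2020-11987 / BATIK-1284: never resolve external entities or DTDs for user-supplied XML`, would record why these features are pinned.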


@ -1,15 +1,16 @@
%global classpath batik:rhino:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons:jai_imageio
Name: batik
Version: 1.10
Release: 4
Release: 5
Summary: Batik is an inline templating engine for CoffeeScript
License: Apache-2.0 and W3C
License: Apache-2.0 and W3C and MPL-1.1 and GPL-2.0-or-later and Apache-1.1
URL: https://xmlgraphics.apache.org/batik/
Source0: http://archive.apache.org/dist/xmlgraphics/batik/source/batik-src-%{version}.zip
Source1: %{name}-security.policy
Patch1: 0001-Fix-imageio-codec-lookup.patch
Patch6000: CVE-2019-17566.patch
Patch6001: CVE-2020-11987.patch
BuildArch: noarch
@ -121,6 +122,9 @@ cp -a samples %{buildroot}/%{_datadir}/%{name}/
%doc CHANGES MAINTAIN README NOTICE
%changelog
* Thu Mar 11 2021 wangyue <wangyue92@huawei.com> - 1.10-5
- fix CVE-2020-11987
* Mon Dec 07 2020 zhanghua <zhanghua40@huawei.com> - 1.10-4
- fix CVE-2019-17566
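Review bot: The License field is changed to `Apache-2.0 and W3C and MPL-1.1 and GPL-2.0-or-later and Apache-1.1` in the first hunk, but the new changelog entry in the second hunk only says `- fix CVE-2020-11987`; if the license correction is intended it should get its own bullet, e.g. `- correct License field`, otherwise it belongs in a separate commit. Which of the paired Release and License lines is old and which is new is not marked on this rendering, so that reading is inferred from the 2-deletion diffstat and the 1.10-5 changelog entry. The untouched Summary context line describes an unrelated CoffeeScript project rather than the Apache Batik SVG toolkit at the URL below it; it is not part of this change, but it is worth correcting separately.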