packages/batik
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!25 [sync] PR-21: Fix CVE-2022-41704 and CVE-2022-42890

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
This commit is contained in:
openeuler-ci-bot 2022-12-28 07:05:02 +00:00 committed by Gitee
commit 5e7e632d1e
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 77 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
CVE-2022-41704.patch Normal file
View File

@ -0,0 +1,30 @@
From: Markus Koschany <apo@debian.org>
Date: Sat, 29 Oct 2022 08:28:58 +0200
Subject: CVE-2022-41704
Origin: http://svn.apache.org/viewvc?view=revision&revision=1904320
---
.../src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
index cab8e0e..a3daa0d 100644
--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
+++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
@@ -19,6 +19,7 @@
package org.apache.batik.bridge;
import org.apache.batik.util.ParsedURL;
+import static org.apache.batik.util.SVGConstants.SVG_SCRIPT_TYPE_JAVA;
/**
* Default implementation for the <code>ScriptSecurity</code> interface.
@@ -76,7 +77,7 @@ public class DefaultScriptSecurity implements ScriptSecurity {
ParsedURL docURL){
// Make sure that the archives comes from the same host
// as the document itself
- if (docURL == null) {
+ if (docURL == null || SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) {
se = new SecurityException
(Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
new Object[]{scriptURL}));

41
CVE-2022-42890.patch Normal file
View File

@ -0,0 +1,41 @@
From: Markus Koschany <apo@debian.org>
Date: Sat, 29 Oct 2022 08:13:38 +0200
Subject: CVE-2022-42890
Origin: http://svn.apache.org/viewvc?view=revision&revision=1904549
---
.../main/java/org/apache/batik/script/rhino/RhinoClassShutter.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
index 3f95e5d..733061a 100644
--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
@@ -19,6 +19,8 @@
package org.apache.batik.script.rhino;
import org.mozilla.javascript.ClassShutter;
+import java.util.Arrays;
+import java.util.List;
/**
* Class shutter that restricts access to Batik internals from script.
@@ -27,6 +29,7 @@ import org.mozilla.javascript.ClassShutter;
* @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
*/
public class RhinoClassShutter implements ClassShutter {
+ private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
/*
public RhinoClassShutter() {
@@ -55,6 +58,10 @@ public class RhinoClassShutter implements ClassShutter {
* Returns whether the given class is visible to scripts.
*/
public boolean visibleToScripts(String fullClassName) {
+ if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
+ return false;
+ }
+
// Don't let them mess with script engine's internals.
if (fullClassName.startsWith("org.mozilla.javascript"))
return false;

7
batik.spec
View File

@ -1,7 +1,7 @@
%global classpath batik:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons %global classpath batik:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons
Name: batik Name: batik
Version: 1.10 Version: 1.10
Release: 6 Release: 7
Summary: Batik is an inline templating engine for CoffeeScript Summary: Batik is an inline templating engine for CoffeeScript
License: Apache-2.0 and W3C and MPL-1.1 and GPL-2.0-or-later and Apache-1.1 License: Apache-2.0 and W3C and MPL-1.1 and GPL-2.0-or-later and Apache-1.1
URL: https://xmlgraphics.apache.org/batik/ URL: https://xmlgraphics.apache.org/batik/
@ -11,6 +11,8 @@ Source1: %{name}-security.policy
Patch1: 0001-Fix-imageio-codec-lookup.patch Patch1: 0001-Fix-imageio-codec-lookup.patch
Patch6000: CVE-2019-17566.patch Patch6000: CVE-2019-17566.patch
Patch6001: CVE-2020-11987.patch Patch6001: CVE-2020-11987.patch
Patch6002: CVE-2022-41704.patch
Patch6003: CVE-2022-42890.patch
BuildArch: noarch BuildArch: noarch
@ -122,6 +124,9 @@ cp -a samples %{buildroot}/%{_datadir}/%{name}/
%doc CHANGES MAINTAIN README NOTICE %doc CHANGES MAINTAIN README NOTICE
%changelog %changelog
* Wed Dec 28 2022 jiangpeng <jiangpeng01@ncti-gba.cn> - 1.10-7
- Fix CVE-2022-41704 and CVE-2022-42890
* Wed Mar 31 2021 lingsheng <lingsheng@huawei.com> - 1.10-6 * Wed Mar 31 2021 lingsheng <lingsheng@huawei.com> - 1.10-6
- Remove unneeded rhino and jai_imageio in classpath - Remove unneeded rhino and jai_imageio in classpath