!3 fix CVE-2019-17566

From: @zhanghua1831 Reviewed-by: @wangxiao65,@wangchong1995924 Signed-off-by: @wangchong1995924
2020-12-09 09:00:03 +08:00 · 2020-12-09 09:00:03 +08:00 · 95f712595c
commit 95f712595c
parent ef1f52fc55 56fc68f50e
2 changed files with 127 additions and 7 deletions
--- a/CVE-2019-17566.patch
+++ b/CVE-2019-17566.patch
@ -0,0 +1,116 @@
+From bc6078ca949039e2076cd08b4cb169c84c1179b1 Mon Sep 17 00:00:00 2001
+From: Simon Steiner <ssteiner@apache.org>
+Date: Mon, 9 Dec 2019 12:24:18 +0000
+Subject: [PATCH] BATIK-1276: Allow blocking of external resources
+
+git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1871084 13f79535-47bb-0310-9956-ffa450edef68
+---
+ .../apache/batik/apps/rasterizer/Main.java    | 17 +++++++++++++++++
+ .../batik/apps/rasterizer/SVGConverter.java   |  6 ++++++
+ .../transcoder/SVGAbstractTranscoder.java     | 19 +++++++++++++++++++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+index c70b4dd691..a4248b527d 100644
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+@@ -501,6 +501,12 @@ public Color parseARGB(String argbVal){
+     public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+         = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+ 
+    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
+            = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
+
+    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
+            = Messages.get("Main.cl.option.block.external.resources.description", "No description");
+
+     /**
+      * Option to turn off secure execution of scripts
+      */
+@@ -829,6 +835,17 @@ public String getOptionDescription(){
+                               return CL_OPTION_SECURITY_OFF_DESCRIPTION;
+                           }
+                       });
+
+        optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
+                new NoValueOptionHandler(){
+                    public void handleOption(SVGConverter c){
+                        c.allowExternalResources = false;
+                    }
+
+                    public String getOptionDescription(){
+                        return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
+                    }
+                });
+     }
+ 
+     /**
+diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+index 324c3abcfe..9ec2135458 100644
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+@@ -253,6 +253,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
+         the document which references them. */
+     protected boolean constrainScriptOrigin = true;
+ 
+    protected boolean allowExternalResources = true;
+
+     /** Controls whether scripts should be run securely or not */
+     protected boolean securityOff = false;
+ 
+@@ -925,6 +927,10 @@ protected Map computeTranscodingHints(){
+             map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+         }
+ 
+        if (!allowExternalResources) {
+            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
+        }
+
+         return map;
+     }
+ 
+diff --git a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+index 65d983bfae..8d6ffe3b1f 100644
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+@@ -33,8 +33,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
+import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+ import org.apache.batik.bridge.NoLoadScriptSecurity;
+import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
+ import org.apache.batik.bridge.RelaxedScriptSecurity;
+ import org.apache.batik.bridge.SVGUtilities;
+ import org.apache.batik.bridge.ScriptSecurity;
+@@ -877,6 +879,9 @@ protected void setImageSize(float docWidth, float docHeight) {
+         = new BooleanKey();
+ 
+ 
+    public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
+            = new BooleanKey();
+
+     /**
+      * A user agent implementation for <code>PrintTranscoder</code>.
+      */
+@@ -1109,5 +1114,19 @@ protected void computeAllowedScripts(){
+             }
+         }
+ 
+        public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
+            if (isAllowExternalResources()) {
+                return super.getExternalResourceSecurity(resourceURL, docURL);
+            }
+            return new NoLoadExternalResourceSecurity();
+        }
+
+        public boolean isAllowExternalResources() {
+            Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
+            if (b != null) {
+                return b;
+            }
+            return true;
+        }
+     }
+ }
--- a/batik.spec
+++ b/batik.spec
@ -1,14 +1,15 @@
 %global classpath batik:rhino:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons:jai_imageio
-Name:		batik
-Version:	1.10
-Release:	3
-Summary:	Batik is an inline templating engine for CoffeeScript
-License:	ASL 2.0 and W3C
-URL:		https://xmlgraphics.apache.org/batik/
-Source0:	http://archive.apache.org/dist/xmlgraphics/batik/source/batik-src-%{version}.zip
+Name:           batik
+Version:        1.10
+Release:        4
+Summary:        Batik is an inline templating engine for CoffeeScript
+License:        Apache-2.0 and W3C
+URL:            https://xmlgraphics.apache.org/batik/
+Source0:        http://archive.apache.org/dist/xmlgraphics/batik/source/batik-src-%{version}.zip
 Source1:        %{name}-security.policy

 Patch1:         0001-Fix-imageio-codec-lookup.patch
+Patch6000:      CVE-2019-17566.patch

 BuildArch:      noarch

@ -120,5 +121,8 @@ cp -a samples %{buildroot}/%{_datadir}/%{name}/
 %doc CHANGES MAINTAIN README NOTICE

 %changelog
+* Mon Dec 07 2020 zhanghua <zhanghua40@huawei.com> - 1.10-4
+- fix CVE-2019-17566
+
 * Tue Dec 10 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.10-3
 - Package init