!39 [sync] PR-33: Update to 1.17 for fix CVE-2022-38398,CVE-2022-38648,CVE-2022-40146,CVE-2022-44729 and CVE-2022-44730

From: @openeuler-sync-bot 
Reviewed-by: @cherry530 
Signed-off-by: @cherry530
This commit is contained in:
openeuler-ci-bot 2023-09-08 03:27:48 +00:00 committed by Gitee
commit 9d82eacd64
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
6 changed files with 40 additions and 244 deletions


@ -1,116 +0,0 @@
From bc6078ca949039e2076cd08b4cb169c84c1179b1 Mon Sep 17 00:00:00 2001
From: Simon Steiner <ssteiner@apache.org>
Date: Mon, 9 Dec 2019 12:24:18 +0000
Subject: [PATCH] BATIK-1276: Allow blocking of external resources
git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1871084 13f79535-47bb-0310-9956-ffa450edef68
---
.../apache/batik/apps/rasterizer/Main.java | 17 +++++++++++++++++
.../batik/apps/rasterizer/SVGConverter.java | 6 ++++++
.../transcoder/SVGAbstractTranscoder.java | 19 +++++++++++++++++++
3 files changed, 42 insertions(+)
diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
index c70b4dd691..a4248b527d 100644
--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
@@ -501,6 +501,12 @@ public Color parseARGB(String argbVal){
public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
= Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
+ = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
+
+ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
+ = Messages.get("Main.cl.option.block.external.resources.description", "No description");
+
/**
* Option to turn off secure execution of scripts
*/
@@ -829,6 +835,17 @@ public String getOptionDescription(){
return CL_OPTION_SECURITY_OFF_DESCRIPTION;
}
});
+
+ optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
+ new NoValueOptionHandler(){
+ public void handleOption(SVGConverter c){
+ c.allowExternalResources = false;
+ }
+
+ public String getOptionDescription(){
+ return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
+ }
+ });
}
/**
diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
index 324c3abcfe..9ec2135458 100644
--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
@@ -253,6 +253,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
the document which references them. */
protected boolean constrainScriptOrigin = true;
+ protected boolean allowExternalResources = true;
+
/** Controls whether scripts should be run securely or not */
protected boolean securityOff = false;
@@ -925,6 +927,10 @@ protected Map computeTranscodingHints(){
map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
}
+ if (!allowExternalResources) {
+ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
+ }
+
return map;
}
diff --git a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
index 65d983bfae..8d6ffe3b1f 100644
--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
@@ -33,8 +33,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more
import org.apache.batik.bridge.BridgeContext;
import org.apache.batik.bridge.BridgeException;
import org.apache.batik.bridge.DefaultScriptSecurity;
+import org.apache.batik.bridge.ExternalResourceSecurity;
import org.apache.batik.bridge.GVTBuilder;
import org.apache.batik.bridge.NoLoadScriptSecurity;
+import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
import org.apache.batik.bridge.RelaxedScriptSecurity;
import org.apache.batik.bridge.SVGUtilities;
import org.apache.batik.bridge.ScriptSecurity;
@@ -877,6 +879,9 @@ protected void setImageSize(float docWidth, float docHeight) {
= new BooleanKey();
+ public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
+ = new BooleanKey();
+
/**
* A user agent implementation for <code>PrintTranscoder</code>.
*/
@@ -1109,5 +1114,19 @@ protected void computeAllowedScripts(){
}
}
+ public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
+ if (isAllowExternalResources()) {
+ return super.getExternalResourceSecurity(resourceURL, docURL);
+ }
+ return new NoLoadExternalResourceSecurity();
+ }
+
+ public boolean isAllowExternalResources() {
+ Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
+ if (b != null) {
+ return b;
+ }
+ return true;
+ }
}
}


@ -1,27 +0,0 @@
From 0ef5b661a1f77772d1110877ea9e0287987098f6 Mon Sep 17 00:00:00 2001
From: Simon Steiner <ssteiner@apache.org>
Date: Tue, 2 Jun 2020 13:59:37 +0000
Subject: [PATCH] BATIK-1284: Dont load DTDs in NodePickerPanel
git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1878396 13f79535-47bb-0310-9956-ffa450edef68
---
.../org/apache/batik/apps/svgbrowser/NodePickerPanel.java | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java b/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java
index 2a93e95a43..a5ad8e8b11 100644
--- a/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java
+++ b/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java
@@ -847,8 +847,10 @@ private Element parseXml(String xmlString) {
Document doc = null;
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
try {
- javax.xml.parsers.DocumentBuilder parser = factory
- .newDocumentBuilder();
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ javax.xml.parsers.DocumentBuilder parser = factory.newDocumentBuilder();
parser.setErrorHandler(new ErrorHandler() {
public void error(SAXParseException exception)
throws SAXException {


@ -1,30 +0,0 @@
From: Markus Koschany <apo@debian.org>
Date: Sat, 29 Oct 2022 08:28:58 +0200
Subject: CVE-2022-41704
Origin: http://svn.apache.org/viewvc?view=revision&revision=1904320
---
.../src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
index cab8e0e..a3daa0d 100644
--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
+++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
@@ -19,6 +19,7 @@
package org.apache.batik.bridge;
import org.apache.batik.util.ParsedURL;
+import static org.apache.batik.util.SVGConstants.SVG_SCRIPT_TYPE_JAVA;
/**
* Default implementation for the <code>ScriptSecurity</code> interface.
@@ -76,7 +77,7 @@ public class DefaultScriptSecurity implements ScriptSecurity {
ParsedURL docURL){
// Make sure that the archives comes from the same host
// as the document itself
- if (docURL == null) {
+ if (docURL == null || SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) {
se = new SecurityException
(Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
new Object[]{scriptURL}));


@ -1,41 +0,0 @@
From: Markus Koschany <apo@debian.org>
Date: Sat, 29 Oct 2022 08:13:38 +0200
Subject: CVE-2022-42890
Origin: http://svn.apache.org/viewvc?view=revision&revision=1904549
---
.../main/java/org/apache/batik/script/rhino/RhinoClassShutter.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
index 3f95e5d..733061a 100644
--- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
+++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java
@@ -19,6 +19,8 @@
package org.apache.batik.script.rhino;
import org.mozilla.javascript.ClassShutter;
+import java.util.Arrays;
+import java.util.List;
/**
* Class shutter that restricts access to Batik internals from script.
@@ -27,6 +29,7 @@ import org.mozilla.javascript.ClassShutter;
* @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $
*/
public class RhinoClassShutter implements ClassShutter {
+ private static final List<String> WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL");
/*
public RhinoClassShutter() {
@@ -55,6 +58,10 @@ public class RhinoClassShutter implements ClassShutter {
* Returns whether the given class is visible to scripts.
*/
public boolean visibleToScripts(String fullClassName) {
+ if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) {
+ return false;
+ }
+
// Don't let them mess with script engine's internals.
if (fullClassName.startsWith("org.mozilla.javascript"))
return false;


@ -1,7 +1,7 @@
%global classpath batik:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons
Name: batik
Version: 1.10
Release: 8
Version: 1.17
Release: 1
Summary: Batik is an inline templating engine for CoffeeScript
License: Apache-2.0 and W3C and MPL-1.1 and GPL-2.0-or-later and Apache-1.1
URL: https://xmlgraphics.apache.org/batik/
@ -9,15 +9,12 @@ Source0: http://archive.apache.org/dist/xmlgraphics/batik/source/batik-sr
Source1: %{name}-security.policy
Patch1: 0001-Fix-imageio-codec-lookup.patch
Patch6000: CVE-2019-17566.patch
Patch6001: CVE-2020-11987.patch
Patch6002: CVE-2022-41704.patch
Patch6003: CVE-2022-42890.patch
BuildArch: noarch
BuildRequires: maven-local junit apache-parent rhino maven-assembly-plugin
BuildRequires: jython xalan-j2 xml-commons-apis maven-plugin-bundle xmlgraphics-commons
BuildRequires: maven-dependency-plugin
Requires: java-1.8.0-openjdk
Recommends: jai-imageio-core
@ -56,18 +53,13 @@ install -p %{SOURCE1} \
install -p %{SOURCE1} \
batik-svgbrowser/src/main/resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy
%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_inject \
pom:dependency '<optional>true</optional>' batik-all
%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_inject \
'pom:dependency[pom:artifactId="xmlgraphics-commons"]' '<optional>true</optional>' batik-css
%pom_xpath_inject 'pom:dependency[pom:artifactId="xmlgraphics-commons"]' '<optional>true</optional>' batik-css
cp -a batik-i18n/src/main/java/org/apache/batik/i18n batik-util/src/main/java/org/apache/batik/
%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_remove_dep :batik-i18n batik-util
%pom_remove_dep :batik-i18n batik-util
for pom in `find -mindepth 2 -name pom.xml -not -path ./batik-all/pom.xml`; do
%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_add_plugin org.apache.felix:maven-bundle-plugin \
$pom "
%pom_add_plugin org.apache.felix:maven-bundle-plugin $pom "
<extensions>true</extensions>
<configuration>
<instructions>
@ -75,28 +67,43 @@ for pom in `find -mindepth 2 -name pom.xml -not -path ./batik-all/pom.xml`; do
</instructions>
</configuration>
"
%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_inject pom:project \
'<packaging>bundle</packaging>' $pom
%pom_xpath_inject pom:project '<packaging>bundle</packaging>' $pom
done
%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_set pom:Bundle-SymbolicName \
org.apache.batik.util.gui batik-gui-util
%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_disable_module batik-test-old
%pom_xpath_set pom:Bundle-SymbolicName org.apache.batik.util.gui batik-gui-util
%pom_disable_module batik-test-old
%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-squiggle squiggle
%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-squiggle-ext squiggle
%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-svgpp svgpp
%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-ttf2svg ttf2svg
%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-rasterizer rasterizer
%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-rasterizer-ext rasterizer
%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-slideshow slideshow
%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-css css
%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py ':batik-test*' __noinstall
%pom_remove_dep :rhino batik-{bridge,script}
%pom_remove_dep :jython batik-script
rm -rf batik-script/src/main/java/org/apache/batik/script/{jpython,rhino}
rm batik-bridge/src/main/java/org/apache/batik/bridge/BatikWrapFactory.java
rm batik-bridge/src/main/java/org/apache/batik/bridge/SVG12RhinoInterpreter.java
rm batik-bridge/src/main/java/org/apache/batik/bridge/RhinoInterpreter.java
rm batik-bridge/src/main/java/org/apache/batik/bridge/RhinoInterpreterFactory.java
rm batik-bridge/src/main/java/org/apache/batik/bridge/EventTargetWrapper.java
rm batik-bridge/src/main/java/org/apache/batik/bridge/GlobalWrapper.java
rm batik-bridge/src/main/java/org/apache/batik/bridge/WindowWrapper.java
%{_bindir}/python3 %{_datadir}/java-utils/mvn_file.py :batik-all batik-all
%mvn_package :batik-squiggle squiggle
%mvn_package :batik-squiggle-ext squiggle
%mvn_package :batik-svgpp svgpp
%mvn_package :batik-ttf2svg ttf2svg
%mvn_package :batik-rasterizer rasterizer
%mvn_package :batik-rasterizer-ext rasterizer
%mvn_package :batik-slideshow slideshow
%mvn_package :batik-css css
%mvn_package :batik-constants util
%mvn_package :batik-shared-resources util
%mvn_package :batik-i18n util
%mvn_package :batik-util util
%mvn_package ':batik-test*' __noinstall
%mvn_file :batik-all batik-all
rm batik-script/src/main/java/org/apache/batik/script/jacl/JaclInterpreter.java
%build
%{_bindir}/python3 %{_datadir}/java-utils/mvn_build.py
%mvn_build
%install
%mvn_install
@ -125,6 +132,9 @@ cp -a samples %{buildroot}/%{_datadir}/%{name}/
%doc CHANGES MAINTAIN README NOTICE
%changelog
* Thu Sep 07 2023 yaoxin <yao_xin001@hoperun.com> - 1.17-1
- Update to 1.17 for fix CVE-2022-38398,CVE-2022-38648,CVE-2022-40146,CVE-2022-44729 and CVE-2022-44730
* Fri Feb 3 2023 caodongxia <caodongxia@h-partners.com> - 1.10-8
- Add install require java-1.8.0-openjdk