xmlgraphics-batik-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jay H. Hartley" <jay.hart...@veeva.com>
Subject Re: [CVE-2015-0250] Apache Batik information disclosure vulnerability
Date Fri, 17 Apr 2015 00:13:17 GMT
This fix in v1.8 still hasn't found its way to Maven Central. I
suspect I know why. I tried downloading the source and building the
maven-artifacts target. There is a directive in the build.xml file
that is incompatible with the version of Ant that is included in the
source distribution:

batik-1.8/build.xml:1837: The <jar> type doesn't support the
"flattenattributes" attribute.

According to the Ant documentation (
https://ant.apache.org/manual/Tasks/manifest.html) this attribute was
introduced in Ant 1.8. The packaged Ant version in lib/build is 1.6.5.

Wasn't sure if I should report this here as a "bug" or subscribe to the dev
list and report it there.

Jay Hartley

On Mar 17, 2015, at 4:02 PM, Mark Mynsted
<mmynsted_consult...@verizon.net> wrote:

> Any idea when the maven repositories will get updated with 1.8?
>>> On Mar 17, 2015, at 4:27 AM, Luis Bernardo <lbernardo@apache.org> wrote:>>
>> >> -----BEGIN PGP SIGNED MESSAGE----->> Hash: SHA1>> >> >>
CVE-2015-0250:>>         Apache Batik information disclosure vulnerability>> >>
>> Severity:>>         Medium>> >> >> Vendor:>>      
  The Apache Software Foundation>> >> >> Versions Affected:>>    
    Batik 1.0 - 1.7>> >> >> Description:>>         Files lying on
the filesystem of the server which uses batik can>>         be revealed to arbitrary
users who send maliciously formed SVG>>         files. The file types that can be shown
depend on the user context>>         in which the exploitable application is running.
If the user is root>>         a full compromise of the server--including confidential
or sensitive>>         files--would be possible.>> >>         XXE can also
be used to attack the availability of the server>>         via denial of service as
the references within a xml document>>         can trivially trigger an amplification
attack.>> >> >> Mitigation:>>         Users should upgrade to Batik
1.8+>> >> >> Credit:>>         This issue was independently reported
by Nicolas Gregoire of AGARRI>>         (www.agarri.fr) and Kevin Schaller of ERNW (www.ernw.de).>>
>> References:>>         http://xmlgraphics.apache.org/security.html>> >>
Luis Bernardo>> >> -----BEGIN PGP SIGNATURE----->> Version: GnuPG v1.4.12
(Darwin)>> >> iQEcBAEBAgAGBQJVB++5AAoJEIIDaYnVa18X7LUH/0c9UNsa27D+lUdH0a+ADqWm>>
molgIssNAw4oUmZSzm4VKRhE3poG+d0WLhL2l5HpSJDBpOXLbE3txlYuiEHWibjf>> Ho1ImstDLstsF3T933Gad8eseSU2GusFIqWbjnRVxdMwqK+en4EOXfNEFysofls8>>
zQk//K5s3nDog2YP272IZkQjfkyvwPF3v4pSzVSnIxcod7OffIMpqvQ4lFahq8H6>> cG84RhmJTQ2oo4I4v/tb+jELgZSTvN5U+owzQejwuQxYaCgyK18Rzpi3bi5TiEy5>>
TpH5Bq5jT7cOqG2IUNSE7W1tk1JeNP0iuxBQN+yFZK0YAXpWHP9yXUd2fe1mu3Y=>> =XBUb>> -----END

View raw message