diff --git a/CVE-2019-17566.patch b/CVE-2019-17566.patch
deleted file mode 100644
index 38381ee2631c3105d8afb5d3956f0e8b43c1ba0a..0000000000000000000000000000000000000000
--- a/CVE-2019-17566.patch
+++ /dev/null
@@ -1,116 +0,0 @@ -From bc6078ca949039e2076cd08b4cb169c84c1179b1 Mon Sep 17 00:00:00 2001 -From: Simon Steiner -Date: Mon, 9 Dec 2019 12:24:18 +0000 -Subject: [PATCH] BATIK-1276: Allow blocking of external resources - -git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1871084 13f79535-47bb-0310-9956-ffa450edef68 ---- - .../apache/batik/apps/rasterizer/Main.java | 17 +++++++++++++++++ - .../batik/apps/rasterizer/SVGConverter.java | 6 ++++++ - .../transcoder/SVGAbstractTranscoder.java | 19 +++++++++++++++++++ - 3 files changed, 42 insertions(+) - -diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java -index c70b4dd691..a4248b527d 100644 ---- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java -+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java -@@ -501,6 +501,12 @@ public Color parseARGB(String argbVal){ - public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION - = Messages.get("Main.cl.option.constrain.script.origin.description", "No description"); - -+ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES -+ = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources"); -+ -+ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION -+ = Messages.get("Main.cl.option.block.external.resources.description", "No description"); -+ - /** - * Option to turn off secure execution of scripts - */ -@@ -829,6 +835,17 @@ public String getOptionDescription(){ - return CL_OPTION_SECURITY_OFF_DESCRIPTION; - } - }); -+ -+ optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES, -+ new NoValueOptionHandler(){ -+ public void handleOption(SVGConverter c){ -+ c.allowExternalResources = false; -+ } -+ -+ public String getOptionDescription(){ -+ return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION; -+ } -+ }); - } - - /** -diff --git 
a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java -index 324c3abcfe..9ec2135458 100644 ---- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java -+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java -@@ -253,6 +253,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more - the document which references them. */ - protected boolean constrainScriptOrigin = true; - -+ protected boolean allowExternalResources = true; -+ - /** Controls whether scripts should be run securely or not */ - protected boolean securityOff = false; - -@@ -925,6 +927,10 @@ protected Map computeTranscodingHints(){ - map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE); - } - -+ if (!allowExternalResources) { -+ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE); -+ } -+ - return map; - } - -diff --git a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java -index 65d983bfae..8d6ffe3b1f 100644 ---- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java -+++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java -@@ -33,8 +33,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more - import org.apache.batik.bridge.BridgeContext; - import org.apache.batik.bridge.BridgeException; - import org.apache.batik.bridge.DefaultScriptSecurity; -+import org.apache.batik.bridge.ExternalResourceSecurity; - import org.apache.batik.bridge.GVTBuilder; - import org.apache.batik.bridge.NoLoadScriptSecurity; -+import org.apache.batik.bridge.NoLoadExternalResourceSecurity; - import org.apache.batik.bridge.RelaxedScriptSecurity; - import org.apache.batik.bridge.SVGUtilities; - 
import org.apache.batik.bridge.ScriptSecurity; -@@ -877,6 +879,9 @@ protected void setImageSize(float docWidth, float docHeight) { - = new BooleanKey(); - - -+ public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES -+ = new BooleanKey(); -+ - /** - * A user agent implementation for PrintTranscoder. - */ -@@ -1109,5 +1114,19 @@ protected void computeAllowedScripts(){ - } - } - -+ public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) { -+ if (isAllowExternalResources()) { -+ return super.getExternalResourceSecurity(resourceURL, docURL); -+ } -+ return new NoLoadExternalResourceSecurity(); -+ } -+ -+ public boolean isAllowExternalResources() { -+ Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES); -+ if (b != null) { -+ return b; -+ } -+ return true; -+ } - } - } diff --git a/CVE-2020-11987.patch b/CVE-2020-11987.patch deleted file mode 100644 index a8beb22cd967e92941ab9aeb90ffef8877ad0c19..0000000000000000000000000000000000000000 --- a/CVE-2020-11987.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From 0ef5b661a1f77772d1110877ea9e0287987098f6 Mon Sep 17 00:00:00 2001 -From: Simon Steiner -Date: Tue, 2 Jun 2020 13:59:37 +0000 -Subject: [PATCH] BATIK-1284: Dont load DTDs in NodePickerPanel - -git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1878396 13f79535-47bb-0310-9956-ffa450edef68 ---- - .../org/apache/batik/apps/svgbrowser/NodePickerPanel.java | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java b/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java -index 2a93e95a43..a5ad8e8b11 100644 ---- a/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java -+++ b/batik-svgbrowser/src/main/java/org/apache/batik/apps/svgbrowser/NodePickerPanel.java -@@ -847,8 +847,10 @@ private Element parseXml(String xmlString) { - Document doc = null; - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - try { -- javax.xml.parsers.DocumentBuilder parser = factory -- .newDocumentBuilder(); -+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false); -+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); -+ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); -+ javax.xml.parsers.DocumentBuilder parser = factory.newDocumentBuilder(); - parser.setErrorHandler(new ErrorHandler() { - public void error(SAXParseException exception) - throws SAXException { diff --git a/CVE-2022-41704.patch b/CVE-2022-41704.patch deleted file mode 100644 index 1e5a1d4123c87e21f0d4abb6cfeeb2276a12ea89..0000000000000000000000000000000000000000 --- a/CVE-2022-41704.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From: Markus Koschany -Date: Sat, 29 Oct 2022 08:28:58 +0200 -Subject: CVE-2022-41704 - -Origin: http://svn.apache.org/viewvc?view=revision&revision=1904320 ---- - .../src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java -index cab8e0e..a3daa0d 100644 ---- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java -+++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java -@@ -19,6 +19,7 @@ - package org.apache.batik.bridge; - - import org.apache.batik.util.ParsedURL; -+import static org.apache.batik.util.SVGConstants.SVG_SCRIPT_TYPE_JAVA; - - /** - * Default implementation for the ScriptSecurity interface. -@@ -76,7 +77,7 @@ public class DefaultScriptSecurity implements ScriptSecurity { - ParsedURL docURL){ - // Make sure that the archives comes from the same host - // as the document itself -- if (docURL == null) { -+ if (docURL == null || SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) { - se = new SecurityException - (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL, - new Object[]{scriptURL})); diff --git a/CVE-2022-42890.patch b/CVE-2022-42890.patch deleted file mode 100644 index 3c5b6da86a4aa5c9d92fc6bc398bab4ee145c404..0000000000000000000000000000000000000000 --- a/CVE-2022-42890.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From: Markus Koschany -Date: Sat, 29 Oct 2022 08:13:38 +0200 -Subject: CVE-2022-42890 - -Origin: http://svn.apache.org/viewvc?view=revision&revision=1904549 ---- - .../main/java/org/apache/batik/script/rhino/RhinoClassShutter.java | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java -index 3f95e5d..733061a 100644 ---- a/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java -+++ b/batik-script/src/main/java/org/apache/batik/script/rhino/RhinoClassShutter.java -@@ -19,6 +19,8 @@ - package org.apache.batik.script.rhino; - - import org.mozilla.javascript.ClassShutter; -+import java.util.Arrays; -+import java.util.List; - - /** - * Class shutter that restricts access to Batik internals from script. -@@ -27,6 +29,7 @@ import org.mozilla.javascript.ClassShutter; - * @version $Id: RhinoClassShutter.java 1733416 2016-03-03 07:07:13Z gadams $ - */ - public class RhinoClassShutter implements ClassShutter { -+ private static final List WHITELIST = Arrays.asList("java.io.PrintStream", "java.lang.System", "java.net.URL"); - - /* - public RhinoClassShutter() { -@@ -55,6 +58,10 @@ public class RhinoClassShutter implements ClassShutter { - * Returns whether the given class is visible to scripts. - */ - public boolean visibleToScripts(String fullClassName) { -+ if (fullClassName.startsWith("java.") && !WHITELIST.contains(fullClassName) && !fullClassName.endsWith("Permission")) { -+ return false; -+ } -+ - // Don't let them mess with script engine's internals. - if (fullClassName.startsWith("org.mozilla.javascript")) - return false; 
diff --git a/batik-src-1.10.zip b/batik-src-1.17.zip
similarity index 67%
rename from batik-src-1.10.zip
rename to batik-src-1.17.zip
index 6dd539a11c2272b7210fce090710ce751f099df0..3bad9143aa01917f2c0792ac4c757ff44d251164 100644
Binary files a/batik-src-1.10.zip and b/batik-src-1.17.zip differ
diff --git a/batik.spec b/batik.spec
index cfa1701cf5ba3a7120188a1072301366a2d19ca7..692040c76f4e5d972af093387a1688108985411f 100644
--- a/batik.spec
+++ b/batik.spec
@@ -1,7 +1,7 @@
 %global classpath batik:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons
 Name: batik
-Version: 1.10
-Release: 8
+Version: 1.17
+Release: 1
 Summary: Batik is an inline templating engine for CoffeeScript
 License: Apache-2.0 and W3C and MPL-1.1 and GPL-2.0-or-later and Apache-1.1
 URL: https://xmlgraphics.apache.org/batik/
@@ -9,15 +9,12 @@ Source0: http://archive.apache.org/dist/xmlgraphics/batik/source/batik-sr
 Source1: %{name}-security.policy
 Patch1: 0001-Fix-imageio-codec-lookup.patch
-Patch6000: CVE-2019-17566.patch
-Patch6001: CVE-2020-11987.patch
-Patch6002: CVE-2022-41704.patch
-Patch6003: CVE-2022-42890.patch
 BuildArch: noarch
 BuildRequires: maven-local junit apache-parent rhino maven-assembly-plugin
 BuildRequires: jython xalan-j2 xml-commons-apis maven-plugin-bundle xmlgraphics-commons
+BuildRequires: maven-dependency-plugin
 Requires: java-1.8.0-openjdk
 Recommends: jai-imageio-core
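Review bot: The two `BuildRequires:` lines that still list `rhino` and `jython` are kept as context here, yet the %prep hunk further down removes both dependencies from the poms (`%pom_remove_dep :rhino batik-{bridge,script}`, `%pom_remove_dep :jython batik-script`) and deletes the interpreter sources, so those build dependencies look unused now; unless another module still needs them, drop `rhino` and `jython` from the two lines so the build no longer pulls in a script engine it does not ship. Removing Patch6000–Patch6003 is only safe if the 1.17 tarball already carries those four fixes, and nothing in the spec says so; a one-line comment next to Patch1 such as `# CVE-2019-17566, CVE-2020-11987, CVE-2022-41704 and CVE-2022-42890 are fixed in upstream 1.17` would keep that visible to anyone auditing the spec later.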
@@ -56,18 +53,13 @@ install -p %{SOURCE1} \ install -p %{SOURCE1} \ batik-svgbrowser/src/main/resources/org/apache/batik/apps/svgbrowser/resources/svgbrowser.policy -%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_inject \ - pom:dependency 'true' batik-all -%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_inject \ - 'pom:dependency[pom:artifactId="xmlgraphics-commons"]' 'true' batik-css +%pom_xpath_inject 'pom:dependency[pom:artifactId="xmlgraphics-commons"]' 'true' batik-css cp -a batik-i18n/src/main/java/org/apache/batik/i18n batik-util/src/main/java/org/apache/batik/ - -%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_remove_dep :batik-i18n batik-util +%pom_remove_dep :batik-i18n batik-util for pom in `find -mindepth 2 -name pom.xml -not -path ./batik-all/pom.xml`; do - %{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_add_plugin org.apache.felix:maven-bundle-plugin \ - $pom " + %pom_add_plugin org.apache.felix:maven-bundle-plugin $pom " true 
@@ -75,28 +67,43 @@ for pom in `find -mindepth 2 -name pom.xml -not -path ./batik-all/pom.xml`; do " - %{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_inject pom:project \ - 'bundle' $pom + %pom_xpath_inject pom:project 'bundle' $pom done -%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_xpath_set pom:Bundle-SymbolicName \ - org.apache.batik.util.gui batik-gui-util -%{_bindir}/python3 %{_datadir}/java-utils/pom_editor.py pom_disable_module batik-test-old - -%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-squiggle squiggle -%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-squiggle-ext squiggle -%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-svgpp svgpp -%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-ttf2svg ttf2svg -%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-rasterizer rasterizer -%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-rasterizer-ext rasterizer -%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-slideshow slideshow -%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py :batik-css css -%{_bindir}/python3 %{_datadir}/java-utils/mvn_package.py ':batik-test*' __noinstall - -%{_bindir}/python3 %{_datadir}/java-utils/mvn_file.py :batik-all batik-all +%pom_xpath_set pom:Bundle-SymbolicName org.apache.batik.util.gui batik-gui-util +%pom_disable_module batik-test-old + +%pom_remove_dep :rhino batik-{bridge,script} +%pom_remove_dep :jython batik-script +rm -rf batik-script/src/main/java/org/apache/batik/script/{jpython,rhino} +rm batik-bridge/src/main/java/org/apache/batik/bridge/BatikWrapFactory.java +rm batik-bridge/src/main/java/org/apache/batik/bridge/SVG12RhinoInterpreter.java +rm batik-bridge/src/main/java/org/apache/batik/bridge/RhinoInterpreter.java +rm batik-bridge/src/main/java/org/apache/batik/bridge/RhinoInterpreterFactory.java +rm batik-bridge/src/main/java/org/apache/batik/bridge/EventTargetWrapper.java +rm 
batik-bridge/src/main/java/org/apache/batik/bridge/GlobalWrapper.java +rm batik-bridge/src/main/java/org/apache/batik/bridge/WindowWrapper.java + +%mvn_package :batik-squiggle squiggle +%mvn_package :batik-squiggle-ext squiggle +%mvn_package :batik-svgpp svgpp +%mvn_package :batik-ttf2svg ttf2svg +%mvn_package :batik-rasterizer rasterizer +%mvn_package :batik-rasterizer-ext rasterizer +%mvn_package :batik-slideshow slideshow +%mvn_package :batik-css css +%mvn_package :batik-constants util +%mvn_package :batik-shared-resources util +%mvn_package :batik-i18n util +%mvn_package :batik-util util +%mvn_package ':batik-test*' __noinstall + +%mvn_file :batik-all batik-all + +rm batik-script/src/main/java/org/apache/batik/script/jacl/JaclInterpreter.java %build -%{_bindir}/python3 %{_datadir}/java-utils/mvn_build.py +%mvn_build %install %mvn_install @@ -125,6 +132,9 @@ cp -a samples %{buildroot}/%{_datadir}/%{name}/ %doc CHANGES MAINTAIN README NOTICE %changelog +* Thu Sep 07 2023 yaoxin - 1.17-1 +- Update to 1.17 for fix CVE-2022-38398,CVE-2022-38648,CVE-2022-40146,CVE-2022-44729 and CVE-2022-44730 + * Fri Feb 3 2023 caodongxia - 1.10-8 - Add install require java-1.8.0-openjdk
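Review bot: The new `%pom_remove_dep :rhino`/`:jython` lines and the `rm` of the Rhino, Jython and Jacl interpreter sources remove Batik's script engines without any comment on why, and the Jacl removal (`rm batik-script/src/main/java/org/apache/batik/script/jacl/JaclInterpreter.java`) is placed after the %mvn_package block, away from the other `rm` lines it belongs with. Move that line up next to the other removals and put a short comment above the group, e.g. `# Script interpreters (Rhino, Jython, Jacl) are removed from the build; embedded SVG script is not executed by these jars`, filling in the actual reason (unavailable build deps, attack-surface reduction, or both). With the interpreter classes gone, documents containing script presumably no longer run it, which is a user-visible behaviour change worth stating where the deletion happens. The surrounding %prep section starts before this hunk.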
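Review bot: The new %changelog entry names only the five CVEs fixed by the 1.17 update; it does not record that the four carried patches (CVE-2019-17566, CVE-2020-11987, CVE-2022-41704, CVE-2022-42890) were dropped, presumably because 1.17 already contains those fixes, nor that the Rhino, Jython and Jacl script interpreters were removed from the build. Add lines such as `- Drop CVE-2019-17566, CVE-2020-11987, CVE-2022-41704 and CVE-2022-42890 patches, fixed upstream` and `- Remove Rhino, Jython and Jacl script interpreters from the build` so that the package's security history stays traceable from the changelog alone.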