Posted to batik-dev@xmlgraphics.apache.org by Rich Quist <rq...@mathworks.com> on 2022/04/08 16:14:48 UTC

Backporting fixes for CVEs to Batik 1.12

Greetings.
I've been asked to check whether it is possible to backport the fixes for a couple of critical security vulnerabilities that have been reported against Batik 1.12:
1. Reported fixed in Batik 1.14 - CVE-2020-11987: improper input validation by the NodePickerPanel and
2. Reported fixed in Batik 1.13 - CVE-2019-17566: improper input validation by the "xlink:href" attributes

I tried searching through both the dev and commits mailing list archives to see if I could identify/isolate the specific changes that addressed these CVEs, but could not find any related messages based on the CVE #s above.

Can anyone point me towards the changed files that provided the fixes?

Thanks

RE: Backporting fixes for CVEs to Batik 1.12

Posted by si...@gmail.com.
Hi,

They are:

https://issues.apache.org/jira/browse/BATIK-1284
https://issues.apache.org/jira/browse/BATIK-1276

Thanks
