[arch-security] [ASA-201504-5] java-batik: xml external entity injection

Levente Polyak anthraxx at archlinux.org
Sat Apr 4 13:54:01 UTC 2015


Arch Linux Security Advisory ASA-201504-5
=========================================

Severity: Medium
Date    : 2015-04-04
CVE-ID  : CVE-2015-0250
Package : java-batik
Type    : xml external entity injection
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package java-batik before version 1.8-1 is vulnerable to XML
external entity injection.

Resolution
==========

Upgrade to 1.8-1.

# pacman -Syu "java-batik>=1.8-1"

The problem has been fixed upstream in version 1.8.

Workaround
==========

None.

Description
===========

Batik offers several classes for SVG to PNG/JPG conversion, which suffer
from an XML External Entity (XXE) injection due to the evaluation of
external entities within the given SVG file. If an application offers
the possibility to upload an SVG file, an attacker can supply a
maliciously formed file and retrieve sensitive information such as the
contents of files on the respective server. The type of file that can be
retrieved depends on the user context in which the application is
running.
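As an added illustration (not part of this advisory, nor code from Batik), a server-side pre-check written against plain JAXP that refuses any uploaded SVG carrying a DOCTYPE before the document is handed to Batik's transcoders, so no external entity can be declared, let alone resolved; the class name, the isSafeSvg helper and the two sample SVG strings are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class SvgUploadGuard {

    // Build a DOM parser that rejects DOCTYPE declarations outright and, as
    // defence in depth, disables external entity and external DTD loading.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Constructed helper: true only if the upload parses cleanly under the
    // hardened parser. A DOCTYPE (and therefore any entity declaration) or
    // malformed XML makes the parser throw, and the upload is rejected.
    static boolean isSafeSvg(String svg) {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            return false;
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException("parser misconfigured", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a plain SVG and one declaring an entity.
        String clean = "<svg xmlns=\"http://www.w3.org/2000/svg\"><rect width=\"1\" height=\"1\"/></svg>";
        String withDoctype = "<!DOCTYPE svg [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
            + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&ext;</text></svg>";
        System.out.println("clean upload accepted: " + isSafeSvg(clean));
        System.out.println("doctype upload accepted: " + isSafeSvg(withDoctype));
    }
}
```

Only a file that passes isSafeSvg should be passed on to Batik's transcoder; the parsed DOM is discarded, the check exists purely to gate the raw bytes.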

Impact
======

A remote attacker is able to use a specially crafted SVG file to read
arbitrary files or cause a denial of service.

References
==========

http://seclists.org/fulldisclosure/2015/Mar/142
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0250
https://bugs.archlinux.org/task/44410
