From general-return-2977-archive-asf-public=cust-asf.ponee.io@xmlgraphics.apache.org Wed May 23 14:16:06 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 7522C18077B for ; Wed, 23 May 2018 14:16:05 +0200 (CEST) Received: (qmail 38867 invoked by uid 500); 23 May 2018 12:16:04 -0000 Mailing-List: contact general-help@xmlgraphics.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: general@xmlgraphics.apache.org Delivered-To: mailing list general@xmlgraphics.apache.org Received: (qmail 38776 invoked by uid 99); 23 May 2018 12:16:03 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 23 May 2018 12:16:03 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 3E2AA18065E; Wed, 23 May 2018 12:16:03 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 0.348 X-Spam-Level: X-Spam-Status: No, score=0.348 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, KAM_MANYTO=0.2, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd3-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id ZIq6_W-5Ww1B; Wed, 23 May 2018 12:16:02 +0000 (UTC) Received: from mail-wr0-f175.google.com (mail-wr0-f175.google.com [209.85.128.175]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id 3C0685F23C; Wed, 23 May 2018 12:16:02 +0000 (UTC) Received: by mail-wr0-f175.google.com with SMTP id x9-v6so23227646wrl.13; Wed, 23 May 2018 05:16:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=wD6hYiI7+e0NbK+rmFNoeus8h6MN6I/AXEY9UGwHhjc=; b=d1ow8zKDV8qRH1cxyUVHhUIGU5vL8FMRjb9S4UILVeQWT6BZOwmHCv7biwdGUtsVXc 1W/1IZeoFdZqfeJUcilqo7woRem7ZhoAfWetXoZO3JmyENOvzF8qb+00TcBEuaDD90sr TjAk3xjfe4JXoxSusohyo8eDqT8eZ73wQlwFt9Q/U5lsxTUnziW8M2DcxF30Y1tBEPQs cauqwNa2zS5B6pk6W8T+nD0UMwQIuvjFIF/XCX/Qdb5IWPXWVe4WByoX2IFCZ38qpGEW BELyQE7IpLuZ1UGgLDtLYikKJYBXbSrNg74Kc4GK4tRlWhqr8WooRFH09oxhGTVLj2ZL p9bA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding:thread-index:content-language; bh=wD6hYiI7+e0NbK+rmFNoeus8h6MN6I/AXEY9UGwHhjc=; b=fjI9RKQjeveGcUXVq4tBF/dHEcYLBwjCvZSF9187Plbr+Cwic+zjtj5gF9F6FtsBBc E9rP+2udXbrHIsIWN+vfFmeyJmDUHSgQiMJ7XyMYPsyugExl290a1J2mcfJwTJDrUFNO k3mP/byQfQAFo/tOfZchs4rpiFxJu75bOARGGkbYHP1/ZjS+yAICp/UjQG8y54HJO60b JIqdEc3nluYk6/i9SCMo0h6O6PMqQZHBSKEOMe3GRyR9LjTrVFzSqBKH5Ay7Al2pNLfl a02sBFMyakfxuEZ872iu8Ya8A5KaowOvcv8+vp4lFD3xNhqLYkVRi+EYm7R7WLN2wchC rKgA== X-Gm-Message-State: ALKqPweQ2Kp96IyWyWmH6WOOqM7vAORDRblSrPs1/Syo9nwny4dX8C0W YOx1OYgcitM6egM23PQDPJKWbQgO X-Google-Smtp-Source: AB8JxZqN3UNfq9TeETKZmH66OFxI5b9Tx5S5a6ywwSfdlpH3PJNRcvLl7nCkPsaQsHR/fzu0iY/Pyg== X-Received: by 2002:adf:afe4:: with SMTP id y36-v6mr2171358wrd.107.1527077761021; Wed, 23 May 2018 05:16:01 -0700 (PDT) Received: from sswin ([213.78.96.130]) by smtp.gmail.com with ESMTPSA id 89-v6sm7622402wri.37.2018.05.23.05.16.00 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 23 May 2018 05:16:00 -0700 (PDT) From: "Simon Steiner" To: , , , , , , Subject: [CVE-2018-8013] Apache Batik information disclosure vulnerability Date: Wed, 23 May 2018 13:16:00 +0100 Message-ID: <000701d3f28f$d01860a0$704921e0$@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 16.0 Thread-Index: AdPyjpW15mpVsRR4RmeDT6bpMyWZ9g== Content-Language: en-gb CVE-2018-8013: Apache Batik information disclosure vulnerability Severity: Medium Vendor: The Apache Software Foundation Versions Affected: Batik 1.0 - 1.9.1 Description: When deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization. Mitigation: Users should upgrade to Batik 1.10+ Credit: This issue was independently reported by Man Yue Mo. References: http://xmlgraphics.apache.org/security.html The Apache XML Graphics team. --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscribe@xmlgraphics.apache.org For additional commands, e-mail: general-help@xmlgraphics.apache.org