danfickle / openhtmltopdf

An HTML to PDF library for the JVM. Based on Flying Saucer and Apache PDF-BOX 2. With SVG image support. Now also with accessible PDF support (WCAG, Section 508, PDF/UA)!
https://danfickle.github.io/pdf-templates/index.html

SVG support affected by CVE-2022-34169 #863

Open ABeltramo opened 2 years ago

ABeltramo commented 2 years ago

See: https://www.cve.org/CVERecord?id=CVE-2022-34169

Apache Xalan is pulled by org.apache.xmlgraphics:batik-dom which is pulled by org.apache.xmlgraphics:batik-transcoder.

Unfortunately, it looks like Apache Xalan is being retired, so there are no plans to create any future release to address this issue.

Is there any way to move away from this dependency?

Diddern commented 2 years ago

Heavy plus on this. Need to move away from, or be able to exclude, batik-transcoder.

Diddern commented 2 years ago

For Maven you can exclude it, given that you do not use any Xalan features:

<dependency>
    <groupId>com.openhtmltopdf</groupId>
    <artifactId>openhtmltopdf-svg-support</artifactId>
    <version>${openhtml.version}</version>
    <exclusions>
        <exclusion>
            <!-- Drop the transitive Xalan artifact (CVE-2022-34169); only safe if no Xalan features are used -->
            <groupId>xalan</groupId>
            <artifactId>xalan</artifactId>
        </exclusion>
    </exclusions>
</dependency>

MoxxiManagarm commented 2 years ago

Apache Batik actually already removed Xalan https://github.com/apache/xmlgraphics-batik/commit/490aed3336882aae0eb7c39307f04d6d4b85c4ac

But it seems it is not released yet; open.batik.version 1.15 should do once it is available. (https://github.com/apache/xmlgraphics-batik/tags)

Any info on a release schedule here?

MoxxiManagarm commented 2 years ago

Gradle exclude, given that you do not use any Xalan features:

compile('com.openhtmltopdf:openhtmltopdf-svg-support:1.0.10') {
    exclude module: 'xalan' // cause: CVE-2022-34169
}

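Both exclusions above only help if nothing else in the build still pulls Xalan in. One way to check that, as an added example that is not from this thread or the openhtmltopdf project: parse `mvn dependency:tree` output and list every path by which `xalan:xalan` is still reached, which also tells you where an exclusion has to go. The tree text below is constructed to mirror the batik-transcoder -> batik-dom -> xalan chain the issue describes (versions are illustrative); Gradle's `dependencies` report uses a different layout and is not handled here.

```python
import re
from typing import List

# Constructed sample of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- com.openhtmltopdf:openhtmltopdf-svg-support:jar:1.0.10:compile
[INFO] |  \\- org.apache.xmlgraphics:batik-transcoder:jar:1.14:compile
[INFO] |     +- org.apache.xmlgraphics:batik-dom:jar:1.14:compile
[INFO] |     |  \\- xalan:xalan:jar:2.7.2:compile
[INFO] |     |     \\- xalan:serializer:jar:2.7.2:compile
[INFO] |     \\- org.apache.xmlgraphics:batik-svggen:jar:1.14:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Each nesting level is drawn as a 3-character cell ("|  " or "   ") followed
# by a "+- " or "\- " connector; the cell count gives the depth.
CONNECTOR = re.compile(r"^(?P<prefix>(?:[| ]  )*)(?:\+-|\\-) (?P<coords>\S+)")


def find_paths(tree_text: str, group_id: str, artifact_id: str) -> List[List[str]]:
    """Return every root-to-match path for group_id:artifact_id.
    Path elements are 'groupId:artifactId:version'. Empty list = not present."""
    stack: List[str] = []          # stack[d] = node currently open at depth d
    paths: List[List[str]] = []
    for raw in tree_text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        m = CONNECTOR.match(line)
        if m:
            depth = len(m.group("prefix")) // 3 + 1
            coords = m.group("coords")
        elif line.strip():
            depth, coords = 0, line.strip()   # the root module line
        else:
            continue
        # groupId:artifactId:type[:classifier]:version[:scope]
        parts = coords.split(":")
        version = parts[3] if len(parts) <= 5 else parts[4]
        del stack[depth:]                     # close deeper siblings
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
        if parts[0] == group_id and parts[1] == artifact_id:
            paths.append(list(stack))
    return paths


if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE, "xalan", "xalan") or [["xalan:xalan not present"]]:
        print(" -> ".join(path))
```

Feed it real output with `mvn dependency:tree > tree.txt` after adding the exclusion; an empty result means Xalan is gone from the resolved graph for that scope.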
MoxxiManagarm commented 2 years ago

Good news, batik released 1.15 today!

MoxxiManagarm commented 2 years ago

Ouch, CVE-2022-40146 now scores too, marking all batik deps 1.14 as vulnerable. @danfickle Are you well? Can you assist by providing an update?

achimgrimm commented 1 year ago

Batik 1.16 has been released on 2022/10/25. The Batik project page states that the last two releases include security fixes. So it would be great to update the dependency to the latest version.

25 Oct 2022: Version 1.16 Released. This is mainly a bug fix release, including 2 security fixes.

22 Sept 2022: Version 1.15 Released. This is mainly a bug fix release, including 3 security fixes.

https://xmlgraphics.apache.org/batik/