tfr42
commented
2 years ago There are PR #1262 and #1263 to resolve known security issues CVE-2020-11987 in Apache Batik < 1.14 (deegree uses 1.7). Users are advised to verify that their installations are not effected by this vulnerability and may consider to disable SVG support (https://download.deegree.org/documentation/current/html/#_advanced_symbolization).
The following classes do have references to Apache Batik:
- https://github.com/deegree/deegree3/blob/327e7876b43c3885747840d5edc83df2940bc36a/deegree-core/deegree-core-style/src/main/java/org/deegree/style/utils/ShapeHelper.java
- https://github.com/deegree/deegree3/blob/327e7876b43c3885747840d5edc83df2940bc36a/deegree-core/deegree-core-rendering-2d/src/main/java/org/deegree/rendering/r2d/SvgRenderer.java
- https://github.com/deegree/deegree3/blob/327e7876b43c3885747840d5edc83df2940bc36a/deegree-core/deegree-core-rendering-2d/src/main/java/org/deegree/rendering/r2d/context/SvgRenderContext.java
using the following types of Batik API:
import org.apache.batik.dom.GenericDOMImplementation;
import org.apache.batik.svggen.SVGGraphics2D;
import org.apache.batik.transcoder.TranscoderException;
import org.apache.batik.transcoder.TranscoderInput;
import org.apache.batik.transcoder.TranscoderOutput;
import org.apache.batik.transcoder.image.PNGTranscoder;
import org.apache.batik.bridge.BridgeContext;
import org.apache.batik.bridge.DocumentLoader;
import org.apache.batik.bridge.GVTBuilder;
import org.apache.batik.bridge.UserAgent;
import org.apache.batik.bridge.UserAgentAdapter;
import org.apache.batik.dom.svg.SAXSVGDocumentFactory;
import org.apache.batik.gvt.GVTTreeWalker;
import org.apache.batik.gvt.GraphicsNode;
import org.apache.batik.gvt.RootGraphicsNode;
stephanr
deegree currently uses Apache Batik for SVG support. We need a lightweight replacement for Apache Batik. @tfr42 written by