CVE-2018-8013

Priority
Description
In Apache Batik 1.x before 1.10, when deserializing a subclass of
`AbstractDocument`, the class takes a string from the input stream as the
class name and then uses it to call the no-arg constructor of that class.
The fix was to check the class type before calling newInstance during
deserialization.
Bugs
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899374
https://issues.apache.org/jira/browse/BATIK-1222
Assigned-to
leosilva
Notes
Package
Source: batik (LP Ubuntu Debian)
Upstream:released (1.10-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was released [1.7.ubuntu-8ubuntu2.14.04.3])
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):not-affected (1.10-1)
Ubuntu 19.10 (Eoan):not-affected (1.10-1)
Patches:
Other:https://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-dom/src/main/java/org/apache/batik/dom/AbstractDocument.java?r1=1831241&r2=1831240&pathrev=1831241
More Information

Updated: 2019-10-18 02:42:13 UTC (commit cccfc4426d8c1fbf582a89d981fe7fc812124543)