CVE-2018-8013

Priority
Description
In Apache Batik 1.x before 1.10, when deserializing a subclass of
`AbstractDocument`, the class reads a string from the input stream, treats it
as a class name, and uses it to call the no-arg constructor of that class.
The fix was to check the class type before calling newInstance during
deserialization.
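The pattern the description refers to, shown as an added illustration that is not Batik's own code: a custom `readObject` that pulls a class name out of the stream and instantiates it reflectively, with the class-type check placed before the constructor call as the mitigation. The names `DomImpl`, `SvgDomImpl`, `SvgDocument` and `loadImplementationClass` are assumptions chosen for the sketch; the real Batik classes differ.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Stand-in for the DOM implementation interface a document belongs to (assumed name).
interface DomImpl {
    String name();
}

// Concrete implementation with the no-arg constructor deserialisation relies on.
class SvgDomImpl implements DomImpl {
    public String name() { return "svg"; }
}

// Hypothetical sketch of the AbstractDocument pattern; not Batik's code.
abstract class AbstractDocument implements Serializable {
    private static final long serialVersionUID = 1L;

    // Not serialised as an object: only its class name is written to the stream.
    protected transient DomImpl implementation;

    protected AbstractDocument(DomImpl impl) {
        this.implementation = impl;
    }

    public DomImpl getImplementation() {
        return implementation;
    }

    // Resolve the class named in the stream, refusing anything that is not a DomImpl.
    // initialize=false keeps the named class's static initialiser from running before
    // the type check has passed.
    static Class<? extends DomImpl> loadImplementationClass(String className)
            throws IOException, ClassNotFoundException {
        Class<?> cls = Class.forName(className, false, AbstractDocument.class.getClassLoader());
        if (!DomImpl.class.isAssignableFrom(cls)) {
            throw new InvalidClassException(className, "not a " + DomImpl.class.getName());
        }
        return cls.asSubclass(DomImpl.class);
    }

    private void writeObject(ObjectOutputStream out) throws IOException {
        out.defaultWriteObject();
        out.writeUTF(implementation.getClass().getName());
    }

    // Vulnerable shape, for contrast:
    //   implementation = (DomImpl) Class.forName(in.readUTF()).newInstance();
    // There the no-arg constructor of whatever class the stream names runs before the cast fails.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        Class<? extends DomImpl> cls = loadImplementationClass(in.readUTF());
        try {
            implementation = cls.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new InvalidClassException(cls.getName(), "cannot instantiate: " + e);
        }
    }
}

// A concrete document subclass, as a stand-in for Batik's document types.
class SvgDocument extends AbstractDocument {
    private static final long serialVersionUID = 1L;
    SvgDocument() { super(new SvgDomImpl()); }
}

public class DeserializationCheckDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Legitimate round trip: the class named in the stream is a DomImpl, so it is accepted.
        byte[] bytes = serialize(new SvgDocument());
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            SvgDocument doc = (SvgDocument) ois.readObject();
            System.out.println("restored implementation: " + doc.getImplementation().name());
        }

        // The type check on its own: a class name that is not a DomImpl is rejected
        // before its constructor could be reached.
        try {
            AbstractDocument.loadImplementationClass("java.lang.StringBuilder");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationCheckDemo.java && java DeserializationCheckDemo`. The check sits between reading the name and the constructor call, which is exactly the ordering the fix description asks for; loading with `initialize=false` is an extra precaution so that merely resolving the named class does not execute its static initialiser.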
Bugs
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=899374
https://issues.apache.org/jira/browse/BATIK-1222
Assigned-to
leosilva
Package
Source: batik (LP Ubuntu Debian)
Upstream: released (1.10-1)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Trusty/esm: DNE (trusty was released [1.7.ubuntu-8ubuntu2.14.04.3])
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 18.10 (Cosmic Cuttlefish): not-affected (1.10-1)
Ubuntu 19.04 (Disco Dingo): not-affected (1.10-1)
Ubuntu 19.10 (Eoan): not-affected (1.10-1)
Patches:
Other: https://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-dom/src/main/java/org/apache/batik/dom/AbstractDocument.java?r1=1831241&r2=1831240&pathrev=1831241
More Information

Updated: 2019-04-26 14:30:27 UTC (commit 30899e40836d26e1bb5f0b072d31fd87b6cf3bd4)