Opened 6 months ago

Closed 5 months ago

#20501 closed enhancement (fixed)

fop-2.10

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: elevated Milestone: 12.3
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New minor version

Release notes:

Major Changes in Version 2.10

    Add option to sign PDF
    Add image mask option for AFP
    Allow change of resource level for SVG in AFP
    Switch to Jakarta servlet API

Security fix:

Severity: moderate

Affected versions:

- Apache XML Graphics FOP 2.9

Description:

Improper Restriction of XML External Entity Reference ('XXE') vulnerability in Apache XML Graphics FOP.

This issue affects Apache XML Graphics FOP: 2.9.

Users are recommended to upgrade to version 2.10, which fixes the issue.

This issue is being tracked as FOP-3168 

Credit:

c1gar of Shanxi Normal University (finder)

References:

https://xmlgraphics.apache.org/security.html
https://xmlgraphics.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-28168
https://issues.apache.org/jira/browse/FOP-3168

Change History (3)

comment:1 by Douglas R. Reno, 6 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 5 months ago

It fails to build with:

[javac] /sources/fop-2.10/fop-core/src/main/java/org/apache/fop/layoutmgr/KnuthSequence.java:147: error: removeLast() in KnuthSequence cannot implement removeLast() in List
[javac] public ListElement removeLast() {
[javac] return type ListElement is not compatible with T
[javac] where E,T are type-variables:
[javac] E extends Object declared in interface List
[javac] /sources/fop-2.10/fop-core/src/main/java/org/apache/fop/layoutmgr/KnuthSequence.java:137: error: getLast() in KnuthSequence cannot implement getLast() in List
[javac] public ListElement getLast() {
[javac] return type ListElement is not compatible with T
[javac] where E,T are type-variables:
[javac] E extends Object declared in interface List
[javac] /sources/fop-2.10/fop-core/src/main/java/org/apache/fop/layoutmgr/BlockKnuthSequence.java:28: error: methods removeLast() from KnuthSequence and removeLast() from ArrayList are inherited with the same signature
[javac] public class BlockKnuthSequence extends KnuthSequence {
[javac]
[javac] where E is a type-variable:

While looking at this, it looks like there is a new Java version available that we can update to - 23.0.1. That does contain some security fixes in it, so I'll file a ticket for that.

Before I work on that and LibreOffice though, I would like a decision to be made regarding Poppler, since I'm really going to need that to be functional before I can update LibreOffice as well, and it makes sense to do Java/LibreOffice/FOP at the same time since I need to use LibreOffice and FOP as part of tests for Java. Inkscape does have a bug report for Poppler at least, but as far as I can see LibreOffice doesn't yet.

comment:3 by Douglas R. Reno, 5 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 30c83f1a8c0dcd7c38e932a5bf6002d68673726e

SA-12.2-038 issued
