'[jira] [Commented] (BATIK-1048) BATIK includes signed classes from commons-io causing security confl'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       batik-dev
Subject:    [jira] [Commented] (BATIK-1048) BATIK includes signed classes from commons-io causing security confl
From:       "Sean Carroll (JIRA)" <jira () apache ! org>
Date:       2016-01-12 14:41:40
Message-ID: JIRA.12654009.1371761824000.85158.1452609700058 () Atlassian ! JIRA
[Download RAW message or body]


    [ https://issues.apache.org/jira/browse/BATIK-1048?page=com.atlassian.jira.plugin. \
system.issuetabpanels:comment-tabpanel&focusedCommentId=15093972#comment-15093972 ] 

Sean Carroll commented on BATIK-1048:
-------------------------------------

I know this is fairly old but recently stumbled upon this when using the birt runtime \
which has a dependency on org.apache.batik.pdf and was curious if any there are plans \
to address this?

> BATIK includes signed classes from commons-io causing security conflicts
> ------------------------------------------------------------------------
> 
> Key: BATIK-1048
> URL: https://issues.apache.org/jira/browse/BATIK-1048
> Project: Batik
> Issue Type: Bug
> Affects Versions: 1.6
> Reporter: Jim Garrison
> 
> batik-pdf includes, embedded within it, some classes from org.apache.commons.io, \
> specifically CopyUtils and IOUtils.  The jar file is signed.  When this jar file is \
> used in a system that also includes the unsigned commons-io.jar it is possible to \
> get a SecurityException because the JVM may try to load one of these classes from \
> the unsigned jar after having loaded the other one from Batik's jar.  I think this \
> problem is exacerbated by OSGi. In any event, commons-io should be a dependency, \
> NOT partially embedded in batik-pdf.  If you must embed it, then change the package \
> name so it does not conflict. See also \
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=363903 -- the real issue is here in \
> the batik-pdf jar file (and possibly in other Batik jar files as well).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: batik-dev-unsubscribe@xmlgraphics.apache.org
For additional commands, e-mail: batik-dev-help@xmlgraphics.apache.org


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic