diff -Nru batik-1.7.ubuntu/debian/changelog batik-1.7.ubuntu/debian/changelog
--- batik-1.7.ubuntu/debian/changelog 2017-05-04 16:50:52.000000000 +0000
+++ batik-1.7.ubuntu/debian/changelog 2018-05-28 18:21:44.000000000 +0000
@@ -1,3 +1,12 @@
+batik (1.7.ubuntu-8ubuntu2.14.04.3) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: Information disclosure vulnerability
+ - debian/patches/CVE-2018-8013.patch: fix in
+ sources/org/apache/batik/dom/AbstractDocument.java.
+ - CVE-2018-8013
+
+ -- Leonidas S. Barbosa Mon, 28 May 2018 14:08:13 -0300
+
 batik (1.7.ubuntu-8ubuntu2.14.04.2) trusty-security; urgency=medium
 * SECURITY UPDATE: SSRF through external DTD resolution
diff -Nru batik-1.7.ubuntu/debian/patches/CVE-2018-8013.patch batik-1.7.ubuntu/debian/patches/CVE-2018-8013.patch
--- batik-1.7.ubuntu/debian/patches/CVE-2018-8013.patch 1970-01-01 00:00:00.000000000 +0000
+++ batik-1.7.ubuntu/debian/patches/CVE-2018-8013.patch 2018-05-28 18:19:47.000000000 +0000
@@ -0,0 +1,32 @@
+From: Markus Koschany
+Date: Fri, 25 May 2018 16:35:42 +0200
+Subject: CVE-2018-8013
+
+Bug-Debian: https://bugs.debian.org/899374
+Bug-Upstream: https://issues.apache.org/jira/browse/BATIK-1222
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1831241
+---
+ sources/org/apache/batik/dom/AbstractDocument.java | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/sources/org/apache/batik/dom/AbstractDocument.java b/sources/org/apache/batik/dom/AbstractDocument.java
+index 421e6b2..64a5269 100644
+--- a/sources/org/apache/batik/dom/AbstractDocument.java
++++ b/sources/org/apache/batik/dom/AbstractDocument.java
+@@ -2722,9 +2722,13 @@ public abstract class AbstractDocument
+ Method m = c.getMethod("getDOMImplementation", (Class[])null);
+ implementation = (DOMImplementation)m.invoke(null, (Object[])null);
+ } catch (Exception e) {
+- try {
+- implementation = (DOMImplementation)c.newInstance();
+- } catch (Exception ex) {
++ if (DOMImplementation.class.isAssignableFrom(c)) {
++ try {
++ implementation = (DOMImplementation)c.newInstance();
++ } catch (Exception ex) {
++ }
++ } else {
++ throw new SecurityException("Trying to create object that is not a DOMImplementation.");
+ }
+ }
+ }
diff -Nru batik-1.7.ubuntu/debian/patches/series batik-1.7.ubuntu/debian/patches/series
--- batik-1.7.ubuntu/debian/patches/series 2017-05-04 16:48:19.000000000 +0000
+++ batik-1.7.ubuntu/debian/patches/series 2018-05-28 18:19:47.000000000 +0000
@@ -2,3 +2,4 @@
 source-1.5.patch
 cve_2015_0250.patch
 CVE-2017-5662.patch
+CVE-2018-8013.patch
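Review bot: The new `DOMImplementation.class.isAssignableFrom(c)` guard is only reached on the fallback path, after `c.getMethod("getDOMImplementation", (Class[])null)` and `m.invoke(null, (Object[])null)` in the context lines above it have already executed a static method of whatever class `c` resolved to; a class that is not a DOMImplementation but exposes such a method is still invoked, and only the subsequent cast fails and lands in `catch (Exception e)`. The type check belongs before the first reflective use of `c`, and it has to sit outside the enclosing `try` because `SecurityException` is a RuntimeException and would otherwise be swallowed by that same catch-all; the `try` opens, and the enclosing method begins and ends, outside this hunk, and where `c` is resolved from is not visible here. The retained empty `catch (Exception ex) {}` still swallows every failure silently; if leaving `implementation` unset is the intended outcome, say so with `// ignored: leave implementation unset, as before`.
```java
// … enclosing try { begins outside the hunk; the guard goes before it, not inside …
if (!DOMImplementation.class.isAssignableFrom(c)) {
    throw new SecurityException("Trying to create object that is not a DOMImplementation.");
}
try {
    Method m = c.getMethod("getDOMImplementation", (Class[])null);
    implementation = (DOMImplementation)m.invoke(null, (Object[])null);
} catch (Exception e) {
    try {
        implementation = (DOMImplementation)c.newInstance();
    } catch (Exception ex) {
        // ignored: leave implementation unset, as before
    }
}
```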