[SCM] jenkins packaging branch, master, updated. debian/1.447.2+dfsg-1-4-gbd03136

James Page james.page at ubuntu.com
Tue Sep 25 18:21:10 UTC 2012


The following commit has been merged in the master branch:
commit ec1071a091ac5367e0cb4e2b89544e389494ca65
Author: James Page <james.page at ubuntu.com>
Date:   Tue Sep 25 11:05:32 2012 +0100

    Fix multiple security issues in Jenkins core (Closes: #688298):
    
    * Fix multiple security issues in Jenkins core (Closes: #688298):
      - d/p/security/CVE-2012-4438_CVE-2012-4439.patch: Cherry picked
        fixes from 1.466.2 release to resolve remote code execution
        and XSS security vulnerabilities.
      - Fixes: CVE-2012-4438, CVE-2012-4439

diff --git a/debian/changelog b/debian/changelog
index f3710db..7a1cd3f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+jenkins (1.447.2+dfsg-2) unstable; urgency=low
+
+  * Fix multiple security issues in Jenkins core (Closes: #688298):
+    - d/p/security/CVE-2012-4438_CVE-2012-4439.patch: Cherry picked
+      fixes from 1.466.2 release to resolve remote code execution
+      and XSS security vulnerabilities.
+    - Fixes: CVE-2012-4438, CVE-2012-4439
+
+ -- James Page <james.page at ubuntu.com>  Tue, 25 Sep 2012 11:01:53 +0100
+
 jenkins (1.447.2+dfsg-1) unstable; urgency=low
 
   * New upstream release. 
diff --git a/debian/patches/security/CVE-2012-4438_CVE-2012-4439.patch b/debian/patches/security/CVE-2012-4438_CVE-2012-4439.patch
new file mode 100644
index 0000000..cdcd68e
--- /dev/null
+++ b/debian/patches/security/CVE-2012-4438_CVE-2012-4439.patch
@@ -0,0 +1,191 @@
+Decription: Cherry picked fixes from 1.466.2 to resolve
+ two security issues:
+    - CVE-2012-4438 jenkins remote code execution
+    - CVE-2012-4439 jenkins XSS
+Origin: Upstream, commits fb73bac50f22526a3d3b...43ff1688eee6ea
+Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688298
+
+--- a/core/src/main/java/hudson/model/DownloadService.java
++++ b/core/src/main/java/hudson/model/DownloadService.java
+@@ -61,7 +61,8 @@ public class DownloadService extends Pag
+      */
+     public String generateFragment() {
+     	if (neverUpdate) return "";
+-    	
++        if (doesNotSupportPostMessage())  return "";
++
+         StringBuilder buf = new StringBuilder();
+         if(Jenkins.getInstance().hasPermission(Jenkins.READ)) {
+             long now = System.currentTimeMillis();
+@@ -88,6 +89,23 @@ public class DownloadService extends Pag
+         return buf.toString();
+     }
+ 
++    private boolean doesNotSupportPostMessage() {
++        StaplerRequest req = Stapler.getCurrentRequest();
++        if (req==null)      return false;
++
++        String ua = req.getHeader("User-Agent");
++        if (ua==null)       return false;
++
++        // according to http://caniuse.com/#feat=x-doc-messaging, IE <=7 doesn't support pstMessage
++        // see http://www.useragentstring.com/pages/Internet%20Explorer/ for user agents
++
++        // we want to err on the cautious side here.
++        // Because of JENKINS-15105, we can't serve signed metadata from JSON, which means we need to be
++        // using a modern browser as a vehicle to request these data. This check is here to prevent Jenkins
++        // from using older browsers that are known not to support postMessage as the vehicle.
++        return ua.contains("Windows") && (ua.contains(" MSIE 5.") || ua.contains(" MSIE 6.") || ua.contains(" MSIE 7."));
++    }
++
+     private String mapHttps(String url) {
+         /*
+             HACKISH:
+--- a/core/src/main/java/hudson/search/Search.java
++++ b/core/src/main/java/hudson/search/Search.java
+@@ -84,6 +84,7 @@ public class Search {
+      * See http://developer.mozilla.org/en/docs/Supporting_search_suggestions_in_search_plugins
+      */
+     public void doSuggestOpenSearch(StaplerRequest req, StaplerResponse rsp, @QueryParameter String q) throws IOException, ServletException {
++        rsp.setContentType(Flavor.JSON.contentType);
+         DataWriter w = Flavor.JSON.createDataWriter(null, rsp);
+         w.startArray();
+         w.value(q);
+--- a/core/src/main/java/hudson/tasks/junit/History.java
++++ b/core/src/main/java/hudson/tasks/junit/History.java
+@@ -293,4 +293,12 @@ public class History {
+ 
+     }
+ 
++    public static int asInt(String s, int defalutValue) {
++        if (s==null)    return defalutValue;
++        try {
++            return Integer.parseInt(s);
++        } catch (NumberFormatException e) {
++            return defalutValue;
++        }
++    }
+ }
+--- a/core/src/main/resources/hudson/tasks/junit/History/index.jelly
++++ b/core/src/main/resources/hudson/tasks/junit/History/index.jelly
+@@ -26,8 +26,8 @@ THE SOFTWARE.
+ <?jelly escape-by-default='true'?>
+ <j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler" xmlns:d="jelly:define" xmlns:l="/lib/layout" xmlns:t="/lib/hudson" xmlns:f="/lib/form" xmlns:i="jelly:fmt">
+   <l:layout title="${%title(it.testObject.displayName)}">
+-		<j:set var="start" value="${request.getParameter('start')?:0}"/>
+-		<j:set var="end" value="${request.getParameter('end')?:start+24}"/>
++		<j:set var="start" value="${it.asInt(request.getParameter('start'),0)}"/>
++		<j:set var="end" value="${it.asInt(request.getParameter('end'),start+24)}"/>
+ 		<j:set var="rangeParameters" value="start=${start}&end=${end+1}"/>
+ 		<script type="text/javascript">
+ 			function setCount() {
+--- a/war/src/main/webapp/scripts/hudson-behavior.js
++++ b/war/src/main/webapp/scripts/hudson-behavior.js
+@@ -2308,12 +2308,69 @@ function loadScript(href,callback) {
+     head.insertBefore( script, head.firstChild );
+ }
+ 
++/**
++ * Loads a dynamically created invisible IFRAME.
++ */
++function createIframe(src,callback) {
++    var iframe = document.createElement("iframe");
++    iframe.src = src;
++    iframe.style.display = "none";
++
++    var done = false;
++    iframe.onload = iframe.onreadystatechange = function() {
++        if ( !done && (!this.readyState ||
++                this.readyState === "loaded" || this.readyState === "complete") ) {
++            done = true;
++            callback();
++        }
++    };
++
++    document.body.appendChild(iframe);
++    return iframe;
++}
++
+ var downloadService = {
+     continuations: {},
+ 
+     download : function(id,url,info, postBack,completionHandler) {
+-        this.continuations[id] = {postBack:postBack,completionHandler:completionHandler};
+-        loadScript(url+"?"+Hash.toQueryString(info));
++        var tag = {id:id,postBack:postBack,completionHandler:completionHandler,received:false};
++        this.continuations[id] = tag;
++
++        // use JSONP to download the data
++        function fallback() {
++            loadScript(url+"?id="+id+'&'+Hash.toQueryString(info));
++        }
++
++        if (window.postMessage) {
++            // try downloading the postMessage version of the data,
++            // if we don't receive postMessage (which probably means the server isn't ready with these new datasets),
++            // fallback to JSONP
++            tag.iframe = createIframe(url+".html?id="+id+'&'+Hash.toQueryString(info),function() {
++                window.setTimeout(function() {
++                    if (!tag.received)
++                        fallback();
++                },100); // bit of delay in case onload on our side fires first
++            });
++        } else {
++            // this browser doesn't support postMessage
++            fallback();
++        }
++
++        // NOTE:
++        //   the only reason we even try fallback() is in case our server accepts the submission without a signature
++        //   (which it really shouldn't)
++    },
++
++    /**
++     * Call back to postMessage
++     */
++    receiveMessage : function(ev) {
++        var self = this;
++        Object.values(this.continuations).each(function(tag) {
++            if (tag.iframe.contentWindow==ev.source) {
++                self.post(tag.id,JSON.parse(ev.data));
++            }
++        })
+     },
+ 
+     post : function(id,data) {
+@@ -2322,15 +2379,22 @@ var downloadService = {
+             data = id;
+             id = data.id;
+         }
+-        var o = this.continuations[id];
++        var tag = this.continuations[id];
++        if (tag==undefined) {
++            console.log("Submission from update center that we don't know: "+id);
++            console.log("Likely mismatch between the registered ID vs ID in JSON");
++            return;
++        }
++        tag.received = true;
++
+         // send the payload back in the body. We used to send this in as a form submission, but that hits the form size check in Jetty.
+-        new Ajax.Request(o.postBack, {
++        new Ajax.Request(tag.postBack, {
+             contentType:"application/json",
+             encoding:"UTF-8",
+             postBody:Object.toJSON(data),
+             onSuccess: function() {
+-                if(o.completionHandler!=null)
+-                    o.completionHandler();
++                if(tag.completionHandler!=null)
++                    tag.completionHandler();
+                 else if(downloadService.completionHandler!=null)
+                     downloadService.completionHandler();
+             }
+@@ -2341,6 +2405,8 @@ var downloadService = {
+ // update center service. to remain compatible with earlier version of Hudson, aliased.
+ var updateCenter = downloadService;
+ 
++YAHOO.util.Event.addListener(window, "message", function(ev) { downloadService.receiveMessage(ev); })
++
+ /*
+ redirects to a page once the page is ready.
+ 
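Review bot: `receiveMessage`, in the hudson-behavior.js part of the embedded patch, accepts a message as soon as `ev.source` matches one of the hidden iframes, but it never compares `ev.origin` with the origin of the `url` given to `download`, and `JSON.parse(ev.data)` has no try/catch, so a malformed message throws inside the listener. The source check limits senders to frames this page created, yet whatever document ends up loaded in that frame can post, so I would store the expected origin on `tag` in `download` and skip tags where `ev.origin` differs. The effective protection appears to be the signature check behind `tag.postBack`, which is outside this diff, so the doc comment on `receiveMessage` should state it, for example `// ev.data is untrusted here; the server must verify the signature on postBack`. Separately, the 100 ms timer in `download` still falls back to `loadScript` (JSONP), which runs the update site's response as script in the Jenkins page. The trailing NOTE suggests this path is unnecessary once the server insists on signatures, and a message arriving after the timer fires would be posted twice.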
diff --git a/debian/patches/series b/debian/patches/series
index 82f57f0..6ffa150 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -16,3 +16,4 @@ dependency-upgrades/asm3-upgrade.patch
 dependency-upgrades/animal-sniffer-upgrade.patch
 build/use-stock-jmdns.patch
 ubuntu/ubuntu-font.patch
+security/CVE-2012-4438_CVE-2012-4439.patch

-- 
jenkins packaging


