[libpdfbox-java] 01/01: Imported Debian patch 1:1.7.0+dfsg-4+deb7u1
gregor herrmann
gregoa at debian.org
Fri Jun 10 19:50:04 UTC 2016
gregoa pushed a commit to branch wheezy
in repository libpdfbox-java.
commit 75e02365f84c0a19c4f4cddf313d8576021517c2
Author: Markus Koschany <apo at debian.org>
Date: Mon Jun 6 13:28:50 2016 +0200
Imported Debian patch 1:1.7.0+dfsg-4+deb7u1
---
debian/changelog | 13 +++++++
debian/patches/CVE-2016-2175.patch | 70 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 84 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ba62e97..b9ef280 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+libpdfbox-java (1:1.7.0+dfsg-4+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2016-2175:
+ Apache PDFBox parses different XML data within PDF files such as XMP and
+ the initialization of the XML parsers did not protect against XML External
+ Entity (XXE) vulnerabilities. According to www.owasp.org: "This attack
+ may lead to the disclosure of confidential data, denial of service, server
+ side request forgery, port scanning from the perspective of the machine
+ where the parser is located, and other system impacts."
+
+ -- Markus Koschany <apo at debian.org> Mon, 06 Jun 2016 13:28:50 +0200
+
libpdfbox-java (1:1.7.0+dfsg-4) unstable; urgency=low
* Fix installation of CMap tables during build:
diff --git a/debian/patches/CVE-2016-2175.patch b/debian/patches/CVE-2016-2175.patch
new file mode 100644
index 0000000..bbee857
--- /dev/null
+++ b/debian/patches/CVE-2016-2175.patch
@@ -0,0 +1,70 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 6 Jun 2016 13:20:19 +0200
+Subject: CVE-2016-2175
+
+In addition to the original fix for the 1.8 branch,
+xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java has been fixed
+similar to the other affected classes.
+
+xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java did not exist.
+pdfbox/src/main/java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java was
+not affected.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1739564
+---
+ jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java | 6 ++++++
+ pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java | 6 ++++++
+ xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java | 6 ++++++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java b/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
+index 07db2b7..8759902 100644
+--- a/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
++++ b/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
+@@ -71,6 +71,12 @@ public class XMLUtil
+ try
+ {
+ DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
++ builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ builderFactory.setXIncludeAware(false);
++ builderFactory.setExpandEntityReferences(false);
+ DocumentBuilder builder = builderFactory.newDocumentBuilder();
+ return builder.parse( is );
+ }
+diff --git a/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java b/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
+index ae6c6df..49a207b 100644
+--- a/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
++++ b/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
+@@ -56,6 +56,12 @@ public class XMLUtil
+ try
+ {
+ DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
++ builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ builderFactory.setXIncludeAware(false);
++ builderFactory.setExpandEntityReferences(false);
+ DocumentBuilder builder = builderFactory.newDocumentBuilder();
+ return builder.parse( is );
+ }
+diff --git a/xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java b/xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java
+index bbba959..3c9d145 100644
+--- a/xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java
++++ b/xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java
+@@ -75,6 +75,12 @@ public final class XMLUtil {
+ try {
+ DocumentBuilderFactory builderFactory = DocumentBuilderFactory
+ .newInstance();
++ builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ builderFactory.setXIncludeAware(false);
++ builderFactory.setExpandEntityReferences(false);
+ DocumentBuilder builder = builderFactory.newDocumentBuilder();
+ return builder.parse(is);
+ } catch (Exception e) {
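Review bot: The six `setFeature`/setter calls added inside the `try` in all three XMLUtil classes (jempbox in the first hunk, pdfbox and xmpbox below it) use Xerces-specific feature URIs, and `DocumentBuilderFactory.setFeature` throws `ParserConfigurationException` when the selected JAXP provider does not recognise a feature; in the xmpbox hunk that lands in the `catch (Exception e)` on the last line, and the jempbox/pdfbox catch clauses lie outside their hunks, so on a non-Xerces provider every parse would presumably fail rather than run unhardened. That is the right, fail-closed outcome, but it is silent, so a comment above the first added line in each file should say so: `// XXE hardening (CVE-2016-2175): reject DOCTYPE and external entities; an unsupported feature throws here and the parse fails closed.` Enabling `disallow-doctype-decl` also means any XMP/XML stream that carries a DOCTYPE is now rejected outright, which is a behaviour change worth one sentence in the debian/changelog entry. The enclosing parse methods in all three files start before their hunks.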
diff --git a/debian/patches/series b/debian/patches/series
index bfb7354..9deae95 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
build.xml.patch
build-subproject-docs.patch
+CVE-2016-2175.patch