[Git][java-team/lucene-solr][master] 5 commits: add CVE-2019-0193.patch

Markus Koschany gitlab at salsa.debian.org
Thu Oct 10 23:06:16 BST 2019 


Markus Koschany pushed to branch master at Debian Java Maintainers / lucene-solr


Commits:
de9354f1 by Markus Koschany at 2019-10-09T16:21:55Z
add CVE-2019-0193.patch

- - - - -
147ba80a by Markus Koschany at 2019-10-09T16:22:07Z
Start new changelog entry

- - - - -
baa5cd20 by Markus Koschany at 2019-10-10T15:34:42Z
update the patch

- - - - -
af68bd46 by Markus Koschany at 2019-10-10T15:39:20Z
Update the changelog

- - - - -
486dde85 by Markus Koschany at 2019-10-10T15:40:58Z
Remove Jakub Adam, James Page and Mat Scales from Uploaders because they are

not active anymore. Add myself to Uploaders.

Declare compliance with Debian Policy 4.4.1.

- - - - -


4 changed files:

- debian/changelog
- debian/control
- + debian/patches/CVE-2019-0193.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,21 @@
+lucene-solr (3.6.2+dfsg-22) unstable; urgency=medium
+
+  * Add myself to Uploaders and remove Jakub Adam, James Page and Mat Scales
+    because they are not active anymore.
+  * Declare compliance with Debian Policy 4.4.1.
+  * Fix CVE-2019-0193:
+    The DataImportHandler, an optional but popular module to pull in data from
+    databases and other sources, has a feature in which the whole DIH
+    configuration can come from a request's "dataConfig" parameter. The debug
+    mode of the DIH admin screen uses this to allow convenient debugging /
+    development of a DIH config. Since a DIH config can contain scripts, this
+    parameter is a security risk. Starting from now on, use of this parameter
+    requires setting the Java System property "enable.dih.dataConfigParam" to
+    true. For example this can be achieved with solr-tomcat by adding
+    -Denable.dih.dataConfigParam=true to JAVA_OPTS in /etc/default/tomcat9.
+
+ -- Markus Koschany <apo at debian.org>  Thu, 10 Oct 2019 17:39:16 +0200
+
 lucene-solr (3.6.2+dfsg-21) unstable; urgency=high
 
   * Team upload.


=====================================
debian/control
=====================================
@@ -3,9 +3,7 @@ Section: java
 Priority: optional
 Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
 Uploaders:
- Mat Scales <mat at wibbly.org.uk>,
- James Page <james.page at ubuntu.com>,
- Jakub Adam <jakub.adam at ktknet.cz>
+ Markus Koschany <apo at debian.org>
 Build-Depends:
  ant,
  ant-optional,
@@ -46,7 +44,7 @@ Build-Depends:
  libxml-commons-resolver1.1-java,
  maven-repo-helper (>= 1.5~),
  po-debconf
-Standards-Version: 4.4.0
+Standards-Version: 4.4.1
 Vcs-Git: https://salsa.debian.org/java-team/lucene-solr.git
 Vcs-Browser: https://salsa.debian.org/java-team/lucene-solr
 Homepage: http://lucene.apache.org


=====================================
debian/patches/CVE-2019-0193.patch
=====================================
@@ -0,0 +1,70 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 9 Oct 2019 17:41:28 +0200
+Subject: CVE-2019-0193
+
+Bug-Upstream: https://issues.apache.org/jira/browse/SOLR-13669
+Origin: https://github.com/apache/lucene-solr/commit/325824cd391c8e71f36f17d687f52344e50e9715
+---
+ .../apache/solr/handler/dataimport/DataImportHandler.java   | 10 ++++++++++
+ .../dataimport/AbstractDataImportHandlerTestCase.java       | 13 ++++++-------
+ 2 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
+index 9e11c79..a4a39a0 100644
+--- a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
++++ b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
+@@ -83,6 +83,10 @@ public class DataImportHandler extends RequestHandlerBase implements
+ 
+   private Map<String , Object> coreScopeSession = new HashMap<String, Object>();
+ 
++  static final String ENABLE_DIH_DATA_CONFIG_PARAM = "enable.dih.dataConfigParam";
++
++  final boolean dataConfigParam_enabled = Boolean.getBoolean(ENABLE_DIH_DATA_CONFIG_PARAM);
++
+   @Override
+   @SuppressWarnings("unchecked")
+   public void init(NamedList args) {
+@@ -153,6 +157,12 @@ public class DataImportHandler extends RequestHandlerBase implements
+       return;
+     }
+ 
++    if (dataConfigParam_enabled == false) {
++      throw new SolrException(SolrException.ErrorCode.FORBIDDEN,
++          "Use of the dataConfig param (DIH debug mode) requires the system property " +
++              ENABLE_DIH_DATA_CONFIG_PARAM + " because it's a security risk.");
++    }
++
+     rsp.add("initArgs", initArgs);
+     String message = "";
+ 
+diff --git a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
+index 1b49028..1cce926 100644
+--- a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
++++ b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
+@@ -30,7 +30,7 @@ import org.apache.solr.update.processor.UpdateRequestProcessor;
+ import org.apache.solr.update.processor.UpdateRequestProcessorFactory;
+ import org.apache.solr.common.util.NamedList;
+ import org.junit.After;
+-import org.junit.Before;
++import org.junit.BeforeClass;
+ 
+ import java.io.FileOutputStream;
+ import java.io.IOException;
+@@ -57,12 +57,11 @@ public abstract class AbstractDataImportHandlerTestCase extends
+   public static void initCore(String config, String schema) throws Exception {
+     initCore(config, schema, getFile("dih/solr").getAbsolutePath());
+   }
+-  
+-  @Override
+-  @Before
+-  public void setUp() throws Exception {
+-    super.setUp();
+-  }
++
++  @BeforeClass
++  public static void baseBeforeClass() {
++    System.setProperty(DataImportHandler.ENABLE_DIH_DATA_CONFIG_PARAM, "true");
++   }
+ 
+   @Override
+   @After


=====================================
debian/patches/series
=====================================
@@ -17,3 +17,4 @@ CVE-2017-3163.patch
 ant-1.10.patch
 CVE-2018-1308.patch
 web.xml.patch
+CVE-2019-0193.patch



View it on GitLab: https://salsa.debian.org/java-team/lucene-solr/compare/180958616a94034e05f99f22be54ac7f006fe0c0...486dde851b525a201521fb69ca907a4d710f130e

-- 
View it on GitLab: https://salsa.debian.org/java-team/lucene-solr/compare/180958616a94034e05f99f22be54ac7f006fe0c0...486dde851b525a201521fb69ca907a4d710f130e
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20191010/5004e9d9/attachment.html>

More information about the pkg-java-commits mailing list