[Git][java-team/openrefine][master] 3 commits: Add CVE-2023-37476.patch and automatically refresh all other patches
Markus Koschany (@apo)
gitlab at salsa.debian.org
Fri Aug 18 00:46:22 BST 2023
Markus Koschany pushed to branch master at Debian Java Maintainers / openrefine
Commits:
c965725c by Markus Koschany at 2023-08-18T01:35:30+02:00
Add CVE-2023-37476.patch and automatically refresh all other patches
- - - - -
4f079c67 by Markus Koschany at 2023-08-18T01:35:42+02:00
Declare compliance with Debian Policy 4.6.2.
- - - - -
5eef2063 by Markus Koschany at 2023-08-18T01:39:05+02:00
Update changelog
- - - - -
8 changed files:
- debian/changelog
- debian/control
- + debian/patches/CVE-2023-37476.patch
- debian/patches/build.patch
- debian/patches/gdata-extension.patch
- debian/patches/log4j-api.patch
- debian/patches/no-java-files.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+openrefine (3.6.2-3) unstable; urgency=medium
+
+ * Tighten B-D on commons-io to >= 2.11.0.
+ * Fix CVE-2023-37476 and automatically refresh all other patches.
+ OpenRefine is a free, open source tool for data processing. A carefully
+ crafted malicious OpenRefine project tar file can be used to trigger
+ arbitrary code execution in the context of the OpenRefine process if a user
+ can be convinced to import it. (Closes: #1041422)
+ * Declare compliance with Debian Policy 4.6.2.
+
+ -- Markus Koschany <apo at debian.org> Fri, 18 Aug 2023 01:37:01 +0200
+
openrefine (3.6.2-2) unstable; urgency=medium
* Depend on libjoda-time-java and liboro-java.
=====================================
debian/control
=====================================
@@ -69,7 +69,7 @@ Build-Depends:
libxtc-rats-java,
maven-debian-helper,
velocity
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
Vcs-Git: https://salsa.debian.org/java-team/openrefine.git
Vcs-Browser: https://salsa.debian.org/java-team/openrefine
Homepage: https://openrefine.org/
=====================================
debian/patches/CVE-2023-37476.patch
=====================================
@@ -0,0 +1,24 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 17 Aug 2023 21:33:50 +0200
+Subject: CVE-2023-37476
+
+Bug-Debian: https://bugs.debian.org/1041422
+Origin: https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651
+---
+ main/src/com/google/refine/io/FileProjectManager.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/main/src/com/google/refine/io/FileProjectManager.java b/main/src/com/google/refine/io/FileProjectManager.java
+index 09197f7..c913199 100644
+--- a/main/src/com/google/refine/io/FileProjectManager.java
++++ b/main/src/com/google/refine/io/FileProjectManager.java
+@@ -167,6 +167,9 @@ public class FileProjectManager extends ProjectManager {
+
+ while ((tarEntry = tin.getNextTarEntry()) != null) {
+ File destEntry = new File(destDir, tarEntry.getName());
++ if (!destEntry.toPath().normalize().startsWith(destDir.toPath().normalize())) {
++ throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
++ }
+ File parent = destEntry.getParentFile();
+
+ if (!parent.exists()) {
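Review bot: The exception message on the added throw line says `Zip archives`, but the loop is reading a tar (`tin.getNextTarEntry()`), so a user who hits this guard on a rejected project archive is told about the wrong format; `throw new IllegalArgumentException("Tar archives with entries escaping their root directory are not allowed.");` reads correctly. The containment check normalizes both sides but does not make them absolute; if `destDir` can ever be a relative path such as `.`, `normalize()` can yield the empty path and `startsWith` would then reject every entry, so `destDir.toPath().toAbsolutePath().normalize()` (and likewise for `destEntry`) is the more robust form. Whether `destDir` is always absolute, and how the loop treats entry types other than regular files, is not visible in this hunk and worth confirming, since only the entry name is checked here. The enclosing method of `FileProjectManager` starts and ends outside the hunk.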
=====================================
debian/patches/build.patch
=====================================
@@ -7,7 +7,7 @@ Subject: build
1 file changed, 4 insertions(+)
diff --git a/main/pom.xml b/main/pom.xml
-index c0b409c..27f789d 100644
+index 17b8ddc..4b61428 100644
--- a/main/pom.xml
+++ b/main/pom.xml
@@ -337,6 +337,10 @@
=====================================
debian/patches/gdata-extension.patch
=====================================
@@ -7,7 +7,7 @@ Subject: gdata extension
1 file changed, 5 insertions(+)
diff --git a/extensions/gdata/pom.xml b/extensions/gdata/pom.xml
-index 4fc64e5..ce9b906 100644
+index ed8b740..e310e8c 100644
--- a/extensions/gdata/pom.xml
+++ b/extensions/gdata/pom.xml
@@ -97,6 +97,11 @@
=====================================
debian/patches/log4j-api.patch
=====================================
@@ -7,7 +7,7 @@ Subject: log4j-api
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/pom.xml b/server/pom.xml
-index 8bb528a..89dd5ab 100644
+index 2408c76..e168085 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -180,7 +180,7 @@
=====================================
debian/patches/no-java-files.patch
=====================================
@@ -8,7 +8,7 @@ Subject: no-java-files
2 files changed, 10 deletions(-)
diff --git a/main/pom.xml b/main/pom.xml
-index 27f789d..0ef3eab 100644
+index 4b61428..8ea4ef6 100644
--- a/main/pom.xml
+++ b/main/pom.xml
@@ -27,11 +27,6 @@
@@ -24,7 +24,7 @@ index 27f789d..0ef3eab 100644
<testResources>
<testResource>
diff --git a/server/pom.xml b/server/pom.xml
-index 89dd5ab..94fda4c 100644
+index e168085..f2955e4 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -28,11 +28,6 @@
=====================================
debian/patches/series
=====================================
@@ -4,3 +4,4 @@ butterfly.properties.patch
log4j-api.patch
no-java-files.patch
gdata-extension.patch
+CVE-2023-37476.patch