[Git][java-team/tuxguitar][master] Import Debian changes 1.5.6+dfsg1-7

Tony Mancill (@tmancill) gitlab at salsa.debian.org
Wed Dec 20 05:22:40 GMT 2023



Tony Mancill pushed to branch master at Debian Java Maintainers / tuxguitar


Commits:
f58e3654 by Bastian Germann at 2023-12-19T21:14:52-08:00
Import Debian changes 1.5.6+dfsg1-7

tuxguitar (1.5.6+dfsg1-7) unstable; urgency=medium
.
  * QA upload
  * Fix CVE-2020-14940 (Closes: #963626)
  * Try build on every Linux arch

- - - - -


4 changed files:

- debian/changelog
- debian/control
- + debian/patches/10-fix-CVE-2020-14940.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+tuxguitar (1.5.6+dfsg1-7) unstable; urgency=medium
+
+  * QA upload
+  * Fix CVE-2020-14940 (Closes: #963626)
+  * Try build on every Linux arch
+
+ -- Bastian Germann <bage at debian.org>  Mon, 06 Nov 2023 23:13:56 +0100
+
 tuxguitar (1.5.6+dfsg1-6) unstable; urgency=medium
 
   * QA upload.


=====================================
debian/control
=====================================
@@ -28,7 +28,6 @@ Depends: ${misc:Depends}, ${maven:Depends},
          default-jre,
          libswt-cairo-gtk-4-jni, libeclipse-e4-ui-widgets-java,
          fluid-soundfont-gm
-         libcommons-compress-java
 Suggests: ${maven:OptionalDepends},
           tuxguitar-jsa (= ${source:Version}),
           lilypond
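Review bot: the removal of `libcommons-compress-java` from Depends is not recorded in the changelog entry added in this commit (it lists only the CVE fix and the architecture change); please add a line for it. It is also worth saying in the changelog that this repairs a malformed field: the preceding line `fluid-soundfont-gm` has no trailing comma, so before this hunk the two names formed one invalid relation rather than two dependencies.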
@@ -44,7 +43,7 @@ Description: tuxguitar plugin for sound playback using Java Sound API
  Use Tuxguitar along this plugin if unsure, other sounds can be used too.
 
 Package: tuxguitar-alsa
-Architecture: alpha amd64 armhf arm64 i386 ia64 powerpc ppc64 ppc64el m68k riscv64 sh4 sparc sparc64 s390x x32
+Architecture: linux-any
 Depends: ${misc:Depends}, ${shlibs:Depends},
          tuxguitar (= ${source:Version})
 Suggests: timidity
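Review bot: `linux-any` widens the set rather than just abbreviating it: the old explicit list had no armel, hppa, mips64el or loong64 entries, so this hunk (and the identical ones for tuxguitar-oss, -fluidsynth, -jack and -synth-lv2 below) enables the plugins on ports where they have never been built. That matches the changelog's "Try build on every Linux arch", but the first buildd round is the real test; if a port fails on a missing native library, the fix belongs in Build-Depends, not back in an architecture list.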
@@ -53,7 +52,7 @@ Description: tuxguitar plugin for sound playback using ALSA
  A MIDI expander is required (Hardware or Software).
 
 Package: tuxguitar-oss
-Architecture: alpha amd64 armhf arm64 i386 ia64 powerpc ppc64 ppc64el m68k riscv64 sh4 sparc sparc64 s390x x32
+Architecture: linux-any
 Depends: ${misc:Depends}, ${shlibs:Depends},
          tuxguitar (= ${source:Version}),
          oss-compat
@@ -63,7 +62,7 @@ Description: tuxguitar plugin for sound playback using OSS
  A MIDI expander is required (Hardware or Software).
 
 Package: tuxguitar-fluidsynth
-Architecture: alpha amd64 armhf arm64 i386 ia64 powerpc ppc64 ppc64el m68k riscv64 sh4 sparc sparc64 s390x x32
+Architecture: linux-any
 Depends: ${misc:Depends}, ${shlibs:Depends},
          tuxguitar (= ${source:Version}),
          fluidsynth
@@ -72,7 +71,7 @@ Description: tuxguitar plugin for sound playback using fluidsynth
  fluidsynth as MIDI expander.
 
 Package: tuxguitar-jack
-Architecture: alpha amd64 armhf arm64 i386 ia64 powerpc ppc64 ppc64el m68k riscv64 sh4 sparc sparc64 s390x x32
+Architecture: linux-any
 Depends: ${misc:Depends}, ${shlibs:Depends},
          tuxguitar (= ${source:Version})
 Suggests: qjackctl
@@ -81,7 +80,7 @@ Description: tuxguitar plugin for sound playback using JACKD
  A MIDI expander is required (Hardware or Software).
 
 Package: tuxguitar-synth-lv2
-Architecture: alpha amd64 armhf arm64 i386 ia64 powerpc ppc64 ppc64el m68k riscv64 sh4 sparc sparc64 s390x x32
+Architecture: linux-any
 Depends: ${misc:Depends}, ${shlibs:Depends},
          tuxguitar (= ${source:Version})
 Description: tuxguitar LV2 audio plugin


=====================================
debian/patches/10-fix-CVE-2020-14940.patch
=====================================
@@ -0,0 +1,262 @@
+Origin: https://github.com/helge17/tuxguitar/commit/bcaa280e93b0d67dc6f903b6e23a051a7894ba0c
+From: guiv42 <129443524+guiv42 at users.noreply.github.com>
+Date: Tue, 10 Oct 2023 23:02:29 +0200
+Subject: fix CVE-2020-14940
+
+see:
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14940
+https://sourceforge.net/p/tuxguitar/bugs/126/
+https://bugzilla.opensuse.org/show_bug.cgi?id=1173633
+https://logicaltrust.net/blog/2020/06/tuxguitar.html
+https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+
+Issue could be reproduced on Linux before the fix, as described by
+sourceforge page listed above
+note: needed to de-activate firewall to reproduce issue
+Not all TuxGuitar files mentioned in this page have been modified, as some
+of them do not parse input xml files. Then they should not be concerned by
+vulnerability:
+- TuxGuitar-musicxml/src/org/herac/tuxguitar/io/musicxml/MusicXMLWriter.java
+- TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingWriter.java
+- TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserWriter.java
+
+note: protection does not seem to be supported on Android, so just try to
+activate it, and ignore if it fails (or else Android version can no more
+open .gp and .gpx files)
+basically: this patch doesn't provide full coverage
+
+also (independent from CVE):
+GPXDocumentReader: removed warnings from deprecated Integer constructors
+---
+ .../community/browser/TGBrowserResponse.java  |  6 +++
+ .../community/io/TGShareSongResponse.java     |  6 +++
+ .../editor/template/TGTemplateReader.java     |  6 +++
+ .../tuxguitar/io/gpx/GPXDocumentReader.java   | 38 +++++++++++--------
+ .../keybindings/xml/KeyBindingReader.java     | 12 ++++++
+ .../tools/browser/xml/TGBrowserReader.java    |  7 +++-
+ .../app/tools/scale/xml/ScaleReader.java      |  7 +++-
+ .../dialog/chord/xml/TGChordXMLReader.java    |  6 +++
+ 8 files changed, 71 insertions(+), 17 deletions(-)
+
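Review bot: the DEP-3 header should carry the bug references, not only `Origin:`; add `Bug-Debian: https://bugs.debian.org/963626` and a `Bug:` line pointing at the upstream SourceForge report already quoted in the description, so the tracker can link the patch to the bug it closes. Note also that the description itself states "this patch doesn't provide full coverage" (the Android fallback silently does nothing and three writer classes are deliberately untouched); the changelog line "Fix CVE-2020-14940" is fine, but the security tracker entry should record that caveat.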
+diff --git a/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java b/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
+index f82415584..d515446eb 100644
+--- a/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
++++ b/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java
+@@ -35,6 +35,12 @@ public TGBrowserResponse( InputStream stream ) throws Throwable {
+ 	
+ 	private void initialize(InputStream stream) throws Throwable {
+ 		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++		// CVE-2020-14940
++		try {
++			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++			factory.setXIncludeAware(false);
++		} catch (Throwable throwable) {
++		}
+ 		DocumentBuilder builder = factory.newDocumentBuilder();
+ 		this.document = builder.parse(stream);
+ 	}
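Review bot: the empty `catch (Throwable throwable) {}` means that on a parser which rejects `disallow-doctype-decl` (the Android case the description mentions) the factory is left in its default, entity-resolving state and nothing records that hardening failed. The OWASP cheat sheet cited in the header gives a fallback for exactly this situation: inside the catch, set the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false and call `factory.setExpandEntityReferences(false)`, and at least log the original exception. `setXIncludeAware(false)` is already the JAXP default, so it is harmless but adds nothing. The same block is repeated verbatim in every file below, so whatever is chosen here applies to all of them.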
+diff --git a/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java b/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
+index 67dbabb03..39c33bcaf 100644
+--- a/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
++++ b/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java
+@@ -28,6 +28,12 @@ public TGShareSongResponse( InputStream stream ) throws Throwable {
+ 	
+ 	private void initialize(InputStream stream) throws Throwable {
+ 		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++		// CVE-2020-14940
++		try {
++			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++			factory.setXIncludeAware(false);
++		} catch (Throwable throwable) {
++		}
+ 		DocumentBuilder builder = factory.newDocumentBuilder();
+ 		this.document = builder.parse(stream);
+ 	}
+diff --git a/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java b/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
+index 439eef348..24688b16d 100644
+--- a/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
++++ b/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java
+@@ -51,6 +51,12 @@ private void loadTemplates(List<TGTemplate> templates,Node node) throws Throwabl
+ 	private Document createDocument(InputStream stream) throws Throwable {
+ 		Document document = null;
+ 		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++		// CVE-2020-14940
++		try {
++			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++			factory.setXIncludeAware(false);
++		} catch (Throwable throwable) {
++		}
+ 		
+ 		DocumentBuilder builder = factory.newDocumentBuilder();
+ 		document = builder.parse(stream);
+diff --git a/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java b/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java
+index a8b869f28..5232fa6a2 100644
+--- a/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java
++++ b/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java
+@@ -35,8 +35,16 @@ public GPXDocumentReader(InputStream stream, Integer version) throws GPXFormatEx
+ 	}
+ 	
+ 	private Document getDocument(InputStream stream) {
++		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++		// CVE-2020-14940
+ 		try {
+-			return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream);
++			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++			factory.setXIncludeAware(false);
++		} catch (Throwable throwable) {
++		}
++		
++		try {
++			return factory.newDocumentBuilder().parse(stream);
+ 		} catch (Throwable throwable) {
+ 			throw new GPXFormatException("Invalid file format", throwable);
+ 		}
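Review bot: separating the factory configuration from the parse is the right shape, because a configuration failure no longer surfaces as "Invalid file format". The remaining rough edge is on the parse side: with `disallow-doctype-decl` enabled, any input carrying a DOCTYPE declaration is now rejected with that same generic message, indistinguishable from a corrupt file. Since the cause is already wrapped, consider logging `throwable.getMessage()` (or including it in the `GPXFormatException` text) so a rejected DOCTYPE can be told apart from a malformed document when users report that a file stopped opening.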
+@@ -309,25 +317,25 @@ public void readBeats(){
+ 									beat.setWhammyBarEnabled( getChildNode(propertyNode, "Enable") != null );
+ 								}
+ 								if( propertyName.equals("WhammyBarOriginValue") ){
+-									beat.setWhammyBarOriginValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									beat.setWhammyBarOriginValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("WhammyBarMiddleValue") ){
+-									beat.setWhammyBarMiddleValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									beat.setWhammyBarMiddleValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("WhammyBarDestinationValue") ){
+-									beat.setWhammyBarDestinationValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									beat.setWhammyBarDestinationValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("WhammyBarOriginOffset") ){
+-									beat.setWhammyBarOriginOffset( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									beat.setWhammyBarOriginOffset( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("WhammyBarMiddleOffset1") ){
+-									beat.setWhammyBarMiddleOffset1( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									beat.setWhammyBarMiddleOffset1( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("WhammyBarMiddleOffset2") ){
+-									beat.setWhammyBarMiddleOffset2( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									beat.setWhammyBarMiddleOffset2( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("WhammyBarDestinationOffset") ){
+-									beat.setWhammyBarDestinationOffset( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									beat.setWhammyBarDestinationOffset( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("Brush") ){
+ 									beat.setBrush( getChildNodeContent(propertyNode, "Direction") );
+@@ -408,25 +416,25 @@ public void readNotes(){
+ 									note.setBendEnabled( getChildNode(propertyNode, "Enable") != null );
+ 								}
+ 								if( propertyName.equals("BendOriginValue") ){
+-									note.setBendOriginValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									note.setBendOriginValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("BendMiddleValue") ){
+-									note.setBendMiddleValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									note.setBendMiddleValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("BendDestinationValue") ){
+-									note.setBendDestinationValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									note.setBendDestinationValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("BendOriginOffset") ){
+-									note.setBendOriginOffset( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									note.setBendOriginOffset( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("BendMiddleOffset1") ){
+-									note.setBendMiddleOffset1( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									note.setBendMiddleOffset1( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("BendMiddleOffset2") ){
+-									note.setBendMiddleOffset2( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									note.setBendMiddleOffset2( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("BendDestinationOffset") ){
+-									note.setBendDestinationOffset( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) );
++									note.setBendDestinationOffset( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) );
+ 								}
+ 								if( propertyName.equals("HopoOrigin") ){
+ 									note.setHammer(true);
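Review bot: the `new Integer(...)` to `Integer.valueOf(...)` hunks here and in `readNotes` only change boxing and are unrelated to the CVE, as the header says under "independent from CVE". They are acceptable because the patch tracks the upstream commit named in `Origin:`, but they make the security patch non-minimal; if it is ever rebased or trimmed, these are the hunks to drop first.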
+diff --git a/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java b/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
+index 55beeefb0..ed87fd535 100644
+--- a/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
++++ b/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java
+@@ -52,6 +52,12 @@ public static List<KeyBindingAction> getKeyBindings(InputStream is) {
+ 	private static Document getDocument(InputStream is) {
+ 		Document document = null;
+ 		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++		// CVE-2020-14940
++		try {
++			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++			factory.setXIncludeAware(false);
++		} catch (Throwable throwable) {
++		}
+ 		try {
+ 			DocumentBuilder builder = factory.newDocumentBuilder();
+ 			document = builder.parse(is);
+@@ -69,6 +75,12 @@ private static Document getDocument(InputStream is) {
+ 	private static Document getDocument(File file) {
+ 		Document document = null;
+ 		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++		// CVE-2020-14940
++		try {
++			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++			factory.setXIncludeAware(false);
++		} catch (Throwable throwable) {
++		}
+ 		try {
+ 			DocumentBuilder builder = factory.newDocumentBuilder();
+ 			document = builder.parse(file);
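Review bot: this file now carries the same eight-line hardening block twice (one per `getDocument` overload), and the patch as a whole copies it into nine places. If a module common to TuxGuitar, TuxGuitar-community, TuxGuitar-editor-utils and TuxGuitar-gpx is available, a single helper returning a hardened `DocumentBuilderFactory` would let a later change to the feature set (for example adding the fallback features when `disallow-doctype-decl` is unsupported) be made once instead of nine times.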
+diff --git a/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java b/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java
+index 7c4c0e2ab..1303bc16a 100644
+--- a/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java
++++ b/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java
+@@ -59,7 +59,12 @@ private static void loadCollections(TGBrowserManager manager,Node node){
+ 	private static Document getDocument(File file) throws ParserConfigurationException, SAXException, IOException {
+ 		Document document = null;
+ 		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+-		
++		// CVE-2020-14940
++		try {
++			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++			factory.setXIncludeAware(false);
++		} catch (Throwable throwable) {
++		}
+ 		DocumentBuilder builder = factory.newDocumentBuilder();
+ 		document = builder.parse(file);
+ 		
+diff --git a/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java b/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java
+index 44a263fb2..26f0a6d16 100644
+--- a/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java
++++ b/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java
+@@ -34,7 +34,12 @@ public void loadScales(List<ScaleInfo> scales,InputStream stream){
+ 	private static Document getDocument(InputStream stream) throws ParserConfigurationException, SAXException, IOException {
+ 		Document document = null;
+ 		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+-		
++		// CVE-2020-14940
++		try {
++			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++			factory.setXIncludeAware(false);
++		} catch (Throwable throwable) {
++		}
+ 		DocumentBuilder builder = factory.newDocumentBuilder();
+ 		document = builder.parse(stream);
+ 		
+diff --git a/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java b/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
+index abf94e056..c06c04dae 100644
+--- a/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
++++ b/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java
+@@ -36,6 +36,12 @@ public static List<TGChord> getChords(String fileName) {
+ 	private static Document getDocument(File file) {
+ 		Document document = null;
+ 		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++		// CVE-2020-14940
++		try {
++			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++			factory.setXIncludeAware(false);
++		} catch (Throwable throwable) {
++		}
+ 		try {
+ 			DocumentBuilder builder = factory.newDocumentBuilder();
+ 			document = builder.parse(file);


=====================================
debian/patches/series
=====================================
@@ -1,4 +1,5 @@
 04-hardening-cppflags.patch
+10-fix-CVE-2020-14940.patch
 11-eclipse-swt.patch
 12-remove-thirth-party-libs.patch
 13-remove-vst.patch



View it on GitLab: https://salsa.debian.org/java-team/tuxguitar/-/commit/f58e36542248552d8488b2226aa5f4f3637d0a53
