[Git][java-team/libquartz-java][master] 2 commits: Add patch for XXE vulnerability CVE-2019-13990 (Closes: #933169)
Tony Mancill (@tmancill)
gitlab at salsa.debian.org
Wed Feb 1 03:39:43 GMT 2023
Tony Mancill pushed to branch master at Debian Java Maintainers / libquartz-java
Commits:
d043139b by tony mancill at 2023-01-31T19:31:37-08:00
Add patch for XXE vulnerability CVE-2019-13990 (Closes: #933169)
- - - - -
ff09a36a by tony mancill at 2023-01-31T19:31:37-08:00
Prepare changelog for upload
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2019-13990.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+libquartz-java (1:1.8.6-8) unstable; urgency=medium
+
+ * Add patch for XXE vulnerability CVE-2019-13990 (Closes: #933169)
+
+ -- tony mancill <tmancill at debian.org> Mon, 30 Jan 2023 22:23:39 -0800
+
libquartz-java (1:1.8.6-7) unstable; urgency=medium
* Add build-dep on liblog4j1.2-java (Closes: #1028678)
=====================================
debian/patches/CVE-2019-13990.patch
=====================================
@@ -0,0 +1,91 @@
+Description: patch for CVE-2019-13990
+ The method initDocumentParser() in the XMLSchedulingDataProcessor.java
+ does not forbid DTDs, which allows a context-dependend attacker to
+ perform an XXE.
+ .
+ The testcase in the patch is slightly adapted for quartz 1.8.6
+Origin: https://github.com/quartz-scheduler/quartz/commit/a1395ba118df306c7fe67c24fb0c9a95a4473140
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933169
+Forwarded: not-needed
+Last-Update: 2023-01-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/quartz/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
++++ b/quartz/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+@@ -181,6 +181,13 @@
+ docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", "http://www.w3.org/2001/XMLSchema");
+
+ docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaSource());
++
++ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ docBuilderFactory.setXIncludeAware(false);
++ docBuilderFactory.setExpandEntityReferences(false);
+
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+
+--- a/quartz/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
++++ b/quartz/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+@@ -16,6 +16,7 @@
+ import org.quartz.jobs.NoOpJob;
+ import org.quartz.simpl.CascadingClassLoadHelper;
+ import org.quartz.spi.ClassLoadHelper;
++import org.xml.sax.SAXParseException;
+
+ /**
+ * Unit test for XMLSchedulingDataProcessor.
+@@ -98,7 +99,29 @@
+ inStream.close();
+ }
+ }
+-
++
++ public void testXmlParserConfiguration() throws Exception {
++ Scheduler scheduler = null;
++ try {
++ StdSchedulerFactory factory = new StdSchedulerFactory("org/quartz/xml/quartz-test.properties");
++ scheduler = factory.getDefaultScheduler();
++ ClassLoadHelper clhelper = new CascadingClassLoadHelper();
++ clhelper.initialize();
++ XMLSchedulingDataProcessor processor = new XMLSchedulingDataProcessor(clhelper);
++ processor.processFileAndScheduleJobs("org/quartz/xml/bad-job-config.xml", scheduler);
++
++ final JobDetail jobDetail = scheduler.getJobDetail("xxe", "native");
++ final String description = jobDetail.getDescription();
++
++ fail("Expected parser configuration to block DOCTYPE. The following was injected into the job description field: " + description);
++ } catch (SAXParseException e) {
++ assertTrue(e.getMessage().contains("DOCTYPE is disallowed"));
++ } finally {
++ if (scheduler != null)
++ scheduler.shutdown();
++ }
++ }
++
+ /** QTZ-187 */
+ public void testDirectivesNoOverwriteWithIgnoreDups() throws Exception {
+ Scheduler scheduler = null;
+--- /dev/null
++++ b/quartz/src/test/resources/org/quartz/xml/bad-job-config.xml
+@@ -0,0 +1,19 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE foo [<!ELEMENT foo ANY >
++ <!ENTITY xxe SYSTEM "/" >]>
++<job-scheduling-data xmlns="http://www.quartz-scheduler.org/xml/JobSchedulingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.quartz-scheduler.org/xml/JobSchedulingData http://www.quartz-scheduler.org/xml/job_scheduling_data_2_0.xsd" version="2.0">
++ <schedule>
++ <job>
++ <name>xxe</name>
++ <group>native</group>
++ <description>&xxe;</description>
++ <job-class>org.quartz.jobs.NoOpJob</job-class>
++ <volatility>false</volatility>
++ <durability>true</durability>
++ <recover>false</recover>
++ <job-data-map>
++ <entry><key>foo</key><value>bar</value></entry>
++ </job-data-map>
++ </job>
++ </schedule>
++</job-scheduling-data>
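Review bot: The six hardening lines added to `initDocumentParser()` (the `setFeature(...)`, `setXIncludeAware(false)` and `setExpandEntityReferences(false)` calls) carry no comment saying why they are there or what happens when the JAXP provider does not recognise the two Apache-specific feature URIs; since `DocumentBuilderFactory.setFeature` throws `ParserConfigurationException` for an unsupported feature, the parser fails closed rather than silently staying vulnerable, and that is worth stating next to the code. I would add above the first `setFeature` line: `// CVE-2019-13990: refuse DOCTYPE and external entities; setFeature throws ParserConfigurationException (fail closed) if the parser lacks a feature.` In the test, `assertTrue(e.getMessage().contains("DOCTYPE is disallowed"))` pins Xerces's wording, while catching `SAXParseException` is the assertion that matters, so the message check could be dropped or loosened if the test is ever run against another parser. The header says the test was adapted for 1.8.6, but it still expects the `SAXParseException` to reach the test unwrapped through `processFileAndScheduleJobs`; it is worth confirming that 1.8.6 does not wrap parse errors, otherwise the catch never fires and the test fails on the wrapping exception instead. `initDocumentParser()` and the test class both start and end outside the quoted hunks.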
=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
disable_update_check_864769.patch
j2ee-dependencies.patch
+CVE-2019-13990.patch