Bug#921772: CVE-2018-1000652
tony mancill
tmancill at debian.org
Fri Apr 12 06:20:32 BST 2019
On Fri, Feb 08, 2019 at 11:37:20PM +0100, Moritz Muehlenhoff wrote:
> Package: jabref
> Severity: grave
> Tags: security
>
> This was assigned CVE-2018-1000652:
> https://github.com/JabRef/jabref/issues/4229
> https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e
Hello Moritz,
Attached is a debdiff to address this CVE in stretch. Please let me
know how/whether you'd like to proceed. (I could prepare an upload for
stretch-pu instead if that's preferable.)
I have built the binary and tested locally and everything appears to be
working as expected.
Thanks to Gregor putting this together.
Cheers,
tony
-------------- next part --------------
diff -Nru jabref-3.8.1+ds/debian/changelog jabref-3.8.1+ds/debian/changelog
--- jabref-3.8.1+ds/debian/changelog 2017-01-11 12:27:19.000000000 -0800
+++ jabref-3.8.1+ds/debian/changelog 2019-02-10 11:25:26.000000000 -0800
@@ -1,3 +1,12 @@
+jabref (3.8.1+ds-3+deb9u1) stretch-security; urgency=medium
+
+ [ gregor herrmann & tony mancill ]
+ * Add patch from upstream commit to fix CVE-2018-1000652: XML External
+ Entity attack.
+ Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772)
+
+ -- gregor herrmann <gregoa at debian.org> Sun, 10 Feb 2019 20:25:26 +0100
+
jabref (3.8.1+ds-3) unstable; urgency=medium
* Remove postgresql entry from debian/maven.rules.
diff -Nru jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch
--- jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 1969-12-31 16:00:00.000000000 -0800
+++ jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 2019-02-10 11:25:26.000000000 -0800
@@ -0,0 +1,81 @@
+From 89f855d76713b4cd25ac0830c719cd61c511851e Mon Sep 17 00:00:00 2001
+From: Nick <nick.s.weatherley at protonmail.com>
+Date: Mon, 30 Jul 2018 16:06:07 +0000
+Subject: [PATCH] Fix importer vulnerability (#4240)
+
+* Fix importer vulnerability
+Fixed issue #4229 where importer was vulnerable to XXE attacks by
+disabling DTDs along with adding warning to logger if features are
+unavailable. fixes #4229
+
+Bugs-Debian: https://bugs.debian.org/921772
+Bug: https://github.com/JabRef/jabref/issues/4229
+
+--- a/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
++++ b/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
+@@ -6,12 +6,15 @@
+
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
+
+ import net.sf.jabref.logic.importer.Importer;
+ import net.sf.jabref.logic.importer.ParserResult;
+ import net.sf.jabref.logic.msbib.MSBibDatabase;
+ import net.sf.jabref.logic.util.FileExtensions;
+
++import org.apache.commons.logging.Log;
++import org.apache.commons.logging.LogFactory;
+ import org.w3c.dom.Document;
+ import org.xml.sax.InputSource;
+
+@@ -23,6 +26,10 @@
+ */
+ public class MsBibImporter extends Importer {
+
++ private static final Log LOGGER = LogFactory.getLog(MsBibImporter.class);
++ private static final String DISABLEDTD = "http://apache.org/xml/features/disallow-doctype-decl";
++ private static final String DISABLEEXTERNALDTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
++
+ @Override
+ public boolean isRecognizedFormat(BufferedReader reader) throws IOException {
+ Objects.requireNonNull(reader);
+@@ -34,7 +41,7 @@
+ */
+ Document docin;
+ try {
+- DocumentBuilder dbuild = DocumentBuilderFactory.newInstance().newDocumentBuilder();
++ DocumentBuilder dbuild = makeSafeDocBuilderFactory(DocumentBuilderFactory.newInstance()).newDocumentBuilder();
+ docin = dbuild.parse(new InputSource(reader));
+ } catch (Exception e) {
+ return false;
+@@ -65,4 +72,29 @@
+ return "Importer for the MS Office 2007 XML bibliography format.";
+ }
+
++ /**
++ * DocumentBuilderFactory makes a XXE safe Builder factory from dBuild. If not supported by current
++ * XML then returns original builder given and logs error.
++ * @param dBuild | DocumentBuilderFactory to be made XXE safe.
++ * @return If supported, XXE safe DocumentBuilderFactory. Else, returns original builder given
++ */
++ private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
++ String feature = null;
++
++ try {
++ feature = DISABLEDTD;
++ dBuild.setFeature(feature, true);
++
++ feature = DISABLEEXTERNALDTD;
++ dBuild.setFeature(feature, false);
++
++ dBuild.setXIncludeAware(false);
++ dBuild.setExpandEntityReferences(false);
++
++ } catch (ParserConfigurationException e) {
++ LOGGER.warn("Builder not fully configured. Feature:'" + feature + "' is probably not supported by current XML processor.", e);
++ }
++
++ return dBuild;
++ }
+ }
diff -Nru jabref-3.8.1+ds/debian/patches/series jabref-3.8.1+ds/debian/patches/series
--- jabref-3.8.1+ds/debian/patches/series 2017-01-11 12:27:19.000000000 -0800
+++ jabref-3.8.1+ds/debian/patches/series 2019-02-10 11:25:26.000000000 -0800
@@ -4,3 +4,4 @@
030_xjc.patch
050_unirest_json.patch
070_restore_normal_colors.patch
+100_CVE-2018-1000652_XXE-vulnerability.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20190411/c71dd21c/attachment.sig>
More information about the pkg-java-maintainers
mailing list