Bug#962828: libpgjava: CVE-2020-13692

Salvatore Bonaccorso carnil at debian.org
Fri Jun 19 12:53:04 BST 2020


Hi Michael,

On Fri, Jun 19, 2020 at 12:08:36PM +0200, Michael Banck wrote:
> tags 962828 +patch
> thanks
> 
> Hi,
> 
> > On Sunday, 14.06.2020, 22:28 +0200, Christoph Berg wrote:
> > Re: Salvatore Bonaccorso
> > > CVE-2020-13692[0]:
> > > > PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
> > 
> > > > which older versions are affected by this, and what is the impact?
> > > > 
> > > 
> > > I would probably only worry about 42.2.x versions
> > > impact summary
> > > https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
> > > 
> > > 
> > > > In Debian, we currently ship:
> > > > 
> > > > libpgjava  | 9.2-1002-1    | oldoldstable | source (ignore, it's EOL
> > > > really soon)
> > > > libpgjava  | 9.4.1212-1    | oldstable    | source
> > > > libpgjava  | 42.2.5-2      | stable       | source
> > > > libpgjava  | 42.2.12-1     | testing      | source
> > > > libpgjava  | 42.2.12-1     | unstable     | source
> > > > 
> > > > Can you share the actual CVE diff, so we can fix it in the older
> > > > versions?
> > > 
> > > Here is the diff
> > > https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65
> > 
> > (I haven't checked yet if that diff applies to the buster package.)
> 
> I've backpatched that commit to the stable version (several edits were
> required but the general code structure is similar) and verified that it
> builds and that autopkgtest runs fine.
> 
> I haven't tested it otherwise yet, nor tried to reproduce the CVE, I
> guess no exploits are available?

I'm not aware of any to explicitly test for the CVE.

As I see you want to target buster-security in your upload: The CVE
does not really warrant a CVE, as such it was marked no-dsa, but a fix
can go ideally into the next point release. For that though the issue
should first be fixed in unstable.

But I would suggest (even if the version was never used) to actually
use something like 42.2.5-2+deb10u1 for the used version.

Regards,
Salvatore
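The thread points at the OWASP XML External Entity Prevention cheat sheet for the impact of CVE-2020-13692 but does not show what the hardening looks like in Java. The class below is an added example, written for this page; it is not code from the thread, from the linked pgjdbc commit, or from the Debian package, and it does not claim to reproduce the driver's own SQLXML handling. It builds a `DocumentBuilderFactory` with the parser features the cheat sheet recommends, then feeds it a constructed document whose DOCTYPE declares an external entity pointing at a placeholder path. The hardened parser rejects the DOCTYPE outright, so the entity is never resolved; a default-configured factory would attempt to read the referenced file. The class name, the sample documents and the file path are all made up for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example (not pgjdbc code): an XXE-hardened DOM parser, per the OWASP cheat sheet. */
public class XxeHardeningDemo {

    // Constructed sample: a DOCTYPE declaring an external entity. The SYSTEM
    // identifier is a placeholder path; a parser that resolves external entities
    // would try to read it and inline the contents into <data>.
    static final String SAMPLE_WITH_DOCTYPE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\"> ]>\n"
        + "<data>&ext;</data>";

    // Constructed sample: an ordinary document with no DOCTYPE at all.
    static final String SAMPLE_PLAIN = "<data>hello</data>";

    /** A DocumentBuilderFactory that refuses DOCTYPEs and external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: reject any DOCTYPE, so no entity can be declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, should an implementation ignore the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf;
    }

    /** Parses the document and returns the text content of its root element. */
    static String parseRootText(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory hardened = hardenedFactory();

        // Plain documents still parse normally.
        System.out.println("plain document: " + parseRootText(hardened, SAMPLE_PLAIN));

        // The DOCTYPE is rejected before any entity could be resolved.
        try {
            parseRootText(hardened, SAMPLE_WITH_DOCTYPE);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

The same feature names apply to `SAXParserFactory`, and `XMLInputFactory` (StAX) has its own equivalents (`XMLInputFactory.SUPPORT_DTD` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` set to `false`); whichever API a driver uses to materialise `SQLXML` values needs the corresponding settings, which is the class of change a fix for this CVE has to make.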


