[pkg-java] r17534 - in trunk/libcommons-fileupload-java/debian: . patches
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Mon Dec 2 21:13:34 UTC 2013
Author: ebourg-guest
Date: 2013-12-02 21:13:34 +0000 (Mon, 02 Dec 2013)
New Revision: 17534
Added:
trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch
Modified:
trunk/libcommons-fileupload-java/debian/changelog
trunk/libcommons-fileupload-java/debian/patches/series
Log:
Ack NMU
Modified: trunk/libcommons-fileupload-java/debian/changelog
===================================================================
--- trunk/libcommons-fileupload-java/debian/changelog 2013-12-02 17:23:20 UTC (rev 17533)
+++ trunk/libcommons-fileupload-java/debian/changelog 2013-12-02 21:13:34 UTC (rev 17534)
@@ -1,3 +1,14 @@
+libcommons-fileupload-java (1.3-2.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add CVE-2013-2186.patch patch.
+ CVE-2013-2186: Arbitrary file upload via deserialization. Properly
+ validate repository in src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java.
+ Thanks to Marc Deslauriers <marc.deslauriers at ubuntu.com> for
+ providing the debdiff. (Closes: #726601)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Fri, 15 Nov 2013 15:04:17 +0100
+
libcommons-fileupload-java (1.3-2) unstable; urgency=low
* Team upload.
Added: trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch
===================================================================
--- trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch (rev 0)
+++ trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch 2013-12-02 21:13:34 UTC (rev 17534)
@@ -0,0 +1,37 @@
+Description: fix arbitrary file overwrite via poison null byte
+Origin: upstream, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
+Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
+
+Index: libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+===================================================================
+--- libcommons-fileupload-java-1.3.orig/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-03-24 08:36:44.000000000 -0400
++++ libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 09:32:20.042865874 -0500
+@@ -656,6 +656,26 @@
+ // read values
+ in.defaultReadObject();
+
++ /* One expected use of serialization is to migrate HTTP sessions
++ * containing a DiskFileItem between JVMs. Particularly if the JVMs are
++ * on different machines It is possible that the repository location is
++ * not valid so validate it.
++ */
++ if (repository != null) {
++ if (repository.isDirectory()) {
++ // Check path for nulls
++ if (repository.getPath().contains("\0")) {
++ throw new IOException(format(
++ "The repository [%s] contains a null character",
++ repository.getPath()));
++ }
++ } else {
++ throw new IOException(format(
++ "The repository [%s] is not a directory",
++ repository.getAbsolutePath()));
++ }
++ }
++
+ OutputStream output = getOutputStream();
+ if (cachedContent != null) {
+ output.write(cachedContent);
Modified: trunk/libcommons-fileupload-java/debian/patches/series
===================================================================
--- trunk/libcommons-fileupload-java/debian/patches/series 2013-12-02 17:23:20 UTC (rev 17533)
+++ trunk/libcommons-fileupload-java/debian/patches/series 2013-12-02 21:13:34 UTC (rev 17534)
@@ -1 +1,2 @@
001_update-tests-for-servlet3-api.patch
+CVE-2013-2186.patch
More information about the pkg-java-commits
mailing list