[pkg-java] r17941 - in trunk/libxalan2-java/debian: . patches
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Tue Mar 25 14:21:38 UTC 2014
Author: ebourg-guest
Date: 2014-03-25 14:21:38 +0000 (Tue, 25 Mar 2014)
New Revision: 17941
Added:
trunk/libxalan2-java/debian/patches/CVE-2014-0107.patch
Modified:
trunk/libxalan2-java/debian/changelog
trunk/libxalan2-java/debian/patches/series
Log:
Fix CVE-2014-0107: Remote code execution
Modified: trunk/libxalan2-java/debian/changelog
===================================================================
--- trunk/libxalan2-java/debian/changelog 2014-03-25 11:03:19 UTC (rev 17940)
+++ trunk/libxalan2-java/debian/changelog 2014-03-25 14:21:38 UTC (rev 17941)
@@ -1,6 +1,10 @@
libxalan2-java (2.7.1-9) UNRELEASED; urgency=medium
* Team upload.
+ * Fix CVE-2014-0107: Strengthen the secure processing mode by disabling
+ external general entities, foreign attributes and access to the system
+ properties. This could be exploited to execute arbitrary code remotely.
+ (Closes: #742577)
* debian/control:
- Standards-Version updated to 3.9.5 (no changes)
- Use canonical URLs for the Vcs-* fields
Added: trunk/libxalan2-java/debian/patches/CVE-2014-0107.patch
===================================================================
--- trunk/libxalan2-java/debian/patches/CVE-2014-0107.patch (rev 0)
+++ trunk/libxalan2-java/debian/patches/CVE-2014-0107.patch 2014-03-25 14:21:38 UTC (rev 17941)
@@ -0,0 +1,124 @@
+Description: Fix for CVE-2014-0107: Strengthen the secure processing mode by
+ disabling external general entities, foreign attributes and access to the
+ system properties. This could be exploited to execute arbitrary code remotely.
+Origin: https://svn.apache.org/r1581058
+Bug-Debian: https://bugs.debian.org/742577
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@
+ try
+ {
+ if (sroot.getExtensions() != null)
+- m_extensionsTable = new ExtensionsTable(sroot);
++ //only load extensions if secureProcessing is disabled
++ if(!sroot.isSecureProcessing())
++ m_extensionsTable = new ExtensionsTable(sroot);
+ }
+ catch (javax.xml.transform.TransformerException te)
+ {te.printStackTrace();}
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,29 @@
+ }
+ else
+ {
+- // Can we switch the order here:
+-
+- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+- attributes.getQName(i), attributes.getValue(i),
+- target);
+-
+- // Now we only add the element if it passed a validation check
+- if (success)
+- processedDefs.add(attrDef);
++ //handle secure processing
++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++ {
++ //foreign attributes are not allowed in secure processing mode
++ // Then barf, because this element does not allow this attribute.
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++ //+ " attribute is not allowed on the " + rawName
++ // + " element!", null);
++ }
+ else
+- errorDefs.add(attrDef);
++ {
++
++
++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++ attributes.getQName(i), attributes.getValue(i),
++ target);
++
++ // Now we only add the element if it passed a validation check
++ if (success)
++ processedDefs.add(attrDef);
++ else
++ errorDefs.add(attrDef);
++ }
+ }
+ }
+
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@
+ reader = XMLReaderFactory.createXMLReader();
+ }
+
++ if(m_isSecureProcessing)
++ {
++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++ }
+ // Need to set options!
+ reader.setContentHandler(handler);
+ reader.parse(isource);
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@
+
+ String fullName = m_arg0.execute(xctxt).str();
+ int indexOfNSSep = fullName.indexOf(':');
+- String result;
++ String result = null;
+ String propName = "";
+
+ // List of properties where the name of the
+@@ -98,8 +98,17 @@
+
+ try
+ {
+- result = System.getProperty(propName);
+-
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(propName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ propName }); //"SecurityException when trying to access XSL system property: "+propName);
++ result = xsltInfo.getProperty(propName);
++ }
+ if (null == result)
+ {
+
+@@ -120,8 +129,17 @@
+ {
+ try
+ {
+- result = System.getProperty(fullName);
+-
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(fullName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ result = xsltInfo.getProperty(fullName);
++ }
+ if (null == result)
+ {
+
Modified: trunk/libxalan2-java/debian/patches/series
===================================================================
--- trunk/libxalan2-java/debian/patches/series 2014-03-25 11:03:19 UTC (rev 17940)
+++ trunk/libxalan2-java/debian/patches/series 2014-03-25 14:21:38 UTC (rev 17941)
@@ -1,2 +1,2 @@
build.patch
-
+CVE-2014-0107.patch
More information about the pkg-java-commits
mailing list