[pkg-java] r17945 - in branches/libxalan2-java/wheezy-security/debian: . patches

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Tue Mar 25 14:44:47 UTC 2014


Author: ebourg-guest
Date: 2014-03-25 14:44:47 +0000 (Tue, 25 Mar 2014)
New Revision: 17945

Added:
   branches/libxalan2-java/wheezy-security/debian/patches/CVE-2014-0107.patch
Modified:
   branches/libxalan2-java/wheezy-security/debian/changelog
   branches/libxalan2-java/wheezy-security/debian/patches/series
Log:
Fix CVE-2014-0107 for Wheezy



Modified: branches/libxalan2-java/wheezy-security/debian/changelog
===================================================================
--- branches/libxalan2-java/wheezy-security/debian/changelog	2014-03-25 14:35:22 UTC (rev 17944)
+++ branches/libxalan2-java/wheezy-security/debian/changelog	2014-03-25 14:44:47 UTC (rev 17945)
@@ -1,3 +1,13 @@
+libxalan2-java (2.7.1-7+deb7u1) wheezy-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2014-0107: Strengthen the secure processing mode by disabling
+    external general entities, foreign attributes and access to the system
+    properties. This could be exploited to execute arbitrary code remotely.
+    (Closes: #742577)
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Tue, 25 Mar 2014 15:37:47 +0100
+
 libxalan2-java (2.7.1-7) unstable; urgency=low
 
   [Jakub Adam]

Added: branches/libxalan2-java/wheezy-security/debian/patches/CVE-2014-0107.patch
===================================================================
--- branches/libxalan2-java/wheezy-security/debian/patches/CVE-2014-0107.patch	                        (rev 0)
+++ branches/libxalan2-java/wheezy-security/debian/patches/CVE-2014-0107.patch	2014-03-25 14:44:47 UTC (rev 17945)
@@ -0,0 +1,124 @@
+Description: Fix for CVE-2014-0107: Strengthen the secure processing mode by
+ disabling external general entities, foreign attributes and access to the
+ system properties. This could be exploited to execute arbitrary code remotely.
+Origin: https://svn.apache.org/r1581058
+Bug-Debian: https://bugs.debian.org/742577
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@
+     try
+     {
+       if (sroot.getExtensions() != null)
+-        m_extensionsTable = new ExtensionsTable(sroot);
++        //only load extensions if secureProcessing is disabled
++        if(!sroot.isSecureProcessing())
++            m_extensionsTable = new ExtensionsTable(sroot);
+     }
+     catch (javax.xml.transform.TransformerException te)
+     {te.printStackTrace();}
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,29 @@
+       }
+       else
+       {
+-        // Can we switch the order here:
+-
+-        boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+-                             attributes.getQName(i), attributes.getValue(i),
+-                             target);
+-                             
+-        // Now we only add the element if it passed a validation check
+-        if (success)
+-            processedDefs.add(attrDef);
++        //handle secure processing
++        if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++        {
++            //foreign attributes are not allowed in secure processing mode
++            // Then barf, because this element does not allow this attribute.
++            handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++            //+ " attribute is not allowed on the " + rawName
++            // + " element!", null);
++        }
+         else
+-            errorDefs.add(attrDef);
++        {
++
++
++            boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++                                 attributes.getQName(i), attributes.getValue(i),
++                                 target);
++
++            // Now we only add the element if it passed a validation check
++            if (success)
++                processedDefs.add(attrDef);
++            else
++                errorDefs.add(attrDef);
++        }
+       }
+     }
+ 
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@
+           reader = XMLReaderFactory.createXMLReader();
+         }
+ 
++        if(m_isSecureProcessing)
++        {
++            reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++        }
+         // Need to set options!
+         reader.setContentHandler(handler);
+         reader.parse(isource);
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@
+ 
+     String fullName = m_arg0.execute(xctxt).str();
+     int indexOfNSSep = fullName.indexOf(':');
+-    String result;
++    String result = null;
+     String propName = "";
+ 
+     // List of properties where the name of the
+@@ -98,8 +98,17 @@
+ 
+         try
+         {
+-          result = System.getProperty(propName);
+-
++          //if secure procession is enabled only handle required properties do not not map any valid system property
++          if(!xctxt.isSecureProcessing())
++          {
++            result = System.getProperty(propName);
++          }
++          else
++          {
++            warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++                 new Object[]{ propName });  //"SecurityException when trying to access XSL system property: "+propName);
++            result = xsltInfo.getProperty(propName);
++          }
+           if (null == result)
+           {
+ 
+@@ -120,8 +129,17 @@
+     {
+       try
+       {
+-        result = System.getProperty(fullName);
+-
++        //if secure procession is enabled only handle required properties do not not map any valid system property
++        if(!xctxt.isSecureProcessing())
++        {
++          result = System.getProperty(fullName);
++        }
++        else
++        {
++          warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++               new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);
++          result = xsltInfo.getProperty(fullName);
++        }
+         if (null == result)
+         {
+ 

Modified: branches/libxalan2-java/wheezy-security/debian/patches/series
===================================================================
--- branches/libxalan2-java/wheezy-security/debian/patches/series	2014-03-25 14:35:22 UTC (rev 17944)
+++ branches/libxalan2-java/wheezy-security/debian/patches/series	2014-03-25 14:44:47 UTC (rev 17945)
@@ -1,2 +1,2 @@
 build.patch
-
+CVE-2014-0107.patch



