[pkg-java] r17947 - branches/libxalan2-java/squeeze-security/debian/patches
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Tue Mar 25 15:35:46 UTC 2014
Author: ebourg-guest
Date: 2014-03-25 15:35:46 +0000 (Tue, 25 Mar 2014)
New Revision: 17947
Added:
branches/libxalan2-java/squeeze-security/debian/patches/CVE-2014-0107.patch
Log:
Fix CVE-2014-0107 for Squeeze (with the patch this time)
Added: branches/libxalan2-java/squeeze-security/debian/patches/CVE-2014-0107.patch
===================================================================
--- branches/libxalan2-java/squeeze-security/debian/patches/CVE-2014-0107.patch (rev 0)
+++ branches/libxalan2-java/squeeze-security/debian/patches/CVE-2014-0107.patch 2014-03-25 15:35:46 UTC (rev 17947)
@@ -0,0 +1,124 @@
+Description: Fix for CVE-2014-0107: Strengthen the secure processing mode by
+ disabling external general entities, foreign attributes and access to the
+ system properties. This could be exploited to execute arbitrary code remotely.
+Origin: https://svn.apache.org/r1581058
+Bug-Debian: https://bugs.debian.org/742577
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@
+ try
+ {
+ if (sroot.getExtensions() != null)
+- m_extensionsTable = new ExtensionsTable(sroot);
++ //only load extensions if secureProcessing is disabled
++ if(!sroot.isSecureProcessing())
++ m_extensionsTable = new ExtensionsTable(sroot);
+ }
+ catch (javax.xml.transform.TransformerException te)
+ {te.printStackTrace();}
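Review bot: The two unbraced `if` statements with a comment between them are easy to misread and would bind a later `else` to the wrong test. Fold them into one condition, `if (sroot.getExtensions() != null && !sroot.isSecureProcessing())`, with the comment placed above it. When secure processing is enabled this path leaves `m_extensionsTable` unassigned and reports nothing, so a stylesheet that declares extensions presumably fails only later, at the point of use. A comment stating that callers must tolerate a missing table, or a warning through the error listener, would make the fail-closed behaviour explicit. The enclosing method starts and ends outside the hunk, so the field's initial value cannot be confirmed from here.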
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,29 @@
+ }
+ else
+ {
+- // Can we switch the order here:
+-
+- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+- attributes.getQName(i), attributes.getValue(i),
+- target);
+-
+- // Now we only add the element if it passed a validation check
+- if (success)
+- processedDefs.add(attrDef);
++ //handle secure processing
++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++ {
++ //foreign attributes are not allowed in secure processing mode
++ // Then barf, because this element does not allow this attribute.
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++ //+ " attribute is not allowed on the " + rawName
++ // + " element!", null);
++ }
+ else
+- errorDefs.add(attrDef);
++ {
++
++
++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++ attributes.getQName(i), attributes.getValue(i),
++ target);
++
++ // Now we only add the element if it passed a validation check
++ if (success)
++ processedDefs.add(attrDef);
++ else
++ errorDefs.add(attrDef);
++ }
+ }
+ }
+
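Review bot: The wildcard test `attrDef.getName().compareTo("*")==0` is an equality check written as an ordering comparison and will throw if `getName()` ever returns null; `if ("*".equals(attrDef.getName()) && handler.getStylesheetProcessor().isSecureProcessing())` says the same thing safely. The `handler.error(...)` line also carries the old string-concatenated message as trailing commented-out code across three lines, which should be deleted and replaced with a single comment such as `// secure processing: reject attributes matched only by the wildcard (foreign) definition`. Whether processing stops after `handler.error` depends on the error listener, which is not visible here. If it can return, the attribute is silently skipped, and that is worth stating in the comment. The enclosing loop and `if` begin outside the hunk.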
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@
+ reader = XMLReaderFactory.createXMLReader();
+ }
+
++ if(m_isSecureProcessing)
++ {
++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++ }
+ // Need to set options!
+ reader.setContentHandler(handler);
+ reader.parse(isource);
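Review bot: Only `external-general-entities` is switched off on the reader, so external parameter entities and the external DTD subset can still be fetched while parsing in secure mode. Consider also setting `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` inside the same `if(m_isSecureProcessing)` block. `setFeature` can throw `SAXNotRecognizedException` or `SAXNotSupportedException`; the handler for those is outside the hunk, so confirm that an unsupported feature aborts the parse rather than continuing with entities enabled. The hardening is applied only to the reader on this path, and it is worth checking that no other reader in the factory is created without it.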
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@
+
+ String fullName = m_arg0.execute(xctxt).str();
+ int indexOfNSSep = fullName.indexOf(':');
+- String result;
++ String result = null;
+ String propName = "";
+
+ // List of properties where the name of the
+@@ -98,8 +98,17 @@
+
+ try
+ {
+- result = System.getProperty(propName);
+-
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(propName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ propName }); //"SecurityException when trying to access XSL system property: "+propName);
++ result = xsltInfo.getProperty(propName);
++ }
+ if (null == result)
+ {
+
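Review bot: In secure mode `warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION, ...)` fires on every call, before the `xsltInfo` lookup, so a legitimate request for a property that `xsltInfo` does define is reported as a security exception. The same block is repeated for `fullName` in the next hunk (`@@ -120,8 +129,17 @@`). Doing the lookup first and warning only on a miss, `result = xsltInfo.getProperty(propName);` followed by `if (null == result) warn(...);`, keeps the signal meaningful for anyone monitoring these warnings. The comment should read `// In secure processing mode resolve only the properties defined in xsltInfo; never read JVM system properties`, since the current text has typos ("procession", "do not not"). The duplicated branch could be moved to one private helper taking the property name; the surrounding method body lies outside both hunks.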
+@@ -120,8 +129,17 @@
+ {
+ try
+ {
+- result = System.getProperty(fullName);
+-
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(fullName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ result = xsltInfo.getProperty(fullName);
++ }
+ if (null == result)
+ {
+