[libxstream-java] 01/01: Backported the fix for CVE-2016-3674

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Tue Mar 29 12:09:11 UTC 2016


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository libxstream-java.

commit 9b91e415d1821f6f3d29dc372e2df4020e76ed9d
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Tue Mar 29 13:58:10 2016 +0200

    Backported the fix for CVE-2016-3674
---
 debian/changelog                   |   8 +
 debian/patches/CVE-2016-3674.patch | 351 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 360 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 366d204..7af9fe2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libxstream-java (1.4.7-2+deb8u1) jessie-security; urgency=high
+
+  * Security update:
+    - CVE-2016-3674: XML external entity injection vulnerability
+     (Closes: #819455)
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Tue, 29 Mar 2016 13:54:56 +0200
+
 libxstream-java (1.4.7-2) unstable; urgency=medium
 
   * Depend on libcglib3-java instead of libcglib-java
diff --git a/debian/patches/CVE-2016-3674.patch b/debian/patches/CVE-2016-3674.patch
new file mode 100644
index 0000000..d14f261
--- /dev/null
+++ b/debian/patches/CVE-2016-3674.patch
@@ -0,0 +1,351 @@
+Description: CVE-2016-3674: XML external entity injection vulnerability
+Origin: backport, https://github.com/x-stream/xstream/commit/c9b121a
+                  https://github.com/x-stream/xstream/commit/25c6704
+                  https://github.com/x-stream/xstream/commit/87172cf
+                  https://github.com/x-stream/xstream/commit/7c77ac0
+                  https://github.com/x-stream/xstream/commit/7183131
+                  https://github.com/x-stream/xstream/commit/812a0fa
+                  https://github.com/x-stream/xstream/commit/6438b65
+Bug: https://github.com/x-stream/xstream/issues/25
+Bug-Debian: https://bugs.debian.org/819455
+--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/BEAStaxDriver.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/BEAStaxDriver.java
+@@ -62,7 +62,9 @@
+     }
+ 
+     protected XMLInputFactory createInputFactory() {
+-        return new MXParserFactory();
++        XMLInputFactory instance = new MXParserFactory();
++        instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
++        return instance;
+     }
+ 
+     protected XMLOutputFactory createOutputFactory() {
+--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/Dom4JDriver.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/Dom4JDriver.java
+@@ -26,6 +26,7 @@
+ import org.dom4j.io.OutputFormat;
+ import org.dom4j.io.SAXReader;
+ import org.dom4j.io.XMLWriter;
++import org.xml.sax.SAXException;
+ 
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+@@ -89,8 +90,7 @@
+ 
+     public HierarchicalStreamReader createReader(Reader text) {
+         try {
+-            SAXReader reader = new SAXReader();
+-            Document document = reader.read(text);
++            Document document = createReader().read(text);
+             return new Dom4JReader(document, getNameCoder());
+         } catch (DocumentException e) {
+             throw new StreamException(e);
+@@ -99,8 +99,7 @@
+ 
+     public HierarchicalStreamReader createReader(InputStream in) {
+         try {
+-            SAXReader reader = new SAXReader();
+-            Document document = reader.read(in);
++            Document document = createReader().read(in);
+             return new Dom4JReader(document, getNameCoder());
+         } catch (DocumentException e) {
+             throw new StreamException(e);
+@@ -112,8 +111,7 @@
+      */
+     public HierarchicalStreamReader createReader(URL in) {
+         try {
+-            SAXReader reader = new SAXReader();
+-            Document document = reader.read(in);
++            Document document = createReader().read(in);
+             return new Dom4JReader(document, getNameCoder());
+         } catch (DocumentException e) {
+             throw new StreamException(e);
+@@ -125,8 +123,7 @@
+      */
+     public HierarchicalStreamReader createReader(File in) {
+         try {
+-            SAXReader reader = new SAXReader();
+-            Document document = reader.read(in);
++            Document document = createReader().read(in);
+             return new Dom4JReader(document, getNameCoder());
+         } catch (DocumentException e) {
+             throw new StreamException(e);
+@@ -148,4 +145,21 @@
+         final Writer writer = new OutputStreamWriter(out);
+         return createWriter(writer);
+     }
++
++    /**
++     * Create and initialize the SAX reader.
++     *
++     * @return the SAX reader instance.
++     * @throws DocumentException if DOCTYPE processing cannot be disabled
++     * @since upcoming
++     */
++    protected SAXReader createReader() throws DocumentException {
++        SAXReader reader = new SAXReader();
++        try {
++            reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++        } catch (SAXException e) {
++            throw new DocumentException("Cannot disable DOCTYPE processing", e);
++        }
++        return reader;
++    }
+ }
+--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java
+@@ -39,7 +39,7 @@
+ public class DomDriver extends AbstractXmlDriver {
+ 
+     private final String encoding;
+-    private final DocumentBuilderFactory documentBuilderFactory;
++    private DocumentBuilderFactory documentBuilderFactory;
+ 
+     /**
+      * Construct a DomDriver.
+@@ -61,7 +61,6 @@
+      */
+     public DomDriver(String encoding, NameCoder nameCoder) {
+         super(nameCoder);
+-        documentBuilderFactory = DocumentBuilderFactory.newInstance();
+         this.encoding = encoding;
+     }
+ 
+@@ -91,6 +90,13 @@
+ 
+     private HierarchicalStreamReader createReader(InputSource source) {
+         try {
++            if (documentBuilderFactory == null) {
++                synchronized (this) {
++                    if (documentBuilderFactory == null) {
++                        documentBuilderFactory = createDocumentBuilderFactory();
++                    }
++                }
++            }
+             DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
+             if (encoding != null) {
+                 source.setEncoding(encoding);
+@@ -121,4 +127,20 @@
+             throw new StreamException(e);
+         }
+     }
++
++    /**
++     * Create the DocumentBuilderFactory instance.
++     *
++     * @return the new instance
++     * @since upcoming
++     */
++    protected DocumentBuilderFactory createDocumentBuilderFactory() {
++        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++        try {
++            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++        } catch (ParserConfigurationException e) {
++            throw new StreamException(e);
++        }
++        return factory;
++    }
+ }
+--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Driver.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Driver.java
+@@ -47,7 +47,7 @@
+ 
+     public HierarchicalStreamReader createReader(Reader reader) {
+         try {
+-            SAXBuilder builder = new SAXBuilder();
++            SAXBuilder builder = createBuilder();
+             Document document = builder.build(reader);
+             return new JDom2Reader(document, getNameCoder());
+         } catch (IOException e) {
+@@ -59,7 +59,7 @@
+ 
+     public HierarchicalStreamReader createReader(InputStream in) {
+         try {
+-            SAXBuilder builder = new SAXBuilder();
++            SAXBuilder builder = createBuilder();
+             Document document = builder.build(in);
+             return new JDom2Reader(document, getNameCoder());
+         } catch (IOException e) {
+@@ -71,7 +71,7 @@
+ 
+     public HierarchicalStreamReader createReader(URL in) {
+         try {
+-            SAXBuilder builder = new SAXBuilder();
++            SAXBuilder builder = createBuilder();
+             Document document = builder.build(in);
+             return new JDom2Reader(document, getNameCoder());
+         } catch (IOException e) {
+@@ -83,7 +83,7 @@
+ 
+     public HierarchicalStreamReader createReader(File in) {
+         try {
+-            SAXBuilder builder = new SAXBuilder();
++            SAXBuilder builder = createBuilder();
+             Document document = builder.build(in);
+             return new JDom2Reader(document, getNameCoder());
+         } catch (IOException e) {
+@@ -100,5 +100,17 @@
+     public HierarchicalStreamWriter createWriter(OutputStream out) {
+         return new PrettyPrintWriter(new OutputStreamWriter(out));
+     }
++
++    /**
++     * Create and initialize the SAX builder.
++     *
++     * @return the SAX builder instance.
++     * @since upcoming
++     */
++    protected SAXBuilder createBuilder() {
++        SAXBuilder builder = new SAXBuilder();
++        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++        return builder;
++    }
+ }
+ 
+--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java
+@@ -55,7 +55,7 @@
+ 
+     public HierarchicalStreamReader createReader(Reader reader) {
+         try {
+-            SAXBuilder builder = new SAXBuilder();
++            SAXBuilder builder = createBuilder();
+             Document document = builder.build(reader);
+             return new JDomReader(document, getNameCoder());
+         } catch (IOException e) {
+@@ -67,7 +67,7 @@
+ 
+     public HierarchicalStreamReader createReader(InputStream in) {
+         try {
+-            SAXBuilder builder = new SAXBuilder();
++            SAXBuilder builder = createBuilder();
+             Document document = builder.build(in);
+             return new JDomReader(document, getNameCoder());
+         } catch (IOException e) {
+@@ -79,7 +79,7 @@
+ 
+     public HierarchicalStreamReader createReader(URL in) {
+         try {
+-            SAXBuilder builder = new SAXBuilder();
++            SAXBuilder builder = createBuilder();
+             Document document = builder.build(in);
+             return new JDomReader(document, getNameCoder());
+         } catch (IOException e) {
+@@ -91,7 +91,7 @@
+ 
+     public HierarchicalStreamReader createReader(File in) {
+         try {
+-            SAXBuilder builder = new SAXBuilder();
++            SAXBuilder builder = createBuilder();
+             Document document = builder.build(in);
+             return new JDomReader(document, getNameCoder());
+         } catch (IOException e) {
+@@ -109,5 +109,17 @@
+         return new PrettyPrintWriter(new OutputStreamWriter(out));
+     }
+ 
++    /**
++     * Create and initialize the SAX builder.
++     *
++     * @return the SAX builder instance.
++     * @since upcoming
++     */
++    protected SAXBuilder createBuilder() {
++        SAXBuilder builder = new SAXBuilder();
++        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++        return builder;
++    }
++
+ }
+ 
+--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/SjsxpDriver.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/SjsxpDriver.java
+@@ -58,7 +58,9 @@
+     protected XMLInputFactory createInputFactory() {
+         Exception exception = null;
+         try {
+-            return (XMLInputFactory)Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance();
++            XMLInputFactory instance = (XMLInputFactory)Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance();
++            instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
++            return instance;
+         } catch (InstantiationException e) {
+             exception = e;
+         } catch (IllegalAccessException e) {
+--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/StandardStaxDriver.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/StandardStaxDriver.java
+@@ -75,7 +75,9 @@
+         try {
+             Class staxInputFactory = JVM.getStaxInputFactory();
+             if (staxInputFactory != null) {
+-                return (XMLInputFactory)staxInputFactory.newInstance();
++                XMLInputFactory instance = (XMLInputFactory)staxInputFactory.newInstance();
++                instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
++                return instance;
+             } else {
+                 throw new StreamException("Java runtime has no standard XMLInputFactory implementation.", exception);
+             }
+--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/StaxDriver.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/StaxDriver.java
+@@ -238,7 +238,9 @@
+      * @since 1.4
+      */
+     protected XMLInputFactory createInputFactory() {
+-        return XMLInputFactory.newInstance();
++        XMLInputFactory instance = XMLInputFactory.newInstance();
++        instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
++        return instance;
+     }
+ 
+     /**
+--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/WstxDriver.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/WstxDriver.java
+@@ -62,7 +62,9 @@
+     }
+ 
+     protected XMLInputFactory createInputFactory() {
+-        return new WstxInputFactory();
++        XMLInputFactory instance = new WstxInputFactory();
++        instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
++        return instance;
+     }
+ 
+     protected XMLOutputFactory createOutputFactory() {
+--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java
+@@ -79,7 +79,7 @@
+ 
+     public HierarchicalStreamReader createReader(Reader text) {
+         try {
+-            Document document = builder.build(text);
++            Document document = getBuilder().build(text);
+             return new XomReader(document, getNameCoder());
+         } catch (ValidityException e) {
+             throw new StreamException(e);
+@@ -92,7 +92,7 @@
+ 
+     public HierarchicalStreamReader createReader(InputStream in) {
+         try {
+-            Document document = builder.build(in);
++            Document document = getBuilder().build(in);
+             return new XomReader(document, getNameCoder());
+         } catch (ValidityException e) {
+             throw new StreamException(e);
+@@ -105,7 +105,7 @@
+ 
+     public HierarchicalStreamReader createReader(URL in) {
+         try {
+-            Document document = builder.build(in.toExternalForm());
++            Document document = getBuilder().build(in.toExternalForm());
+             return new XomReader(document, getNameCoder());
+         } catch (ValidityException e) {
+             throw new StreamException(e);
+@@ -118,7 +118,7 @@
+ 
+     public HierarchicalStreamReader createReader(File in) {
+         try {
+-            Document document = builder.build(in);
++            Document document = getBuilder().build(in);
+             return new XomReader(document, getNameCoder());
+         } catch (ValidityException e) {
+             throw new StreamException(e);
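Review bot: The lazy initialization added to DomDriver.createReader(InputSource) (the `if (documentBuilderFactory == null)` block) is double-checked locking on a field that this same patch changes from `final` to a plain non-volatile field, so under the Java memory model a second thread can observe a non-null reference to a factory that is not yet fully published; declaring it `private volatile DocumentBuilderFactory documentBuilderFactory;` makes the pattern sound without changing the lazy, overridable creation. The XomDriver hunks only replace the `builder` field with `getBuilder()` calls and the patch adds no hardened builder for XOM, so unless `getBuilder()` (outside the hunk) already disables DOCTYPE handling, XOM-based parsing is not covered by this backport and should be checked against the upstream commits listed in the Origin header. The StAX drivers (BEAStaxDriver, SjsxpDriver, StandardStaxDriver, StaxDriver, WstxDriver) set only `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES`, which stops external entity resolution but leaves DTD processing enabled; if the upstream fix also sets `XMLInputFactory.SUPPORT_DTD` to `false` that should be backported, otherwise a one-line comment next to each call stating that DTD processing is intentionally left on would document the residual scope. The enclosing DomDriver.createReader method and the XomDriver class continue outside the hunk.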
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..cfbb099 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2016-3674.patch



