[pkg-java] r19223 - in trunk/fop/debian: . patches
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Wed May 24 13:58:15 UTC 2017
Author: ebourg-guest
Date: 2017-05-24 13:58:15 +0000 (Wed, 24 May 2017)
New Revision: 19223
Added:
trunk/fop/debian/patches/CVE-2017-5661.patch
Modified:
trunk/fop/debian/changelog
trunk/fop/debian/patches/series
Log:
Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567)
Modified: trunk/fop/debian/changelog
===================================================================
--- trunk/fop/debian/changelog 2017-05-20 18:54:00 UTC (rev 19222)
+++ trunk/fop/debian/changelog 2017-05-24 13:58:15 UTC (rev 19223)
@@ -1,3 +1,10 @@
+fop (1:2.1-6) unstable; urgency=high
+
+ * Team upload.
+ * Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567)
+
+ -- Emmanuel Bourg <ebourg at apache.org> Wed, 24 May 2017 15:53:03 +0200
+
fop (1:2.1-5) unstable; urgency=medium
* Fix FTBFS now that comments are parsed by javadoc. Closes: #852910
Added: trunk/fop/debian/patches/CVE-2017-5661.patch
===================================================================
--- trunk/fop/debian/patches/CVE-2017-5661.patch (rev 0)
+++ trunk/fop/debian/patches/CVE-2017-5661.patch 2017-05-24 13:58:15 UTC (rev 19223)
@@ -0,0 +1,25 @@
+Description: CVE-2017-5661: Dont load DTDs
+Origin: backport, https://svn.apache.org/r1769967
+Bug: https://issues.apache.org/jira/browse/FOP-2668
+Bug-Debian: https://bugs.debian.org/860567
+--- a/src/java/org/apache/fop/cli/InputHandler.java
++++ b/src/java/org/apache/fop/cli/InputHandler.java
+@@ -244,6 +244,7 @@
+ SAXParserFactory spf = SAXParserFactory.newInstance();
+ spf.setFeature("http://xml.org/sax/features/namespaces", true);
+ spf.setFeature("http://apache.org/xml/features/xinclude", true);
++ spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ XMLReader xr = spf.newSAXParser().getXMLReader();
+ return xr;
+ }
+--- a/src/java/org/apache/fop/servlet/FopServlet.java
++++ b/src/java/org/apache/fop/servlet/FopServlet.java
+@@ -96,6 +96,8 @@
+ public void init() throws ServletException {
+ this.uriResolver = new ServletContextURIResolver(getServletContext());
+ this.transFactory = TransformerFactory.newInstance();
++ transFactory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transFactory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ this.transFactory.setURIResolver(this.uriResolver);
+ //Configure FopFactory as desired
+ // TODO: Double check this behaves properly!!
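Review bot: The added `disallow-doctype-decl` feature in InputHandler makes the SAX parser reject any input that carries a DOCTYPE at all (a SAXParseException rather than a skipped DTD), so XML/FO inputs that legitimately declare a DTD will now fail to parse; if that regression matters for the package, the same disclosure path can be closed while still accepting such documents by instead setting `http://apache.org/xml/features/nonvalidating/load-external-dtd`, `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to `false`. Either way the new feature call should be documented, e.g. `// CVE-2017-5661: refuse DOCTYPE so external entities/DTDs are never fetched`, since the security intent is not visible from the feature URI alone. In FopServlet, `TransformerFactory.setAttribute` throws IllegalArgumentException for a factory that does not recognize the JAXP 1.5 `ACCESS_EXTERNAL_*` attributes, which would make `init()` fail on a non-default TransformerFactory; wrapping the two calls in a `try { ... } catch (IllegalArgumentException e) { log.warn(...); }` (or setting `XMLConstants.FEATURE_SECURE_PROCESSING` first) would keep the servlet starting while still hardening the common case. The enclosing `init()` method continues outside this hunk.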
Modified: trunk/fop/debian/patches/series
===================================================================
--- trunk/fop/debian/patches/series 2017-05-20 18:54:00 UTC (rev 19222)
+++ trunk/fop/debian/patches/series 2017-05-24 13:58:15 UTC (rev 19223)
@@ -5,3 +5,4 @@
strip_user_host_from_manifest.patch
javadoc_encoding.patch
javadoc_allow-script-in-comments.patch
+CVE-2017-5661.patch