[pkg-java] r19226 - in branches/fop/jessie/debian: . patches
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Wed May 24 22:19:41 UTC 2017
Author: ebourg-guest
Date: 2017-05-24 22:19:41 +0000 (Wed, 24 May 2017)
New Revision: 19226
Added:
branches/fop/jessie/debian/patches/CVE-2017-5661.patch
Modified:
branches/fop/jessie/debian/changelog
branches/fop/jessie/debian/patches/series
Log:
Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567)
Modified: branches/fop/jessie/debian/changelog
===================================================================
--- branches/fop/jessie/debian/changelog 2017-05-24 15:24:03 UTC (rev 19225)
+++ branches/fop/jessie/debian/changelog 2017-05-24 22:19:41 UTC (rev 19226)
@@ -1,3 +1,10 @@
+fop (1:1.1.dfsg2-1+deb8u1) jessie-security; urgency=high
+
+ * Team upload.
+ * Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567)
+
+ -- Emmanuel Bourg <ebourg at apache.org> Wed, 24 May 2017 17:35:34 +0200
+
fop (1:1.1.dfsg2-1) unstable; urgency=medium
* Team upload.
Added: branches/fop/jessie/debian/patches/CVE-2017-5661.patch
===================================================================
--- branches/fop/jessie/debian/patches/CVE-2017-5661.patch (rev 0)
+++ branches/fop/jessie/debian/patches/CVE-2017-5661.patch 2017-05-24 22:19:41 UTC (rev 19226)
@@ -0,0 +1,25 @@
+Description: CVE-2017-5661: Dont load DTDs
+Origin: backport, https://svn.apache.org/r1769967
+Bug: https://issues.apache.org/jira/browse/FOP-2668
+Bug-Debian: https://bugs.debian.org/860567
+--- a/src/java/org/apache/fop/cli/InputHandler.java
++++ b/src/java/org/apache/fop/cli/InputHandler.java
+@@ -259,6 +259,7 @@
+ SAXParserFactory spf = SAXParserFactory.newInstance();
+ spf.setFeature("http://xml.org/sax/features/namespaces", true);
+ spf.setFeature("http://apache.org/xml/features/xinclude", true);
++ spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ XMLReader xr = spf.newSAXParser().getXMLReader();
+ return xr;
+ }
+--- a/src/java/org/apache/fop/servlet/FopServlet.java
++++ b/src/java/org/apache/fop/servlet/FopServlet.java
+@@ -89,6 +89,8 @@
+ public void init() throws ServletException {
+ this.uriResolver = new ServletContextURIResolver(getServletContext());
+ this.transFactory = TransformerFactory.newInstance();
++ transFactory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transFactory.setAttribute(javax.xml.XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ this.transFactory.setURIResolver(this.uriResolver);
+ //Configure FopFactory as desired
+ this.fopFactory = FopFactory.newInstance();
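Review bot: The two `setAttribute` calls added to `FopServlet.init()` throw `IllegalArgumentException` on any `TransformerFactory` implementation that does not recognise the JAXP 1.5 `ACCESS_EXTERNAL_DTD`/`ACCESS_EXTERNAL_STYLESHEET` attributes, so the servlet would fail to initialise rather than run unhardened; that fail-closed outcome is the right one, but it is worth confirming which factory the jessie build resolves at runtime and, if it is not guaranteed to accept them, wrapping the calls so the failure surfaces as `throw new ServletException("TransformerFactory does not support " + javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD, e);` instead of an unexplained unchecked exception. In `InputHandler`, the line above the new `disallow-doctype-decl` feature leaves `http://apache.org/xml/features/xinclude` enabled, which still lets a document reference other resources by URI, so whether untrusted input can reach this reader should be confirmed and documented next to the feature lines. As a point of style, the two new `transFactory.setAttribute` lines omit the `this.` qualifier the neighbouring lines use. The `InputHandler` method begins outside the hunk and `init()` continues past it.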
Modified: branches/fop/jessie/debian/patches/series
===================================================================
--- branches/fop/jessie/debian/patches/series 2017-05-24 15:24:03 UTC (rev 19225)
+++ branches/fop/jessie/debian/patches/series 2017-05-24 22:19:41 UTC (rev 19226)
@@ -1,3 +1,4 @@
04_fixqdoxbuildfailure.patch
fixbuildxml.patch
replace-sRGB-profile.patch
+CVE-2017-5661.patch