[libxalan2-java] 62/71: Removed CVE-2014-0107.patch (fixed upstream)
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Fri Oct 13 15:38:34 UTC 2017
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch master
in repository libxalan2-java.
commit 9caceccdeb09ec9b7c8ab082da7155ef38b8556e
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Mon Sep 28 17:07:47 2015 +0200
Removed CVE-2014-0107.patch (fixed upstream)
---
debian/changelog | 4 +-
debian/patches/CVE-2014-0107.patch | 124 -------------------------------------
debian/patches/build.patch | 34 +++++-----
debian/patches/series | 1 -
4 files changed, 20 insertions(+), 143 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 6928d73..993ced6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
-libxalan2-java (2.7.1-10) UNRELEASED; urgency=medium
+libxalan2-java (2.7.2-1) UNRELEASED; urgency=medium
* Team upload.
+ * New upstream release
+ - Removed CVE-2014-0107.patch (fixed upstream)
* Simplified debian/patches/build.patch
* debian/control:
- Standards-Version updated to 3.9.6 (no changes)
diff --git a/debian/patches/CVE-2014-0107.patch b/debian/patches/CVE-2014-0107.patch
deleted file mode 100644
index 85ccb68..0000000
--- a/debian/patches/CVE-2014-0107.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-Description: Fix for CVE-2014-0107: Strengthen the secure processing mode by
- disabling external general entities, foreign attributes and access to the
- system properties. This could be exploited to execute arbitrary code remotely.
-Origin: https://svn.apache.org/r1581058
-Bug-Debian: https://bugs.debian.org/742577
---- a/src/org/apache/xalan/transformer/TransformerImpl.java
-+++ b/src/org/apache/xalan/transformer/TransformerImpl.java
-@@ -438,7 +438,9 @@
- try
- {
- if (sroot.getExtensions() != null)
-- m_extensionsTable = new ExtensionsTable(sroot);
-+ //only load extensions if secureProcessing is disabled
-+ if(!sroot.isSecureProcessing())
-+ m_extensionsTable = new ExtensionsTable(sroot);
- }
- catch (javax.xml.transform.TransformerException te)
- {te.printStackTrace();}
---- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
-+++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
-@@ -338,17 +338,29 @@
- }
- else
- {
-- // Can we switch the order here:
--
-- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
-- attributes.getQName(i), attributes.getValue(i),
-- target);
--
-- // Now we only add the element if it passed a validation check
-- if (success)
-- processedDefs.add(attrDef);
-+ //handle secure processing
-+ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
-+ {
-+ //foreign attributes are not allowed in secure processing mode
-+ // Then barf, because this element does not allow this attribute.
-+ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
-+ //+ " attribute is not allowed on the " + rawName
-+ // + " element!", null);
-+ }
- else
-- errorDefs.add(attrDef);
-+ {
-+
-+
-+ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
-+ attributes.getQName(i), attributes.getValue(i),
-+ target);
-+
-+ // Now we only add the element if it passed a validation check
-+ if (success)
-+ processedDefs.add(attrDef);
-+ else
-+ errorDefs.add(attrDef);
-+ }
- }
- }
-
---- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
-+++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
-@@ -335,6 +335,10 @@
- reader = XMLReaderFactory.createXMLReader();
- }
-
-+ if(m_isSecureProcessing)
-+ {
-+ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
-+ }
- // Need to set options!
- reader.setContentHandler(handler);
- reader.parse(isource);
---- a/src/org/apache/xpath/functions/FuncSystemProperty.java
-+++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
-@@ -58,7 +58,7 @@
-
- String fullName = m_arg0.execute(xctxt).str();
- int indexOfNSSep = fullName.indexOf(':');
-- String result;
-+ String result = null;
- String propName = "";
-
- // List of properties where the name of the
-@@ -98,8 +98,17 @@
-
- try
- {
-- result = System.getProperty(propName);
--
-+ //if secure procession is enabled only handle required properties do not not map any valid system property
-+ if(!xctxt.isSecureProcessing())
-+ {
-+ result = System.getProperty(propName);
-+ }
-+ else
-+ {
-+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
-+ new Object[]{ propName }); //"SecurityException when trying to access XSL system property: "+propName);
-+ result = xsltInfo.getProperty(propName);
-+ }
- if (null == result)
- {
-
-@@ -120,8 +129,17 @@
- {
- try
- {
-- result = System.getProperty(fullName);
--
-+ //if secure procession is enabled only handle required properties do not not map any valid system property
-+ if(!xctxt.isSecureProcessing())
-+ {
-+ result = System.getProperty(fullName);
-+ }
-+ else
-+ {
-+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
-+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
-+ result = xsltInfo.getProperty(fullName);
-+ }
- if (null == result)
- {
-
diff --git a/debian/patches/build.patch b/debian/patches/build.patch
index 82ecc5c..2fbce63 100644
--- a/debian/patches/build.patch
+++ b/debian/patches/build.patch
@@ -1,6 +1,6 @@
--- a/build.xml
+++ b/build.xml
-@@ -354,11 +354,13 @@
+@@ -365,11 +365,13 @@
puts the result in xdocs/sources/xalan for inclusion in the readme.xml -->
<echo message="Transform commits.xml and put the result in ${xdocs.dir}"/>
<java fork="yes" classname="${xalan.cmdline.class}" >
@@ -14,7 +14,7 @@
<classpath refid="docs.class.path" />
<arg line="loaderConfig=sbk:/style/loaderdesign.xml targetDirectory=./build/docs/design/
./xdocs/sources/xalandesign.xml ./xdocs/style"/>
-@@ -406,7 +408,9 @@
+@@ -419,7 +421,9 @@
<exclude name="${xsltc.reldir}/**/*.java" />
<classpath refid="compile.class.path" />
<bootclasspath refid="xslt.boot.class.path" />
@@ -24,7 +24,7 @@
</javac>
<!-- Copy needed properties, resource, etc. files to be put into .jar file -->
<copy todir="${build.classes}">
-@@ -475,6 +479,7 @@
+@@ -489,6 +493,7 @@
<echo message="java_cup preparsing"/>
<java fork="yes" failonerror="true"
classname="org.apache.xalan.xsltc.util.JavaCupRedirect" >
@@ -32,7 +32,7 @@
<classpath refid="xsltc.class.path" />
<!-- need to bootclasspath java_cup for JDKs that include JavaCupRedirect -->
<jvmarg value="-Xbootclasspath/p:${java_cup.jar}${path.separator}${runtime.jar}"/>
-@@ -493,8 +498,9 @@
+@@ -507,8 +512,9 @@
has to be generated after sym.java, so order is important. -->
<echo message="JLex preparsing"/>
<java fork="yes" failonerror="true" classname="JLex.Main" >
@@ -43,7 +43,7 @@
</java>
<echo message="JLex move output file"/>
<move file="${src.dir}/${xsltc.reldir}/compiler/xpath.lex.java" tofile="${generated.xpathlexer}"/>
-@@ -588,6 +594,12 @@
+@@ -604,6 +610,12 @@
<param name="param_jar_name" value="${runtime.jar.name}" />
</antcall>
@@ -56,7 +56,7 @@
<antcall target="xsltc.copy-deps-jar">
<param name="param_unless" value="xsltc.regexp_jar.not_needed" />
<param name="param_jar_name" value="${regexp.jar.name}" />
-@@ -958,6 +970,7 @@
+@@ -1002,6 +1014,7 @@
<java fork="yes"
classname="${doc.generator}"
classpathref="docs.class.path" >
@@ -64,7 +64,7 @@
<arg line="targetDirectory=${build.docs} ${xdocs.book} ${xdocs.style}"/>
</java>
</target>
-@@ -1028,6 +1041,7 @@
+@@ -1072,6 +1085,7 @@
<javadoc
additionalparam="-breakiterator"
destdir="${build.apidocs}"
@@ -72,7 +72,7 @@
public="true"
sourcepath="${src.dir}"
overview="${src.dir}/javadocOverview.html"
-@@ -1039,7 +1053,9 @@
+@@ -1083,7 +1097,9 @@
doctitle="${Name-in-docs} ${impl.version}"
bottom="Copyright © ${year} Apache XML Project. All Rights Reserved.">
<classpath refid="docs.class.path" />
@@ -82,7 +82,7 @@
<group title="Transformations API for XML (TrAX)" packages="javax.xml.transform*"/>
<group title="Java API for XML Parsing" packages="javax.xml.parsers"/>
<group title="Xalan Core"
-@@ -1394,6 +1410,7 @@
+@@ -1439,6 +1455,7 @@
<java fork="yes"
classname="${doc.generator}"
classpathref="docs.class.path" >
@@ -90,7 +90,7 @@
<arg line="targetDirectory=${site.dir} ${site.book} ${xdocs.style}"/>
</java>
-@@ -1422,6 +1439,7 @@
+@@ -1467,6 +1484,7 @@
<java fork="yes"
classname="${doc.generator}"
classpathref="docs.class.path" >
@@ -98,7 +98,7 @@
<arg line="targetDirectory=${xalan.apache.org.site.dir} ${xalan.apache.org.site.book} ${xdocs.style}"/>
</java>
-@@ -1474,6 +1492,7 @@
+@@ -1519,6 +1537,7 @@
<java fork="yes"
classname="${doc.generator}"
classpathref="docs.class.path" >
@@ -106,7 +106,7 @@
<arg line="loaderConfig=sbk:/style/loaderdesign.xml targetDirectory=${build.dir}/docs/design/
${xdocs.dir}/sources/xalandesign.xml ${xdocs.style}"/>
</java>
-@@ -1490,6 +1509,7 @@
+@@ -1535,6 +1554,7 @@
<java fork="yes"
classname="${xalan.cmdline.class}"
classpathref="docs.class.path" >
@@ -114,7 +114,7 @@
<arg line="-xsl ${xdocs.dir}/sources/xalan-collate.xsl
-out xdocs/sources/xalan/xalan-collate.xml"/>
</java>
-@@ -1499,6 +1519,7 @@
+@@ -1544,6 +1564,7 @@
<java fork="yes"
classname="${xalan.cmdline.class}"
classpathref="docs.class.path" >
@@ -122,7 +122,7 @@
<arg line="-in ${xdocs.dir}/sources/xalan/xalan-collate.xml
-param resourceFile '../../sources/xalan/resources.xml'
-param project ${Name-in-docs}
-@@ -1510,6 +1531,7 @@
+@@ -1555,6 +1576,7 @@
<java fork="yes"
classname="org.apache.fop.apps.CommandLine"
classpath="${java.class.path}:${build.xalan.jar}:${bin.dir}/fop.jar:${bin.dir}/w3c.jar">
@@ -130,7 +130,7 @@
<arg line="${build.docs}/xalan-collate.fo build/docs/xalan.pdf"/>
</java>
</target>
-@@ -1536,6 +1558,7 @@
+@@ -1581,6 +1603,7 @@
<java fork="yes"
classname="${doc.generator}"
classpathref="docs.class.path" >
@@ -138,7 +138,7 @@
<arg line="targetDirectory=${build.docs}/xsltc ${xdocs.dir}/sources/xsltc.xml ${xdocs.style}"/>
</java>
<copy todir="${build.docs}/xsltc"
-@@ -1695,7 +1718,7 @@
+@@ -1741,7 +1764,7 @@
use="true"
windowtitle="${Name-in-docs} Serializer ${impl.version}"
doctitle="${Name-in-docs} Serializer ${impl.version}"
@@ -147,7 +147,7 @@
<classpath refid="docs.class.path" />
<taglet name="xalan2jtaglet.XSLUsageTag" path="${taglet.jar}"/>
<group title="Serializer" packages="org.apache.xml.serialize*"/>
-@@ -1713,7 +1736,7 @@
+@@ -1759,7 +1782,7 @@
use="true"
windowtitle="${Name-in-docs} Serializer ${impl.version}"
doctitle="${Name-in-docs} Serializer ${impl.version}"
diff --git a/debian/patches/series b/debian/patches/series
index 1d5fa85..5879227 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
build.patch
-CVE-2014-0107.patch