[lucene-solr] 05/11: Fix CVE-2017-12629

Markus Koschany apo at moszumanska.debian.org
Sun Jan 14 14:29:29 UTC 2018


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch master
in repository lucene-solr.

commit b1a7ccd489a7cc389bdb71200a424b28dfddbaef
Author: Markus Koschany <apo at debian.org>
Date:   Sat Jan 13 21:30:08 2018 +0100

    Fix CVE-2017-12629
---
 debian/conf/solrconfig.xml                        |  23 ----
 debian/patches/CVE-2017-12629.patch               | 130 ++++++++++++++++++++
 debian/patches/remove-RunExecutableListener.patch | 137 ++++++++++++++++++++++
 debian/patches/series                             |   2 +
 4 files changed, 269 insertions(+), 23 deletions(-)

diff --git a/debian/conf/solrconfig.xml b/debian/conf/solrconfig.xml
index 007ff72..e74ea3e 100644
--- a/debian/conf/solrconfig.xml
+++ b/debian/conf/solrconfig.xml
@@ -338,29 +338,6 @@
          postCommit - fired after every commit or optimize command
          postOptimize - fired after every optimize command
       -->
-    <!-- The RunExecutableListener executes an external command from a
-         hook such as postCommit or postOptimize.
-         
-         exe - the name of the executable to run
-         dir - dir to use as the current working directory. (default=".")
-         wait - the calling thread waits until the executable returns. 
-                (default="true")
-         args - the arguments to pass to the program.  (default is none)
-         env - environment variables to set.  (default is none)
-      -->
-    <!-- This example shows how RunExecutableListener could be used
-         with the script based replication...
-         http://wiki.apache.org/solr/CollectionDistribution
-      -->
-    <!--
-       <listener event="postCommit" class="solr.RunExecutableListener">
-         <str name="exe">solr/bin/snapshooter</str>
-         <str name="dir">.</str>
-         <bool name="wait">true</bool>
-         <arr name="args"> <str>arg1</str> <str>arg2</str> </arr>
-         <arr name="env"> <str>MYVAR=val1</str> </arr>
-       </listener>
-      -->
   </updateHandler>
   
   <!-- IndexReaderFactory
diff --git a/debian/patches/CVE-2017-12629.patch b/debian/patches/CVE-2017-12629.patch
new file mode 100644
index 0000000..96f06e8
--- /dev/null
+++ b/debian/patches/CVE-2017-12629.patch
@@ -0,0 +1,130 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 13 Jan 2018 16:48:33 +0100
+Subject: CVE-2017-12629
+
+---
+ .../org/apache/lucene/xmlparser/CoreParser.java    | 77 +++++++++++++++++-----
+ 1 file changed, 59 insertions(+), 18 deletions(-)
+
+diff --git a/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java b/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java
+index c84b90a..21b943a 100644
+--- a/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java
++++ b/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java
+@@ -1,9 +1,12 @@
+ package org.apache.lucene.xmlparser;
+ 
+ import java.io.InputStream;
++import java.util.Locale;
+ 
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
++import javax.xml.XMLConstants;
+ 
+ import org.apache.lucene.analysis.Analyzer;
+ import org.apache.lucene.queryParser.QueryParser;
+@@ -11,6 +14,10 @@ import org.apache.lucene.search.Query;
+ import org.apache.lucene.xmlparser.builders.*;
+ import org.w3c.dom.Document;
+ import org.w3c.dom.Element;
++import org.xml.sax.EntityResolver;
++import org.xml.sax.ErrorHandler;
++import org.xml.sax.SAXException;
++import org.xml.sax.InputSource;
+ 
+ /**
+  * Licensed to the Apache Software Foundation (ASF) under one or more
+@@ -124,6 +131,10 @@ public class CoreParser implements QueryBuilder
+ 		queryFactory.addBuilder("SpanNot",snot);	
+ 	}
+ 	
++  /**
++   * Parses the given stream as XML file and returns a {@link Query}.
++   * By default this disallows external entities for security reasons.
++   */
+ 	public Query parse(InputStream xmlStream) throws ParserException
+ 	{
+ 		return getQuery(parseXML(xmlStream).getDocumentElement());
+@@ -137,34 +148,64 @@ public class CoreParser implements QueryBuilder
+ 	{
+ 		filterFactory.addBuilder(nodeName,builder);
+ 	}
+-	
+-	private static Document parseXML(InputStream pXmlFile) throws ParserException
+-	{
+-		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+-		DocumentBuilder db = null;
++	  /**
++   * Returns a SAX {@link EntityResolver} to be used by {@link DocumentBuilder}.
++   * By default this returns {@link #DISALLOW_EXTERNAL_ENTITY_RESOLVER}, which disallows the
++   * expansion of external entities (for security reasons). To restore legacy behavior,
++   * override this method to return {@code null}.
++   */
++  protected EntityResolver getEntityResolver() {
++    return DISALLOW_EXTERNAL_ENTITY_RESOLVER;
++  }
++
++  /**
++   * Subclass and override to return a SAX {@link ErrorHandler} to be used by {@link DocumentBuilder}.
++   * By default this returns {@code null} so no error handler is used.
++   * This method can be used to redirect XML parse errors/warnings to a custom logger.
++   */
++  protected ErrorHandler getErrorHandler() {
++    return null;
++  }
++
++  private Document parseXML(InputStream pXmlFile) throws ParserException {
++    final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
++    dbf.setValidating(false);
+ 		try
+ 		{
+-			db = dbf.newDocumentBuilder();
+-		}
+-		catch (Exception se)
+-		{
+-			throw new ParserException("XML Parser configuration error", se);
++	      dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++		} catch (ParserConfigurationException e) {
++		// ignore since all implementations are required to support the
++		// {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} feature
+ 		}
+-		org.w3c.dom.Document doc = null;
++    final DocumentBuilder db;
+ 		try
+ 		{
+-			doc = db.parse(pXmlFile);
+-		}
+-		catch (Exception se)
+-		{
+-			throw new ParserException("Error parsing XML stream:" + se, se);
++	      db = dbf.newDocumentBuilder();
++		} catch (Exception se) {
++		throw new ParserException("XML Parser configuration error.", se);
+ 		}
+-		return doc;
++		try {
++		db.setEntityResolver(getEntityResolver());
++		db.setErrorHandler(getErrorHandler());
++		return db.parse(pXmlFile);
++		} catch (Exception se) {
++		throw new ParserException("Error parsing XML stream: " + se, se);
+ 	}
+-	
++  }
+ 
+ 	public Query getQuery(Element e) throws ParserException
+ 	{
+ 		return queryFactory.getQuery(e);
+ 	}
++    public static final EntityResolver DISALLOW_EXTERNAL_ENTITY_RESOLVER = createEntityResolver();
++
++    public static EntityResolver createEntityResolver() {
++        return new EntityResolver() {
++            public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
++                throw new SAXException(String.format(Locale.ENGLISH,
++                "External Entity resolving unsupported:  publicId=\"%s\" systemId=\"%s\"",
++                publicId, systemId));
++            }
++        };
++    }
+ }
diff --git a/debian/patches/remove-RunExecutableListener.patch b/debian/patches/remove-RunExecutableListener.patch
new file mode 100644
index 0000000..bdec749
--- /dev/null
+++ b/debian/patches/remove-RunExecutableListener.patch
@@ -0,0 +1,137 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 13 Jan 2018 17:14:03 +0100
+Subject: remove RunExecutableListener
+
+---
+ .../apache/solr/core/RunExecutableListener.java    | 122 ---------------------
+ 1 file changed, 122 deletions(-)
+ delete mode 100644 solr/core/src/java/org/apache/solr/core/RunExecutableListener.java
+
+diff --git a/solr/core/src/java/org/apache/solr/core/RunExecutableListener.java b/solr/core/src/java/org/apache/solr/core/RunExecutableListener.java
+deleted file mode 100644
+index 62f554e..0000000
+--- a/solr/core/src/java/org/apache/solr/core/RunExecutableListener.java
++++ /dev/null
+@@ -1,122 +0,0 @@
+-/**
+- * Licensed to the Apache Software Foundation (ASF) under one or more
+- * contributor license agreements.  See the NOTICE file distributed with
+- * this work for additional information regarding copyright ownership.
+- * The ASF licenses this file to You under the Apache License, Version 2.0
+- * (the "License"); you may not use this file except in compliance with
+- * the License.  You may obtain a copy of the License at
+- *
+- *     http://www.apache.org/licenses/LICENSE-2.0
+- *
+- * Unless required by applicable law or agreed to in writing, software
+- * distributed under the License is distributed on an "AS IS" BASIS,
+- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+- * See the License for the specific language governing permissions and
+- * limitations under the License.
+- */
+-
+-package org.apache.solr.core;
+-
+-import org.apache.solr.common.SolrException;
+-import org.apache.solr.common.util.NamedList;
+-import org.apache.solr.search.SolrIndexSearcher;
+-
+-import java.io.File;
+-import java.io.IOException;
+-import java.util.List;
+-import java.util.ArrayList;
+-
+-/**
+- */
+-class RunExecutableListener extends AbstractSolrEventListener {
+-  public RunExecutableListener(SolrCore core) {
+-    super(core);
+-  }
+-  protected String[] cmd;
+-  protected File dir;
+-  protected String[] envp;
+-  protected boolean wait=true;
+-
+-  @Override
+-  public void init(NamedList args) {
+-    super.init(args);
+-
+-    List cmdlist = new ArrayList();
+-    cmdlist.add(args.get("exe"));
+-    List lst = (List)args.get("args");
+-    if (lst != null) cmdlist.addAll(lst);
+-    cmd = (String[])cmdlist.toArray(new String[cmdlist.size()]);
+-
+-    lst = (List)args.get("env");
+-    if (lst != null) {
+-      envp = (String[])lst.toArray(new String[lst.size()]);
+-    }
+-
+-    String str = (String)args.get("dir");
+-    if (str==null || str.equals("") || str.equals(".") || str.equals("./")) {
+-      dir = null;
+-    } else {
+-      dir = new File(str);
+-    }
+-
+-    if ("false".equals(args.get("wait")) || Boolean.FALSE.equals(args.get("wait"))) wait=false;
+-  }
+-
+-  /**
+-   * External executable listener.
+-   * 
+-   * @param callback Unused (As of solr 1.4-dev)
+-   * @return Error code indicating if the command has executed successfully. <br />
+-   *  0 , indicates normal termination.<br />
+-   *  non-zero , otherwise.
+-   */
+-  protected int exec(String callback) {
+-    int ret = 0;
+-
+-    try {
+-      boolean doLog = log.isDebugEnabled();
+-      if (doLog) {
+-        log.debug("About to exec " + cmd[0]);
+-      }
+-      Process proc = Runtime.getRuntime().exec(cmd, envp ,dir);
+-
+-      if (wait) {
+-        try {
+-          ret = proc.waitFor();
+-        } catch (InterruptedException e) {
+-          SolrException.log(log,e);
+-          ret = INVALID_PROCESS_RETURN_CODE;
+-        }
+-      }
+-
+-      if (wait && doLog) {
+-        log.debug("Executable " + cmd[0] + " returned " + ret);
+-      }
+-
+-    } catch (IOException e) {
+-      // don't throw exception, just log it...
+-      SolrException.log(log,e);
+-      ret = INVALID_PROCESS_RETURN_CODE;
+-    }
+-
+-    return ret;
+-  }
+-
+-
+-  @Override
+-  public void postCommit() {
+-    // anything generic need to be passed to the external program?
+-    // the directory of the index?  the command that caused it to be
+-    // invoked?  the version of the index?
+-    exec("postCommit");
+-  }
+-
+-  @Override
+-  public void newSearcher(SolrIndexSearcher newSearcher, SolrIndexSearcher currentSearcher) {
+-    exec("newSearcher");
+-  }
+-
+-  /** Non-zero value for an invalid return code **/
+-  private static int INVALID_PROCESS_RETURN_CODE = -1;
+-
+-}
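Review bot: Deleting the class leaves any existing `solrconfig.xml` that still declares `<listener ... class="solr.RunExecutableListener">` naming a class that no longer exists. The example removed from debian/conf/solrconfig.xml shows that the class is referenced by name from configuration. The affected core will presumably fail to load after the upgrade, which is the safe outcome but should be announced. A debian/NEWS entry would cover it, for example `RunExecutableListener has been removed (CVE-2017-12629); delete any listener entries that reference it from solrconfig.xml`. This patch does not show whether other sources or tests in the tree still reference the class, so that is worth confirming with a clean build.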
diff --git a/debian/patches/series b/debian/patches/series
index a197129..133e43c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,5 @@ CVE-2013-6407_CVE-2013-6408.patch
 jetty-compatibility.patch
 commons-codec-compatibility.patch
 java8-compatibility.patch
+CVE-2017-12629.patch
+remove-RunExecutableListener.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/lucene-solr.git


