[Git][java-team/jabref][master] 2 commits: Add patch from upstream commit to fix CVE-2018-1000652: XML External Entity attack.
gregor herrmann
gitlab at salsa.debian.org
Sat Feb 9 00:11:48 GMT 2019
gregor herrmann pushed to branch master at Debian Java Maintainers / jabref
Commits:
3252637a by gregor herrmann at 2019-02-08T23:49:58Z
Add patch from upstream commit to fix CVE-2018-1000652: XML External Entity attack.
Closes: #921772
Thanks: Moritz Muehlenhoff for the bug report.
- - - - -
f6a50cbf by gregor herrmann at 2019-02-09T00:11:33Z
update changelog
Gbp-Dch: Ignore
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+jabref (3.8.2+ds-12) UNRELEASED; urgency=medium
+
+ TODO: FTBFS with
+ /build/jabref-3.8.2+ds/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java:16: error: package org.slf4j does not exist
+ import org.slf4j.Logger;
+ ^
+ etc.
+
+ * Add patch from upstream commit to fix CVE-2018-1000652: XML External
+ Entity attack.
+ Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772)
+
+ -- gregor herrmann <gregoa at debian.org> Sat, 09 Feb 2019 00:54:59 +0100
+
jabref (3.8.2+ds-11) unstable; urgency=medium
* Add build dependency on libicu4j-java.
=====================================
debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch
=====================================
@@ -0,0 +1,81 @@
+From 89f855d76713b4cd25ac0830c719cd61c511851e Mon Sep 17 00:00:00 2001
+From: Nick <nick.s.weatherley at protonmail.com>
+Date: Mon, 30 Jul 2018 16:06:07 +0000
+Subject: [PATCH] Fix importer vulnerability (#4240)
+
+* Fix importer vulnerability
+Fixed issue #4229 where importer was vulnerable to XXE attacks by
+disabling DTDs along with adding warning to logger if features are
+unavailable. fixes #4229
+
+Bugs-Debian: https://bugs.debian.org/921772
+Bug: https://github.com/JabRef/jabref/issues/4229
+
+--- a/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
++++ b/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
+@@ -6,12 +6,15 @@
+
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
+
+ import net.sf.jabref.logic.importer.Importer;
+ import net.sf.jabref.logic.importer.ParserResult;
+ import net.sf.jabref.logic.msbib.MSBibDatabase;
+ import net.sf.jabref.logic.util.FileExtensions;
+
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
+ import org.w3c.dom.Document;
+ import org.xml.sax.InputSource;
+
+@@ -23,6 +26,10 @@
+ */
+ public class MsBibImporter extends Importer {
+
++ private static final Logger LOGGER = LoggerFactory.getLogger(MsBibImporter.class);
++ private static final String DISABLEDTD = "http://apache.org/xml/features/disallow-doctype-decl";
++ private static final String DISABLEEXTERNALDTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
++
+ @Override
+ public boolean isRecognizedFormat(BufferedReader reader) throws IOException {
+ Objects.requireNonNull(reader);
+@@ -34,7 +41,7 @@
+ */
+ Document docin;
+ try {
+- DocumentBuilder dbuild = DocumentBuilderFactory.newInstance().newDocumentBuilder();
++ DocumentBuilder dbuild = makeSafeDocBuilderFactory(DocumentBuilderFactory.newInstance()).newDocumentBuilder();
+ docin = dbuild.parse(new InputSource(reader));
+ } catch (Exception e) {
+ return false;
+@@ -65,4 +72,29 @@
+ return "Importer for the MS Office 2007 XML bibliography format.";
+ }
+
++ /**
++ * DocumentBuilderFactory makes a XXE safe Builder factory from dBuild. If not supported by current
++ * XML then returns original builder given and logs error.
++ * @param dBuild | DocumentBuilderFactory to be made XXE safe.
++ * @return If supported, XXE safe DocumentBuilderFactory. Else, returns original builder given
++ */
++ private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
++ String feature = null;
++
++ try {
++ feature = DISABLEDTD;
++ dBuild.setFeature(feature, true);
++
++ feature = DISABLEEXTERNALDTD;
++ dBuild.setFeature(feature, false);
++
++ dBuild.setXIncludeAware(false);
++ dBuild.setExpandEntityReferences(false);
++
++ } catch (ParserConfigurationException e) {
++ LOGGER.warn("Builder not fully configured. Feature:'{}' is probably not supported by current XML processor. {}", feature, e);
++ }
++
++ return dBuild;
++ }
+ }
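Review bot: All of the hardening in `makeSafeDocBuilderFactory` sits in a single try block, so if `dBuild.setFeature(DISABLEDTD, true)` throws ParserConfigurationException the external-DTD, XInclude and entity-expansion settings are never applied, and the method still hands the unhardened factory back to `isRecognizedFormat`, which goes on to parse the user-supplied file. Applying each feature in its own try keeps one unsupported feature from disabling the rest, and adding the SAX features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` (both false) gives a fallback on processors that lack `disallow-doctype-decl`. Since the importer reads untrusted files, it is worth deciding whether the "warn and continue" fallback should fail closed instead; at minimum the warning should state that the parser is not hardened rather than "not fully configured". Only this one parser construction is visible in the patch; if MsBibImporter or MSBibDatabase builds another XML parser elsewhere in the file, the same hardening is needed there too.
```java
private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
    // Each feature is set independently so one unsupported feature does not skip the rest.
    setFeatureOrWarn(dBuild, DISABLEDTD, true);
    setFeatureOrWarn(dBuild, DISABLEEXTERNALDTD, false);
    setFeatureOrWarn(dBuild, "http://xml.org/sax/features/external-general-entities", false);
    setFeatureOrWarn(dBuild, "http://xml.org/sax/features/external-parameter-entities", false);
    dBuild.setXIncludeAware(false);
    dBuild.setExpandEntityReferences(false);
    return dBuild;
}

private static void setFeatureOrWarn(DocumentBuilderFactory dBuild, String feature, boolean value) {
    try {
        dBuild.setFeature(feature, value);
    } catch (ParserConfigurationException e) {
        LOGGER.warn("XML feature '{}' is not supported by the current XML processor; parser is not fully hardened against XXE.", feature, e);
    }
}
```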
=====================================
debian/patches/series
=====================================
@@ -7,3 +7,4 @@
070_jdk9_swing.patch
080_jdk11_jaxb.patch
090_mariadb.patch
+100_CVE-2018-1000652_XXE-vulnerability.patch