[Git][java-team/libquartz2-java][master] 2 commits: Add patch for CVE-2019-13990 (Closes: #933170)
Tony Mancill
gitlab at salsa.debian.org
Mon Jul 6 05:56:36 BST 2020
Tony Mancill pushed to branch master at Debian Java Maintainers / libquartz2-java
Commits:
22d63fb4 by tony mancill at 2019-10-08T21:24:15-07:00
Add patch for CVE-2019-13990 (Closes: #933170)
- - - - -
edf2c930 by tony mancill at 2020-07-05T21:46:59-07:00
prepare for upload to unstable
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/03-CVE-2019-13990.patch
- debian/patches/series
Changes:
=====================================
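--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libquartz2-java (2.3.0-3) unstable; urgency=medium
+
+ * Add patch for CVE-2019-13990 (Closes: #933170)
+
+ -- tony mancill <tmancill at debian.org> Sun, 05 Jul 2020 21:39:41 -0700
+
 libquartz2-java (2.3.0-2) unstable; urgency=medium
  * Team upload.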
=====================================
debian/patches/03-CVE-2019-13990.patch
=====================================
@@ -0,0 +1,92 @@
+Description: patch for CVE-2019-13990: XXE in initDocumentParser
+ provide XML parser with a strong configuration to prevent XXE attacks
+Source: https://github.com/quartz-scheduler/quartz/commit/a1395ba118df306c7fe67c24fb0c9a95a4473140.patch
+Author: Jonathan Gallimore <jon at jrg.me.uk>
+Bug-Debian: https://bugs.debian.org/933170
+Bug: https://github.com/quartz-scheduler/quartz/issues/467
+Forwarded: not-needed
+
+---
+ .../xml/XMLSchedulingDataProcessor.java | 7 +++++
+ .../xml/XMLSchedulingDataProcessorTest.java | 26 +++++++++++++++++++
+ .../org/quartz/xml/bad-job-config.xml | 15 +++++++++++
+ 3 files changed, 48 insertions(+)
+ create mode 100755 quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+
+--- a/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
++++ b/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+@@ -174,6 +174,13 @@
+
+ docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaSource());
+
++ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ docBuilderFactory.setXIncludeAware(false);
++ docBuilderFactory.setExpandEntityReferences(false);
++
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+
+ docBuilder.setErrorHandler(this);
+--- a/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
++++ b/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+@@ -30,6 +30,7 @@
+ import org.quartz.simpl.SimpleThreadPool;
+ import org.quartz.spi.ClassLoadHelper;
+ import org.quartz.utils.DBConnectionManager;
++import org.xml.sax.SAXParseException;
+
+ /**
+ * Unit test for XMLSchedulingDataProcessor.
+@@ -112,6 +113,31 @@
+ inStream.close();
+ }
+ }
++
++ public void testXmlParserConfiguration() throws Exception {
++ Scheduler scheduler = null;
++ try {
++ StdSchedulerFactory factory = new StdSchedulerFactory("org/quartz/xml/quartz-test.properties");
++ scheduler = factory.getScheduler();
++ ClassLoadHelper clhelper = new CascadingClassLoadHelper();
++ clhelper.initialize();
++ XMLSchedulingDataProcessor processor = new XMLSchedulingDataProcessor(clhelper);
++ processor.processFileAndScheduleJobs("org/quartz/xml/bad-job-config.xml", scheduler);
++
++
++ final JobKey jobKey = scheduler.getJobKeys(GroupMatcher.jobGroupEquals("native")).iterator().next();
++ final JobDetail jobDetail = scheduler.getJobDetail(jobKey);
++ final String description = jobDetail.getDescription();
++
++
++ fail("Expected parser configuration to block DOCTYPE. The following was injected into the job description field: " + description);
++ } catch (SAXParseException e) {
++ assertTrue(e.getMessage().contains("DOCTYPE is disallowed"));
++ } finally {
++ if (scheduler != null)
++ scheduler.shutdown();
++ }
++ }
+
+ /** QTZ-187 */
+ public void testDirectivesNoOverwriteWithIgnoreDups() throws Exception {
+--- /dev/null
++++ b/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+@@ -0,0 +1,15 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE foo [<!ELEMENT foo ANY >
++ <!ENTITY xxe SYSTEM "/" >]>
++<job-scheduling-data xmlns="http://www.quartz-scheduler.org/xml/JobSchedulingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.quartz-scheduler.org/xml/JobSchedulingData http://www.quartz-scheduler.org/xml/job_scheduling_data_2_0.xsd" version="2.0">
++ <schedule>
++ <job>
++ <name>xxe</name>
++ <group>native</group>
++ <description>&xxe;</description>
++ <job-class>org.quartz.xml.XMLSchedulingDataProcessorTest$MyJob</job-class>
++ <durability>true</durability>
++ <recover>false</recover>
++ </job>
++ </schedule>
++</job-scheduling-data>
+\ No newline at end of file
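Review bot: The hardening in the `XMLSchedulingDataProcessor.java` hunk (`@@ -174,6 +174,13 @@`) depends on four `docBuilderFactory.setFeature(...)` calls, and `DocumentBuilderFactory.setFeature` throws `ParserConfigurationException` when the pluggable JAXP implementation does not recognise a feature URI; the enclosing `initDocumentParser` starts and ends outside the hunk, so whether that exception propagates to the caller or is caught and ignored there — which would leave the parser unhardened without any signal — cannot be confirmed from this patch and is worth checking against the surrounding method. The added `testXmlParserConfiguration` guards against exactly that regression, but it pins the Xerces wording with `assertTrue(e.getMessage().contains("DOCTYPE is disallowed"));`, so on a conforming parser that phrases the rejection differently the test fails even though the DOCTYPE was blocked; checking only that a `SAXParseException` reached the catch block, e.g. `assertNotNull(e);` with a comment explaining that the message text is implementation-specific, would make the test portable. A one-line comment above the new `setFeature` block, such as `// CVE-2019-13990: refuse DOCTYPE/external entities so job XML cannot trigger XXE`, would also make the intent of the six configuration lines visible to the next maintainer.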
=====================================
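--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
-02-java10-compatibility.patch
 01-j2ee-dependencies.patch
+02-java10-compatibility.patch
+03-CVE-2019-13990.patch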