[Git][java-team/libquartz2-java][master] 2 commits: Add patch for CVE-2019-13990 (Closes: #933170)

Mon Jul 6 05:56:36 BST 2020


Tony Mancill pushed to branch master at Debian Java Maintainers / libquartz2-java


Commits:
22d63fb4 by tony mancill at 2019-10-08T21:24:15-07:00
Add patch for CVE-2019-13990 (Closes: #933170)

- - - - -
edf2c930 by tony mancill at 2020-07-05T21:46:59-07:00
prepare for upload to unstable

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/03-CVE-2019-13990.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+libquartz2-java (2.3.0-3) unstable; urgency=medium
+
+  * Add patch for CVE-2019-13990 (Closes: #933170)
+
+ -- tony mancill <tmancill at debian.org>  Sun, 05 Jul 2020 21:39:41 -0700
+
 libquartz2-java (2.3.0-2) unstable; urgency=medium
 
   * Team upload.


=====================================
debian/patches/03-CVE-2019-13990.patch
=====================================
@@ -0,0 +1,92 @@
+Description: patch for CVE-2019-13990: XXE in initDocumentParser
+ provide XML parser with a strong configuration to prevent XXE attacks
+Source: https://github.com/quartz-scheduler/quartz/commit/a1395ba118df306c7fe67c24fb0c9a95a4473140.patch
+Author: Jonathan Gallimore <jon at jrg.me.uk>
+Bug-Debian: https://bugs.debian.org/933170
+Bug: https://github.com/quartz-scheduler/quartz/issues/467
+Forwarded: not-needed
+
+---
+ .../xml/XMLSchedulingDataProcessor.java       |  7 +++++
+ .../xml/XMLSchedulingDataProcessorTest.java   | 26 +++++++++++++++++++
+ .../org/quartz/xml/bad-job-config.xml         | 15 +++++++++++
+ 3 files changed, 48 insertions(+)
+ create mode 100755 quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+
+--- a/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
++++ b/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+@@ -174,6 +174,13 @@
+         
+         docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaSource());
+         
++        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++        docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++        docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++        docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++        docBuilderFactory.setXIncludeAware(false);
++        docBuilderFactory.setExpandEntityReferences(false);
++
+         docBuilder = docBuilderFactory.newDocumentBuilder();
+         
+         docBuilder.setErrorHandler(this);
+--- a/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
++++ b/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+@@ -30,6 +30,7 @@
+ import org.quartz.simpl.SimpleThreadPool;
+ import org.quartz.spi.ClassLoadHelper;
+ import org.quartz.utils.DBConnectionManager;
++import org.xml.sax.SAXParseException;
+ 
+ /**
+  * Unit test for XMLSchedulingDataProcessor.
+@@ -112,6 +113,31 @@
+ 				inStream.close();
+ 		}
+ 	}
++
++	public void testXmlParserConfiguration() throws Exception {
++		Scheduler scheduler = null;
++		try {
++			StdSchedulerFactory factory = new StdSchedulerFactory("org/quartz/xml/quartz-test.properties");
++			scheduler = factory.getScheduler();
++			ClassLoadHelper clhelper = new CascadingClassLoadHelper();
++			clhelper.initialize();
++			XMLSchedulingDataProcessor processor = new XMLSchedulingDataProcessor(clhelper);
++			processor.processFileAndScheduleJobs("org/quartz/xml/bad-job-config.xml", scheduler);
++
++
++			final JobKey jobKey = scheduler.getJobKeys(GroupMatcher.jobGroupEquals("native")).iterator().next();
++			final JobDetail jobDetail = scheduler.getJobDetail(jobKey);
++			final String description = jobDetail.getDescription();
++
++
++			fail("Expected parser configuration to block DOCTYPE. The following was injected into the job description field: " + description);
++    		} catch (SAXParseException e) {
++			assertTrue(e.getMessage().contains("DOCTYPE is disallowed"));
++		} finally {
++			if (scheduler != null)
++				scheduler.shutdown();
++    		}
++  	}
+ 	
+ 	/** QTZ-187 */
+ 	public void testDirectivesNoOverwriteWithIgnoreDups() throws Exception {
+--- /dev/null
++++ b/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+@@ -0,0 +1,15 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE foo [<!ELEMENT foo ANY >
++		<!ENTITY xxe SYSTEM "/" >]>
++<job-scheduling-data xmlns="http://www.quartz-scheduler.org/xml/JobSchedulingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.quartz-scheduler.org/xml/JobSchedulingData http://www.quartz-scheduler.org/xml/job_scheduling_data_2_0.xsd" version="2.0">
++	<schedule>
++		<job>
++			<name>xxe</name>
++			<group>native</group>
++			<description>&xxe;</description>
++			<job-class>org.quartz.xml.XMLSchedulingDataProcessorTest$MyJob</job-class>
++			<durability>true</durability>
++			<recover>false</recover>
++		</job>
++	</schedule>
++</job-scheduling-data>
+\ No newline at end of file


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
-02-java10-compatibility.patch
 01-j2ee-dependencies.patch
+02-java10-compatibility.patch
+03-CVE-2019-13990.patch



View it on GitLab: https://salsa.debian.org/java-team/libquartz2-java/-/compare/2a801469be44c4e92af6bfc0e01008184322cbd3...edf2c930892726c57e301020aa29a311b210214f

-- 
View it on GitLab: https://salsa.debian.org/java-team/libquartz2-java/-/compare/2a801469be44c4e92af6bfc0e01008184322cbd3...edf2c930892726c57e301020aa29a311b210214f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20200706/19c0c73a/attachment.html>
