[Git][java-team/xmlgraphics-commons][master] 2 commits: Fix CVE-2020-11988
Markus Koschany (@apo)
gitlab at salsa.debian.org
Mon Aug 2 06:59:36 BST 2021
Markus Koschany pushed to branch master at Debian Java Maintainers / xmlgraphics-commons
Commits:
89ebbf60 by Markus Koschany at 2021-08-02T07:47:14+02:00
Fix CVE-2020-11988
- - - - -
4da3c838 by Markus Koschany at 2021-08-02T07:51:13+02:00
Update changelog and patch header
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2020-11988.patch
- + debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+xmlgraphics-commons (2.4-2) unstable; urgency=high
+
+ * Team upload.
+ * Fix CVE-2020-11988:
+ Apache XmlGraphics Commons is vulnerable to server-side request forgery,
+ caused by improper input validation by the XMPParser. By using a
+ specially-crafted argument, an attacker could exploit this vulnerability to
+ cause the underlying server to make arbitrary GET requests.
+ (Closes: #984949)
+
+ -- Markus Koschany <apo at debian.org> Mon, 02 Aug 2021 07:48:42 +0200
+
xmlgraphics-commons (2.4-1) unstable; urgency=medium
* New upstream version 2.4
=====================================
debian/patches/CVE-2020-11988.patch
=====================================
@@ -0,0 +1,77 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 2 Aug 2021 07:47:01 +0200
+Subject: CVE-2020-11988
+
+Bug-Debian: https://bugs.debian.org/984949
+Origin: https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
+---
+ .../java/org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++
+ .../org/apache/xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+index b7c0e5f..4c58a11 100644
+--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+@@ -21,6 +21,7 @@ package org.apache.xmlgraphics.xmp;
+
+ import java.net.URL;
+
++import javax.xml.XMLConstants;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+@@ -54,6 +55,8 @@ public final class XMPParser {
+ */
+ public static Metadata parseXMP(Source src) throws TransformerException {
+ TransformerFactory tFactory = TransformerFactory.newInstance();
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = tFactory.newTransformer();
+ XMPHandler handler = createXMPHandler();
+ SAXResult res = new SAXResult(handler);
+diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+index 02c4cf6..5f2ef05 100644
+--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+@@ -19,16 +19,21 @@
+
+ package org.apache.xmlgraphics.xmp;
+
++import java.io.StringReader;
+ import java.net.URL;
+ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.TimeZone;
+
++import javax.xml.transform.TransformerException;
++import javax.xml.transform.stream.StreamSource;
++
+ import org.junit.Test;
+
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertNotNull;
+ import static org.junit.Assert.assertNull;
++import static org.junit.Assert.assertTrue;
+
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
+@@ -189,4 +194,18 @@ public class XMPParserTestCase {
+ assertNull(title); //Empty value treated same as not existant
+ }
+
++ @Test
++ public void testExternalDTD() {
++ String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
++ + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n"
++ + "<root></root>";
++ StreamSource streamSource = new StreamSource(new StringReader(payload));
++ String msg = "";
++ try {
++ XMPParser.parseXMP(streamSource);
++ } catch (TransformerException e) {
++ msg = e.getMessage();
++ }
++ assertTrue(msg, msg.contains("access is not allowed"));
++ }
+ }
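Review bot: The two `tFactory.setAttribute(...)` calls added at the top of `parseXMP` only constrain the parser that the factory itself creates for the `Source` it is handed, so a caller that passes a `SAXSource` carrying its own pre-configured `XMLReader` (or a `DOMSource` built elsewhere) would not be covered by this check, if I read the JAXP contract correctly; the method body continues outside the hunk, so I cannot see whether any other entry point in the class constructs such a Source. `TransformerFactory.setAttribute` also throws `IllegalArgumentException` when the provider does not recognise `ACCESS_EXTERNAL_DTD`/`ACCESS_EXTERNAL_STYLESHEET`, which would turn every `parseXMP` call into a hard failure if a non-JDK XSLT implementation is first on the classpath, and the new `testExternalDTD` is tied to the same assumption because it matches the JDK's own wording `"access is not allowed"`. Since neither the why nor that dependency is visible from the code, I would put it next to the two calls: `// CVE-2020-11988: stop the transformer's parser from fetching external DTDs/stylesheets (SSRF). JAXP 1.5 attributes; a provider that lacks them throws IllegalArgumentException here.`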
=====================================
debian/patches/series
=====================================
@@ -0,0 +1 @@
+CVE-2020-11988.patch