[Git][java-team/velocity][debian/buster] 2 commits: CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability...
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Thu May 13 11:18:54 BST 2021
Chris Lamb pushed to branch debian/buster at Debian Java Maintainers / velocity
Commits:
285e6809 by Chris Lamb at 2021-05-13T11:04:52+01:00
CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability that can be exploited by applications that allow untrusted users to upload/modify Velocity templates. (Closes: #985220)
- - - - -
6e13b05b by Chris Lamb at 2021-05-13T11:14:13+01:00
releasing package velocity version 1.7-5+deb10u1
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+velocity (1.7-5+deb10u1) buster; urgency=medium
+
+ * CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability
+ that can be exploited by applications that allow untrusted users to
+ upload/modify Velocity templates. (Closes: #985220)
+
+ -- Chris Lamb <lamby at debian.org> Thu, 13 May 2021 11:11:57 +0100
+
velocity (1.7-5) unstable; urgency=medium
* Team upload.
=====================================
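--- /dev/null
+++ b/debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
@@ -0,0 +1,58 @@
+From: Chris Lamb <lamby at debian.org>
+Date: Thu, 13 May 2021 11:03:13 +0100
+Subject: CVE-2020-13936: Prevent a potential arbitrary code execution
+ vulnerability that can be exploited by applications that allow untrusted
+ users to upload/modify Velocity templates. (Closes: #985220)
+
+---
+ .../org/apache/velocity/runtime/defaults/velocity.properties | 7 +------
+ .../velocity/util/introspection/SecureIntrospectorImpl.java | 9 +++++++++
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+index 750a59a..9415ca5 100644
+--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+@@ -247,13 +247,9 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
+
+ introspector.restrict.packages = java.lang.reflect
+
+-# The two most dangerous classes
++## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+
+ introspector.restrict.classes = java.lang.Class
+-introspector.restrict.classes = java.lang.ClassLoader
+-
+-# Restrict these for extra safety
+-
+ introspector.restrict.classes = java.lang.Compiler
+ introspector.restrict.classes = java.lang.InheritableThreadLocal
+ introspector.restrict.classes = java.lang.Package
+@@ -262,7 +258,6 @@ introspector.restrict.classes = java.lang.Runtime
+ introspector.restrict.classes = java.lang.RuntimePermission
+ introspector.restrict.classes = java.lang.SecurityManager
+ introspector.restrict.classes = java.lang.System
+-introspector.restrict.classes = java.lang.Thread
+ introspector.restrict.classes = java.lang.ThreadGroup
+ introspector.restrict.classes = java.lang.ThreadLocal
+
+diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+index f317b1c..35ea9e9 100644
+--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
+ return true;
+ }
+
++ /**
++ * Always disallow ClassLoader, Thread and subclasses
++ */
++ if (ClassLoader.class.isAssignableFrom(clazz) ||
++ Thread.class.isAssignableFrom(clazz))
++ {
++ return false;
++ }
++
+ /**
+ * check the classname (minus any array info)
+ * whether it matches disallowed classes or packages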
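Review bot: The `isAssignableFrom` guard added to SecureIntrospectorImpl only protects deployments whose uberspector actually routes through SecureIntrospectorImpl, yet the same patch drops the `java.lang.ClassLoader` and `java.lang.Thread` lines from `introspector.restrict.classes` in velocity.properties, so anything else that consumes that property list (a custom uberspector, or an application that copied the shipped defaults) silently loses those two entries; unless the upstream fix deliberately removed them, keeping the two property lines next to the code check is the safer combination, since duplicate `introspector.restrict.classes` entries are harmless. The replacement comment in velocity.properties is written with `##` while every neighbouring comment in that hunk uses a single `#`. The patch header also carries no DEP-3 metadata; adding `Bug-Debian: https://bugs.debian.org/985220` and `Origin: upstream, <upstream commit URL>` would record where the change comes from and make the backport easier to audit. The method in SecureIntrospectorImpl that receives the new check starts and ends outside the hunk, so whether any class can reach the `return true;` shown just above it before the new guard runs cannot be judged from this page.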
=====================================
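--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-fix-example-scripts.patch
+0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch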