[Git][java-team/libcommons-fileupload-java][master] 3 commits: Add patch for CVE-2023-24998 (Closes: #1031733)

Tony Mancill (@tmancill) gitlab at salsa.debian.org
Thu Feb 23 03:49:30 GMT 2023



Tony Mancill pushed to branch master at Debian Java Maintainers / libcommons-fileupload-java


Commits:
1cfb74fa by tony mancill at 2023-02-22T19:42:11-08:00
Add patch for CVE-2023-24998 (Closes: #1031733)

- - - - -
dfe71fa9 by tony mancill at 2023-02-22T19:42:11-08:00
Include Apache NOTICE file in binary package

- - - - -
a2c5b4ee by tony mancill at 2023-02-22T19:42:11-08:00
Prepare changelog for upload to unstable

- - - - -


4 changed files:

- debian/changelog
- + debian/libcommons-fileupload-java.docs
- + debian/patches/003_CVE-2023-24998.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+libcommons-fileupload-java (1.4-2) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch for CVE-2023-24998 (Closes: #1031733)
+  * Include Apache NOTICE file in binary package
+
+ -- tony mancill <tmancill at debian.org>  Wed, 22 Feb 2023 19:37:24 -0800
+
 libcommons-fileupload-java (1.4-1) unstable; urgency=medium
 
   * New upstream release
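Review bot: the `1.4-2` entry names the CVE but says neither what it is nor that the fix is opt-in, which is what a reader of the security tracker wants from a changelog line. The patch description further down states the issue (unbounded number of request parts leading to DoS) and the new `fileCountMax` field defaults to `-1` (no maximum), so consider something like `* Add patch for CVE-2023-24998: unbounded number of request parts allows DoS; applications must call setFileCountMax() to enable the limit (Closes: #1031733)`.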


=====================================
debian/libcommons-fileupload-java.docs
=====================================
@@ -0,0 +1 @@
+NOTICE.txt


=====================================
debian/patches/003_CVE-2023-24998.patch
=====================================
@@ -0,0 +1,117 @@
+Description: CVE-2023-24998
+ Apache Commons FileUpload before 1.5 does not limit the number of
+ request parts to be processed resulting in the possibility of an
+ attacker triggering a DoS with a malicious upload or series of uploads.
+Origin: https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
+Author: Mark Thomas <markt at apache.org>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031733
+Forwarded: not-needed
+
+--- /dev/null
++++ b/src/main/java/org/apache/commons/fileupload/FileCountLimitExceededException.java
+@@ -0,0 +1,51 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.commons.fileupload;
++
++/**
++ * This exception is thrown if a request contains more files than the specified
++ * limit.
++ */
++public class FileCountLimitExceededException extends FileUploadException {
++
++    private static final long serialVersionUID = 6904179610227521789L;
++
++	/**
++     * The limit that was exceeded.
++     */
++    private final long limit;
++
++    /**
++     * Creates a new instance.
++     *
++     * @param message The detail message
++     * @param limit The limit that was exceeded
++     */
++    public FileCountLimitExceededException(final String message, final long limit) {
++        super(message);
++        this.limit = limit;
++    }
++
++    /**
++     * Retrieves the limit that was exceeded.
++     *
++     * @return The limit that was exceeded by the request
++     */
++    public long getLimit() {
++        return limit;
++    }
++}
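Review bot: the Javadoc opener above the `limit` field (`++	/**`) is indented with a tab while every other line in this new file uses four spaces; replace the tab so the backport matches the rest of the file and does not show up as a whitespace diff against upstream. Otherwise the class is fine: it extends `FileUploadException`, carries a `serialVersionUID`, and exposes the exceeded limit via `getLimit()`, which callers can use to build their own error response.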
+--- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
++++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+@@ -166,6 +166,12 @@
+     private long fileSizeMax = -1;
+ 
+     /**
++     * The maximum permitted number of files that may be uploaded in a single
++     * request. A value of -1 indicates no maximum.
++     */
++    private long fileCountMax = -1;
++
++    /**
+      * The content encoding to use when reading part headers.
+      */
+     private String headerEncoding;
+@@ -242,6 +248,25 @@
+     }
+ 
+     /**
++     * Returns the maximum number of files allowed in a single request.
++     *
++     * @return The maximum number of files allowed in a single request.
++     */
++    public long getFileCountMax() {
++        return fileCountMax;
++    }
++
++    /**
++     * Sets the maximum number of files allowed per request.
++     *
++     * @param fileCountMax The new limit. {@code -1} means no limit.
++     */
++    public void setFileCountMax(final long fileCountMax) {
++        this.fileCountMax = fileCountMax;
++    }
++
++
++    /**
+      * Retrieves the character encoding used when reading the headers of an
+      * individual part. When not specified, or <code>null</code>, the request
+      * encoding is used. If that is also not specified, or <code>null</code>,
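Review bot: `setFileCountMax` stores whatever it is given, but the Javadoc only specifies `-1` as "no limit" and says nothing about other negative values or `0`; either reject values below `-1` (`if (fileCountMax < -1) { throw new IllegalArgumentException(...); }`) or document what they do, since a caller passing `0` by mistake will have every upload rejected. Minor style point: the two consecutive blank lines between the setter and the next Javadoc block (`++` followed by another `++` line) should be one.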
+@@ -336,7 +361,11 @@
+                 throw new NullPointerException("No FileItemFactory has been set.");
+             }
+             while (iter.hasNext()) {
+-                final FileItemStream item = iter.next();
++                if (items.size() == fileCountMax) {
++                    // The next item will exceed the limit.
++                    throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
++                }
++            	final FileItemStream item = iter.next();
+                 // Don't use getName() here to prevent an InvalidFileNameException.
+                 final String fileName = ((FileItemIteratorImpl.FileItemStreamImpl) item).name;
+                 FileItem fileItem = fac.createItem(item.getFieldName(), item.getContentType(),
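Review bot: the guard `items.size() == fileCountMax` counts every part collected into `items`, ordinary form fields as well as file parts, so the limit is really a parts-per-request limit even though the field and its Javadoc call it "the maximum permitted number of files"; either rename/document it as a part count or count only items for which `item.isFormField()` is false. The exception is thrown with `ATTACHMENT` as its detail message, which is the Content-Disposition constant `"attachment"`, not a description of what went wrong; pass a real message such as `"Request exceeds maximum number of parts (" + fileCountMax + ")"`, the limit is already carried separately in the exception. Note for anyone deploying 1.4-2: `fileCountMax` defaults to `-1`, which this `==` check never matches, so nothing is mitigated until the application calls `setFileCountMax(...)` on its `ServletFileUpload`/`FileUploadBase` instance. The `final FileItemStream item = iter.next();` line is indented with a tab where the surrounding code uses spaces.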


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 001_update-tests-for-servlet3-api.patch
 002_portlet-api-compatibility.patch
+003_CVE-2023-24998.patch



View it on GitLab: https://salsa.debian.org/java-team/libcommons-fileupload-java/-/compare/6bc7f901b6f898c3a1205fe5af62d4cb1aedb377...a2c5b4eea4f789e9b6eb344497a6eeafb73f0c32
