[Git][java-team/libcommons-fileupload-java][master] 3 commits: Add patch for CVE-2023-24998 (Closes: #1031733)
Tony Mancill (@tmancill)
gitlab at salsa.debian.org
Thu Feb 23 03:49:30 GMT 2023
Tony Mancill pushed to branch master at Debian Java Maintainers / libcommons-fileupload-java
Commits:
1cfb74fa by tony mancill at 2023-02-22T19:42:11-08:00
Add patch for CVE-2023-24998 (Closes: #1031733)
- - - - -
dfe71fa9 by tony mancill at 2023-02-22T19:42:11-08:00
Include Apache NOTICE file in binary package
- - - - -
a2c5b4ee by tony mancill at 2023-02-22T19:42:11-08:00
Prepare changelog for upload to unstable
- - - - -
4 changed files:
- debian/changelog
- + debian/libcommons-fileupload-java.docs
- + debian/patches/003_CVE-2023-24998.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+libcommons-fileupload-java (1.4-2) unstable; urgency=medium
+
+ * Team upload.
+ * Add patch for CVE-2023-24998 (Closes: #1031733)
+ * Include Apache NOTICE file in binary package
+
+ -- tony mancill <tmancill at debian.org> Wed, 22 Feb 2023 19:37:24 -0800
+
libcommons-fileupload-java (1.4-1) unstable; urgency=medium
* New upstream release
=====================================
debian/libcommons-fileupload-java.docs
=====================================
@@ -0,0 +1 @@
+NOTICE.txt
=====================================
debian/patches/003_CVE-2023-24998.patch
=====================================
@@ -0,0 +1,117 @@
+Description: CVE-2023-24998
+ Apache Commons FileUpload before 1.5 does not limit the number of
+ request parts to be processed resulting in the possibility of an
+ attacker triggering a DoS with a malicious upload or series of uploads.
+Origin: https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
+Author: Mark Thomas <markt at apache.org>
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031733
+Forwarded: not-needed
+
+--- /dev/null
++++ b/src/main/java/org/apache/commons/fileupload/FileCountLimitExceededException.java
+@@ -0,0 +1,51 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.commons.fileupload;
++
++/**
++ * This exception is thrown if a request contains more files than the specified
++ * limit.
++ */
++public class FileCountLimitExceededException extends FileUploadException {
++
++ private static final long serialVersionUID = 6904179610227521789L;
++
++ /**
++ * The limit that was exceeded.
++ */
++ private final long limit;
++
++ /**
++ * Creates a new instance.
++ *
++ * @param message The detail message
++ * @param limit The limit that was exceeded
++ */
++ public FileCountLimitExceededException(final String message, final long limit) {
++ super(message);
++ this.limit = limit;
++ }
++
++ /**
++ * Retrieves the limit that was exceeded.
++ *
++ * @return The limit that was exceeded by the request
++ */
++ public long getLimit() {
++ return limit;
++ }
++}
+--- a/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
++++ b/src/main/java/org/apache/commons/fileupload/FileUploadBase.java
+@@ -166,6 +166,12 @@
+ private long fileSizeMax = -1;
+
+ /**
++ * The maximum permitted number of files that may be uploaded in a single
++ * request. A value of -1 indicates no maximum.
++ */
++ private long fileCountMax = -1;
++
++ /**
+ * The content encoding to use when reading part headers.
+ */
+ private String headerEncoding;
+@@ -242,6 +248,25 @@
+ }
+
+ /**
++ * Returns the maximum number of files allowed in a single request.
++ *
++ * @return The maximum number of files allowed in a single request.
++ */
++ public long getFileCountMax() {
++ return fileCountMax;
++ }
++
++ /**
++ * Sets the maximum number of files allowed per request.
++ *
++ * @param fileCountMax The new limit. {@code -1} means no limit.
++ */
++ public void setFileCountMax(final long fileCountMax) {
++ this.fileCountMax = fileCountMax;
++ }
++
++
++ /**
+ * Retrieves the character encoding used when reading the headers of an
+ * individual part. When not specified, or <code>null</code>, the request
+ * encoding is used. If that is also not specified, or <code>null</code>,
+@@ -336,7 +361,11 @@
+ throw new NullPointerException("No FileItemFactory has been set.");
+ }
+ while (iter.hasNext()) {
+- final FileItemStream item = iter.next();
++ if (items.size() == fileCountMax) {
++ // The next item will exceed the limit.
++ throw new FileCountLimitExceededException(ATTACHMENT, getFileCountMax());
++ }
++ final FileItemStream item = iter.next();
+ // Don't use getName() here to prevent an InvalidFileNameException.
+ final String fileName = ((FileItemIteratorImpl.FileItemStreamImpl) item).name;
+ FileItem fileItem = fac.createItem(item.getFieldName(), item.getContentType(),
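Review bot: The limit this patch backports is opt-in: `fileCountMax` is initialised to -1 ("no maximum") and nothing in the patch sets it, so installing this package alone leaves every reverse-dependency exactly as exposed to CVE-2023-24998 as before; each application must call `setFileCountMax()` on its `FileUploadBase` instance. It would be worth saying so in the patch Description, e.g. `The new limit is disabled by default (-1); applications must call setFileCountMax() to be protected.`, and in the Debian changelog entry. The guard itself relies on the sentinel — `items.size() == fileCountMax` never fires for any other negative value and can only fire once — so a more explicit form such as `if (fileCountMax >= 0 && items.size() >= fileCountMax) {` would make the intent clear. The Javadoc on the field and setter speaks of "files", but `items` appears to accumulate every parsed part including plain form fields (the list is built outside the hunk — confirm), so the documentation should say "parts" as the Description already does. The enclosing `parseRequest` method begins and ends outside this hunk.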
=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
001_update-tests-for-servlet3-api.patch
002_portlet-api-compatibility.patch
+003_CVE-2023-24998.patch