[Git][java-team/hsqldb][buster] Import Debian changes 2.4.1-2+deb10u2

Markus Koschany (@apo) gitlab at salsa.debian.org
Wed Jun 21 23:49:13 BST 2023



Markus Koschany pushed to branch buster at Debian Java Maintainers / hsqldb


Commits:
a56e5d67 by Markus Koschany at 2023-06-22T00:48:22+02:00
Import Debian changes 2.4.1-2+deb10u2

hsqldb (2.4.1-2+deb10u2) buster-security; urgency=high
.
  * Team upload.
  * Fix CVE-2023-1183:
    Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
    database engine, allowed the execution of spurious scripting commands in
    .script and .log files. Hsqldb supports a "SCRIPT" keyword which is
    normally used to record the commands input by the database admin to output
    such a script. In combination with LibreOffice, an attacker could craft an
    odb containing a "database/script" file which itself contained a SCRIPT
    command where the contents of the file could be written to a new file whose
    location was determined by the attacker.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2023-1183.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,18 @@
+hsqldb (2.4.1-2+deb10u2) buster-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2023-1183:
+    Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
+    database engine, allowed the execution of spurious scripting commands in
+    .script and .log files. Hsqldb supports a "SCRIPT" keyword which is
+    normally used to record the commands input by the database admin to output
+    such a script. In combination with LibreOffice, an attacker could craft an
+    odb containing a "database/script" file which itself contained a SCRIPT
+    command where the contents of the file could be written to a new file whose
+    location was determined by the attacker.
+
+ -- Markus Koschany <apo at debian.org>  Thu, 22 Jun 2023 00:37:15 +0200
+
 hsqldb (2.4.1-2+deb10u1) buster-security; urgency=high
 
   * Team upload.
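Review bot: the new changelog entry describes the vulnerability but not what the fix actually changes; for a security upload, add a sentence stating that SCRIPT commands are now ignored while a .script or .log file is being processed, and reference the upstream origin (https://sourceforge.net/p/hsqldb/svn/6639/) that the patch header cites, so the entry is self-contained for anyone reading the changelog without the patch.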


=====================================
debian/patches/CVE-2023-1183.patch
=====================================
@@ -0,0 +1,24 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 21 Jun 2023 18:35:57 +0200
+Subject: CVE-2023-1183
+
+Origin: https://sourceforge.net/p/hsqldb/svn/6639/
+---
+ hsqldb/src/org/hsqldb/StatementCommand.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hsqldb/src/org/hsqldb/StatementCommand.java b/hsqldb/src/org/hsqldb/StatementCommand.java
+index 2df0904..f9190b9 100644
+--- a/hsqldb/src/org/hsqldb/StatementCommand.java
++++ b/hsqldb/src/org/hsqldb/StatementCommand.java
+@@ -941,6 +941,10 @@ public class StatementCommand extends Statement {
+                 try {
+                     session.checkAdmin();
+ 
++                    if (session.isProcessingScript() || session.isProcessingLog()) {
++                        return Result.updateZeroResult;
++                    }
++
+                     if (name == null) {
+                         return session.database.getScript(false);
+                     } else {
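Review bot: the guard added after `session.checkAdmin()` silently returns `Result.updateZeroResult` when `session.isProcessingScript()` or `session.isProcessingLog()` is true, so a SCRIPT statement found inside a .script or .log file is dropped with no trace at all; consider raising an error or at least logging the rejected statement so that a tampered database file is visible to the operator rather than loaded as if nothing happened. Placing the check inside the existing `try` after the admin check is fine, but the patch header carries only From/Date/Subject/Origin, so a short Description line explaining the rationale (SCRIPT must never be honoured while replaying script or log files) would help future maintainers.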


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 java11-compatibility.patch
 CVE-2022-41853.patch
+CVE-2023-1183.patch



View it on GitLab: https://salsa.debian.org/java-team/hsqldb/-/commit/a56e5d6788ef3f3472cc683e2532f5ade346ece7
