[Git][java-team/hsqldb][buster] Import Debian changes 2.4.1-2+deb10u2
Markus Koschany (@apo)
gitlab at salsa.debian.org
Wed Jun 21 23:49:13 BST 2023
Markus Koschany pushed to branch buster at Debian Java Maintainers / hsqldb
Commits:
a56e5d67 by Markus Koschany at 2023-06-22T00:48:22+02:00
Import Debian changes 2.4.1-2+deb10u2
hsqldb (2.4.1-2+deb10u2) buster-security; urgency=high
.
* Team upload.
* Fix CVE-2023-1183:
Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
database engine, allowed the execution of spurious scripting commands in
.script and .log files. Hsqldb supports a "SCRIPT" keyword which is
normally used to record the commands input by the database admin to output
such a script. In combination with LibreOffice, an attacker could craft an
odb containing a "database/script" file which itself contained a SCRIPT
command where the contents of the file could be written to a new file whose
location was determined by the attacker.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2023-1183.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,18 @@
+hsqldb (2.4.1-2+deb10u2) buster-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2023-1183:
+ Gregor Kopf of Secfault Security GmbH discovered that HSQLDB, a Java SQL
+ database engine, allowed the execution of spurious scripting commands in
+ .script and .log files. Hsqldb supports a "SCRIPT" keyword which is
+ normally used to record the commands input by the database admin to output
+ such a script. In combination with LibreOffice, an attacker could craft an
+ odb containing a "database/script" file which itself contained a SCRIPT
+ command where the contents of the file could be written to a new file whose
+ location was determined by the attacker.
+
+ -- Markus Koschany <apo at debian.org> Thu, 22 Jun 2023 00:37:15 +0200
+
hsqldb (2.4.1-2+deb10u1) buster-security; urgency=high
* Team upload.
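Review bot: the changelog entry describes the LibreOffice .odb vector at length but never says what the fix itself does or where it comes from; since the patch header in debian/patches/CVE-2023-1183.patch already carries `Origin: https://sourceforge.net/p/hsqldb/svn/6639/`, a one-line summary such as "Ignore SCRIPT statements while replaying .script and .log files (upstream r6639)" would let a reader of the changelog tell what behaviour changed without opening the patch.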
=====================================
debian/patches/CVE-2023-1183.patch
=====================================
@@ -0,0 +1,24 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 21 Jun 2023 18:35:57 +0200
+Subject: CVE-2023-1183
+
+Origin: https://sourceforge.net/p/hsqldb/svn/6639/
+---
+ hsqldb/src/org/hsqldb/StatementCommand.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/hsqldb/src/org/hsqldb/StatementCommand.java b/hsqldb/src/org/hsqldb/StatementCommand.java
+index 2df0904..f9190b9 100644
+--- a/hsqldb/src/org/hsqldb/StatementCommand.java
++++ b/hsqldb/src/org/hsqldb/StatementCommand.java
+@@ -941,6 +941,10 @@ public class StatementCommand extends Statement {
+ try {
+ session.checkAdmin();
+
++ if (session.isProcessingScript() || session.isProcessingLog()) {
++ return Result.updateZeroResult;
++ }
++
+ if (name == null) {
+ return session.database.getScript(false);
+ } else {
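Review bot: the guard `if (session.isProcessingScript() || session.isProcessingLog())` returns `Result.updateZeroResult`, so a SCRIPT statement met while replaying a .script or .log file is dropped silently rather than rejected; that is a safe default, but nothing records that a statement was skipped, so an operator recovering a database whose log contained one gets no trace of it. Consider logging the skipped statement, or at least stating in the patch header that silent-ignore is the intended behaviour. Placement looks right: the check sits after `session.checkAdmin()` and before the `if (name == null)` branch, so both the in-memory form (`getScript(false)`) and the file-writing form described in the commit message are covered. The DEP-3 header has Subject and Origin but no `Bug:` or `Bug-Debian:` field; adding the CVE reference there would help the patch tracker.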
=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
java11-compatibility.patch
CVE-2022-41853.patch
+CVE-2023-1183.patch
View it on GitLab: https://salsa.debian.org/java-team/hsqldb/-/commit/a56e5d6788ef3f3472cc683e2532f5ade346ece7