[Git][java-team/openrefine][bullseye-backports] 5 commits: Add CVE-2023-37476.patch and automatically refresh all other patches
Markus Koschany (@apo)
gitlab at salsa.debian.org
Thu Sep 7 20:21:06 BST 2023
Markus Koschany pushed to branch bullseye-backports at Debian Java Maintainers / openrefine
Commits:
c965725c by Markus Koschany at 2023-08-18T01:35:30+02:00
Add CVE-2023-37476.patch and automatically refresh all other patches
- - - - -
4f079c67 by Markus Koschany at 2023-08-18T01:35:42+02:00
Declare compliance with Debian Policy 4.6.2.
- - - - -
5eef2063 by Markus Koschany at 2023-08-18T01:39:05+02:00
Update changelog
- - - - -
4b86cd68 by Markus Koschany at 2023-09-07T17:32:18+02:00
Merge branch 'master' into bullseye-backports
- - - - -
46b8c3d2 by Markus Koschany at 2023-09-07T21:16:11+02:00
Adjust bullseye-backports version.
- - - - -
8 changed files:
- debian/changelog
- debian/control
- + debian/patches/CVE-2023-37476.patch
- debian/patches/build.patch
- debian/patches/gdata-extension.patch
- debian/patches/log4j-api.patch
- debian/patches/no-java-files.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,9 +1,20 @@
openrefine (3.6.2-2~bpo11+1) bullseye-backports; urgency=medium
* Rebuild for bullseye-backports.
- * Tighten B-D on commons-io to >= 2.11.0.
- -- Markus Koschany <apo at debian.org> Sat, 22 Jul 2023 03:09:50 +0200
+ -- Markus Koschany <apo at debian.org> Thu, 07 Sep 2023 17:31:14 +0200
+
+openrefine (3.6.2-3) unstable; urgency=medium
+
+ * Tighten B-D on commons-io to >= 2.11.0.
+ * Fix CVE-2023-37476 and automatically refresh all other patches.
+ OpenRefine is a free, open source tool for data processing. A carefully
+ crafted malicious OpenRefine project tar file can be used to trigger
+ arbitrary code execution in the context of the OpenRefine process if a user
+ can be convinced to import it. (Closes: #1041422)
+ * Declare compliance with Debian Policy 4.6.2.
+
+ -- Markus Koschany <apo at debian.org> Fri, 18 Aug 2023 01:37:01 +0200
openrefine (3.6.2-2) unstable; urgency=medium
=====================================
debian/control
=====================================
@@ -69,7 +69,7 @@ Build-Depends:
libxtc-rats-java,
maven-debian-helper,
velocity
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
Vcs-Git: https://salsa.debian.org/java-team/openrefine.git
Vcs-Browser: https://salsa.debian.org/java-team/openrefine
Homepage: https://openrefine.org/
=====================================
debian/patches/CVE-2023-37476.patch
=====================================
@@ -0,0 +1,24 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 17 Aug 2023 21:33:50 +0200
+Subject: CVE-2023-37476
+
+Bug-Debian: https://bugs.debian.org/1041422
+Origin: https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651
+---
+ main/src/com/google/refine/io/FileProjectManager.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/main/src/com/google/refine/io/FileProjectManager.java b/main/src/com/google/refine/io/FileProjectManager.java
+index 09197f7..c913199 100644
+--- a/main/src/com/google/refine/io/FileProjectManager.java
++++ b/main/src/com/google/refine/io/FileProjectManager.java
+@@ -167,6 +167,9 @@ public class FileProjectManager extends ProjectManager {
+
+ while ((tarEntry = tin.getNextTarEntry()) != null) {
+ File destEntry = new File(destDir, tarEntry.getName());
++ if (!destEntry.toPath().normalize().startsWith(destDir.toPath().normalize())) {
++ throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
++ }
+ File parent = destEntry.getParentFile();
+
+ if (!parent.exists()) {
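Review bot: The rejection message on the new line `throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");` says "Zip archives" while the loop reads tar entries via `tin.getNextTarEntry()`, so the message a user sees on a rejected import names the wrong format; `throw new IllegalArgumentException("Archive entries escaping the project directory are not allowed: " + tarEntry.getName());` describes the case correctly and records which entry tripped the check. The containment test itself is component-wise (`Path.startsWith`), which avoids the string-prefix mistake where a sibling directory sharing a name prefix would pass, but both sides are only normalized lexically: if `destDir` can be relative, making it absolute first (`destDir.toPath().toAbsolutePath().normalize()` and resolving the entry name against that path) keeps the comparison well-defined, and if the rest of the loop, which starts and ends outside this hunk, materializes symbolic-link entries, a purely lexical check would not cover a later entry written through such a link — worth confirming against the surrounding extraction code. Since the patch vendors the upstream fix named in its Origin header, these are follow-up changes rather than edits to the backported patch.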
=====================================
debian/patches/build.patch
=====================================
@@ -7,7 +7,7 @@ Subject: build
1 file changed, 4 insertions(+)
diff --git a/main/pom.xml b/main/pom.xml
-index c0b409c..27f789d 100644
+index 17b8ddc..4b61428 100644
--- a/main/pom.xml
+++ b/main/pom.xml
@@ -337,6 +337,10 @@
=====================================
debian/patches/gdata-extension.patch
=====================================
@@ -7,7 +7,7 @@ Subject: gdata extension
1 file changed, 5 insertions(+)
diff --git a/extensions/gdata/pom.xml b/extensions/gdata/pom.xml
-index 4fc64e5..ce9b906 100644
+index ed8b740..e310e8c 100644
--- a/extensions/gdata/pom.xml
+++ b/extensions/gdata/pom.xml
@@ -97,6 +97,11 @@
=====================================
debian/patches/log4j-api.patch
=====================================
@@ -7,7 +7,7 @@ Subject: log4j-api
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/pom.xml b/server/pom.xml
-index 8bb528a..89dd5ab 100644
+index 2408c76..e168085 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -180,7 +180,7 @@
=====================================
debian/patches/no-java-files.patch
=====================================
@@ -8,7 +8,7 @@ Subject: no-java-files
2 files changed, 10 deletions(-)
diff --git a/main/pom.xml b/main/pom.xml
-index 27f789d..0ef3eab 100644
+index 4b61428..8ea4ef6 100644
--- a/main/pom.xml
+++ b/main/pom.xml
@@ -27,11 +27,6 @@
@@ -24,7 +24,7 @@ index 27f789d..0ef3eab 100644
<testResources>
<testResource>
diff --git a/server/pom.xml b/server/pom.xml
-index 89dd5ab..94fda4c 100644
+index e168085..f2955e4 100644
--- a/server/pom.xml
+++ b/server/pom.xml
@@ -28,11 +28,6 @@
=====================================
debian/patches/series
=====================================
@@ -4,3 +4,4 @@ butterfly.properties.patch
log4j-api.patch
no-java-files.patch
gdata-extension.patch
+CVE-2023-37476.patch