[Git][java-team/c3p0][master] 2 commits: Import Upstream version 0.9.1.2
Alexandre Detiste (@detiste-guest)
gitlab at salsa.debian.org
Thu Sep 4 13:14:05 BST 2025
Alexandre Detiste pushed to branch master at Debian Java Maintainers / c3p0
Commits:
277678c6 by Markus Koschany at 2018-12-28T19:13:11+01:00
Import Upstream version 0.9.1.2
- - - - -
d9e66c4b by Bastian Germann at 2025-09-04T14:13:52+02:00
Import Debian changes 0.9.1.2-10.1
c3p0 (0.9.1.2-10.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Backport fix for CVE-2019-5427. (Closes: #927936)
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2019-5427.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+c3p0 (0.9.1.2-10.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport fix for CVE-2019-5427. (Closes: #927936)
+
+ -- Bastian Germann <bage at debian.org> Fri, 04 Apr 2025 13:01:52 +0200
+
c3p0 (0.9.1.2-10) unstable; urgency=medium
* Team upload.
=====================================
debian/patches/CVE-2019-5427.patch
=====================================
@@ -0,0 +1,76 @@
+Origin: upstream, f38f27635c384806c2a9d6500d80183d9f09d78b
+From: Steve Waldman <swaldman at mchange.com>
+Date: Fri, 15 Mar 2019 22:29:39 -0700
+Subject: Address more potential security concerns associated with the
+ possibility of adversarially constructed XML files, many thanks to Aaron
+ Massey at HackerOne.
+---
+--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
++++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+@@ -147,10 +141,65 @@ public static C3P0Config extractXmlConfigFromDefaultResource( boolean expandEnti
+ }
+ }
+
++ private static void attemptSetFeature( DocumentBuilderFactory dbf, String featureUri, boolean setting )
++ {
++ try { dbf.setFeature( featureUri, setting ); }
++ catch (ParserConfigurationException e)
++ {
++ if ( logger.isLoggable( MLevel.FINE ) )
++ logger.log(MLevel.FINE, "Attempted but failed to set presumably unsupported feature '" + featureUri + "' to " + setting + ".");
++ }
++ }
++
++ // thanks to zhutougg on GitHub https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
++ // let's address hazards associated with overliberal parsing of XML, CVE-2018-20433
++ //
++ // by default entity references will not be expanded, but callers can specify expansion if they wish (important
++ // to retain backwards compatibility with existing config files where users understand the risks)
++ //
++ // -=-=-=-
++ //
++ // disabling entity expansions turns out not to be sufficient to prevent attacks (if an attacker can control the
++ // XML config file that will be parsed). we now enable a wide variety of restrictions by default, but allow users
++ // to revert to the old behavior by setting usePermissiveParser to 'true'
++ //
++ // Many thanks to Aaron Massey (amassey) at HackerOne for calling attention to the continued vulnerability,
++ // and to Dominique Righetto (righettod on GitHub) for
++ //
++ // https://github.com/OWASP/CheatSheetSeries/blob/31c94f233c40af4237432008106f42a9c4bff05e/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
++ // (via Aaron Massey)
++ //
++ // for instructions on how to overkill the fix
++
++ private static void cautionDocumentBuilderFactory( DocumentBuilderFactory dbf )
++ {
++ // the big one, if possible disable doctype declarations entirely
++ attemptSetFeature(dbf, "http://apache.org/xml/features/disallow-doctype-decl", true);
++
++ // for a varety of libraries, disable external general entities
++ attemptSetFeature(dbf, "http://xerces.apache.org/xerces-j/features.html#external-general-entities", false);
++ attemptSetFeature(dbf, "http://xerces.apache.org/xerces2-j/features.html#external-general-entities", false);
++ attemptSetFeature(dbf, "http://xml.org/sax/features/external-general-entities", false);
++
++ // for a variety of libraries, disable external parameter entities
++ attemptSetFeature(dbf, "http://xerces.apache.org/xerces-j/features.html#external-parameter-entities", false);
++ attemptSetFeature(dbf, "http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities", false);
++ attemptSetFeature(dbf, "http://xml.org/sax/features/external-parameter-entities", false);
++
++ // if possible, disable external DTDs
++ attemptSetFeature(dbf, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++
++ // disallow xinclude resolution
++ dbf.setXIncludeAware(false);
++
++ // disallow entity reference expansion in general
++ dbf.setExpandEntityReferences( false );
++ }
++
+ public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
+ {
+ DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
+- fact.setExpandEntityReferences(false);
++ cautionDocumentBuilderFactory( fact );
+ DocumentBuilder db = fact.newDocumentBuilder();
+ Document doc = db.parse( is );
+
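Review bot: The header comment above cautionDocumentBuilderFactory says users can revert to the old behaviour by setting usePermissiveParser to 'true', but nothing in this hunk reads such a setting — extractXmlConfigFromInputStream now calls cautionDocumentBuilderFactory unconditionally and its signature is unchanged. If that toggle lives in parts of upstream f38f2763 that were not backported, the patch should say so, e.g. `// NOTE(backport): the upstream usePermissiveParser toggle is not included here; hardening is always applied`, so Debian users do not search for a knob that does not exist. The hardening otherwise follows the OWASP cheat sheet the comment cites, but omits the one implementation-neutral feature that sheet also lists, `attemptSetFeature(dbf, javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);`, which enables the JAXP secure-processing limits on parsers where the apache.org/xerces feature URIs are rejected and only logged at FINE. Note also that `dbf.setXIncludeAware(false)` is not wrapped in attemptSetFeature and JAXP documents it as able to throw UnsupportedOperationException, so on a parser that does not implement it config loading fails outright instead of degrading like the feature settings do (fail-closed may be intended, but it should be a deliberate choice). Only extractXmlConfigFromInputStream is changed here; whether the boolean-taking extractXmlConfigFromDefaultResource overload named in the hunk header builds its own unhardened factory cannot be seen from this hunk.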
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@ build.patch
testing.patch
java-7-compat.patch
CVE-2018-20433.patch
+CVE-2019-5427.patch