Problems when building binary package of libcommons-fileupload-java under wheezy

Salvatore Bonaccorso carnil at debian.org
Sat Dec 21 15:02:58 UTC 2013


Hi Debian Java Maintainers,

I'm cc'ing Emmanuel also directly as he did the last upload for
libcommons-fileupload-java.

Ubuntu has released versions of libcommons-fileupload-java and
backported the patch to 1.2.2-1 also. It is about CVE-2013-2186[1]. I
also prepared packages for squeeze-security and wheezy-security based
on that patch.

The squeeze-security upload is fine, but for the wheezy-security
upload there are problems. The jar symlinks in /usr/share/java are not
created when rebuilding the package under wheezy.

I'm attaching the debdiffs for both squeeze-security and
wheezy-security. Additionally the debdiffs for the created binary
packages in wheezy, where you can see it also drops dependencies (in
the -doc package).

Any idea what is happening?

Regards,
Salvatore

 [1] https://security-tracker.debian.org/tracker/CVE-2013-2186
-------------- next part --------------
diff -Nru libcommons-fileupload-java-1.2.2/debian/changelog libcommons-fileupload-java-1.2.2/debian/changelog
--- libcommons-fileupload-java-1.2.2/debian/changelog	2010-08-04 13:57:08.000000000 +0200
+++ libcommons-fileupload-java-1.2.2/debian/changelog	2013-12-21 11:13:07.000000000 +0100
@@ -1,3 +1,13 @@
+libcommons-fileupload-java (1.2.2-1+deb6u1) squeeze-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Add CVE-2013-2186.patch patch.
+    CVE-2013-2186: Arbitrary file upload via deserialization. Properly
+    validate repository in org.apache.commons.fileupload.disk.DiskFileItem.
+    Thanks to Marc Deslauriers <marc.deslauriers at ubuntu.com> (Closes: #726601)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 21 Dec 2013 11:12:53 +0100
+
 libcommons-fileupload-java (1.2.2-1) unstable; urgency=low
 
   * New upstream release.
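Review bot: "Add CVE-2013-2186.patch patch." doubles the word "patch"; "Add CVE-2013-2186.patch." reads cleaner. The summary line "Arbitrary file upload via deserialization" also disagrees with the Description header inside the patch file ("fix arbitrary file overwrite via poison null byte"); the code change guards the deserialized repository path against a NUL byte and a non-directory, so the overwrite wording is the more accurate one, and the changelog and patch header should agree.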
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch
--- libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch	2013-12-21 11:12:48.000000000 +0100
@@ -0,0 +1,39 @@
+Description: fix arbitrary file overwrite via poison null byte
+Origin: backport, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
+Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
+
+WARNING: this patch contains CRLF line endings, editing it may break it
+
+Index: libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+===================================================================
+--- libcommons-fileupload-java-1.2.2.orig/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java	2013-11-07 10:56:14.286994776 -0500
++++ libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java	2013-11-07 11:03:26.963005854 -0500
+@@ -712,6 +712,26 @@
+         // read values
+         in.defaultReadObject();
+ 
++        /* One expected use of serialization is to migrate HTTP sessions
++         * containing a DiskFileItem between JVMs. Particularly if the JVMs are
++         * on different machines It is possible that the repository location is
++         * not valid so validate it.
++         */
++        if (repository != null) {
++            if (repository.isDirectory()) {
++                // Check path for nulls
++                if (repository.getPath().contains("\0")) {
++                    throw new IOException("The repository [" +
++                            repository.getPath() +
++                            "] contains a null character");
++                }
++            } else {
++                throw new IOException("The repository [" +
++                        repository.getAbsolutePath() +
++                        "] is not a directory");
++            }
++        }
++
+         OutputStream output = getOutputStream();
+         if (cachedContent != null) {
+             output.write(cachedContent);
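Review bot: the `repository.getPath().contains("\0")` check is only reached inside the `isDirectory()` branch, so if the JVM already reports `false` from `isDirectory()` for a path with an embedded NUL, the caller sees the "is not a directory" message rather than the more precise "contains a null character" one. Both branches throw, so the protection holds either way, but checking for the NUL first and then calling `isDirectory()` would give a consistent message regardless of JVM version. Two smaller points: the added comment has a stray capital ("on different machines It is possible"), and the "WARNING: this patch contains CRLF line endings" header matters for anyone refreshing the patch with quilt later, since normalising the line endings would make the hunk stop applying.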
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/series libcommons-fileupload-java-1.2.2/debian/patches/series
--- libcommons-fileupload-java-1.2.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/series	2013-12-21 11:11:15.000000000 +0100
@@ -0,0 +1 @@
+CVE-2013-2186.patch
-------------- next part --------------
diff -Nru libcommons-fileupload-java-1.2.2/debian/changelog libcommons-fileupload-java-1.2.2/debian/changelog
--- libcommons-fileupload-java-1.2.2/debian/changelog	2010-08-04 13:57:08.000000000 +0200
+++ libcommons-fileupload-java-1.2.2/debian/changelog	2013-12-21 11:13:52.000000000 +0100
@@ -1,3 +1,13 @@
+libcommons-fileupload-java (1.2.2-1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Add CVE-2013-2186.patch patch.
+    CVE-2013-2186: Arbitrary file upload via deserialization. Properly
+    validate repository in org.apache.commons.fileupload.disk.DiskFileItem.
+    Thanks to Marc Deslauriers <marc.deslauriers at ubuntu.com> (Closes: #726601)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 21 Dec 2013 11:09:58 +0100
+
 libcommons-fileupload-java (1.2.2-1) unstable; urgency=low
 
   * New upstream release.
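Review bot: this debdiff only adds the changelog entry, the patch file and the series file; it does not touch debian/rules, debian/control or anything else that decides which files get installed. The missing /usr/share/java/commons-fileupload*.jar symlinks (which point into the ../maven-repo layout) and the dropped Depends/Recommends of the -doc package seen in the binary debdiffs therefore cannot be caused by this hunk. That points at the wheezy build environment rather than the source change: compare the build log of this rebuild against the log of the original 1.2.2-1 build, in particular the versions of the build-dependencies that generate the maven-repo symlinks and the -doc dependency lists, before uploading.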
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch
--- libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch	2013-12-21 11:01:51.000000000 +0100
@@ -0,0 +1,39 @@
+Description: fix arbitrary file overwrite via poison null byte
+Origin: backport, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
+Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
+
+WARNING: this patch contains CRLF line endings, editing it may break it
+
+Index: libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+===================================================================
+--- libcommons-fileupload-java-1.2.2.orig/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java	2013-11-07 10:56:14.286994776 -0500
++++ libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java	2013-11-07 11:03:26.963005854 -0500
+@@ -712,6 +712,26 @@
+         // read values
+         in.defaultReadObject();
+ 
++        /* One expected use of serialization is to migrate HTTP sessions
++         * containing a DiskFileItem between JVMs. Particularly if the JVMs are
++         * on different machines It is possible that the repository location is
++         * not valid so validate it.
++         */
++        if (repository != null) {
++            if (repository.isDirectory()) {
++                // Check path for nulls
++                if (repository.getPath().contains("\0")) {
++                    throw new IOException("The repository [" +
++                            repository.getPath() +
++                            "] contains a null character");
++                }
++            } else {
++                throw new IOException("The repository [" +
++                        repository.getAbsolutePath() +
++                        "] is not a directory");
++            }
++        }
++
+         OutputStream output = getOutputStream();
+         if (cachedContent != null) {
+             output.write(cachedContent);
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/series libcommons-fileupload-java-1.2.2/debian/patches/series
--- libcommons-fileupload-java-1.2.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/series	2013-12-21 11:02:05.000000000 +0100
@@ -0,0 +1 @@
+CVE-2013-2186.patch
-------------- next part --------------
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in first .deb but not in second
-------------------------------------
lrwxrwxrwx  root/root   /usr/share/java/commons-fileupload-1.2.2.jar -> ../maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
lrwxrwxrwx  root/root   /usr/share/java/commons-fileupload.jar -> ../maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-136-] {+114+}
Version: [-1.2.2-1-] {+1.2.2-1+deb7u1+}
-------------- next part --------------
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /usr/share/maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2-javadoc.jar

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: [-default-jdk-doc, libportlet-api-2.0-spec-java-doc, libservlet2.5-java-doc-] {+default-jdk-doc+}
Installed-Size: [-1780-] {+1828+}
[-Recommends: libcommons-io-java-doc-]
Version: [-1.2.2-1-] {+1.2.2-1+deb7u1+}