Problems when building binary package of libcommons-fileupload-java under wheezy
Salvatore Bonaccorso
carnil at debian.org
Sat Dec 21 15:02:58 UTC 2013
Hi Debian Java Maintainers,
I'm cc'ing Emmanuel also directly as he did the last upload for
libcommons-fileupload-java.
Ubuntu has released versions of libcommons-fileupload-java and
backported the patch to 1.2.2-1 also. It is about CVE-2013-2186[1]. I
prepared also packages for squeeze-security and wheezy-security based
on that patch.
The squeeze-security upload is fine, but for the wheezy-security
upload there are problems. The jar symlinks in /usr/share/java are not
created when rebuilding the package under wheezy.
I'm attaching the debdiff's for both squeeze-security and
wheezy-security. Additionally the debdiff's for the created binary
packages in wheezy, where you can see it also drops dependencies (in
the -doc package).
Any idea what is happening?
Regards,
Salvatore
[1] https://security-tracker.debian.org/tracker/CVE-2013-2186
-------------- next part --------------
diff -Nru libcommons-fileupload-java-1.2.2/debian/changelog libcommons-fileupload-java-1.2.2/debian/changelog
--- libcommons-fileupload-java-1.2.2/debian/changelog 2010-08-04 13:57:08.000000000 +0200
+++ libcommons-fileupload-java-1.2.2/debian/changelog 2013-12-21 11:13:07.000000000 +0100
@@ -1,3 +1,13 @@
+libcommons-fileupload-java (1.2.2-1+deb6u1) squeeze-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Add CVE-2013-2186.patch patch.
+ CVE-2013-2186: Arbitrary file upload via deserialization. Properly
+ validate repository in org.apache.commons.fileupload.disk.DiskFileItem.
+ Thanks to Marc Deslauriers <marc.deslauriers at ubuntu.com> (Closes: #726601)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 21 Dec 2013 11:12:53 +0100
+
libcommons-fileupload-java (1.2.2-1) unstable; urgency=low
* New upstream release.
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch
--- libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch 2013-12-21 11:12:48.000000000 +0100
@@ -0,0 +1,39 @@
+Description: fix arbitrary file overwrite via poison null byte
+Origin: backport, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
+Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
+
+WARNING: this patch contains CRLF line endings, editing it may break it
+
+Index: libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+===================================================================
+--- libcommons-fileupload-java-1.2.2.orig/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 10:56:14.286994776 -0500
++++ libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 11:03:26.963005854 -0500
+@@ -712,6 +712,26 @@
+ // read values
+ in.defaultReadObject();
+
++ /* One expected use of serialization is to migrate HTTP sessions
++ * containing a DiskFileItem between JVMs. Particularly if the JVMs are
++ * on different machines It is possible that the repository location is
++ * not valid so validate it.
++ */
++ if (repository != null) {
++ if (repository.isDirectory()) {
++ // Check path for nulls
++ if (repository.getPath().contains("\0")) {
++ throw new IOException("The repository [" +
++ repository.getPath() +
++ "] contains a null character");
++ }
++ } else {
++ throw new IOException("The repository [" +
++ repository.getAbsolutePath() +
++ "] is not a directory");
++ }
++ }
++
+ OutputStream output = getOutputStream();
+ if (cachedContent != null) {
+ output.write(cachedContent);
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/series libcommons-fileupload-java-1.2.2/debian/patches/series
--- libcommons-fileupload-java-1.2.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/series 2013-12-21 11:11:15.000000000 +0100
@@ -0,0 +1 @@
+CVE-2013-2186.patch
-------------- next part --------------
diff -Nru libcommons-fileupload-java-1.2.2/debian/changelog libcommons-fileupload-java-1.2.2/debian/changelog
--- libcommons-fileupload-java-1.2.2/debian/changelog 2010-08-04 13:57:08.000000000 +0200
+++ libcommons-fileupload-java-1.2.2/debian/changelog 2013-12-21 11:13:52.000000000 +0100
@@ -1,3 +1,13 @@
+libcommons-fileupload-java (1.2.2-1+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Add CVE-2013-2186.patch patch.
+ CVE-2013-2186: Arbitrary file upload via deserialization. Properly
+ validate repository in org.apache.commons.fileupload.disk.DiskFileItem.
+ Thanks to Marc Deslauriers <marc.deslauriers at ubuntu.com> (Closes: #726601)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Sat, 21 Dec 2013 11:09:58 +0100
+
libcommons-fileupload-java (1.2.2-1) unstable; urgency=low
* New upstream release.
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch
--- libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch 2013-12-21 11:01:51.000000000 +0100
@@ -0,0 +1,39 @@
+Description: fix arbitrary file overwrite via poison null byte
+Origin: backport, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
+Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
+
+WARNING: this patch contains CRLF line endings, editing it may break it
+
+Index: libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+===================================================================
+--- libcommons-fileupload-java-1.2.2.orig/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 10:56:14.286994776 -0500
++++ libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 11:03:26.963005854 -0500
+@@ -712,6 +712,26 @@
+ // read values
+ in.defaultReadObject();
+
++ /* One expected use of serialization is to migrate HTTP sessions
++ * containing a DiskFileItem between JVMs. Particularly if the JVMs are
++ * on different machines It is possible that the repository location is
++ * not valid so validate it.
++ */
++ if (repository != null) {
++ if (repository.isDirectory()) {
++ // Check path for nulls
++ if (repository.getPath().contains("\0")) {
++ throw new IOException("The repository [" +
++ repository.getPath() +
++ "] contains a null character");
++ }
++ } else {
++ throw new IOException("The repository [" +
++ repository.getAbsolutePath() +
++ "] is not a directory");
++ }
++ }
++
+ OutputStream output = getOutputStream();
+ if (cachedContent != null) {
+ output.write(cachedContent);
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/series libcommons-fileupload-java-1.2.2/debian/patches/series
--- libcommons-fileupload-java-1.2.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/series 2013-12-21 11:02:05.000000000 +0100
@@ -0,0 +1 @@
+CVE-2013-2186.patch
-------------- next part --------------
[The following lists of changes regard files as different if they have
different names, permissions or owners.]
Files in first .deb but not in second
-------------------------------------
lrwxrwxrwx root/root /usr/share/java/commons-fileupload-1.2.2.jar -> ../maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
lrwxrwxrwx root/root /usr/share/java/commons-fileupload.jar -> ../maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-136-] {+114+}
Version: [-1.2.2-1-] {+1.2.2-1+deb7u1+}
-------------- next part --------------
[The following lists of changes regard files as different if they have
different names, permissions or owners.]
Files in second .deb but not in first
-------------------------------------
-rw-r--r-- root/root /usr/share/maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2-javadoc.jar
Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: [-default-jdk-doc, libportlet-api-2.0-spec-java-doc, libservlet2.5-java-doc-] {+default-jdk-doc+}
Installed-Size: [-1780-] {+1828+}
[-Recommends: libcommons-io-java-doc-]
Version: [-1.2.2-1-] {+1.2.2-1+deb7u1+}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20131221/ec0a2b25/attachment.sig>
More information about the pkg-java-maintainers
mailing list