Problems when building binary package of libcommons-fileupload-java under wheezy

Salvatore Bonaccorso carnil at debian.org
Sat Dec 21 18:24:57 UTC 2013 

Hi Emmanuel,

On Sat, Dec 21, 2013 at 05:58:33PM +0100, Emmanuel Bourg wrote:
> Le 21/12/2013 16:02, Salvatore Bonaccorso a écrit :
> 
> > Any idea what is happening?
> 
> Hi Salvatore,
> 
> I can't check in detail now, but the --java-lib flag is probably missing
> from the debian/libcommons-fileupload-java.poms file.

Thanks, this indeed seems to make it better. I have uploade the
resulting preliminary packages to [1]. If you have time in the coming
days to give them a bit of testing I would really appreciate.

 [1] http://people.debian.org/~carnil/libcommons-fileupload-java/

Let me know if this if fine with you (also if you prefer to prepare
the packges yourself).

Regards,
Salvatore
-------------- next part --------------
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /usr/share/maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2-javadoc.jar

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: [-default-jdk-doc, libportlet-api-2.0-spec-java-doc, libservlet2.5-java-doc-] {+default-jdk-doc+}
Installed-Size: [-1780-] {+1828+}
[-Recommends: libcommons-io-java-doc-]
Version: [-1.2.2-1-] {+1.2.2-1+deb7u1+}
-------------- next part --------------
[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /usr/share/java/commons-fileupload.jar
lrwxrwxrwx  root/root   /usr/share/java/commons-fileupload-1.2.2.jar -> commons-fileupload.jar
lrwxrwxrwx  root/root   /usr/share/maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar -> ../../../../java/commons-fileupload.jar
lrwxrwxrwx  root/root   /usr/share/maven-repo/commons-fileupload/commons-fileupload/debian/commons-fileupload-debian.jar -> ../../../../java/commons-fileupload.jar

Files in first .deb but not in second
-------------------------------------
-rw-r--r--  root/root   /usr/share/maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
lrwxrwxrwx  root/root   /usr/share/java/commons-fileupload-1.2.2.jar -> ../maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
lrwxrwxrwx  root/root   /usr/share/java/commons-fileupload.jar -> ../maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
lrwxrwxrwx  root/root   /usr/share/maven-repo/commons-fileupload/commons-fileupload/debian/commons-fileupload-debian.jar -> ../1.2.2/commons-fileupload-1.2.2.jar

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-136-] {+118+}
Version: [-1.2.2-1-] {+1.2.2-1+deb7u1+}
-------------- next part --------------
diff -Nru libcommons-fileupload-java-1.2.2/debian/changelog libcommons-fileupload-java-1.2.2/debian/changelog
--- libcommons-fileupload-java-1.2.2/debian/changelog	2010-08-04 13:57:08.000000000 +0200
+++ libcommons-fileupload-java-1.2.2/debian/changelog	2013-12-21 19:09:21.000000000 +0100
@@ -1,3 +1,17 @@
+libcommons-fileupload-java (1.2.2-1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Add CVE-2013-2186.patch patch.
+    CVE-2013-2186: Arbitrary file upload via deserialization. Properly
+    validate repository in org.apache.commons.fileupload.disk.DiskFileItem.
+    Thanks to Marc Deslauriers <marc.deslauriers at ubuntu.com> (Closes: #726601)
+  * Add --java-lib to libcommons-fileupload-java.poms.
+    Otherwise in the resulting binary package commons-fileupload.jar in
+    /usr/share/java is missing.
+    Thanks to Emmanuel Bourg <ebourg at apache.org>
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 21 Dec 2013 19:08:48 +0100
+
 libcommons-fileupload-java (1.2.2-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru libcommons-fileupload-java-1.2.2/debian/libcommons-fileupload-java.poms libcommons-fileupload-java-1.2.2/debian/libcommons-fileupload-java.poms
--- libcommons-fileupload-java-1.2.2/debian/libcommons-fileupload-java.poms	2010-03-31 01:02:11.000000000 +0200
+++ libcommons-fileupload-java-1.2.2/debian/libcommons-fileupload-java.poms	2013-12-21 19:09:21.000000000 +0100
@@ -1 +1 @@
-pom.xml --no-parent
+pom.xml --no-parent --java-lib
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch
--- libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch	2013-12-21 11:01:51.000000000 +0100
@@ -0,0 +1,39 @@
+Description: fix arbitrary file overwrite via poison null byte
+Origin: backport, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
+Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
+
+WARNING: this patch contains CRLF line endings, editing it may break it
+
+Index: libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+===================================================================
+--- libcommons-fileupload-java-1.2.2.orig/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java	2013-11-07 10:56:14.286994776 -0500
++++ libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java	2013-11-07 11:03:26.963005854 -0500
+@@ -712,6 +712,26 @@
+         // read values
+         in.defaultReadObject();
+ 
++        /* One expected use of serialization is to migrate HTTP sessions
++         * containing a DiskFileItem between JVMs. Particularly if the JVMs are
++         * on different machines It is possible that the repository location is
++         * not valid so validate it.
++         */
++        if (repository != null) {
++            if (repository.isDirectory()) {
++                // Check path for nulls
++                if (repository.getPath().contains("\0")) {
++                    throw new IOException("The repository [" +
++                            repository.getPath() +
++                            "] contains a null character");
++                }
++            } else {
++                throw new IOException("The repository [" +
++                        repository.getAbsolutePath() +
++                        "] is not a directory");
++            }
++        }
++
+         OutputStream output = getOutputStream();
+         if (cachedContent != null) {
+             output.write(cachedContent);
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/series libcommons-fileupload-java-1.2.2/debian/patches/series
--- libcommons-fileupload-java-1.2.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/series	2013-12-21 11:02:05.000000000 +0100
@@ -0,0 +1 @@
+CVE-2013-2186.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20131221/24a556d2/attachment-0001.sig>

More information about the pkg-java-maintainers mailing list