Bug#927936: c3p0: CVE-2019-5427

Bastian Germann bage at debian.org
Fri Apr 4 12:07:42 BST 2025 

Control: tags -1 patch

I am uploading a NMU to fix this.
Please find the debdiff attached.
-------------- next part --------------
diff -Nru c3p0-0.9.1.2/debian/changelog c3p0-0.9.1.2/debian/changelog
--- c3p0-0.9.1.2/debian/changelog	2018-12-25 15:16:25.000000000 +0100
+++ c3p0-0.9.1.2/debian/changelog	2025-04-04 13:01:52.000000000 +0200
@@ -1,3 +1,10 @@
+c3p0 (0.9.1.2-10.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport fix for CVE-2019-5427. (Closes: #927936)
+
+ -- Bastian Germann <bage at debian.org>  Fri, 04 Apr 2025 13:01:52 +0200
+
 c3p0 (0.9.1.2-10) unstable; urgency=medium
 
   * Team upload.
diff -Nru c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch
--- c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch	1970-01-01 01:00:00.000000000 +0100
+++ c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch	2025-04-04 13:01:18.000000000 +0200
@@ -0,0 +1,76 @@
+Origin: upstream, f38f27635c384806c2a9d6500d80183d9f09d78b
+From: Steve Waldman <swaldman at mchange.com>
+Date: Fri, 15 Mar 2019 22:29:39 -0700
+Subject: Address more potential security concerns associated with the
+ possibility of adversarially constructed XML files, many thanks to Aaron
+ Massey at HackerOne.
+---
+--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
++++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+@@ -147,10 +141,65 @@ public static C3P0Config extractXmlConfigFromDefaultResource( boolean expandEnti
+         }
+     }
+ 
++    private static void attemptSetFeature( DocumentBuilderFactory dbf, String featureUri, boolean setting )
++    {
++	try { dbf.setFeature( featureUri, setting ); }
++	catch (ParserConfigurationException e)
++	{
++	    if ( logger.isLoggable( MLevel.FINE ) )
++		logger.log(MLevel.FINE, "Attempted but failed to set presumably unsupported feature '" + featureUri + "' to " + setting + ".");
++	}
++    }
++
++    // thanks to zhutougg on GitHub https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
++    // let's address hazards associated with overliberal parsing of XML, CVE-2018-20433
++    //
++    // by default entity references will not be expanded, but callers can specify expansion if they wish (important
++    // to retain backwards compatibility with existing config files where users understand the risks)
++    //
++    // -=-=-=-
++    //
++    // disabling entity expansions turns out not to be sufficient to prevent attacks (if an attacker can control the
++    // XML config file that will be parsed). we now enable a wide variety of restrictions by default, but allow users
++    // to revert to the old behavior by setting usePermissiveParser to 'true'
++    //
++    // Many thanks to Aaron Massey (amassey) at HackerOne for calling attention to the continued vulnerability,
++    // and to Dominique Righetto (righettod on GitHub) for
++    //
++    //    https://github.com/OWASP/CheatSheetSeries/blob/31c94f233c40af4237432008106f42a9c4bff05e/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
++    //    (via Aaron Massey)
++    //
++    // for instructions on how to overkill the fix
++    
++    private static void cautionDocumentBuilderFactory( DocumentBuilderFactory dbf )
++    {
++	// the big one, if possible disable doctype declarations entirely
++	attemptSetFeature(dbf, "http://apache.org/xml/features/disallow-doctype-decl", true);
++
++	// for a varety of libraries, disable external general entities
++	attemptSetFeature(dbf, "http://xerces.apache.org/xerces-j/features.html#external-general-entities", false);
++	attemptSetFeature(dbf, "http://xerces.apache.org/xerces2-j/features.html#external-general-entities", false);
++	attemptSetFeature(dbf, "http://xml.org/sax/features/external-general-entities", false);
++
++	// for a variety of libraries, disable external parameter entities
++	attemptSetFeature(dbf, "http://xerces.apache.org/xerces-j/features.html#external-parameter-entities", false);
++	attemptSetFeature(dbf, "http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities", false);
++	attemptSetFeature(dbf, "http://xml.org/sax/features/external-parameter-entities", false);
++
++	// if possible, disable external DTDs
++	attemptSetFeature(dbf, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++
++	// disallow xinclude resolution
++	dbf.setXIncludeAware(false);
++
++	// disallow entity reference expansion in general
++	dbf.setExpandEntityReferences( false );
++    }
++
+     public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
+     {
+         DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
+-	fact.setExpandEntityReferences(false);
++	cautionDocumentBuilderFactory( fact );
+         DocumentBuilder db = fact.newDocumentBuilder();
+         Document doc = db.parse( is );
+ 
diff -Nru c3p0-0.9.1.2/debian/patches/series c3p0-0.9.1.2/debian/patches/series
--- c3p0-0.9.1.2/debian/patches/series	2018-12-25 15:16:25.000000000 +0100
+++ c3p0-0.9.1.2/debian/patches/series	2025-04-04 13:01:41.000000000 +0200
@@ -2,3 +2,4 @@
 testing.patch
 java-7-compat.patch
 CVE-2018-20433.patch
+CVE-2019-5427.patch

More information about the pkg-java-maintainers mailing list