Bug#1109335: jackrabbit: CVE-2025-53689
Bastian Germann
bage at debian.org
Wed Jul 23 10:15:30 BST 2025
Control: tags -1 patch
I am uploading an NMU to fix this.
The debdiff is attached.
diff -Nru jackrabbit-2.20.11/debian/changelog jackrabbit-2.20.11/debian/changelog
--- jackrabbit-2.20.11/debian/changelog 2023-07-29 15:08:48.000000000 +0200
+++ jackrabbit-2.20.11/debian/changelog 2025-07-23 10:05:30.000000000 +0200
@@ -1,3 +1,10 @@
+jackrabbit (2.20.11-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix CVE-2025-53689 via upstream patch. (Closes: #1109335)
+
+ -- Bastian Germann <bage at debian.org> Wed, 23 Jul 2025 10:05:30 +0200
+
jackrabbit (2.20.11-1) unstable; urgency=medium
* Team upload.
diff -Nru jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch
--- jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch 1970-01-01 01:00:00.000000000 +0100
+++ jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch 2025-07-23 10:05:30.000000000 +0200
@@ -0,0 +1,147 @@
+Origin: upstream, 8ea2349234b181bf790cad58bfd91fd2763e64a9
+From: Julian Reschke <reschke at apache.org>
+Date: Thu, 10 Jul 2025 18:04:34 +0200
+Subject: JCR-5165: various parsing improvements/consistency (#263)
+
+---
+ .../jackrabbit/core/util/DOMWalker.java | 40 ++++++++++++++++++-
+ .../privilege/PrivilegeXmlHandler.java | 30 ++++++++++++++
+ 2 files changed, 68 insertions(+), 2 deletions(-)
+
+diff --git a/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java b/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java
+index 9689f7cba7d..aa6b64467e1 100644
+--- a/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java
++++ b/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java
+@@ -23,11 +23,15 @@
+ import org.w3c.dom.NamedNodeMap;
+ import org.w3c.dom.Node;
+ import org.w3c.dom.NodeList;
++import org.xml.sax.EntityResolver;
++import org.xml.sax.InputSource;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import java.io.IOException;
+ import java.io.InputStream;
++import java.io.StringReader;
+ import java.util.Properties;
+
+ /**
+@@ -37,8 +41,36 @@
+ public final class DOMWalker {
+
+ /** Static factory for creating stream to DOM transformers. */
+- private static final DocumentBuilderFactory factory =
+- DocumentBuilderFactory.newInstance();
++ private static final DocumentBuilderFactory factory = createFactory();
++
++ private static DocumentBuilderFactory createFactory() {
++ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setIgnoringComments(false);
++ factory.setIgnoringElementContentWhitespace(true);
++ factory.setXIncludeAware(false);
++
++ // Prevent XXE attacks by disabling external entity processing
++ factory.setExpandEntityReferences(false);
++
++ String feature = null;
++
++ try {
++ feature = XMLConstants.FEATURE_SECURE_PROCESSING;
++ factory.setFeature(feature, true);
++ feature = "http://apache.org/xml/features/disallow-doctype-decl";
++ factory.setFeature(feature, true);
++ feature = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
++ factory.setFeature(feature, false);
++ feature = "http://xml.org/sax/features/external-general-entities";
++ factory.setFeature(feature, false);
++ feature = "http://xml.org/sax/features/external-parameter-entities";
++ factory.setFeature(feature, false);
++ } catch (Exception ex) {
++ // abort if secure processing is not supported
++ throw new IllegalStateException("Secure processing feature '" + feature + "' not supported by the DocumentBuilderFactory: " + factory.getClass().getName(), ex);
++ }
++ return factory;
++ }
+
+ /** The DOM document being traversed by this walker. */
+ private final Document document;
+@@ -57,6 +89,10 @@ public final class DOMWalker {
+ public DOMWalker(InputStream xml) throws IOException {
+ try {
+ DocumentBuilder builder = factory.newDocumentBuilder();
++ // defense in depth: entity resolver that will break any document on purpose
++ EntityResolver stopMe = (publicId, systemId) -> new InputSource(
++ new StringReader("<preventing read of: " + publicId + " " + systemId + ">"));
++ builder.setEntityResolver(stopMe);
+ document = builder.parse(xml);
+ current = document.getDocumentElement();
+ } catch (IOException e) {
+diff --git a/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java b/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java
+index ffa24fe2001..bc241491296 100644
+--- a/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java
++++ b/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java
+@@ -27,10 +27,12 @@
+ import org.w3c.dom.NamedNodeMap;
+ import org.w3c.dom.Node;
+ import org.w3c.dom.NodeList;
++import org.xml.sax.EntityResolver;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.SAXException;
+ import org.xml.sax.helpers.DefaultHandler;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.parsers.ParserConfigurationException;
+@@ -44,7 +46,9 @@
+ import java.io.InputStream;
+ import java.io.OutputStream;
+ import java.io.Reader;
++import java.io.StringReader;
+ import java.io.Writer;
++import java.rmi.server.ExportException;
+ import java.util.ArrayList;
+ import java.util.HashMap;
+ import java.util.HashSet;
+@@ -112,6 +116,28 @@ private static DocumentBuilderFactory createFactory() {
+ factory.setNamespaceAware(true);
+ factory.setIgnoringComments(false);
+ factory.setIgnoringElementContentWhitespace(true);
++ factory.setXIncludeAware(false);
++
++ // Prevent XXE attacks by disabling external entity processing
++ factory.setExpandEntityReferences(false);
++
++ String feature = null;
++
++ try {
++ feature = XMLConstants.FEATURE_SECURE_PROCESSING;
++ factory.setFeature(feature, true);
++ feature = "http://apache.org/xml/features/disallow-doctype-decl";
++ factory.setFeature(feature, true);
++ feature = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
++ factory.setFeature(feature, false);
++ feature = "http://xml.org/sax/features/external-general-entities";
++ factory.setFeature(feature, false);
++ feature = "http://xml.org/sax/features/external-parameter-entities";
++ factory.setFeature(feature, false);
++ } catch (Exception ex) {
++ // abort if secure processing is not supported
++ throw new IllegalStateException("Secure processing feature '" + feature + "' not supported by the DocumentBuilderFactory: " + factory.getClass().getName(), ex);
++ }
+ return factory;
+ }
+
+@@ -279,6 +305,10 @@ private PrivilegeDefinition parseDefinition(Node n, Map<String, String> namespac
+ */
+ private static DocumentBuilder createDocumentBuilder() throws ParserConfigurationException {
+ DocumentBuilder builder = DOCUMENT_BUILDER_FACTORY.newDocumentBuilder();
++ // defense in depth: entity resolver that will break any document on purpose
++ EntityResolver stopMe = (publicId, systemId) -> new InputSource(
++ new StringReader("<preventing read of: " + publicId + " " + systemId + ">"));
++ builder.setEntityResolver(stopMe);
+ builder.setErrorHandler(new DefaultHandler());
+ return builder;
+ }
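Review bot: The `import java.rmi.server.ExportException;` added to PrivilegeXmlHandler.java in the `@@ -44,7 +46,9 @@` import hunk is not referenced anywhere else in the patch and looks like an IDE auto-import slip; it should be dropped so the hardening change does not pull an unrelated `java.rmi` dependency into jackrabbit-spi-commons. Because the change is carried as a quilt patch under debian/patches, the right fix is to refresh CVE-2025-53689.patch with that line removed rather than touching the source tree directly. Separately, the feature list from `XMLConstants.FEATURE_SECURE_PROCESSING` through `external-parameter-entities` is now duplicated verbatim between DOMWalker.createFactory and PrivilegeXmlHandler.createFactory; a one-line marker such as `// keep in sync with PrivilegeXmlHandler.createFactory` (and its mirror in the other file) would help maintainers keep the two lists aligned when a feature is added or renamed. DOMWalker.createFactory is shown in full, but PrivilegeXmlHandler.createFactory starts before its hunk and only its tail is visible here.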
diff -Nru jackrabbit-2.20.11/debian/patches/series jackrabbit-2.20.11/debian/patches/series
--- jackrabbit-2.20.11/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ jackrabbit-2.20.11/debian/patches/series 2025-07-23 10:05:30.000000000 +0200
@@ -0,0 +1 @@
+CVE-2025-53689.patch