Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package eclipse for openSUSE:Factory checked in at 2021-03-19 16:43:14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/eclipse (Old) and /work/SRC/openSUSE:Factory/.eclipse.new.2401 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "eclipse" Fri Mar 19 16:43:14 2021 rev:14 rq:880010 version:4.15 Changes: -------- --- /work/SRC/openSUSE:Factory/eclipse/eclipse.changes 2020-07-17 20:50:38.212906944 +0200 +++ /work/SRC/openSUSE:Factory/.eclipse.new.2401/eclipse.changes 2021-03-19 16:43:20.334128792 +0100 @@ -1,0 +2,10 @@ +Thu Mar 18 17:38:41 UTC 2021 - Pedro Monreal <[email protected]> + +- Security fix: [bsc#1183728, CVE-2020-27225] + * The Help Subsystem does not authenticate active help requests + to the local help web server, allowing an unauthenticated local + attacker to issue active help commands to the associated Eclipse + Platform process or Eclipse Rich Client Platform process. +- Add eclipse-CVE-2020-27225.patch + +------------------------------------------------------------------- New: ---- eclipse-CVE-2020-27225.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ eclipse.spec ++++++ --- /var/tmp/diff_new_pack.E1W2yd/_old 2021-03-19 16:43:21.546130428 +0100 +++ /var/tmp/diff_new_pack.E1W2yd/_new 2021-03-19 16:43:21.550130433 +0100 @@ -1,7 +1,7 @@ # -# spec file for package eclipse +# spec file for package eclipse-bootstrap # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -115,6 +115,8 @@ # Fix build on ppc64 big endian Patch33: eclipse-ppc64.patch Patch34: eclipse-libkeystorelinuxnative.patch +# PATCH-FIX-UPSTREAM bsc#1183728 CVE-2020-27225 Help Subsystem does not authenticate active help requests +Patch35: eclipse-CVE-2020-27225.patch BuildRequires: ant >= 1.10.5 BuildRequires: ant-antlr BuildRequires: ant-apache-bcel @@ -252,6 +254,7 @@ %if %{with bootstrap} %package -n eclipse-swt-bootstrap %else + %package swt Obsoletes: eclipse-swt-bootstrap %endif 
@@ -265,6 +268,7 @@ %if %{with bootstrap} %description -n eclipse-swt-bootstrap %else + %description swt %endif SWT Library for GTK+. @@ -272,6 +276,7 @@ %if %{with bootstrap} %package -n eclipse-equinox-osgi-bootstrap %else + %package equinox-osgi Obsoletes: eclipse-equinox-osgi-bootstrap %endif @@ -284,6 +289,7 @@ %if %{with bootstrap} %description -n eclipse-equinox-osgi-bootstrap %else + %description equinox-osgi %endif Eclipse OSGi - Equinox @@ -293,6 +299,7 @@ Requires: eclipse-equinox-osgi-bootstrap = %{version}-%{release} Requires: eclipse-swt-bootstrap = %{version}-%{release} %else + %package platform Requires: %{name}-equinox-osgi = %{version}-%{release} Requires: %{name}-swt = %{version}-%{release} @@ -373,6 +380,7 @@ %if %{with bootstrap} %description -n eclipse-platform-bootstrap %else + %description platform %endif The Eclipse Platform is the base of all IDE plugins. This does not include the @@ -382,6 +390,7 @@ %package -n eclipse-jdt-bootstrap Requires: eclipse-platform-bootstrap = %{version}-%{release} %else + %package jdt Requires: %{name}-platform = %{version}-%{release} Obsoletes: eclipse-jdt-bootstrap @@ -397,6 +406,7 @@ %if %{with bootstrap} %description -n eclipse-jdt-bootstrap %else + %description jdt %endif Eclipse Java Development Tools. This package is required to use Eclipse for @@ -407,6 +417,7 @@ Requires: eclipse-jdt-bootstrap = %{version}-%{release} Requires: eclipse-platform-bootstrap = %{version}-%{release} %else + %package pde Requires: %{name}-jdt = %{version}-%{release} Requires: %{name}-platform = %{version}-%{release} @@ -419,6 +430,7 @@ %if %{with bootstrap} %description -n eclipse-pde-bootstrap %else + %description pde %endif Eclipse Plugin Development Environment. This package is required for 
@@ -428,6 +440,7 @@ %package -n eclipse-p2-discovery-bootstrap Requires: eclipse-platform-bootstrap = %{version}-%{release} %else + %package p2-discovery Requires: %{name}-platform = %{version}-%{release} Obsoletes: eclipse-p2-discovery-bootstrap @@ -439,6 +452,7 @@ %if %{with bootstrap} %description -n eclipse-p2-discovery-bootstrap %else + %description p2-discovery %endif The p2 Discovery mechanism provides a simplified and branded front-end for the @@ -451,6 +465,7 @@ %package -n eclipse-contributor-tools-bootstrap Requires: eclipse-platform-bootstrap = %{version}-%{release} %else + %package contributor-tools Requires: %{name}-platform = %{version}-%{release} Obsoletes: eclipse-contributor-tools-bootstrap @@ -463,6 +478,7 @@ %if %{with bootstrap} %description -n eclipse-contributor-tools-bootstrap %else + %description contributor-tools %endif This package contains tools specifically for Eclipse contributors. It includes @@ -505,6 +521,7 @@ %patch31 -p1 %patch33 -p1 %patch34 -p1 +%patch35 -p1 # Optional (unused) multipart support (see patch 25) rm rt.equinox.bundles/bundles/org.eclipse.equinox.http.servlet/src/org/eclipse/equinox/http/servlet/internal/multipart/MultipartSupport{Impl,FactoryImpl,Part}.java @@ -959,6 +976,7 @@ %if %{with bootstrap} %files -n eclipse-swt-bootstrap -f .mfiles-swt %else + %files swt -f .mfiles-swt %endif %{_eclipsedir}/plugins/org.eclipse.swt_* @@ -969,6 +987,7 @@ %if %{with bootstrap} %files -n eclipse-platform-bootstrap %else + %files platform %endif %{_bindir}/eclipse @@ -1154,6 +1173,7 @@ %if %{with bootstrap} %files -n eclipse-jdt-bootstrap -f .mfiles-jdt %else + %files jdt -f .mfiles-jdt %endif %{_datadir}/appdata/eclipse-jdt.metainfo.xml @@ -1161,6 +1181,7 @@ %if %{with bootstrap} %files -n eclipse-pde-bootstrap -f .mfiles-pde -f .mfiles-cvs -f .mfiles-sdk %else + %files pde -f .mfiles-pde -f .mfiles-cvs -f .mfiles-sdk %endif %{_datadir}/appdata/eclipse-pde.metainfo.xml 
@@ -1168,6 +1189,7 @@ %if %{with bootstrap} %files -n eclipse-p2-discovery-bootstrap -f .mfiles-p2-discovery %else + %files p2-discovery -f .mfiles-p2-discovery %endif @@ -1175,6 +1197,7 @@ %if %{with bootstrap} %files -n eclipse-contributor-tools-bootstrap -f .mfiles-contributor-tools %else + %files contributor-tools -f .mfiles-contributor-tools %endif %endif @@ -1182,6 +1205,7 @@ %if %{with bootstrap} %files -n eclipse-equinox-osgi-bootstrap -f .mfiles-equinox-osgi %else + %files equinox-osgi -f .mfiles-equinox-osgi %endif %{_eclipsedir}/plugins/org.eclipse.osgi_* ++++++ eclipse-CVE-2020-27225.patch ++++++ >From 213812355860e3732e1b28e620df31db8ff160aa Mon Sep 17 00:00:00 2001 From: Andrew Johnson Date: Mon, 15 Mar 2021 20:53:01 +0530 Subject: 569855: Fix for Eclipse live help. - Use tokens - Backport to R4_15_maintenance branch Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/BaseHelpSystem.java @@ -59,6 +59,7 @@ public final class BaseHelpSystem { private IBrowser browser; private IBrowser internalBrowser; private HelpDisplay helpDisplay = null; + private String liveHelpToken = null; private BaseHelpSystem() { super(); 
@@ -350,4 +351,29 @@ public final class BaseHelpSystem { } } + /** + * Check supplied token against stored token. Clears the stored token if + * successful. + * + * @param helpSessionToken + * @return true if match successful + */ + public boolean matchOnceLiveHelpToken(String helpSessionToken) { + /* + * @FIXME - should we use a constant time comparison, and store/compare a + * cryptographic hash? + */ + if (liveHelpToken != null && liveHelpToken.equals(helpSessionToken)) { + // Enforce one-time use. + liveHelpToken = null; + return true; + } else { + return false; + } + } + + public void setLiveHelpToken(String helpSessionToken) { + liveHelpToken = helpSessionToken; + } + } Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.base/src/org/eclipse/help/internal/base/HelpDisplay.java @@ -15,6 +15,8 @@ package org.eclipse.help.internal.base; import java.io.UnsupportedEncodingException; import java.net.URLEncoder; +import java.nio.charset.StandardCharsets; +import java.util.UUID; import org.eclipse.core.runtime.CoreException; import org.eclipse.core.runtime.IConfigurationElement; 
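Review bot: The check-and-clear in `matchOnceLiveHelpToken` (BaseHelpSystem.java) is not atomic, so the one-time use promised in its Javadoc does not hold if two requests arrive together: both can pass the `equals` test before either sets `liveHelpToken = null`. The field is written from HelpDisplay and read from index.jsp request handling, presumably on different threads, and it is neither `volatile` nor guarded. Declaring both methods `synchronized` (`public synchronized boolean matchOnceLiveHelpToken(String helpSessionToken)`, `public synchronized void setLiveHelpToken(String helpSessionToken)`) closes that gap. For the FIXME, a null check followed by `MessageDigest.isEqual(...)` over the UTF-8 bytes of both strings gives a constant-time comparison without storing a hash. The empty `@param helpSessionToken` tag should say that this is the value taken from the request and that null never matches.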
@@ -196,6 +198,12 @@ public class HelpDisplay { String topic = helpURL.substring("topic=".length()); //$NON-NLS-1$ helpURL = getHelpDisplay().getHelpForTopic( topic, WebappManager.getHost(), WebappManager.getPort()); } + String basehelp = getBaseURL(); + if (BaseHelpSystem.getMode() != BaseHelpSystem.MODE_INFOCENTER && helpURL.startsWith(basehelp)) { + String sessid = UUID.randomUUID().toString(); + BaseHelpSystem.getInstance().setLiveHelpToken(sessid); + helpURL += (helpURL.indexOf('?') < 0 ? '?' : '&') + "token=" + sessid; //$NON-NLS-1$ + } BaseHelpSystem.getHelpBrowser(forceExternal) .displayURL(helpURL); Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/advanced/livehelp_js.jsp 
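Review bot: The token stored by `setLiveHelpToken(sessid)` in HelpDisplay.java has no expiry, so it stays valid until a request presents it or the next help call overwrites it, including when `displayURL` fails or the browser never loads the page. Because the token travels in the URL handed to the browser chosen by `getHelpBrowser(forceExternal)`, it may also be kept wherever that browser records its start URL; this depends on the browser adapter, which is outside the hunk. I would clear the stored token when `displayURL` does not succeed, and add a comment above the new block such as `// One-time token: index.jsp exchanges it for session cookies, LayoutData strips it from the forwarded query`. The enclosing method starts and ends outside the hunk.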
@@ -47,7 +47,15 @@ function liveActionInternal(topHelpWindo url=url.substring(0, i+1); var encodedArg=encodeURIComponent(argument); url=url+"livehelp/?pluginID="+pluginId+"&class="+className+"&arg="+encodedArg+"&nocaching="+Math.random(); - + <% + Object token = request.getSession().getAttribute("LSESSION"); //$NON-NLS-1$ + // Validate token to protect against XSS + if (token instanceof String && ((String)token).matches("[a-z0-9-]{36}")) {//$NON-NLS-1$) { + %> + url=url+"&token=<%=token%>"; + <% + } + %> // we need to find the toolbar frame. // to do: cleanup this, including the location of the hidden livehelp frame. var toolbarFrame = topHelpWindow.HelpFrame.ContentFrame.ContentToolbarFrame; Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/index.jsp @@ -12,9 +12,11 @@ IBM Corporation - initial API and implementation --%> <%@ page import="org.eclipse.help.internal.webapp.data.*" errorPage="/advanced/err.jsp" contentType="text/html; charset=UTF-8"%> +<%@ page import="java.util.UUID" %> +<%@ page import="org.eclipse.help.internal.base.BaseHelpSystem" %> <% request.setCharacterEncoding("UTF-8"); - ServerState.webappStarted(application,request, response); + ServerState.webappStarted(application,request, response); // Read the scope parameter RequestScope.setScopeFromRequest(request, response); LayoutData data = new LayoutData(application,request, response); 
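Review bot: The script produced by livehelp_js.jsp now embeds the per-session `LSESSION` value, so the response should not be stored by any cache. Nothing in the hunk sets a cache header; unless the page already does so outside the hunk, add `response.setHeader("Cache-Control", "no-store");` before the scriptlet. The comment at the end of the `if` line, `{//$NON-NLS-1$) {`, carries a stray `) {` and should read `{ //$NON-NLS-1$`. The comment "Validate token to protect against XSS" would be more precise as `// LSESSION is set by index.jsp from UUID.randomUUID(); re-check its format before writing it into script text`. `liveActionInternal` begins and ends outside the hunk.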
@@ -33,7 +35,22 @@ </body> </html> <% - }else { + } else { + // For live help + String token = request.getParameter("token"); //$NON-NLS-1$ + if (token != null && token.matches("[a-z0-9-]{36}")) { //$NON-NLS-1$ + if (BaseHelpSystem.getInstance().matchOnceLiveHelpToken(token)) { + // Only one session can grab this + if (request.getSession().getAttribute("XSESSION") == null) { //$NON-NLS-1$ + String token2 = UUID.randomUUID().toString(); + request.getSession().setAttribute("XSESSION", token2); //$NON-NLS-1$ + int port = request.getLocalPort(); + response.addHeader("Set-Cookie", "XSESSION-" + port + "=" + token2 + "; HttpOnly; SameSite=Strict"); //$NON-NLS-1 //$NON-NLS-2$ //$NON-NLS-3$ //$NON-NLS-4$ + String token3 = UUID.randomUUID().toString(); + request.getSession().setAttribute("LSESSION", token3); //$NON-NLS-1$ + } + } + } request.getRequestDispatcher("/advanced/index.jsp" + data.getQuery()).forward(request, response); } %> Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/data/LayoutData.java 
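Review bot: When `matchOnceLiveHelpToken(token)` succeeds in index.jsp, the existing session is promoted to one that may run live help but keeps the session id it had before the token was checked. Calling `request.changeSessionId();` inside the `XSESSION == null` branch (Servlet 3.1, assuming the bundled container provides it) would avoid carrying a pre-authentication id into the trusted state. The hand-built `Set-Cookie` value has no `Path` attribute, so the cookie's scope follows the request path; appending `"; Path=" + request.getContextPath() + "/"` makes it explicit. On the same line the marker `//$NON-NLS-1` is missing its closing `$`. A short comment saying that `XSESSION` is the cookie-bound secret and `LSESSION` the value echoed by livehelp_js.jsp would help the next reader.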
@@ -46,6 +46,11 @@ public class LayoutData extends RequestD // initialize the query string String qs = request.getQueryString(); + // Remove any live help token + if (qs != null) { + qs = qs.replaceFirst("^token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ + qs = qs.replaceFirst("&token=[a-z0-9-]{36}", ""); //$NON-NLS-1$ //$NON-NLS-2$ + } if (qs != null && qs.length() > 0) query = "?" + qs; //$NON-NLS-1$ } Index: eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java =================================================================== --- eclipse-4.15.orig/eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java +++ eclipse-platform-sources-I20200305-0155/eclipse.platform.ua/org.eclipse.help.webapp/src/org/eclipse/help/internal/webapp/servlet/LiveHelpServlet.java @@ -14,8 +14,8 @@ package org.eclipse.help.internal.webapp.servlet; import java.io.IOException; - import javax.servlet.ServletException; +import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; 
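Review bot: In LayoutData.java, when `token` is the first of several parameters the first `replaceFirst` leaves the separator behind: the constructed example `token=<36 chars>&tab=x` becomes `&tab=x`, and `query` ends up as `?&tab=x`. A `token` value that does not match `[a-z0-9-]{36}` is not removed at all and is forwarded in `query`. Unless another help page relies on a `token` parameter, one pattern that drops the parameter whatever its value is simpler: `qs = qs.replaceFirst("(^|&)token=[^&]*", "");` followed by `if (qs.startsWith("&")) qs = qs.substring(1);`. The enclosing constructor or method starts outside the hunk.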
@@ -51,6 +51,45 @@ public class LiveHelpServlet extends Htt return; } req.setCharacterEncoding("UTF-8"); //$NON-NLS-1$ + String sessionid = req.getSession().getId(); + Cookie cookies[] = req.getCookies(); + boolean jsessOK = false; + boolean xsessOK = false; + boolean lsessOK = false; + // Unique session ID per help server + int port = req.getLocalPort(); + String xsessname = "XSESSION-" + port; //$NON-NLS-1$ + if (cookies != null) { + for (Cookie cookie : cookies) { + if (cookie.getName().equals("JSESSIONID")) {//$NON-NLS-1$ + if (sessionid.length() >= 30 && + cookie.getValue().startsWith(sessionid)) { + jsessOK = true; + } + } + if (cookie.getName().equals(xsessname)) { + if (cookie.getValue().equals(req.getSession().getAttribute("XSESSION"))) { //$NON-NLS-1$ + xsessOK = true; + } + } + } + } + String token = req.getParameter("token"); //$NON-NLS-1$ + if (token != null && token.equals(req.getSession().getAttribute("LSESSION"))) { //$NON-NLS-1$ + lsessOK = true; + } + if (!jsessOK) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "JSESSIONID"); //$NON-NLS-1$ + return; + } + if (!lsessOK) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "token"); //$NON-NLS-1$ + return; + } + if (!xsessOK) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, xsessname); + return; + } String pluginID = req.getParameter("pluginID"); //$NON-NLS-1$ if (pluginID == null) return; @@ -59,6 +98,11 @@ public class LiveHelpServlet extends Htt return; String arg = req.getParameter("arg"); //$NON-NLS-1$ BaseHelpSystem.runLiveHelp(pluginID, className, arg); + /* + * @FIXME Should runLiveHelp return an error if the plugin/class is wrong + * so a SC_BAD_REQUEST can be returned? Or does this reveal too much? + */ + resp.setStatus(HttpServletResponse.SC_ACCEPTED); } /** *
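Review bot: The three `sendError` calls in LiveHelpServlet.java tell the caller which credential failed (`"JSESSIONID"`, `"token"`, or the cookie name including the port), which an unauthenticated client does not need to know. A single reply, `resp.sendError(HttpServletResponse.SC_FORBIDDEN);`, for all three cases gives away less. `req.getSession()` also creates a session for any request that reaches this point without one, so `req.getSession(false)` with an immediate 403 on null would reject such requests without allocating state. The prefix test `cookie.getValue().startsWith(sessionid)` needs a comment saying why equality is not used (presumably the container appends a suffix to the cookie value; confirm). The method starts outside the hunk.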
