Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Hello,

I would like to fix CVE-2019-9658 and CVE-2019-10782 in checkstyle.
The security team marked this issue as no-dsa. Please find attached
the debdiff for Stretch.

Regards,

Markus
diff -Nru checkstyle-6.15/debian/changelog checkstyle-6.15/debian/changelog
--- checkstyle-6.15/debian/changelog    2016-02-04 21:52:02.000000000 +0100
+++ checkstyle-6.15/debian/changelog    2020-03-24 13:18:16.000000000 +0100
@@ -1,3 +1,14 @@
+checkstyle (6.15-1+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2019-9658 and CVE-2019-10782:
+    Security researchers from Snyk discovered that the fix for CVE-2019-9658
+    was incomplete. Checkstyle, a development tool to help programmers write
+    Java code that adheres to a coding standard, was still vulnerable to XML
+    External Entity (XXE) injection. (Closes: #924598)
+
+ -- Markus Koschany <a...@debian.org>  Tue, 24 Mar 2020 13:18:16 +0100
+
 checkstyle (6.15-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch 
checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
--- checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch       
1970-01-01 01:00:00.000000000 +0100
+++ checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch       
2020-03-24 13:18:16.000000000 +0100
@@ -0,0 +1,95 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 12 Mar 2020 13:06:45 +0100
+Subject: CVE-2019-9658 and CVE-2019-10782
+
+Bug-Debian: https://bugs.debian.org/924598
+
+Origin: 
https://github.com/checkstyle/checkstyle/commit/180b4fe37a2249d4489d584505f2b7b3ab162ec6
+Origin: 
https://github.com/checkstyle/checkstyle/pull/7495/commits/3af187f81ab33c9a8e471cc629ff10fe722a7a56
+---
+ .../tools/checkstyle/api/AbstractLoader.java       | 45 ++++++++++++++++++++++
+ src/xdocs/config_reporting.xml                     | 11 ++++++
+ 2 files changed, 56 insertions(+)
+
+diff --git 
a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java 
b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+index 2e60e6d..6ea678b 100644
+--- a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
++++ b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+@@ -80,6 +80,7 @@ public abstract class AbstractLoader
+         this.publicIdToResourceNameMap =
+             Maps.newHashMap(publicIdToResourceNameMap);
+         final SAXParserFactory factory = SAXParserFactory.newInstance();
++        LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory);
+         factory.setValidating(true);
+         factory.setNamespaceAware(true);
+         parser = factory.newSAXParser().getXMLReader();
+@@ -124,4 +125,48 @@ public abstract class AbstractLoader
+     public void fatalError(SAXParseException exception) throws SAXException {
+         throw exception;
+     }
++
++    /**
++     * Used for setting specific for secure java installations features to 
SAXParserFactory.
++     * Pulled out as a separate class in order to suppress Pitest mutations.
++     */
++    public static final class LoadExternalDtdFeatureProvider {
++
++        /** System property name to enable external DTD load. */
++        public static final String ENABLE_EXTERNAL_DTD_LOAD = 
"checkstyle.enableExternalDtdLoad";
++
++        /** Feature that enables loading external DTD when loading XML files. 
*/
++        public static final String LOAD_EXTERNAL_DTD =
++                
"http://apache.org/xml/features/nonvalidating/load-external-dtd";;
++        /** Feature that enables including external general entities in XML 
files. */
++        public static final String EXTERNAL_GENERAL_ENTITIES =
++                "http://xml.org/sax/features/external-general-entities";;
++        /** Feature that enables including external parameter entities in XML 
files. */
++        public static final String EXTERNAL_PARAMETER_ENTITIES =
++                "http://xml.org/sax/features/external-parameter-entities";;
++
++        /** Stop instances being created. **/
++        private LoadExternalDtdFeatureProvider() {
++        }
++
++        /**
++         * Configures SAXParserFactory with features required
++         * to use external DTD file loading, this is not activated by default 
to not allow
++         * usage of schema files that checkstyle do not know
++         * it is even security problem to allow files from outside.
++         * @param factory factory to be configured with special features
++         * @throws SAXException if an error occurs
++         * @throws ParserConfigurationException if an error occurs
++         */
++        public static void setFeaturesBySystemProperty(SAXParserFactory 
factory)
++                throws SAXException, ParserConfigurationException {
++
++            final boolean enableExternalDtdLoad = Boolean.valueOf(
++                System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"));
++
++            factory.setFeature(LOAD_EXTERNAL_DTD, enableExternalDtdLoad);
++            factory.setFeature(EXTERNAL_GENERAL_ENTITIES, 
enableExternalDtdLoad);
++            factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, 
enableExternalDtdLoad);
++        }
++    }
+ }
+diff --git a/src/xdocs/config_reporting.xml b/src/xdocs/config_reporting.xml
+index 410d7eb..acf99a7 100644
+--- a/src/xdocs/config_reporting.xml
++++ b/src/xdocs/config_reporting.xml
+@@ -68,5 +68,16 @@
+         to an empty string.
+       </p>
+     </section>
++
++    <section name="Enable External DTD load">
++      <p>
++        The property <code>checkstyle.enableExternalDtdLoad</code>
++        defines ability use custom DTD files inconfig and load them from some 
location.
++        The property type
++        is <a href="property_types.html#boolean">boolean</a> and defaults
++        to <code>false</code>.
++      </p>
++    </section>
++
+   </body>
+ </document>
diff -Nru checkstyle-6.15/debian/patches/series 
checkstyle-6.15/debian/patches/series
--- checkstyle-6.15/debian/patches/series       2016-02-04 21:37:44.000000000 
+0100
+++ checkstyle-6.15/debian/patches/series       2020-03-24 13:18:16.000000000 
+0100
@@ -2,3 +2,4 @@
 02_ignore_tests_requiring_internet_connectivity.diff
 03_remove_maven3_prereq.diff
 04_adjust_application_name.diff
+CVE-2019-9658-and-CVE-2019-10782.patch

Reply via email to