Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org
[ Reason ]
Fixing CVE-2023-37476 in Bookworm.

[ Tests ]
The patch checks if file paths inside Zip/Tar archives are valid and do not
try to escape their root directory. The code looks reasonable to me.

[ Risks ]
The code is trivial.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable
diff -Nru openrefine-3.6.2/debian/changelog openrefine-3.6.2/debian/changelog --- openrefine-3.6.2/debian/changelog 2023-04-05 20:20:17.000000000 +0200 +++ openrefine-3.6.2/debian/changelog 2023-09-07 21:22:17.000000000 +0200 @@ -1,3 +1,13 @@ +openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium + + * Fix CVE-2023-37476: + OpenRefine is a free, open source tool for data processing. A carefully + crafted malicious OpenRefine project tar file can be used to trigger + arbitrary code execution in the context of the OpenRefine process if a user + can be convinced to import it. (Closes: #1041422) + + -- Markus Koschany <a...@debian.org> Thu, 07 Sep 2023 21:22:17 +0200 + openrefine (3.6.2-2) unstable; urgency=medium * Depend on libjoda-time-java and liboro-java. diff -Nru openrefine-3.6.2/debian/patches/CVE-2023-37476.patch openrefine-3.6.2/debian/patches/CVE-2023-37476.patch --- openrefine-3.6.2/debian/patches/CVE-2023-37476.patch 1970-01-01 01:00:00.000000000 +0100 +++ openrefine-3.6.2/debian/patches/CVE-2023-37476.patch 2023-09-07 21:22:17.000000000 +0200 
@@ -0,0 +1,24 @@ +From: Markus Koschany <a...@debian.org> +Date: Thu, 17 Aug 2023 21:33:50 +0200 +Subject: CVE-2023-37476 + +Bug-Debian: https://bugs.debian.org/1041422 +Origin: https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651 +--- + main/src/com/google/refine/io/FileProjectManager.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/main/src/com/google/refine/io/FileProjectManager.java b/main/src/com/google/refine/io/FileProjectManager.java +index 09197f7..c913199 100644 +--- a/main/src/com/google/refine/io/FileProjectManager.java ++++ b/main/src/com/google/refine/io/FileProjectManager.java +@@ -167,6 +167,9 @@ public class FileProjectManager extends ProjectManager { + + while ((tarEntry = tin.getNextTarEntry()) != null) { + File destEntry = new File(destDir, tarEntry.getName()); ++ if (!destEntry.toPath().normalize().startsWith(destDir.toPath().normalize())) { ++ throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed."); ++ } + File parent = destEntry.getParentFile(); + + if (!parent.exists()) { diff -Nru openrefine-3.6.2/debian/patches/series openrefine-3.6.2/debian/patches/series --- openrefine-3.6.2/debian/patches/series 2023-04-05 20:20:17.000000000 +0200 +++ openrefine-3.6.2/debian/patches/series 2023-09-07 21:22:17.000000000 +0200 @@ -4,3 +4,4 @@ log4j-api.patch no-java-files.patch gdata-extension.patch +CVE-2023-37476.patch
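Review bot: The exception text in the FileProjectManager.java hunk says "Zip archives" while the loop it is placed in iterates tar entries (`tin.getNextTarEntry()`); suggest "Tar archives with files escaping their root directory are not allowed." or a neutral "Archive entries escaping their root directory are not allowed." so the message matches what was rejected. The check itself is sound for name-based traversal: both sides are normalized before comparison and `Path.startsWith` compares whole name elements, so an entry resolving to a sibling directory such as `.../workspace2` is not accepted as being under `.../workspace`. It is purely lexical, though: it validates `tarEntry.getName()` and nothing else, so if the extraction loop (not visible in this hunk) also materialises symbolic or hard link entries, a later entry could still be written through a link that points outside destDir. Worth confirming how link entries are handled, or rejecting them explicitly, before treating the traversal as fully closed.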
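To make the accept/reject behaviour of the new check visible without building a tar file, the following is an added stand-alone example (not OpenRefine or Debian code) that reproduces the same `normalize()`/`startsWith()` test from the patch and runs it over constructed entry names; the destination directory path is a placeholder, and the comment on the absolute-name case describes the Unix `File(File, String)` resolution rule.

```java
import java.io.File;
import java.nio.file.Path;

/**
 * Added example, not project code: isolates the containment check introduced
 * by the CVE-2023-37476 patch and exercises it against constructed archive
 * entry names so the outcome for each kind of name can be seen directly.
 */
public class ArchiveEntryContainmentDemo {

    /** Same test as the patch: the resolved entry must stay under destDir. */
    static boolean isContained(File destDir, String entryName) {
        File destEntry = new File(destDir, entryName);
        Path dest = destDir.toPath().normalize();
        Path entry = destEntry.toPath().normalize();
        // Path.startsWith compares whole name elements, so "/tmp/dest2" does
        // not start with "/tmp/dest"; a String prefix check would get that wrong.
        return entry.startsWith(dest);
    }

    public static void main(String[] args) {
        // Placeholder destination directory (assumption, nothing is written to it).
        File destDir = new File("/var/lib/openrefine/workspace/1234");

        // Constructed sample entry names covering the cases a reviewer cares about.
        String[] entryNames = {
            "data.txt",               // ordinary file: accepted
            "history/changes.json",   // nested file: accepted
            "./metadata.json",        // "." removed by normalize(): accepted
            "sub/../data.txt",        // resolves back inside destDir: accepted
            "../sibling.txt",         // escapes one level: rejected
            "a/../../../etc/passwd",  // classic traversal: rejected
            "..",                     // the parent directory itself: rejected
            "/etc/passwd",            // absolute child is appended under destDir by
                                      // File(File, String) on Unix: accepted (and contained)
        };

        for (String name : entryNames) {
            System.out.printf("%-24s -> %s%n", name,
                    isContained(destDir, name) ? "accepted" : "REJECTED");
        }
    }
}
```

Compile and run with `javac ArchiveEntryContainmentDemo.java && java ArchiveEntryContainmentDemo`. Note that the check only inspects the entry name: it says nothing about what an entry is (regular file, symlink, hard link), which is why link handling in the surrounding extraction loop matters for the fix to be complete.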