Your message dated Sat, 09 May 2020 11:53:52 +0100
with message-id
<fd7fa4d56896c35aab49a5a51cb69727dc60e87a.ca...@adam-barratt.org.uk>
and subject line Closing requests included in 10.4 point release
has caused the Debian Bug report #954862,
regarding buster-pu: package checkstyle/8.15-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
954862: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954862
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Hello,
I would like to fix CVE-2019-9658 and CVE-2019-10782 in checkstyle.
The security team marked this issue as no-dsa. Please find attached
the debdiff for Buster.
Regards,
Markus
diff -Nru checkstyle-8.15/debian/changelog checkstyle-8.15/debian/changelog
--- checkstyle-8.15/debian/changelog 2018-12-18 13:50:05.000000000 +0100
+++ checkstyle-8.15/debian/changelog 2020-03-24 14:03:07.000000000 +0100
@@ -1,3 +1,14 @@
+checkstyle (8.15-1+deb10u1) buster; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2019-9658 and CVE-2019-10782:
+ Security researchers from Snyk discovered that the fix for CVE-2019-9658
+ was incomplete. Checkstyle, a development tool to help programmers write
+ Java code that adheres to a coding standard, was still vulnerable to XML
+ External Entity (XXE) injection. (Closes: #924598)
+
+ -- Markus Koschany <[email protected]> Tue, 24 Mar 2020 14:03:07 +0100
+
checkstyle (8.15-1) unstable; urgency=medium
* Team upload.
diff -Nru checkstyle-8.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
checkstyle-8.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
--- checkstyle-8.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
1970-01-01 01:00:00.000000000 +0100
+++ checkstyle-8.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
2020-03-24 14:03:07.000000000 +0100
@@ -0,0 +1,184 @@
+From: Markus Koschany <[email protected]>
+Date: Tue, 24 Mar 2020 13:01:27 +0100
+Subject: CVE-2019-9658 and CVE-2019-10782
+
+Bug-Debian: https://bugs.debian.org/924598
+Origin:
https://github.com/checkstyle/checkstyle/commit/180b4fe37a2249d4489d584505f2b7b3ab162ec6
+Origin:
https://github.com/romani/checkstyle/commit/3af187f81ab33c9a8e471cc629ff10fe722a7a56
+---
+ config/pmd.xml | 4 ++--
+ pom.xml | 4 ++--
+ .../com/puppycrawl/tools/checkstyle/XmlLoader.java | 23 +++++++++++++++++-----
+ .../tools/checkstyle/ConfigurationLoaderTest.java | 9 +++++++++
+ .../puppycrawl/tools/checkstyle/XmlLoaderTest.java | 2 +-
+ src/xdocs/config_reporting.xml | 11 +++++++++++
+ 6 files changed, 43 insertions(+), 10 deletions(-)
+
+diff --git a/config/pmd.xml b/config/pmd.xml
+index 29c5c41..a715cae 100644
+--- a/config/pmd.xml
++++ b/config/pmd.xml
+@@ -96,13 +96,13 @@
+ </rule>
+ <rule ref="category/java/codestyle.xml/ClassNamingConventions">
+ <properties>
+- <!-- Definitions and XmlLoader.FeaturesForVerySecureJavaInstallations
aren't utility classes.
++ <!-- Definitions and XmlLoader.LoadExternalDtdFeatureProvider aren't
utility classes.
+ JavadocTokenTypes and TokenTypes aren't utility classes.
+ They are token definition classes. Also, they are part of the
API. -->
+ <property name="violationSuppressXPath"
+ value="//ClassOrInterfaceDeclaration[@Image='Definitions'
+ or @Image='JavadocTokenTypes' or @Image='TokenTypes'
+- or @Image='FeaturesForVerySecureJavaInstallations']"/>
++ or @Image='LoadExternalDtdFeatureProvider']"/>
+ </properties>
+ </rule>
+ <rule ref="category/java/codestyle.xml/ConfusingTernary">
+diff --git a/pom.xml b/pom.xml
+index 8005c34..bcdcd86 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -2526,12 +2526,12 @@
+ </targetTests>
+ <excludedMethods>
+ <!--cause of
https://github.com/checkstyle/checkstyle/issues/3605-->
+- <param>addFeaturesForVerySecureJavaInstallations</param>
++ <param>setFeaturesBySystemProperty</param>
+ </excludedMethods>
+ <avoidCallsTo>
+ <!--cause of
https://github.com/checkstyle/checkstyle/issues/3605-->
+ <avoidCallsTo>
+-
com.puppycrawl.tools.checkstyle.XmlLoader$FeaturesForVerySecureJavaInstallations
++
com.puppycrawl.tools.checkstyle.XmlLoader$LoadExternalDtdFeatureProvider
+ </avoidCallsTo>
+ </avoidCallsTo>
+ <coverageThreshold>99</coverageThreshold>
+diff --git a/src/main/java/com/puppycrawl/tools/checkstyle/XmlLoader.java
b/src/main/java/com/puppycrawl/tools/checkstyle/XmlLoader.java
+index 71d61be..56bdc67 100644
+--- a/src/main/java/com/puppycrawl/tools/checkstyle/XmlLoader.java
++++ b/src/main/java/com/puppycrawl/tools/checkstyle/XmlLoader.java
+@@ -65,7 +65,7 @@ public class XmlLoader
+ throws SAXException, ParserConfigurationException {
+ this.publicIdToResourceNameMap = new
HashMap<>(publicIdToResourceNameMap);
+ final SAXParserFactory factory = SAXParserFactory.newInstance();
+-
FeaturesForVerySecureJavaInstallations.addFeaturesForVerySecureJavaInstallations(factory);
++ LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory);
+ factory.setValidating(true);
+ factory.setNamespaceAware(true);
+ parser = factory.newSAXParser().getXMLReader();
+@@ -119,7 +119,10 @@ public class XmlLoader
+ * Used for setting specific for secure java installations features to
SAXParserFactory.
+ * Pulled out as a separate class in order to suppress Pitest mutations.
+ */
+- public static final class FeaturesForVerySecureJavaInstallations {
++ public static final class LoadExternalDtdFeatureProvider {
++
++ /** System property name to enable external DTD load. */
++ public static final String ENABLE_EXTERNAL_DTD_LOAD =
"checkstyle.enableExternalDtdLoad";
+
+ /** Feature that enables loading external DTD when loading XML files.
*/
+ private static final String LOAD_EXTERNAL_DTD =
+@@ -127,22 +130,32 @@ public class XmlLoader
+ /** Feature that enables including external general entities in XML
files. */
+ private static final String EXTERNAL_GENERAL_ENTITIES =
+ "http://xml.org/sax/features/external-general-entities";;
++ /** Feature that enables including external parameter entities in XML
files. */
++ public static final String EXTERNAL_PARAMETER_ENTITIES =
++ "http://xml.org/sax/features/external-parameter-entities";;
+
+ /** Stop instances being created. **/
+- private FeaturesForVerySecureJavaInstallations() {
++ private LoadExternalDtdFeatureProvider() {
+ }
+
+ /**
+ * Configures SAXParserFactory with features required
+- * for execution on very secured environments.
++ * to use external DTD file loading, this is not activated by default
to no allow
++ * usage of schema files that checkstyle do not know
++ * it is even security problem to allow files from outside.
+ * @param factory factory to be configured with special features
+ * @throws SAXException if an error occurs
+ * @throws ParserConfigurationException if an error occurs
+ */
+- public static void
addFeaturesForVerySecureJavaInstallations(SAXParserFactory factory)
++ public static void setFeaturesBySystemProperty(SAXParserFactory
factory)
+ throws SAXException, ParserConfigurationException {
++
++ final boolean enableExternalDtdLoad = Boolean.valueOf(
++ System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"));
++
+ factory.setFeature(LOAD_EXTERNAL_DTD, true);
+ factory.setFeature(EXTERNAL_GENERAL_ENTITIES, true);
++ factory.setFeature(EXTERNAL_PARAMETER_ENTITIES,
enableExternalDtdLoad);
+ }
+
+ }
+diff --git
a/src/test/java/com/puppycrawl/tools/checkstyle/ConfigurationLoaderTest.java
b/src/test/java/com/puppycrawl/tools/checkstyle/ConfigurationLoaderTest.java
+index eb54a96..73f2542 100644
+---
a/src/test/java/com/puppycrawl/tools/checkstyle/ConfigurationLoaderTest.java
++++
b/src/test/java/com/puppycrawl/tools/checkstyle/ConfigurationLoaderTest.java
+@@ -413,6 +413,9 @@ public class ConfigurationLoaderTest extends
AbstractPathTestSupport {
+ final Properties props = new Properties();
+ props.setProperty("checkstyle.basedir", "basedir");
+
++ System.setProperty(
++
XmlLoader.LoadExternalDtdFeatureProvider.ENABLE_EXTERNAL_DTD_LOAD, "true");
++
+ final DefaultConfiguration config =
+ (DefaultConfiguration) loadConfiguration(
+ "InputConfigurationLoaderExternalEntity.xml", props);
+@@ -428,6 +431,9 @@ public class ConfigurationLoaderTest extends
AbstractPathTestSupport {
+ final Properties props = new Properties();
+ props.setProperty("checkstyle.basedir", "basedir");
+
++ System.setProperty(
++
XmlLoader.LoadExternalDtdFeatureProvider.ENABLE_EXTERNAL_DTD_LOAD, "true");
++
+ final DefaultConfiguration config =
+ (DefaultConfiguration) loadConfiguration(
+ "subdir/InputConfigurationLoaderExternalEntitySubDir.xml",
props);
+@@ -443,6 +449,9 @@ public class ConfigurationLoaderTest extends
AbstractPathTestSupport {
+ final Properties props = new Properties();
+ props.setProperty("checkstyle.basedir", "basedir");
+
++ System.setProperty(
++
XmlLoader.LoadExternalDtdFeatureProvider.ENABLE_EXTERNAL_DTD_LOAD, "true");
++
+ final File file = new File(
+
getPath("subdir/InputConfigurationLoaderExternalEntitySubDir.xml"));
+ final DefaultConfiguration config =
+diff --git a/src/test/java/com/puppycrawl/tools/checkstyle/XmlLoaderTest.java
b/src/test/java/com/puppycrawl/tools/checkstyle/XmlLoaderTest.java
+index cb3c914..16b6d80 100644
+--- a/src/test/java/com/puppycrawl/tools/checkstyle/XmlLoaderTest.java
++++ b/src/test/java/com/puppycrawl/tools/checkstyle/XmlLoaderTest.java
+@@ -45,7 +45,7 @@ public class XmlLoaderTest {
+ @Test
+ public void testIsProperUtilsClass() throws ReflectiveOperationException {
+ assertTrue("Constructor is not private",
isUtilsClassHasPrivateConstructor(
+- XmlLoader.FeaturesForVerySecureJavaInstallations.class,
true));
++ XmlLoader.LoadExternalDtdFeatureProvider.class, true));
+ }
+
+ private static final class DummyLoader extends XmlLoader {
+diff --git a/src/xdocs/config_reporting.xml b/src/xdocs/config_reporting.xml
+index a2c2584..c5f868a 100644
+--- a/src/xdocs/config_reporting.xml
++++ b/src/xdocs/config_reporting.xml
+@@ -69,5 +69,16 @@
+ to an empty string.
+ </p>
+ </section>
++
++ <section name="Enable External DTD load">
++ <p>
++ The property <code>checkstyle.enableExternalDtdLoad</code>
++ defines ability use custom DTD files inconfig and load them from some
location.
++ The property type
++ is <a href="property_types.html#boolean">boolean</a> and defaults
++ to <code>false</code>.
++ </p>
++ </section>
++
+ </body>
+ </document>
diff -Nru checkstyle-8.15/debian/patches/series
checkstyle-8.15/debian/patches/series
--- checkstyle-8.15/debian/patches/series 2018-12-18 11:48:17.000000000
+0100
+++ checkstyle-8.15/debian/patches/series 2020-03-24 14:03:07.000000000
+0100
@@ -1,3 +1,4 @@
01_link_to_system_javadocs.diff
02_ignore_tests_requiring_internet_connectivity.diff
05_antlr_compatibility.diff
+CVE-2019-9658-and-CVE-2019-10782.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.4
Hi,
Each of the uploads referred to by these bugs was included in today's
stable point release.
Regards,
Adam
--- End Message ---
