Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id
<b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.ca...@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #954863,
regarding stretch-pu: package checkstyle/6.15-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
954863: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954863
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: [email protected]
Usertags: pu
Hello,
I would like to fix CVE-2019-9658 and CVE-2019-10782 in checkstyle.
The security team marked this issue as no-dsa. Please find attached
the debdiff for Stretch.
Regards,
Markus
diff -Nru checkstyle-6.15/debian/changelog checkstyle-6.15/debian/changelog
--- checkstyle-6.15/debian/changelog 2016-02-04 21:52:02.000000000 +0100
+++ checkstyle-6.15/debian/changelog 2020-03-24 13:18:16.000000000 +0100
@@ -1,3 +1,14 @@
+checkstyle (6.15-1+deb9u1) stretch; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2019-9658 and CVE-2019-10782:
+ Security researchers from Snyk discovered that the fix for CVE-2019-9658
+ was incomplete. Checkstyle, a development tool to help programmers write
+ Java code that adheres to a coding standard, was still vulnerable to XML
+ External Entity (XXE) injection. (Closes: #924598)
+
+ -- Markus Koschany <[email protected]> Tue, 24 Mar 2020 13:18:16 +0100
+
checkstyle (6.15-1) unstable; urgency=medium
* Team upload.
diff -Nru checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
--- checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
1970-01-01 01:00:00.000000000 +0100
+++ checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
2020-03-24 13:18:16.000000000 +0100
@@ -0,0 +1,95 @@
+From: Markus Koschany <[email protected]>
+Date: Thu, 12 Mar 2020 13:06:45 +0100
+Subject: CVE-2019-9658 and CVE-2019-10782
+
+Bug-Debian: https://bugs.debian.org/924598
+
+Origin:
https://github.com/checkstyle/checkstyle/commit/180b4fe37a2249d4489d584505f2b7b3ab162ec6
+Origin:
https://github.com/checkstyle/checkstyle/pull/7495/commits/3af187f81ab33c9a8e471cc629ff10fe722a7a56
+---
+ .../tools/checkstyle/api/AbstractLoader.java | 45 ++++++++++++++++++++++
+ src/xdocs/config_reporting.xml | 11 ++++++
+ 2 files changed, 56 insertions(+)
+
+diff --git
a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+index 2e60e6d..6ea678b 100644
+--- a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
++++ b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+@@ -80,6 +80,7 @@ public abstract class AbstractLoader
+ this.publicIdToResourceNameMap =
+ Maps.newHashMap(publicIdToResourceNameMap);
+ final SAXParserFactory factory = SAXParserFactory.newInstance();
++ LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory);
+ factory.setValidating(true);
+ factory.setNamespaceAware(true);
+ parser = factory.newSAXParser().getXMLReader();
+@@ -124,4 +125,48 @@ public abstract class AbstractLoader
+ public void fatalError(SAXParseException exception) throws SAXException {
+ throw exception;
+ }
++
++ /**
++ * Used for setting specific for secure java installations features to
SAXParserFactory.
++ * Pulled out as a separate class in order to suppress Pitest mutations.
++ */
++ public static final class LoadExternalDtdFeatureProvider {
++
++ /** System property name to enable external DTD load. */
++ public static final String ENABLE_EXTERNAL_DTD_LOAD =
"checkstyle.enableExternalDtdLoad";
++
++ /** Feature that enables loading external DTD when loading XML files.
*/
++ public static final String LOAD_EXTERNAL_DTD =
++
"http://apache.org/xml/features/nonvalidating/load-external-dtd";
++ /** Feature that enables including external general entities in XML
files. */
++ public static final String EXTERNAL_GENERAL_ENTITIES =
++ "http://xml.org/sax/features/external-general-entities";
++ /** Feature that enables including external parameter entities in XML
files. */
++ public static final String EXTERNAL_PARAMETER_ENTITIES =
++ "http://xml.org/sax/features/external-parameter-entities";
++
++ /** Stop instances being created. **/
++ private LoadExternalDtdFeatureProvider() {
++ }
++
++ /**
++ * Configures SAXParserFactory with features required
++ * to use external DTD file loading, this is not activated by default
to not allow
++ * usage of schema files that checkstyle do not know
++ * it is even security problem to allow files from outside.
++ * @param factory factory to be configured with special features
++ * @throws SAXException if an error occurs
++ * @throws ParserConfigurationException if an error occurs
++ */
++ public static void setFeaturesBySystemProperty(SAXParserFactory
factory)
++ throws SAXException, ParserConfigurationException {
++
++ final boolean enableExternalDtdLoad = Boolean.valueOf(
++ System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"));
++
++ factory.setFeature(LOAD_EXTERNAL_DTD, enableExternalDtdLoad);
++ factory.setFeature(EXTERNAL_GENERAL_ENTITIES,
enableExternalDtdLoad);
++ factory.setFeature(EXTERNAL_PARAMETER_ENTITIES,
enableExternalDtdLoad);
++ }
++ }
+ }
+diff --git a/src/xdocs/config_reporting.xml b/src/xdocs/config_reporting.xml
+index 410d7eb..acf99a7 100644
+--- a/src/xdocs/config_reporting.xml
++++ b/src/xdocs/config_reporting.xml
+@@ -68,5 +68,16 @@
+ to an empty string.
+ </p>
+ </section>
++
++ <section name="Enable External DTD load">
++ <p>
++ The property <code>checkstyle.enableExternalDtdLoad</code>
++ defines ability use custom DTD files inconfig and load them from some
location.
++ The property type
++ is <a href="property_types.html#boolean">boolean</a> and defaults
++ to <code>false</code>.
++ </p>
++ </section>
++
+ </body>
+ </document>
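Review bot: The property name and Javadoc present `checkstyle.enableExternalDtdLoad` as a switch for loading external DTDs, but `setFeaturesBySystemProperty` also sets `external-general-entities` and `external-parameter-entities` to the same value, so turning it on re-opens the XXE exposure this patch closes rather than only permitting DTD fetches, and because it is read from a JVM-wide system property it appears to do so for every AbstractLoader constructed in that process. Suggest stating this in the method's Javadoc, e.g. `* Enabling the property also re-enables external general and parameter entity resolution for every loader in this JVM, which reintroduces the XXE exposure this class exists to close; leave it off unless every configuration and DTD source is trusted.`, and adding the same caveat to the new config_reporting.xml section, whose sentence `defines ability use custom DTD files inconfig and load them from some location` is also garbled. As a point of style, `Boolean.parseBoolean(System.getProperty(ENABLE_EXTERNAL_DTD_LOAD))` reads the flag without the boxed `Boolean.valueOf` and the explicit `"false"` default, since parseBoolean already treats null as false. The constructor that gains the `setFeaturesBySystemProperty` call at the top of the hunk starts outside it.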
diff -Nru checkstyle-6.15/debian/patches/series
checkstyle-6.15/debian/patches/series
--- checkstyle-6.15/debian/patches/series 2016-02-04 21:37:44.000000000
+0100
+++ checkstyle-6.15/debian/patches/series 2020-03-24 13:18:16.000000000
+0100
@@ -2,3 +2,4 @@
02_ignore_tests_requiring_internet_connectivity.diff
03_remove_maven3_prereq.diff
04_adjust_application_name.diff
+CVE-2019-9658-and-CVE-2019-10782.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13
Hi,
All of these requests relate to updates that were included in today's
stretch point release.
Regards,
Adam
--- End Message ---