Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id
<43535efb498a168cf81452ca0c326f004f46adc6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #966247,
regarding buster-pu: package commons-configuration2/2.2-1+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
966247: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966247
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Fixes a minor security issue, debdiff below.
Cheers,
Moritz
diff -Nru commons-configuration2-2.2/debian/changelog
commons-configuration2-2.2/debian/changelog
--- commons-configuration2-2.2/debian/changelog 2017-12-29 23:12:51.000000000
+0100
+++ commons-configuration2-2.2/debian/changelog 2020-07-13 18:19:38.000000000
+0200
@@ -1,3 +1,9 @@
+commons-configuration2 (2.2-1+deb10u1) buster; urgency=medium
+
+ * CVE-2020-1953 (Closes: #954713)
+
+ -- Moritz Mühlenhoff <[email protected]> Mon, 13 Jul 2020 19:18:37 +0200
+
commons-configuration2 (2.2-1) unstable; urgency=medium
* New upstream release
diff -Nru commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch
commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch
--- commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch
1970-01-01 01:00:00.000000000 +0100
+++ commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch
2020-07-13 18:06:19.000000000 +0200
@@ -0,0 +1,179 @@
+Backport to 2.2 of the following upstream commit:
+
+From add7375cf37fd316d4838c6c56b054fc293b4641 Mon Sep 17 00:00:00 2001
+From: oheger <[email protected]>
+Date: Wed, 4 Mar 2020 21:33:22 +0100
+Subject: [PATCH] Prevent object creation when loading YAML files.
+
+When creating a new Yaml instance from SnakeYaml to read in a
+configuration file the instance is now configured that no objects are
+created automatically.
+
+---
commons-configuration2-2.2.orig/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java
++++
commons-configuration2-2.2/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java
+@@ -18,11 +18,14 @@
+ package org.apache.commons.configuration2;
+
+ import org.apache.commons.configuration2.ex.ConfigurationException;
++import org.apache.commons.configuration2.ex.ConfigurationRuntimeException;
+ import org.apache.commons.configuration2.io.InputStreamSupport;
+ import org.apache.commons.configuration2.tree.ImmutableNode;
+ import org.yaml.snakeyaml.DumperOptions;
+ import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.Yaml;
++import org.yaml.snakeyaml.constructor.Constructor;
++import org.yaml.snakeyaml.representer.Representer;
+
+ import java.io.IOException;
+ import java.io.InputStream;
+@@ -65,7 +68,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml();
++ Yaml yaml = createYamlForReading(new LoaderOptions());
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -80,7 +83,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml(options);
++ Yaml yaml = createYamlForReading(options);
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -117,7 +120,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml();
++ Yaml yaml = createYamlForReading(new LoaderOptions());
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -132,7 +135,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml(options);
++ Yaml yaml = createYamlForReading(options);
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -142,4 +145,34 @@ public class YAMLConfiguration extends A
+ }
+ }
+
++ /**
++ * Creates a {@code Yaml} object for reading a Yaml file. The object is
++ * configured with some default settings.
++ *
++ * @param options options for loading the file
++ * @return the {@code Yaml} instance for loading a file
++ */
++ private static Yaml createYamlForReading(LoaderOptions options)
++ {
++ return new Yaml(createClassLoadingDisablingConstructor(), new
Representer(), new DumperOptions(), options);
++ }
++
++ /**
++ * Returns a {@code Constructor} object for the YAML parser that prevents
++ * all classes from being loaded. This effectively disables the dynamic
++ * creation of Java objects that are declared in YAML files to be loaded.
++ *
++ * @return the {@code Constructor} preventing object creation
++ */
++ private static Constructor createClassLoadingDisablingConstructor()
++ {
++ return new Constructor()
++ {
++ @Override
++ protected Class<?> getClassForName(String name)
++ {
++ throw new ConfigurationRuntimeException("Class loading is
disabled.");
++ }
++ };
++ }
+ }
+---
commons-configuration2-2.2.orig/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java
++++
commons-configuration2-2.2/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java
+@@ -20,26 +20,36 @@ package org.apache.commons.configuration
+ import org.apache.commons.configuration2.ex.ConfigurationException;
+ import org.junit.Before;
+ import org.junit.Rule;
++import org.junit.Rule;
+ import org.junit.Test;
+ import org.junit.rules.TemporaryFolder;
+ import org.yaml.snakeyaml.Yaml;
+
+ import java.io.File;
+ import java.io.FileReader;
++import java.io.ByteArrayInputStream;
++import java.io.File;
+ import java.io.IOException;
++import java.io.StringReader;
+ import java.io.StringWriter;
++import java.nio.charset.StandardCharsets;
+ import java.util.Arrays;
+ import java.util.List;
+ import java.util.Map;
+
+ import static org.junit.Assert.assertEquals;
++import static org.junit.Assert.assertFalse;
+ import static org.junit.Assert.assertTrue;
++import static org.junit.Assert.fail;
+
+ /**
+ * Unit test for {@link YAMLConfiguration}
+ */
+ public class TestYAMLConfiguration
+ {
++ @Rule
++ public TemporaryFolder temporaryFolder = new TemporaryFolder();
++
+ /** The files that we test with. */
+ private String testYaml =
+ ConfigurationAssert.getTestFile("test.yaml").getAbsolutePath();
+@@ -137,4 +147,40 @@ public class TestYAMLConfiguration
+ yamlConfiguration = new YAMLConfiguration(c);
+ assertEquals("bar", yamlConfiguration.getString("foo"));
+ }
++
++ @Test
++ public void testObjectCreationFromReader()
++ {
++ final File createdFile = new File(temporaryFolder.getRoot(),
"data.txt");
++ final String yaml = "!!java.io.FileOutputStream [" +
createdFile.getAbsolutePath() + "]";
++
++ try
++ {
++ yamlConfiguration.read(new StringReader(yaml));
++ fail("Loading configuration did not cause an exception!");
++ }
++ catch (ConfigurationException e)
++ {
++ //expected
++ }
++ assertFalse("Java object was created", createdFile.exists());
++ }
++
++ @Test
++ public void testObjectCreationFromStream()
++ {
++ final File createdFile = new File(temporaryFolder.getRoot(),
"data.txt");
++ final String yaml = "!!java.io.FileOutputStream [" +
createdFile.getAbsolutePath() + "]";
++
++ try
++ {
++ yamlConfiguration.read(new
ByteArrayInputStream(yaml.getBytes(StandardCharsets.UTF_8)));
++ fail("Loading configuration did not cause an exception!");
++ }
++ catch (ConfigurationException e)
++ {
++ //expected
++ }
++ assertFalse("Java object was created", createdFile.exists());
++ }
+ }
diff -Nru commons-configuration2-2.2/debian/patches/series
commons-configuration2-2.2/debian/patches/series
--- commons-configuration2-2.2/debian/patches/series 1970-01-01
01:00:00.000000000 +0100
+++ commons-configuration2-2.2/debian/patches/series 2020-07-13
18:05:49.000000000 +0200
@@ -0,0 +1 @@
+CVE-2020-1953.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.5
Hi,
Each of these bugs relates to an update that was included in today's
stable point release.
Regards,
Adam
--- End Message ---
