Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-CC: tmanc...@debian.org
Hi, This is an update for CVE-2019-12402. The change is the same as the one done for libcommons-compress-java_1.18-3 at: https://salsa.debian.org/java-team/libcommons-compress-java/-/commit/b0f86e2643f1edde31f42a8245224b618030c6aa It is a no-dsa, so it needs to be fixed via a stable update. -- Regards Sudip
diff -Nru libcommons-compress-java-1.18/debian/changelog libcommons-compress-java-1.18/debian/changelog
--- libcommons-compress-java-1.18/debian/changelog 2019-03-01 22:27:13.000000000 +0000
+++ libcommons-compress-java-1.18/debian/changelog 2020-09-18 12:47:06.000000000 +0100
@@ -1,3 +1,10 @@
+libcommons-compress-java (1.18-2+deb10u1) buster; urgency=medium
+
+ * Team upload.
+ * Add patch for CVE-2019-12402 (Closes: #939610)
+
+ -- Sudip Mukherjee <sudipm.mukher...@gmail.com> Fri, 18 Sep 2020 12:47:06 +0100
+
 libcommons-compress-java (1.18-2) unstable; urgency=medium
 
 * Team upload.
diff -Nru libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch
--- libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch 1970-01-01 01:00:00.000000000 +0100
+++ libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch 2020-09-14 16:52:45.000000000 +0100
@@ -0,0 +1,127 @@
+Description: addresses CVE-2019-12402 (Debian: #939610)
+From: Stefan Bodewig <bode...@apache.org>
+Date: Fri, 23 Aug 2019 14:12:05 +0000 (+0200)
+Subject: unit tests for encoding logic
+X-Git-Tag: 1.19-RC1~6
+X-Git-Url: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff_plain;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581
+
+unit tests for encoding logic
+---
+
+diff --git a/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java b/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+index 0a7581a..4ce9c20 100644
+--- a/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
++++ b/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+@@ -112,6 +112,9 @@ class NioZipEncoding implements ZipEncoding, CharsetAccessor {
+ } else if (res.isOverflow()) {
+ int increment = estimateIncrementalEncodingSize(enc, cb.remaining());
+ out = ZipEncodingHelper.growBufferBy(out, increment);
++
++ } else if (res.isUnderflow() || res.isError()) {
++ break;
+ }
+ }
+ // tell the encoder we are done
+diff --git a/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java b/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+new file mode 100644
+index 0000000..a04730c
+--- /dev/null
++++ b/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+@@ -0,0 +1,97 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements. See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership. The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied. See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ */
++
++package org.apache.commons.compress.archivers.zip;
++
++import java.nio.ByteBuffer;
++import java.nio.charset.StandardCharsets;
++import java.util.Arrays;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++public class NioZipEncodingTest {
++
++ private static final String UMLAUTS = "\u00e4\u00f6\u00fc";
++
++ @Test
++ public void umlautToUTF16BE() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
++ ByteBuffer bb = e.encode(UMLAUTS);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_16BE), result);
++ }
++
++ @Test
++ public void umlautToUTF8() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_8, true);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_8), result);
++ }
++
++ @Test
++ public void umlautToISO88591() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.ISO_8859_1, true);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.ISO_8859_1), result);
++ }
++
++ @Test
++ public void unmappableUmlauts() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertEquals("%U00E4%U00F6%U00FC", new String(result, StandardCharsets.US_ASCII));
++ }
++
++ private static final String RAINBOW_EMOJI = "\ud83c\udf08";
++
++ @Test
++ public void unmappableRainbowEmoji() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++ ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertEquals("%UD83C%UDF08", new String(result, StandardCharsets.US_ASCII));
++ }
++
++ @Test
++ public void rainbowEmojiToSurrogatePairUTF16() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
++ ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertArrayEquals(RAINBOW_EMOJI.getBytes(StandardCharsets.UTF_16BE), result);
++ }
++
++ @Test
++ public void partialSurrogatePair() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++ ByteBuffer bb = e.encode("\ud83c");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++ Assert.assertEquals(0, result.length);
++ }
++}
diff -Nru libcommons-compress-java-1.18/debian/patches/series libcommons-compress-java-1.18/debian/patches/series
--- libcommons-compress-java-1.18/debian/patches/series 2019-03-01 22:27:13.000000000 +0000
+++ libcommons-compress-java-1.18/debian/patches/series 2020-09-14 16:52:45.000000000 +0100
@@ -1,3 +1,4 @@
 disable-brotli.patch
 disable-zstd.patch
 disable-osgi-tests.patch
+CVE-2019-12402-939610.patch
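Review bot: The new `} else if (res.isUnderflow() || res.isError()) { break; }` branch in the embedded NioZipEncoding.java hunk (around line 112) is the actual CVE-2019-12402 fix, yet it carries no comment and the patch's `Subject:` line only says "unit tests for encoding logic", so a reader of the Debian patch cannot tell which line is the security-relevant one. The encode loop that this branch exits starts and ends outside the hunk, so the exact loop condition is not visible here, but the added `partialSurrogatePair` test pins the consequence of the `isError()` arm: a lone high surrogate now yields an empty result, i.e. malformed input is dropped rather than reported, which callers that build archive entry names should be aware of. I would annotate the new branch with `// underflow: input fully consumed; error: malformed input (e.g. an unpaired surrogate) — stop here, presumably the loop otherwise never terminates (CVE-2019-12402)` and extend the `Description:` header of the patch to say that it adds the loop exit as well as the tests.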