Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id
<d50ba4de424290cd2840a09ef19950156fcf51ab.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970549,
regarding buster-pu: package libcommons-compress-java/1.18-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
970549: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970549
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: [email protected]
Hi,
This is an update for CVE-2019-12402. The change is the same as the one made for
libcommons-compress-java_1.18-3 at:
https://salsa.debian.org/java-team/libcommons-compress-java/-/commit/b0f86e2643f1edde31f42a8245224b618030c6aa
It is a no-dsa issue, so it needs to be fixed via a stable update.
--
Regards
Sudip
diff -Nru libcommons-compress-java-1.18/debian/changelog
libcommons-compress-java-1.18/debian/changelog
--- libcommons-compress-java-1.18/debian/changelog 2019-03-01
22:27:13.000000000 +0000
+++ libcommons-compress-java-1.18/debian/changelog 2020-09-18
12:47:06.000000000 +0100
@@ -1,3 +1,10 @@
+libcommons-compress-java (1.18-2+deb10u1) buster; urgency=medium
+
+ * Team upload.
+ * Add patch for CVE-2019-12402 (Closes: #939610)
+
+ -- Sudip Mukherjee <[email protected]> Fri, 18 Sep 2020 12:47:06
+0100
+
libcommons-compress-java (1.18-2) unstable; urgency=medium
* Team upload.
diff -Nru
libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch
libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch
--- libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch
1970-01-01 01:00:00.000000000 +0100
+++ libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch
2020-09-14 16:52:45.000000000 +0100
@@ -0,0 +1,127 @@
+Description: addresses CVE-2019-12402 (Debian: #939610)
+From: Stefan Bodewig <[email protected]>
+Date: Fri, 23 Aug 2019 14:12:05 +0000 (+0200)
+Subject: unit tests for encoding logic
+X-Git-Tag: 1.19-RC1~6
+X-Git-Url:
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff_plain;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581
+
+unit tests for encoding logic
+---
+
+diff --git
a/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
b/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+index 0a7581a..4ce9c20 100644
+---
a/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
++++
b/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+@@ -112,6 +112,9 @@ class NioZipEncoding implements ZipEncoding,
CharsetAccessor {
+ } else if (res.isOverflow()) {
+ int increment = estimateIncrementalEncodingSize(enc,
cb.remaining());
+ out = ZipEncodingHelper.growBufferBy(out, increment);
++
++ } else if (res.isUnderflow() || res.isError()) {
++ break;
+ }
+ }
+ // tell the encoder we are done
+diff --git
a/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
b/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+new file mode 100644
+index 0000000..a04730c
+--- /dev/null
++++
b/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+@@ -0,0 +1,97 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements. See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership. The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied. See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ */
++
++package org.apache.commons.compress.archivers.zip;
++
++import java.nio.ByteBuffer;
++import java.nio.charset.StandardCharsets;
++import java.util.Arrays;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++public class NioZipEncodingTest {
++
++ private static final String UMLAUTS = "\u00e4\u00f6\u00fc";
++
++ @Test
++ public void umlautToUTF16BE() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE,
false);
++ ByteBuffer bb = e.encode(UMLAUTS);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit()
- bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_16BE),
result);
++ }
++
++ @Test
++ public void umlautToUTF8() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_8, true);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit()
- bb.position());
++ Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_8),
result);
++ }
++
++ @Test
++ public void umlautToISO88591() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.ISO_8859_1,
true);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit()
- bb.position());
++
Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.ISO_8859_1), result);
++ }
++
++ @Test
++ public void unmappableUmlauts() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII,
false);
++ ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit()
- bb.position());
++ Assert.assertEquals("%U00E4%U00F6%U00FC", new String(result,
StandardCharsets.US_ASCII));
++ }
++
++ private static final String RAINBOW_EMOJI = "\ud83c\udf08";
++
++ @Test
++ public void unmappableRainbowEmoji() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII,
false);
++ ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit()
- bb.position());
++ Assert.assertEquals("%UD83C%UDF08", new String(result,
StandardCharsets.US_ASCII));
++ }
++
++ @Test
++ public void rainbowEmojiToSurrogatePairUTF16() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE,
false);
++ ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit()
- bb.position());
++
Assert.assertArrayEquals(RAINBOW_EMOJI.getBytes(StandardCharsets.UTF_16BE),
result);
++ }
++
++ @Test
++ public void partialSurrogatePair() {
++ NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII,
false);
++ ByteBuffer bb = e.encode("\ud83c");
++ final int off = bb.arrayOffset();
++ byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit()
- bb.position());
++ Assert.assertEquals(0, result.length);
++ }
++}
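Review bot: The new `} else if (res.isUnderflow() || res.isError()) { break; }` branch ends the encode loop with input still left in `cb`, and `partialSurrogatePair` pins the consequence: a lone high surrogate encodes to zero bytes, so a malformed entry name is silently truncated rather than rejected. That is the deliberate CVE-2019-12402 trade-off (stop instead of spinning when the encoder asks for more input that will never come), but nothing in the hunk says so; suggest `// CVE-2019-12402: a trailing lone surrogate makes the encoder report underflow with input left over; stop rather than loop forever` above the new branch and a one-line comment on `partialSurrogatePair` stating that malformed input is dropped, not reported. The enclosing method (`encode`, judging by the tests), including the call that produces `res` and the final flush after `// tell the encoder we are done`, starts and ends outside the hunk, so whether the leftover character is surfaced later cannot be judged here. On style, `umlautToUTF8`, `umlautToISO88591` and `unmappableUmlauts` spell out `"\u00e4\u00f6\u00fc"` instead of reusing `UMLAUTS`, and the three-line buffer-to-array extraction is copied into every test and would read better as a private helper.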
diff -Nru libcommons-compress-java-1.18/debian/patches/series
libcommons-compress-java-1.18/debian/patches/series
--- libcommons-compress-java-1.18/debian/patches/series 2019-03-01
22:27:13.000000000 +0000
+++ libcommons-compress-java-1.18/debian/patches/series 2020-09-14
16:52:45.000000000 +0100
@@ -1,3 +1,4 @@
disable-brotli.patch
disable-zstd.patch
disable-osgi-tests.patch
+CVE-2019-12402-939610.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6
Hi,
Each of these bugs relates to an update that was included in today's
stable point release.
Regards,
Adam
--- End Message ---