Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id
<b70f86aac27195271a9b5212c7acc936da6ff100.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #971869,
regarding buster-pu: package freecol/0.11.6+dfsg2-2+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
971869: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971869
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected]
Low severity bugfix for freecol, which doesn't warrant a DSA.
The (identical) patch has been in unstable for half a year, also
doublechecked by playing for half an hour :-)
Cheers,
Moritz
diff -Nru freecol-0.11.6+dfsg2/debian/changelog
freecol-0.11.6+dfsg2/debian/changelog
--- freecol-0.11.6+dfsg2/debian/changelog 2018-08-31 19:22:57.000000000
+0200
+++ freecol-0.11.6+dfsg2/debian/changelog 2020-10-07 22:20:46.000000000
+0200
@@ -1,3 +1,9 @@
+freecol (0.11.6+dfsg2-2+deb10u1) buster; urgency=medium
+
+ * CVE-2018-1000825 (Closes: #917023)
+
+ -- Moritz Mühlenhoff <[email protected]> Wed, 07 Oct 2020 22:20:46 +0200
+
freecol (0.11.6+dfsg2-2) unstable; urgency=medium
* Declare compliance with Debian Policy 4.2.1.
diff -Nru freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch
freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch
--- freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch 1970-01-01
01:00:00.000000000 +0100
+++ freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch 2020-10-07
22:20:40.000000000 +0200
@@ -0,0 +1,142 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 24 Feb 2020 12:33:58 +0100
+Subject: CVE-2018-1000825
+
+Bug-Debian: https://bugs.debian.org/917023
+Origin:
https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3
+---
+ src/net/sf/freecol/common/io/FreeColXMLReader.java | 19 +++++++++++++++++--
+ src/net/sf/freecol/common/model/FreeColObject.java | 3 +++
+ src/net/sf/freecol/common/networking/Connection.java | 3 +++
+ src/net/sf/freecol/common/networking/DOMMessage.java | 3 +++
+ src/net/sf/freecol/tools/GenerateDocumentation.java | 3 +++
+ 5 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/src/net/sf/freecol/common/io/FreeColXMLReader.java
b/src/net/sf/freecol/common/io/FreeColXMLReader.java
+index dd78a40..abbaba6 100644
+--- a/src/net/sf/freecol/common/io/FreeColXMLReader.java
++++ b/src/net/sf/freecol/common/io/FreeColXMLReader.java
+@@ -88,7 +88,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
+ super();
+
+ try {
+- XMLInputFactory xif = XMLInputFactory.newInstance();
++ XMLInputFactory xif = newXMLInputFactory();
+ setParent(xif.createXMLStreamReader(inputStream, "UTF-8"));
+ } catch (XMLStreamException e) {
+ throw new IOException(e);
+@@ -109,7 +109,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
+ super();
+
+ try {
+- XMLInputFactory xif = XMLInputFactory.newInstance();
++ XMLInputFactory xif = newXMLInputFactory();
+ setParent(xif.createXMLStreamReader(reader));
+ } catch (XMLStreamException e) {
+ throw new IOException(e);
+@@ -118,6 +118,21 @@ public class FreeColXMLReader extends StreamReaderDelegate
+ this.readScope = ReadScope.NORMAL;
+ }
+
++ /**
++ * Create a new XMLInputFactory.
++ *
++ * Respond to CVE 2018-1000825.
++ *
++ * @return A new <code>XMLInputFactory</code>.
++ */
++ private static XMLInputFactory newXMLInputFactory() {
++ XMLInputFactory xif = XMLInputFactory.newInstance();
++ // This disables DTDs entirely for that factory
++ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
++ // disable external entities
++ xif.setProperty("javax.xml.stream.isSupportingExternalEntities",
false);
++ return xif;
++ }
+
+ /**
+ * Should reads from this stream intern their objects into the
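Review bot: `newXMLInputFactory()` names its second property by string literal while the first uses a constant; `xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);` is the same key and is checked by the compiler. `setProperty` throws `IllegalArgumentException` when the StAX implementation does not support a property, and the two constructors in the hunks above catch only `XMLStreamException`, so with a non-default provider on the classpath the failure would escape as an unchecked exception rather than the `IOException` they wrap other errors in. Failing closed is reasonable for a hardening fix, but it should be deliberate; the Javadoc could state it together with the guarantee, e.g. `Create a new XMLInputFactory with DTD support and external entities disabled.`, rather than only citing the CVE.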
+diff --git a/src/net/sf/freecol/common/model/FreeColObject.java
b/src/net/sf/freecol/common/model/FreeColObject.java
+index 01c9887..d8f3754 100644
+--- a/src/net/sf/freecol/common/model/FreeColObject.java
++++ b/src/net/sf/freecol/common/model/FreeColObject.java
+@@ -49,6 +49,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.ObjectWithId;
+ import net.sf.freecol.common.io.FreeColXMLReader;
+@@ -895,6 +896,8 @@ public abstract class FreeColObject
+ public void readFromXMLElement(Element element) {
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer xmlTransformer = factory.newTransformer();
+ StringWriter stringWriter = new StringWriter();
+ xmlTransformer.transform(new DOMSource(element),
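Review bot: The two `setAttribute` calls added to `readFromXMLElement` are repeated verbatim in `Connection`, `DOMMessage.elementToString` and `GenerateDocumentation` later in this patch, while the StAX side got a single `newXMLInputFactory()` helper; one shared method returning a hardened `TransformerFactory` would keep the four sites from drifting apart. `TransformerFactory.setAttribute` throws `IllegalArgumentException` when the implementation does not recognise the attribute, so a transformer implementation without JAXP 1.5 support would fail at these lines, and the catch clause lies outside the hunk, so whether that case is handled cannot be seen here. Consider adding `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` next to them. Here and in `elementToString` the transformer only serialises an already-parsed `DOMSource`, so the parser that built the `Element` from external input is the more important place to disable DTDs and external entities; no `DocumentBuilderFactory` change appears in this patch, and it is worth confirming whether one is needed.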
+diff --git a/src/net/sf/freecol/common/networking/Connection.java
b/src/net/sf/freecol/common/networking/Connection.java
+index f88d2ed..48954bd 100644
+--- a/src/net/sf/freecol/common/networking/Connection.java
++++ b/src/net/sf/freecol/common/networking/Connection.java
+@@ -40,6 +40,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.FreeColException;
+ import net.sf.freecol.common.debug.FreeColDebugger;
+@@ -101,6 +102,8 @@ public class Connection implements Closeable {
+ Transformer myTransformer = null;
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ myTransformer = factory.newTransformer();
+ myTransformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION,
+ "yes");
+diff --git a/src/net/sf/freecol/common/networking/DOMMessage.java
b/src/net/sf/freecol/common/networking/DOMMessage.java
+index 7181a7d..8fe7295 100644
+--- a/src/net/sf/freecol/common/networking/DOMMessage.java
++++ b/src/net/sf/freecol/common/networking/DOMMessage.java
+@@ -37,6 +37,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.io.FreeColXMLWriter;
+ import net.sf.freecol.common.debug.FreeColDebugger;
+@@ -448,6 +449,8 @@ public class DOMMessage {
+ public static String elementToString(Element element) {
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer xt = factory.newTransformer();
+ StringWriter sw = new StringWriter();
+ xt.transform(new DOMSource(element), new StreamResult(sw));
+diff --git a/src/net/sf/freecol/tools/GenerateDocumentation.java
b/src/net/sf/freecol/tools/GenerateDocumentation.java
+index aac0f55..a52cf5b 100644
+--- a/src/net/sf/freecol/tools/GenerateDocumentation.java
++++ b/src/net/sf/freecol/tools/GenerateDocumentation.java
+@@ -35,6 +35,7 @@ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.i18n.Messages;
+ import net.sf.freecol.common.model.StringTemplate;
+@@ -192,6 +193,8 @@ public class GenerateDocumentation {
+ Messages.loadMessageBundle(Messages.getLocale(languageCode));
+ try {
+ TransformerFactory factory =
TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD,
"");
++
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Source xsl = new StreamSource(new File("doc", XSL));
+ Transformer stylesheet;
+ try {
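Review bot: In `GenerateDocumentation` the factory goes on to compile a stylesheet from `new File("doc", XSL)`, and `ACCESS_EXTERNAL_STYLESHEET` set to `""` denies every `xsl:import`, `xsl:include` and `document()` reference made from it. Whether the documentation stylesheet uses any of these is not visible in the hunk, which starts and ends inside the enclosing method, so the doc-generation tool should be run once against the patched build. A short comment such as `// no external DTD/stylesheet access; the doc XSL must be self-contained` would record the constraint for whoever edits that stylesheet next.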
diff -Nru freecol-0.11.6+dfsg2/debian/patches/series
freecol-0.11.6+dfsg2/debian/patches/series
--- freecol-0.11.6+dfsg2/debian/patches/series 2018-08-31 19:22:57.000000000
+0200
+++ freecol-0.11.6+dfsg2/debian/patches/series 2020-10-07 22:20:40.000000000
+0200
@@ -1,2 +1,3 @@
commons-cli-1.3.patch
valid-appdata.patch
+CVE-2018-1000825.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.7
Hi,
Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.
Regards,
Adam
--- End Message ---