Your message dated Fri, 6 Aug 2021 08:51:50 +0200
with message-id <[email protected]>
and subject line Re: Bug#991885: unblock: xmlgraphics-commons/2.4-1
has caused the Debian Bug report #991885,
regarding unblock: xmlgraphics-commons/2.4-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
991885: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991885
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected]

Please unblock package xmlgraphics-commons

[ Reason ]

I know we are past the deadline now but I hope you can make an
exception because the fix is straightforward. I would like to fix
CVE-2020-11988 in Bullseye.

[ Impact ]

xmlgraphics-commons would still be vulnerable and users would have to wait
for the next point update.

[ Tests ]

Test case works as intended.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock xmlgraphics-commons/2.4-1
diff -Nru xmlgraphics-commons-2.4/debian/changelog 
xmlgraphics-commons-2.4/debian/changelog
--- xmlgraphics-commons-2.4/debian/changelog    2020-02-14 22:20:36.000000000 
+0100
+++ xmlgraphics-commons-2.4/debian/changelog    2021-08-02 07:48:42.000000000 
+0200
@@ -1,3 +1,15 @@
+xmlgraphics-commons (2.4-2) unstable; urgency=high
+
+  * Team upload.
+  * Fix CVE-2020-11988:
+    Apache XmlGraphics Commons is vulnerable to server-side request forgery,
+    caused by improper input validation by the XMPParser. By using a
+    specially-crafted argument, an attacker could exploit this vulnerability to
+    cause the underlying server to make arbitrary GET requests.
+    (Closes: #984949)
+
+ -- Markus Koschany <[email protected]>  Mon, 02 Aug 2021 07:48:42 +0200
+
 xmlgraphics-commons (2.4-1) unstable; urgency=medium
 
   * New upstream version 2.4
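Review bot: the version in the new changelog entry, `xmlgraphics-commons (2.4-2)`, does not match the unblock line in the request body (`unblock xmlgraphics-commons/2.4-1`) or the bug subject; the release team hints on the exact version being uploaded, so the request line should read `unblock xmlgraphics-commons/2.4-2`. The entry itself is fine: it names the CVE, explains the impact, and closes #984949.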
diff -Nru xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch 
xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch
--- xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch 1970-01-01 
01:00:00.000000000 +0100
+++ xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch 2021-08-02 
07:48:42.000000000 +0200
@@ -0,0 +1,77 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 2 Aug 2021 07:47:01 +0200
+Subject: CVE-2020-11988
+
+Bug-Debian: https://bugs.debian.org/984949
+Origin: 
https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
+---
+ .../java/org/apache/xmlgraphics/xmp/XMPParser.java    |  3 +++
+ .../org/apache/xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java 
b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+index b7c0e5f..4c58a11 100644
+--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+@@ -21,6 +21,7 @@ package org.apache.xmlgraphics.xmp;
+ 
+ import java.net.URL;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+@@ -54,6 +55,8 @@ public final class XMPParser {
+      */
+     public static Metadata parseXMP(Source src) throws TransformerException {
+         TransformerFactory tFactory = TransformerFactory.newInstance();
++        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+         Transformer transformer = tFactory.newTransformer();
+         XMPHandler handler = createXMPHandler();
+         SAXResult res = new SAXResult(handler);
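Review bot: `TransformerFactory.setAttribute` throws an unchecked `IllegalArgumentException` when the loaded implementation does not recognise the attribute, and `XMLConstants.ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_STYLESHEET` are JAXP 1.5 properties that a stand-alone Xalan picked up through the service loader may not support; since `parseXMP` declares only `TransformerException`, such a setup would fail with a crash rather than a parse error. As this mirrors the upstream commit it is acceptable as a targeted fix, but a one-line comment that the JDK's built-in factory is assumed, and that the empty string disables every external DTD and stylesheet fetch (which XMP metadata never legitimately needs), would help the next maintainer.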
+diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java 
b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+index 02c4cf6..5f2ef05 100644
+--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+@@ -19,16 +19,21 @@
+ 
+ package org.apache.xmlgraphics.xmp;
+ 
++import java.io.StringReader;
+ import java.net.URL;
+ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.TimeZone;
+ 
++import javax.xml.transform.TransformerException;
++import javax.xml.transform.stream.StreamSource;
++
+ import org.junit.Test;
+ 
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertNotNull;
+ import static org.junit.Assert.assertNull;
++import static org.junit.Assert.assertTrue;
+ 
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
+@@ -189,4 +194,18 @@ public class XMPParserTestCase {
+         assertNull(title); //Empty value treated same as not existant
+     }
+ 
++    @Test
++    public void testExternalDTD() {
++        String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
++                + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM 
\"http://127.0.0.1:9999/eval.xml\";>\n%remote;]>\n"
++                + "<root></root>";
++        StreamSource streamSource = new StreamSource(new 
StringReader(payload));
++        String msg = "";
++        try {
++            XMPParser.parseXMP(streamSource);
++        } catch (TransformerException e) {
++            msg = e.getMessage();
++        }
++        assertTrue(msg, msg.contains("access is not allowed"));
++    }
+ }
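Review bot: the assertion `assertTrue(msg, msg.contains("access is not allowed"))` pins the test to the wording of one JAXP implementation's error message, so it can fail on another `TransformerFactory` even when the external entity is correctly blocked; asserting first that a `TransformerException` was thrown at all (a boolean set in the `catch` block) and treating the message text as a secondary check would be more robust. Also, the payload line as shown reads `SYSTEM \"http://127.0.0.1:9999/eval.xml\";>`, where the `;` after the closing quote would make the DOCTYPE malformed and produce a well-formedness error instead of an access error; this looks like mail wrapping or archive rendering, but please confirm the patch file matches the upstream commit named in the `Origin:` header.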
diff -Nru xmlgraphics-commons-2.4/debian/patches/series 
xmlgraphics-commons-2.4/debian/patches/series
--- xmlgraphics-commons-2.4/debian/patches/series       1970-01-01 
01:00:00.000000000 +0100
+++ xmlgraphics-commons-2.4/debian/patches/series       2021-08-02 
07:48:42.000000000 +0200
@@ -0,0 +1 @@
+CVE-2020-11988.patch

--- End Message ---
--- Begin Message ---
Hi Markus,

On 04-08-2021 14:47, Markus Koschany wrote:
> Please unblock package xmlgraphics-commons

The issue is marked as a minor issue by the security team and not fixed in
buster. Plainly said, the fix came too late (you had since March).

Paul



--- End Message ---
