Author: ebourg-guest Date: 2013-12-02 21:13:34 +0000 (Mon, 02 Dec 2013) New Revision: 17534
Added: trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch
Modified: trunk/libcommons-fileupload-java/debian/changelog trunk/libcommons-fileupload-java/debian/patches/series
Log: Ack NMU
Modified: trunk/libcommons-fileupload-java/debian/changelog
===================================================================
--- trunk/libcommons-fileupload-java/debian/changelog 2013-12-02 17:23:20 UTC (rev 17533)
+++ trunk/libcommons-fileupload-java/debian/changelog 2013-12-02 21:13:34 UTC (rev 17534)
@@ -1,3 +1,14 @@
+libcommons-fileupload-java (1.3-2.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Add CVE-2013-2186.patch patch.
+ CVE-2013-2186: Arbitrary file upload via deserialization. Properly
+ validate repository in src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java.
+ Thanks to Marc Deslauriers <[email protected]> for
+ providing the debdiff. (Closes: #726601)
+
+ -- Salvatore Bonaccorso <[email protected]> Fri, 15 Nov 2013 15:04:17 +0100
+
 libcommons-fileupload-java (1.3-2) unstable; urgency=low
 
 * Team upload.
Added: trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch
===================================================================
--- trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch (rev 0)
+++ trunk/libcommons-fileupload-java/debian/patches/CVE-2013-2186.patch 2013-12-02 21:13:34 UTC (rev 17534)
@@ -0,0 +1,37 @@
+Description: fix arbitrary file overwrite via poison null byte
+Origin: upstream, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
+Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
+
+Index: libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+===================================================================
+--- libcommons-fileupload-java-1.3.orig/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-03-24 08:36:44.000000000 -0400
++++ libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 09:32:20.042865874 -0500
+@@ -656,6 +656,26 @@
+ // read values
+ in.defaultReadObject();
+
++ /* One expected use of serialization is to migrate HTTP sessions
++ * containing a DiskFileItem between JVMs. Particularly if the JVMs are
++ * on different machines It is possible that the repository location is
++ * not valid so validate it.
++ */
++ if (repository != null) {
++ if (repository.isDirectory()) {
++ // Check path for nulls
++ if (repository.getPath().contains("\0")) {
++ throw new IOException(format(
++ "The repository [%s] contains a null character",
++ repository.getPath()));
++ }
++ } else {
++ throw new IOException(format(
++ "The repository [%s] is not a directory",
++ repository.getAbsolutePath()));
++ }
++ }
++
+ OutputStream output = getOutputStream();
+ if (cachedContent != null) {
+ output.write(cachedContent);
Modified: trunk/libcommons-fileupload-java/debian/patches/series
===================================================================
--- trunk/libcommons-fileupload-java/debian/patches/series 2013-12-02 17:23:20 UTC (rev 17533)
+++ trunk/libcommons-fileupload-java/debian/patches/series 2013-12-02 21:13:34 UTC (rev 17534)
@@ -1 +1,2 @@
 001_update-tests-for-servlet3-api.patch
+CVE-2013-2186.patch
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
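Review bot: The validation added to readObject inside the new CVE-2013-2186.patch only confirms that `repository` exists and is a directory, while the context lines right after it (`OutputStream output = getOutputStream();` … `output.write(cachedContent);`) still write the deserialized `cachedContent` into whatever directory the serialized stream named, so any existing directory the JVM can write to remains an accepted target and the check closes the poison-null-byte variant rather than the trust problem of honouring a stream-supplied path. The stronger control is either to refuse to deserialize DiskFileItem from untrusted sources at all, or to confine `repository` to a configured base with a canonical-path containment check such as `if (!repository.getCanonicalPath().startsWith(allowedBase.getCanonicalPath() + File.separator)) throw new IOException(...)` — `allowedBase` is a constructed name, no such setting exists in the class as shown, so this is a design point for the maintainers rather than a drop-in line. Which of the two branches actually rejects a path containing NUL depends on whether the JDK's `File` treats such a path as invalid before `isDirectory()` consults the filesystem; a comment such as `// Either branch throws: isDirectory() may already reject a NUL path, the explicit check covers JDKs that do not` would save the next reader from re-deriving that, and the two messages reporting `getPath()` versus `getAbsolutePath()` could be made consistent. readObject begins and ends outside the hunk, and `format` is presumably a static import of String.format — confirm.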

