Author: ebourg-guest Date: 2014-03-25 14:44:47 +0000 (Tue, 25 Mar 2014) New Revision: 17945
Added: branches/libxalan2-java/wheezy-security/debian/patches/CVE-2014-0107.patch Modified: branches/libxalan2-java/wheezy-security/debian/changelog branches/libxalan2-java/wheezy-security/debian/patches/series Log: Fix CVE-2014-0107 for Wheezy
Modified: branches/libxalan2-java/wheezy-security/debian/changelog
===================================================================
--- branches/libxalan2-java/wheezy-security/debian/changelog 2014-03-25 14:35:22 UTC (rev 17944)
+++ branches/libxalan2-java/wheezy-security/debian/changelog 2014-03-25 14:44:47 UTC (rev 17945)
@@ -1,3 +1,13 @@
+libxalan2-java (2.7.1-7+deb7u1) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2014-0107: Strengthen the secure processing mode by disabling
+ external general entities, foreign attributes and access to the system
+ properties. This could be exploited to execute arbitrary code remotely.
+ (Closes: #742577)
+
+ -- Emmanuel Bourg <[email protected]> Tue, 25 Mar 2014 15:37:47 +0100
+
 libxalan2-java (2.7.1-7) unstable; urgency=low
 
 [Jakub Adam]
Added: branches/libxalan2-java/wheezy-security/debian/patches/CVE-2014-0107.patch
===================================================================
--- branches/libxalan2-java/wheezy-security/debian/patches/CVE-2014-0107.patch (rev 0)
+++ branches/libxalan2-java/wheezy-security/debian/patches/CVE-2014-0107.patch 2014-03-25 14:44:47 UTC (rev 17945)
@@ -0,0 +1,124 @@
+Description: Fix for CVE-2014-0107: Strengthen the secure processing mode by
+ disabling external general entities, foreign attributes and access to the
+ system properties. This could be exploited to execute arbitrary code remotely.
+Origin: https://svn.apache.org/r1581058
+Bug-Debian: https://bugs.debian.org/742577
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@
+ try
+ {
+ if (sroot.getExtensions() != null)
+- m_extensionsTable = new ExtensionsTable(sroot);
++ //only load extensions if secureProcessing is disabled
++ if(!sroot.isSecureProcessing())
++ m_extensionsTable = new ExtensionsTable(sroot);
+ }
+ catch (javax.xml.transform.TransformerException te)
+ {te.printStackTrace();}
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,29 @@
+ }
+ else
+ {
+- // Can we switch the order here:
+-
+- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+- attributes.getQName(i), attributes.getValue(i),
+- target);
+-
+- // Now we only add the element if it passed a validation check
+- if (success)
+- processedDefs.add(attrDef);
++ //handle secure processing
++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++ {
++ //foreign attributes are not allowed in secure processing mode
++ // Then barf, because this element does not allow this attribute.
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++ //+ " attribute is not allowed on the " + rawName
++ // + " element!", null);
++ }
+ else
+- errorDefs.add(attrDef);
++ {
++
++
++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++ attributes.getQName(i), attributes.getValue(i),
++ target);
++
++ // Now we only add the element if it passed a validation check
++ if (success)
++ processedDefs.add(attrDef);
++ else
++ errorDefs.add(attrDef);
++ }
+ }
+ }
+ 
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@
+ reader = XMLReaderFactory.createXMLReader();
+ }
+ 
++ if(m_isSecureProcessing)
++ {
++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++ }
+ // Need to set options!
+ reader.setContentHandler(handler);
+ reader.parse(isource);
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@
+ 
+ String fullName = m_arg0.execute(xctxt).str();
+ int indexOfNSSep = fullName.indexOf(':');
+- String result;
++ String result = null;
+ String propName = "";
+ 
+ // List of properties where the name of the
+@@ -98,8 +98,17 @@
+ 
+ try
+ {
+- result = System.getProperty(propName);
+-
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(propName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ propName }); //"SecurityException when trying to access XSL system property: "+propName);
++ result = xsltInfo.getProperty(propName);
++ }
+ if (null == result)
+ {
+ 
+@@ -120,8 +129,17 @@
+ {
+ try
+ {
+- result = System.getProperty(fullName);
+-
++ //if secure procession is enabled 
only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(fullName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ result = xsltInfo.getProperty(fullName);
++ }
+ if (null == result)
+ {
+ 
Modified: branches/libxalan2-java/wheezy-security/debian/patches/series
===================================================================
--- branches/libxalan2-java/wheezy-security/debian/patches/series 2014-03-25 14:35:22 UTC (rev 17944)
+++ branches/libxalan2-java/wheezy-security/debian/patches/series 2014-03-25 14:44:47 UTC (rev 17945)
@@ -1,2 +1,2 @@
 build.patch
-
+CVE-2014-0107.patch
_______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
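Review bot: The TransformerFactoryImpl hunk turns off only `external-general-entities`, which leaves external parameter entities and the external DTD subset resolvable by the SAX reader in secure-processing mode, so a stylesheet's DOCTYPE can still cause the parser to fetch outside resources; the same `if(m_isSecureProcessing)` block should also set `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`. `setFeature` throws the checked `SAXNotRecognizedException`/`SAXNotSupportedException` when a reader does not implement the feature, and whether the enclosing method (which starts and ends outside the hunk) propagates or swallows those is not visible here; if they are swallowed, secure mode would silently proceed without the restriction, so an unsupported feature should be treated as a hard failure rather than logged. In both FuncSystemProperty hunks the `WG_SECURITY_EXCEPTION` warning is emitted before `xsltInfo.getProperty` is consulted, so it fires even for names that lookup then answers; guarding the `warn` call with `if (null == result)` inside the else branch would limit it to lookups that were actually refused. In the XSLTElementProcessor hunk, `attrDef.getName().compareTo("*")==0` reads more naturally, and is null-safe, as `"*".equals(attrDef.getName())`.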

