This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch wheezy in repository libxstream-java.
commit cc759a4f7c6cbce5e615bc93b48a17952c37f75d Author: Emmanuel Bourg <[email protected]> Date: Tue Mar 29 14:36:39 2016 +0200 Backported the fix for CVE-2016-3674 --- debian/changelog | 8 ++ debian/patches/CVE-2016-3674.patch | 282 +++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 291 insertions(+) diff --git a/debian/changelog b/debian/changelog index 250b4af..72fdb7a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +libxstream-java (1.4.2-1+deb7u1) wheezy-security; urgency=high + + * Security update: + - CVE-2016-3674: XML external entity injection vulnerability + (Closes: #819455) + + -- Emmanuel Bourg <[email protected]> Tue, 29 Mar 2016 14:23:13 +0200 + libxstream-java (1.4.2-1) unstable; urgency=low [ tony mancill ] diff --git a/debian/patches/CVE-2016-3674.patch b/debian/patches/CVE-2016-3674.patch new file mode 100644 index 0000000..e95d142 --- /dev/null +++ b/debian/patches/CVE-2016-3674.patch 
@@ -0,0 +1,282 @@ +Description: CVE-2016-3674: XML external entity injection vulnerability +Origin: backport, https://github.com/x-stream/xstream/commit/c9b121a + https://github.com/x-stream/xstream/commit/25c6704 + https://github.com/x-stream/xstream/commit/87172cf + https://github.com/x-stream/xstream/commit/7c77ac0 + https://github.com/x-stream/xstream/commit/7183131 + https://github.com/x-stream/xstream/commit/812a0fa + https://github.com/x-stream/xstream/commit/6438b65 +Bug: https://github.com/x-stream/xstream/issues/25 +Bug-Debian: https://bugs.debian.org/819455 +--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/BEAStaxDriver.java ++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/BEAStaxDriver.java +@@ -41,7 +41,9 @@ + } + + protected XMLInputFactory createInputFactory() { +- return new MXParserFactory(); ++ XMLInputFactory instance = new MXParserFactory(); ++ instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); ++ return instance; + } + + protected XMLOutputFactory createOutputFactory() { +--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/Dom4JDriver.java ++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/Dom4JDriver.java +@@ -26,6 +26,7 @@ + import org.dom4j.io.OutputFormat; + import org.dom4j.io.SAXReader; + import org.dom4j.io.XMLWriter; ++import org.xml.sax.SAXException; + + import com.thoughtworks.xstream.io.HierarchicalStreamReader; + import com.thoughtworks.xstream.io.HierarchicalStreamWriter; +@@ -89,8 +90,7 @@ + + public HierarchicalStreamReader createReader(Reader text) { + try { +- SAXReader reader = new SAXReader(); +- Document document = reader.read(text); ++ Document document = createReader().read(text); + return new Dom4JReader(document, getNameCoder()); + } catch (DocumentException e) { + throw new StreamException(e); +@@ -99,8 +99,7 @@ + + public HierarchicalStreamReader createReader(InputStream in) { + try { +- SAXReader reader = new SAXReader(); +- Document document = reader.read(in); ++ 
Document document = createReader().read(in); + return new Dom4JReader(document, getNameCoder()); + } catch (DocumentException e) { + throw new StreamException(e); +@@ -112,8 +111,7 @@ + */ + public HierarchicalStreamReader createReader(URL in) { + try { +- SAXReader reader = new SAXReader(); +- Document document = reader.read(in); ++ Document document = createReader().read(in); + return new Dom4JReader(document, getNameCoder()); + } catch (DocumentException e) { + throw new StreamException(e); +@@ -125,8 +123,7 @@ + */ + public HierarchicalStreamReader createReader(File in) { + try { +- SAXReader reader = new SAXReader(); +- Document document = reader.read(in); ++ Document document = createReader().read(in); + return new Dom4JReader(document, getNameCoder()); + } catch (DocumentException e) { + throw new StreamException(e); +@@ -148,4 +145,21 @@ + final Writer writer = new OutputStreamWriter(out); + return createWriter(writer); + } ++ ++ /** ++ * Create and initialize the SAX reader. ++ * ++ * @return the SAX reader instance. ++ * @throws DocumentException if DOCTYPE processing cannot be disabled ++ * @since upcoming ++ */ ++ protected SAXReader createReader() throws DocumentException { ++ SAXReader reader = new SAXReader(); ++ try { ++ reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ++ } catch (SAXException e) { ++ throw new DocumentException("Cannot disable DOCTYPE processing", e); ++ } ++ return reader; ++ } + } +--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java ++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java +@@ -39,7 +39,7 @@ + public class DomDriver extends AbstractXmlDriver { + + private final String encoding; +- private final DocumentBuilderFactory documentBuilderFactory; ++ private DocumentBuilderFactory documentBuilderFactory; + + /** + * Construct a DomDriver. 
+@@ -61,7 +61,6 @@ + */ + public DomDriver(String encoding, NameCoder nameCoder) { + super(nameCoder); +- documentBuilderFactory = DocumentBuilderFactory.newInstance(); + this.encoding = encoding; + } + +@@ -91,6 +90,13 @@ + + private HierarchicalStreamReader createReader(InputSource source) { + try { ++ if (documentBuilderFactory == null) { ++ synchronized (this) { ++ if (documentBuilderFactory == null) { ++ documentBuilderFactory = createDocumentBuilderFactory(); ++ } ++ } ++ } + DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder(); + if (encoding != null) { + source.setEncoding(encoding); +@@ -121,4 +127,20 @@ + throw new StreamException(e); + } + } ++ ++ /** ++ * Create the DocumentBuilderFactory instance. ++ * ++ * @return the new instance ++ * @since upcoming ++ */ ++ protected DocumentBuilderFactory createDocumentBuilderFactory() { ++ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ try { ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ++ } catch (ParserConfigurationException e) { ++ throw new StreamException(e); ++ } ++ return factory; ++ } + } +--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java ++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java +@@ -55,7 +55,7 @@ + + public HierarchicalStreamReader createReader(Reader reader) { + try { +- SAXBuilder builder = new SAXBuilder(); ++ SAXBuilder builder = createBuilder(); + Document document = builder.build(reader); + return new JDomReader(document, getNameCoder()); + } catch (IOException e) { +@@ -67,7 +67,7 @@ + + public HierarchicalStreamReader createReader(InputStream in) { + try { +- SAXBuilder builder = new SAXBuilder(); ++ SAXBuilder builder = createBuilder(); + Document document = builder.build(in); + return new JDomReader(document, getNameCoder()); + } catch (IOException e) { +@@ -79,7 +79,7 @@ + + public HierarchicalStreamReader createReader(URL in) { + try { +- SAXBuilder 
builder = new SAXBuilder(); ++ SAXBuilder builder = createBuilder(); + Document document = builder.build(in); + return new JDomReader(document, getNameCoder()); + } catch (IOException e) { +@@ -91,7 +91,7 @@ + + public HierarchicalStreamReader createReader(File in) { + try { +- SAXBuilder builder = new SAXBuilder(); ++ SAXBuilder builder = createBuilder(); + Document document = builder.build(in); + return new JDomReader(document, getNameCoder()); + } catch (IOException e) { +@@ -109,5 +109,17 @@ + return new PrettyPrintWriter(new OutputStreamWriter(out)); + } + ++ /** ++ * Create and initialize the SAX builder. ++ * ++ * @return the SAX builder instance. ++ * @since upcoming ++ */ ++ protected SAXBuilder createBuilder() { ++ SAXBuilder builder = new SAXBuilder(); ++ builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); ++ return builder; ++ } ++ + } + +--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/SjsxpDriver.java ++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/SjsxpDriver.java +@@ -42,7 +42,9 @@ + protected XMLInputFactory createInputFactory() { + Exception exception = null; + try { +- return (XMLInputFactory)Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance(); ++ XMLInputFactory instance = (XMLInputFactory)Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance(); ++ instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); ++ return instance; + } catch (InstantiationException e) { + exception = e; + } catch (IllegalAccessException e) { +--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/StaxDriver.java ++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/StaxDriver.java +@@ -202,7 +202,9 @@ + * @since 1.4 + */ + protected XMLInputFactory createInputFactory() { +- return XMLInputFactory.newInstance(); ++ XMLInputFactory instance = XMLInputFactory.newInstance(); ++ instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); ++ 
return instance; + } + + /** +--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/WstxDriver.java ++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/WstxDriver.java +@@ -41,7 +41,9 @@ + } + + protected XMLInputFactory createInputFactory() { +- return new WstxInputFactory(); ++ XMLInputFactory instance = new WstxInputFactory(); ++ instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); ++ return instance; + } + + protected XMLOutputFactory createOutputFactory() { +--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java ++++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java +@@ -79,7 +79,7 @@ + + public HierarchicalStreamReader createReader(Reader text) { + try { +- Document document = builder.build(text); ++ Document document = getBuilder().build(text); + return new XomReader(document, getNameCoder()); + } catch (ValidityException e) { + throw new StreamException(e); +@@ -92,7 +92,7 @@ + + public HierarchicalStreamReader createReader(InputStream in) { + try { +- Document document = builder.build(in); ++ Document document = getBuilder().build(in); + return new XomReader(document, getNameCoder()); + } catch (ValidityException e) { + throw new StreamException(e); +@@ -105,7 +105,7 @@ + + public HierarchicalStreamReader createReader(URL in) { + try { +- Document document = builder.build(in.toExternalForm()); ++ Document document = getBuilder().build(in.toExternalForm()); + return new XomReader(document, getNameCoder()); + } catch (ValidityException e) { + throw new StreamException(e); +@@ -118,7 +118,7 @@ + + public HierarchicalStreamReader createReader(File in) { + try { +- Document document = builder.build(in); ++ Document document = getBuilder().build(in); + return new XomReader(document, getNameCoder()); + } catch (ValidityException e) { + throw new StreamException(e); diff --git a/debian/patches/series b/debian/patches/series index e69de29..cfbb099 100644 --- a/debian/patches/series 
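Review bot: The lazy initialisation added to DomDriver.createReader(InputSource) is double-checked locking on a field that this same patch changes from `final` to a plain `private DocumentBuilderFactory documentBuilderFactory;` with no `volatile`, so under the Java memory model a second thread may observe a non-null reference before the `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` write made in createDocumentBuilderFactory() is visible to it; declare the field `private volatile DocumentBuilderFactory documentBuilderFactory;` so the check-lock-check pattern is sound. The XomDriver hunks only replace `builder` with `getBuilder()` and add no feature or entity-resolver configuration, so unless getBuilder() is hardened in code outside this patch the default XOM Builder's behaviour is unchanged by this backport, which the changelog entry does not make clear. In the four StAX drivers (BEAStaxDriver, SjsxpDriver, StaxDriver, WstxDriver) `IS_SUPPORTING_EXTERNAL_ENTITIES=false` stops external entity resolution but still leaves DTD processing on; if DTDs are not needed by callers, also setting `XMLInputFactory.SUPPORT_DTD` to `false` would narrow the parser further, though that is a behaviour change worth testing against existing inputs. The Java classes and most methods touched by the nested patch begin and end outside the hunks shown.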
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2016-3674.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libxstream-java.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

