Tony Mancill pushed to branch master at Debian Java Maintainers / 
libquartz2-java


Commits:
22d63fb4 by tony mancill at 2019-10-08T21:24:15-07:00
Add patch for CVE-2019-13990 (Closes: #933170)

- - - - -
edf2c930 by tony mancill at 2020-07-05T21:46:59-07:00
prepare for upload to unstable

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/03-CVE-2019-13990.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,9 @@
+libquartz2-java (2.3.0-3) unstable; urgency=medium
+
+  * Add patch for CVE-2019-13990 (Closes: #933170)
+
+ -- tony mancill <[email protected]>  Sun, 05 Jul 2020 21:39:41 -0700
+
 libquartz2-java (2.3.0-2) unstable; urgency=medium
 
   * Team upload.


=====================================
debian/patches/03-CVE-2019-13990.patch
=====================================
@@ -0,0 +1,92 @@
+Description: patch for CVE-2019-13990: XXE in initDocumentParser
+ provide XML parser with a strong configuration to prevent XXE attacks
+Source: 
https://github.com/quartz-scheduler/quartz/commit/a1395ba118df306c7fe67c24fb0c9a95a4473140.patch
+Author: Jonathan Gallimore <[email protected]>
+Bug-Debian: https://bugs.debian.org/933170
+Bug: https://github.com/quartz-scheduler/quartz/issues/467
+Forwarded: not-needed
+
+---
+ .../xml/XMLSchedulingDataProcessor.java       |  7 +++++
+ .../xml/XMLSchedulingDataProcessorTest.java   | 26 +++++++++++++++++++
+ .../org/quartz/xml/bad-job-config.xml         | 15 +++++++++++
+ 3 files changed, 48 insertions(+)
+ create mode 100755 
quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+
+--- a/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
++++ b/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+@@ -174,6 +174,13 @@
+         
+         
docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource";,
 resolveSchemaSource());
+         
++        
docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
++        
docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
++        
docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities";,
 false);
++        
docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities";,
 false);
++        docBuilderFactory.setXIncludeAware(false);
++        docBuilderFactory.setExpandEntityReferences(false);
++
+         docBuilder = docBuilderFactory.newDocumentBuilder();
+         
+         docBuilder.setErrorHandler(this);
+--- 
a/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
++++ 
b/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+@@ -30,6 +30,7 @@
+ import org.quartz.simpl.SimpleThreadPool;
+ import org.quartz.spi.ClassLoadHelper;
+ import org.quartz.utils.DBConnectionManager;
++import org.xml.sax.SAXParseException;
+ 
+ /**
+  * Unit test for XMLSchedulingDataProcessor.
+@@ -112,6 +113,31 @@
+                               inStream.close();
+               }
+       }
++
++      public void testXmlParserConfiguration() throws Exception {
++              Scheduler scheduler = null;
++              try {
++                      StdSchedulerFactory factory = new 
StdSchedulerFactory("org/quartz/xml/quartz-test.properties");
++                      scheduler = factory.getScheduler();
++                      ClassLoadHelper clhelper = new 
CascadingClassLoadHelper();
++                      clhelper.initialize();
++                      XMLSchedulingDataProcessor processor = new 
XMLSchedulingDataProcessor(clhelper);
++                      
processor.processFileAndScheduleJobs("org/quartz/xml/bad-job-config.xml", 
scheduler);
++
++
++                      final JobKey jobKey = 
scheduler.getJobKeys(GroupMatcher.jobGroupEquals("native")).iterator().next();
++                      final JobDetail jobDetail = 
scheduler.getJobDetail(jobKey);
++                      final String description = jobDetail.getDescription();
++
++
++                      fail("Expected parser configuration to block DOCTYPE. 
The following was injected into the job description field: " + description);
++              } catch (SAXParseException e) {
++                      assertTrue(e.getMessage().contains("DOCTYPE is 
disallowed"));
++              } finally {
++                      if (scheduler != null)
++                              scheduler.shutdown();
++              }
++      }
+       
+       /** QTZ-187 */
+       public void testDirectivesNoOverwriteWithIgnoreDups() throws Exception {
+--- /dev/null
++++ b/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+@@ -0,0 +1,15 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE foo [<!ELEMENT foo ANY >
++              <!ENTITY xxe SYSTEM "/" >]>
++<job-scheduling-data 
xmlns="http://www.quartz-scheduler.org/xml/JobSchedulingData"; 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; 
xsi:schemaLocation="http://www.quartz-scheduler.org/xml/JobSchedulingData 
http://www.quartz-scheduler.org/xml/job_scheduling_data_2_0.xsd"; version="2.0">
++      <schedule>
++              <job>
++                      <name>xxe</name>
++                      <group>native</group>
++                      <description>&xxe;</description>
++                      
<job-class>org.quartz.xml.XMLSchedulingDataProcessorTest$MyJob</job-class>
++                      <durability>true</durability>
++                      <recover>false</recover>
++              </job>
++      </schedule>
++</job-scheduling-data>
+\ No newline at end of file
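Review bot: The hardening added to initDocumentParser relies only on Xerces/SAX feature URIs and never turns on the portable JAXP switch, `docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` (with `import javax.xml.XMLConstants;`), which every JAXP implementation must recognise and which, in the JDK's built-in parser, additionally applies entity-expansion limits; adding it after the setExpandEntityReferences(false) line is one statement and changes nothing for well-formed job XML. The implementation-specific feature names are still worth keeping, since setFeature fails with a ParserConfigurationException on a parser that does not know them, which fails closed rather than silently. Separately, testXmlParserConfiguration asserts on the Xerces-specific wording `"DOCTYPE is disallowed"`, so the test breaks on any parser that rejects the DOCTYPE with a different message; asserting only that a SAXParseException was raised would keep the test portable while still proving the DOCTYPE was refused. The enclosing initDocumentParser method begins and ends outside the hunk.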


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
-02-java10-compatibility.patch
 01-j2ee-dependencies.patch
+02-java10-compatibility.patch
+03-CVE-2019-13990.patch


