Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:c3p0
User: [email protected]
Usertags: pu

  * Backport fix for CVE-2019-5427. (Closes: #927936)

This has already been in trixie for a year.
diffstat for c3p0-0.9.1.2 c3p0-0.9.1.2

 changelog                   |   14 ++++++++
 patches/CVE-2019-5427.patch |   76 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    1 
 3 files changed, 91 insertions(+)

diff -Nru c3p0-0.9.1.2/debian/changelog c3p0-0.9.1.2/debian/changelog
--- c3p0-0.9.1.2/debian/changelog       2018-12-25 16:16:25.000000000 +0200
+++ c3p0-0.9.1.2/debian/changelog       2026-05-04 14:56:32.000000000 +0300
@@ -1,3 +1,17 @@
+c3p0 (0.9.1.2-10.1~deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for bookworm
+
+ -- Adrian Bunk <[email protected]>  Mon, 04 May 2026 14:56:32 +0300
+
+c3p0 (0.9.1.2-10.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Backport fix for CVE-2019-5427. (Closes: #927936)
+
+ -- Bastian Germann <[email protected]>  Fri, 04 Apr 2025 13:01:52 +0200
+
 c3p0 (0.9.1.2-10) unstable; urgency=medium
 
   * Team upload.
diff -Nru c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch 
c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch
--- c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch     1970-01-01 
02:00:00.000000000 +0200
+++ c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch     2025-04-04 
14:01:52.000000000 +0300
@@ -0,0 +1,76 @@
+Origin: upstream, f38f27635c384806c2a9d6500d80183d9f09d78b
+From: Steve Waldman <[email protected]>
+Date: Fri, 15 Mar 2019 22:29:39 -0700
+Subject: Address more potential security concerns associated with the
+ possibility of adversarially constructed XML files, many thanks to Aaron
+ Massey at HackerOne.
+---
+--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
++++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+@@ -147,10 +141,65 @@ public static C3P0Config 
extractXmlConfigFromDefaultResource( boolean expandEnti
+         }
+     }
+ 
++    private static void attemptSetFeature( DocumentBuilderFactory dbf, String 
featureUri, boolean setting )
++    {
++      try { dbf.setFeature( featureUri, setting ); }
++      catch (ParserConfigurationException e)
++      {
++          if ( logger.isLoggable( MLevel.FINE ) )
++              logger.log(MLevel.FINE, "Attempted but failed to set presumably 
unsupported feature '" + featureUri + "' to " + setting + ".");
++      }
++    }
++
++    // thanks to zhutougg on GitHub 
https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
++    // let's address hazards associated with overliberal parsing of XML, 
CVE-2018-20433
++    //
++    // by default entity references will not be expanded, but callers can 
specify expansion if they wish (important
++    // to retain backwards compatibility with existing config files where 
users understand the risks)
++    //
++    // -=-=-=-
++    //
++    // disabling entity expansions turns out not to be sufficient to prevent 
attacks (if an attacker can control the
++    // XML config file that will be parsed). we now enable a wide variety of 
restrictions by default, but allow users
++    // to revert to the old behavior by setting usePermissiveParser to 'true'
++    //
++    // Many thanks to Aaron Massey (amassey) at HackerOne for calling 
attention to the continued vulnerability,
++    // and to Dominique Righetto (righettod on GitHub) for
++    //
++    //    
https://github.com/OWASP/CheatSheetSeries/blob/31c94f233c40af4237432008106f42a9c4bff05e/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
++    //    (via Aaron Massey)
++    //
++    // for instructions on how to overkill the fix
++    
++    private static void cautionDocumentBuilderFactory( DocumentBuilderFactory 
dbf )
++    {
++      // the big one, if possible disable doctype declarations entirely
++      attemptSetFeature(dbf, 
"http://apache.org/xml/features/disallow-doctype-decl";, true);
++
++      // for a varety of libraries, disable external general entities
++      attemptSetFeature(dbf, 
"http://xerces.apache.org/xerces-j/features.html#external-general-entities";, 
false);
++      attemptSetFeature(dbf, 
"http://xerces.apache.org/xerces2-j/features.html#external-general-entities";, 
false);
++      attemptSetFeature(dbf, 
"http://xml.org/sax/features/external-general-entities";, false);
++
++      // for a variety of libraries, disable external parameter entities
++      attemptSetFeature(dbf, 
"http://xerces.apache.org/xerces-j/features.html#external-parameter-entities";, 
false);
++      attemptSetFeature(dbf, 
"http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities";, 
false);
++      attemptSetFeature(dbf, 
"http://xml.org/sax/features/external-parameter-entities";, false);
++
++      // if possible, disable external DTDs
++      attemptSetFeature(dbf, 
"http://apache.org/xml/features/nonvalidating/load-external-dtd";, false);
++
++      // disallow xinclude resolution
++      dbf.setXIncludeAware(false);
++
++      // disallow entity reference expansion in general
++      dbf.setExpandEntityReferences( false );
++    }
++
+     public static C3P0Config extractXmlConfigFromInputStream(InputStream is) 
throws Exception
+     {
+         DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
+-      fact.setExpandEntityReferences(false);
++      cautionDocumentBuilderFactory( fact );
+         DocumentBuilder db = fact.newDocumentBuilder();
+         Document doc = db.parse( is );
+ 
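Review bot: The backported comment block above `cautionDocumentBuilderFactory` says users can revert to the old behaviour by setting usePermissiveParser to 'true', but nothing in this 76-line patch reads such a property — `extractXmlConfigFromInputStream` calls `cautionDocumentBuilderFactory( fact )` unconditionally — so the comment should be cut down to what the backport actually does, e.g. `// this backport hardens the parser unconditionally; the upstream usePermissiveParser opt-out is not carried`. The `http://xerces.apache.org/xerces-j/features.html#...` and `xerces2-j/...` strings look like documentation links copied from the referenced cheat sheet rather than parser feature identifiers, so they will presumably be rejected and only logged at FINE, leaving the `http://xml.org/sax/...` and `http://apache.org/xml/...` features plus `setXIncludeAware(false)` and `setExpandEntityReferences( false )` as the effective controls. Because `attemptSetFeature` logs every rejection at FINE, a parser that does not honour `disallow-doctype-decl` — the check the comment calls "the big one" — weakens the configuration silently; logging that particular failure at warning level would make the degraded state visible to operators. `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` is also available on the Java levels this package targets and would add entity-expansion limits alongside these features. The body of `extractXmlConfigFromInputStream` continues past the end of the hunk.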
diff -Nru c3p0-0.9.1.2/debian/patches/series c3p0-0.9.1.2/debian/patches/series
--- c3p0-0.9.1.2/debian/patches/series  2018-12-25 16:16:25.000000000 +0200
+++ c3p0-0.9.1.2/debian/patches/series  2025-04-04 14:01:52.000000000 +0300
@@ -2,3 +2,4 @@
 testing.patch
 java-7-compat.patch
 CVE-2018-20433.patch
+CVE-2019-5427.patch