The following commit has been merged in the master branch:
commit 2a3f6862943784be345d575edada2677a9ebad65
Author: Miguel Landaeta <mig...@miguel.cc>
Date:   Tue Nov 29 19:54:35 2011 -0430

    Fix CVE-2011-4358

diff --git a/debian/changelog b/debian/changelog
index f5028a0..ee50897 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+mojarra (2.0.3-1squeeze1) stable; urgency=high
+
+  * Fixed critical bug by not allowing the value of UIViewParam to be an
+    EL Expression: CVE-2011-4358. (Closes: #650430).
+
+ -- Miguel Landaeta <mig...@miguel.cc>  Tue, 29 Nov 2011 19:45:48 -0430
+
 mojarra (2.0.3-1) unstable; urgency=low
 
   * New upstream release.
diff --git a/debian/patches/650430.diff b/debian/patches/650430.diff
new file mode 100644
index 0000000..bbb6c7f
--- /dev/null
+++ b/debian/patches/650430.diff
@@ -0,0 +1,365 @@
+Description: Do not allow the value of UIViewParam to be an EL Expression
+Author: Ed Burns <ed.bu...@sun.com>
+Origin: upstream, http://java.net/projects/mojarra/sources/svn/revision/9468
+Bug: http://java.net/jira/browse/JAVASERVERFACES-2247
+Bug-Debian: http://bugs.debian.org/650430
+Forwarded: http://java.net/projects/mojarra/sources/svn/revision/9468
+Reviewed-By: Ed Burns <ed.bu...@sun.com>
+Last-Update: 2011-11-29
+
+--- mojarra-2.0.3.orig/jsf-api/build.xml
++++ mojarra-2.0.3/jsf-api/build.xml
+@@ -308,6 +308,9 @@
+               filtering="true"/>
+ 
+         <filter token="package" value="javax.faces.component"/>
++        <copy file="${tools.dir}/template-src/SharedUtils.java"
++              todir="${build.generate.dir}/javax/faces/component"
++              filtering="true"/>
+         <copy file="${tools.dir}/template-src/MessageFactory.java"
+               todir="${build.generate.dir}/javax/faces/component"
+               filtering="true"/>
+--- 
mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_zh_TW.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_zh_TW.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=\
+ severe.component.unable_to_process_expression=\u8655\u7406\u5c6c\u6027 {1} 
\u7684\u8868\u793a\u5f0f {0} \u6642\u767c\u751f\u7570\u5e38\u3002 
+ severe.component.uiviewroot_error_invoking_phaselistener=\u547c\u53eb 
UIViewRoot PhaseListener {0} \u6642\u767c\u751f\u7570\u5e38\u3002
+ 
warning.component.uiviewroot_non_serializable_attribute_viewmap=\u5c07\u4e0d\u53ef\u4e32\u5217\u5316\u7684\u5c6c\u6027\u503c\u8a2d\u70ba
 ViewMap\uff1a(\u6a5f\u78bc: {0}\uff0c\u503c\u985e\u5225: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be 
an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context 
--------------------------------------------------
+ 
+ 
+--- 
mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_fr.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_fr.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=E
+ severe.component.unable_to_process_expression=Exception lors du traitement de 
l''expression {0} de l''attribut {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Exception invoquant 
UIViewRoot PhaseListener {0}.
+ 
warning.component.uiviewroot_non_serializable_attribute_viewmap=D\u00e9finition 
d''une valeur d''attribut non-s\u00e9rialisable dans ViewMap\u00a0: 
(cl\u00e9\u00a0: {0}, classe de la valeur\u00a0: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be 
an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context 
--------------------------------------------------
+ 
+ 
+--- 
mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_zh_CN.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_zh_CN.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=\
+ severe.component.unable_to_process_expression=\u5904\u7406\u5c5e\u6027 {1} 
\u7684\u8868\u8fbe\u5f0f {0} \u65f6\u51fa\u73b0\u5f02\u5e38\u3002
+ severe.component.uiviewroot_error_invoking_phaselistener=\u8c03\u7528 
UIViewRoot PhaseListener {0} \u65f6\u51fa\u73b0\u5f02\u5e38\u3002
+ 
warning.component.uiviewroot_non_serializable_attribute_viewmap=\u5c06\u4e0d\u53ef\u5e8f\u5217\u5316\u5c5e\u6027\u503c\u8bbe\u7f6e\u4e3a
 ViewMap\uff1a\uff08\u5bc6\u94a5\uff1a{0}\uff0c\u503c\u7c7b\uff1a{1}\uff09
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be 
an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context 
--------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A
+ severe.component.unable_to_process_expression=Exception while processing 
expression {0} for attribute {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Exception invoking 
UIViewRoot PhaseListener {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Setting 
non-serializable attribute value into ViewMap: (key: {0}, value class: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be 
an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context 
--------------------------------------------------
+ 
+ 
+--- 
mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_de.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_de.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A
+ severe.component.unable_to_process_expression=Ausnahme beim Verarbeiten von 
Ausdruck {0} f\u00fcr Attribut {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Ausnahme ruft 
UIViewRoot PhaseListener {0} auf.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Der nicht 
serialisierbare Attributswert wird in ViewMap eingestellt: (Schl\u00fcssel: 
{0}, Wertklasse: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be 
an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context 
--------------------------------------------------
+ 
+ 
+--- 
mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_es.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_es.properties
+@@ -54,6 +54,9 @@ error.component.abortprocessing_thrown=S
+ severe.component.unable_to_process_expression=Excepci\u00f3n al procesar la 
expresi\u00f3n {0} para el atributo {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Excepci\u00f3n al 
invocar la escucha de fase UIViewRoot {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Definiendo 
valor de atributo no serializable en ViewMap: (clave: {0}, clase de valor: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be 
an expression literal. Ignoring expression value {0}.
++
++
+ # PACKAGE javax.faces.context 
--------------------------------------------------
+ 
+ 
+--- 
mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_pt_BR.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_pt_BR.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A
+ severe.component.unable_to_process_expression=Exce\u00e7\u00e3o criada 
durante o processamento da express\u00e3o {0} para o atributo {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Exce\u00e7\u00e3o 
criada ao invocar\u00b7UIViewRoot PhaseListener {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Definindo 
valor de atributo n\u00e3o serializ\u00e1vel em ViewMap (chave: {0}, classe do 
valor: {1}).
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be 
an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context 
--------------------------------------------------
+ 
+ 
+--- 
mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_ko.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_ko.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=I
+ severe.component.unable_to_process_expression={1} \uc18d\uc131\uc5d0 
\ub300\ud55c \ud45c\ud604\uc2dd {0}\uc744(\ub97c) \ucc98\ub9ac\ud558\ub294 
\uc911 \uc624\ub958\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4.
+ severe.component.uiviewroot_error_invoking_phaselistener=UIViewRoot 
PhaseListener {0}\uc744(\ub97c) \ud638\ucd9c\ud558\ub294 \uc911 
\uc608\uc678\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4.
+ 
warning.component.uiviewroot_non_serializable_attribute_viewmap=\uc77c\ub828\ud654\ud560
 \uc218 \uc5c6\ub294 \uc18d\uc131 \uac12\uc744 ViewMap\uc5d0 
\uc124\uc815\ud558\ub294 \uc911: (\ud0a4: {0}, \uac12 \ud074\ub798\uc2a4: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be 
an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context 
--------------------------------------------------
+ 
+ 
+--- 
mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_ja.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_ja.properties
+@@ -54,6 +54,9 @@ error.component.abortprocessing_thrown=I
+ severe.component.unable_to_process_expression=\u5c5e\u6027 {1} \u306e\u5f0f 
{0} 
\u306e\u51e6\u7406\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002
+ severe.component.uiviewroot_error_invoking_phaselistener=UIViewRoot 
PhaseListener {0} 
\u306e\u547c\u3073\u51fa\u3057\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002
+ 
warning.component.uiviewroot_non_serializable_attribute_viewmap=\u30b7\u30ea\u30a2\u30e9\u30a4\u30ba\u3067\u304d\u306a\u3044\u5c5e\u6027\u5024\u3092
 ViewMap \u306b\u8a2d\u5b9a\u3057\u3066\u3044\u307e\u3059: (\u30ad\u30fc: 
{0}\u3001\u5024\u30af\u30e9\u30b9: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be 
an expression literal. Ignoring expression value {0}.
++
++
+ # PACKAGE javax.faces.context 
--------------------------------------------------
+ 
+ 
+--- 
mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/component/UIViewParameter.java
++++ 
mojarra-2.0.3/jsf-api/src/main/java/javax/faces/component/UIViewParameter.java
+@@ -37,6 +37,8 @@
+ package javax.faces.component;
+ 
+ import java.io.IOException;
++import java.util.logging.Level;
++import java.util.logging.Logger;
+ import javax.el.ValueExpression;
+ import javax.faces.FactoryFinder;
+ import javax.faces.application.FacesMessage;
+@@ -71,6 +73,9 @@ import javax.faces.render.Renderer;
+  * @since 2.0
+  */
+ public class UIViewParameter extends UIInput {
++    
++    private static Logger LOGGER = Logger.getLogger("javax.faces.component",
++            "javax.faces.LogStrings");
+ 
+     
+     // ------------------------------------------------------ Manifest 
Constants
+@@ -342,7 +347,8 @@ public class UIViewParameter extends UII
+         }
+ 
+         Object currentValue = ve.getValue(context.getELContext());
+-
++        String result = null;
++        
+         // If there is a converter attribute, use it to to ask application
+         // instance for a converter with this identifer.
+         Converter c = getConverter();
+@@ -355,23 +361,35 @@ public class UIViewParameter extends UII
+             }
+             // Do not look for "by-type" converters for Strings
+             if (currentValue instanceof String) {
+-                return (String) currentValue;
++                result = (String) currentValue;
++            } else {
++                // if converter attribute set, try to acquire a converter
++                // using its class type.
++                
++                Class converterType = currentValue.getClass();
++                c = context.getApplication().createConverter(converterType);
++                
++                // if there is no default converter available for this 
identifier,
++                // assume the model type to be String.
++                if (c == null) {
++                    result = currentValue.toString();
++                }
+             }
++        }
++        if (null == result && null != c) {
++            result = c.getAsString(context, this, currentValue);
++        }
+ 
+-            // if converter attribute set, try to acquire a converter
+-            // using its class type.
+-
+-            Class converterType = currentValue.getClass();
+-            c = context.getApplication().createConverter(converterType);
+-
+-            // if there is no default converter available for this identifier,
+-            // assume the model type to be String.
+-            if (c == null) {
+-                return currentValue.toString();
++        if (SharedUtils.isExpression(result)) {
++            if (LOGGER.isLoggable(Level.SEVERE)) {
++                LOGGER.log(Level.SEVERE,
++                        "severe.uiviewparam_value_is_expression",
++                        new Object[] { result });
+             }
++            result = null;
+         }
+ 
+-        return c.getAsString(context, this, currentValue);
++        return result;
+     }
+ 
+     /**
+--- /dev/null
++++ mojarra-2.0.3/jsf-tools/template-src/SharedUtils.java
+@@ -0,0 +1,79 @@
++/*
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
++ *
++ * Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved.
++ *
++ * The contents of this file are subject to the terms of either the GNU
++ * General Public License Version 2 only ("GPL") or the Common Development
++ * and Distribution License("CDDL") (collectively, the "License").  You
++ * may not use this file except in compliance with the License.  You can
++ * obtain a copy of the License at
++ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
++ * or packager/legal/LICENSE.txt.  See the License for the specific
++ * language governing permissions and limitations under the License.
++ *
++ * When distributing the software, include this License Header Notice in each
++ * file and include the License file at packager/legal/LICENSE.txt.
++ *
++ * GPL Classpath Exception:
++ * Oracle designates this particular file as subject to the "Classpath"
++ * exception as provided by Oracle in the GPL Version 2 section of the License
++ * file that accompanied this code.
++ *
++ * Modifications:
++ * If applicable, add the following below the License Header, with the fields
++ * enclosed by brackets [] replaced by your own identifying information:
++ * "Portions Copyright [year] [name of copyright owner]"
++ *
++ * Contributor(s):
++ * If you wish your version of this file to be governed by only the CDDL or
++ * only the GPL Version 2, indicate your decision by adding "[Contributor]
++ * elects to include this software in this distribution under the [CDDL or GPL
++ * Version 2] license."  If you don't indicate a single choice of license, a
++ * recipient has the option to distribute your version of this file under
++ * either the CDDL, the GPL Version 2 or to extend the choice of license to
++ * its licensees as provided above.  However, if you add GPL Version 2 code
++ * and therefore, elected the GPL Version 2 license, then the option applies
++ * only if the new code is made subject to such option by the copyright
++ * holder.
++ */
++
++package @package@;
++
++class SharedUtils {
++
++    /*
++    * Determine whether String is a mixed value binding expression or not.
++    */
++    public static boolean isMixedExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++
++        // if it doesn't start and end with delimiters
++        return (!(expression.startsWith("#{") && expression.endsWith("}")))
++                  && isExpression(expression);
++
++    }
++
++
++    /*
++    * Determine whether String is a value binding expression or not.
++    */
++    public static boolean isExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++        int start = expression.indexOf("#{");
++
++        //check to see if attribute has an expression
++        return (expression.indexOf("#{") != -1) &&
++               (start < expression.indexOf('}'));
++
++
++    }
++
++
++}
+--- /dev/null
++++ mojarra-2.0.3/template-src/SharedUtils.java
+@@ -0,0 +1,79 @@
++/*
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
++ *
++ * Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved.
++ *
++ * The contents of this file are subject to the terms of either the GNU
++ * General Public License Version 2 only ("GPL") or the Common Development
++ * and Distribution License("CDDL") (collectively, the "License").  You
++ * may not use this file except in compliance with the License.  You can
++ * obtain a copy of the License at
++ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
++ * or packager/legal/LICENSE.txt.  See the License for the specific
++ * language governing permissions and limitations under the License.
++ *
++ * When distributing the software, include this License Header Notice in each
++ * file and include the License file at packager/legal/LICENSE.txt.
++ *
++ * GPL Classpath Exception:
++ * Oracle designates this particular file as subject to the "Classpath"
++ * exception as provided by Oracle in the GPL Version 2 section of the License
++ * file that accompanied this code.
++ *
++ * Modifications:
++ * If applicable, add the following below the License Header, with the fields
++ * enclosed by brackets [] replaced by your own identifying information:
++ * "Portions Copyright [year] [name of copyright owner]"
++ *
++ * Contributor(s):
++ * If you wish your version of this file to be governed by only the CDDL or
++ * only the GPL Version 2, indicate your decision by adding "[Contributor]
++ * elects to include this software in this distribution under the [CDDL or GPL
++ * Version 2] license."  If you don't indicate a single choice of license, a
++ * recipient has the option to distribute your version of this file under
++ * either the CDDL, the GPL Version 2 or to extend the choice of license to
++ * its licensees as provided above.  However, if you add GPL Version 2 code
++ * and therefore, elected the GPL Version 2 license, then the option applies
++ * only if the new code is made subject to such option by the copyright
++ * holder.
++ */
++
++package @package@;
++
++class SharedUtils {
++
++    /*
++    * Determine whether String is a mixed value binding expression or not.
++    */
++    public static boolean isMixedExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++
++        // if it doesn't start and end with delimiters
++        return (!(expression.startsWith("#{") && expression.endsWith("}")))
++                  && isExpression(expression);
++
++    }
++
++
++    /*
++    * Determine whether String is a value binding expression or not.
++    */
++    public static boolean isExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++        int start = expression.indexOf("#{");
++
++        //check to see if attribute has an expression
++        return (expression.indexOf("#{") != -1) &&
++               (start < expression.indexOf('}'));
++
++
++    }
++
++
++}
diff --git a/debian/patches/series b/debian/patches/series
index 13125f2..485a252 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 fix_debian_build.diff
+650430.diff

-- 
mojarra: JavaServer Faces 2.0 Java EE web framework
