Re: Problems when building binary package of libcommons-fileupload-java under wheezy

Salvatore Bonaccorso Sat, 21 Dec 2013 10:26:19 -0800

Hi Emmanuel,

On Sat, Dec 21, 2013 at 05:58:33PM +0100, Emmanuel Bourg wrote:
> Le 21/12/2013 16:02, Salvatore Bonaccorso a écrit :
> 
> > Any idea what is happening?
> 
> Hi Salvatore,
> 
> I can't check in detail now, but the --java-lib flag is probably missing
> from the debian/libcommons-fileupload-java.poms file.


Thanks, this indeed seems to make it better. I have uploade the
resulting preliminary packages to [1]. If you have time in the coming
days to give them a bit of testing I would really appreciate.

 [1] http://people.debian.org/~carnil/libcommons-fileupload-java/

Let me know if this if fine with you (also if you prefer to prepare
the packges yourself).

Regards,
Salvatore

[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   
/usr/share/maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2-javadoc.jar

Control files: lines which differ (wdiff format)
------------------------------------------------
Depends: [-default-jdk-doc, libportlet-api-2.0-spec-java-doc, 
libservlet2.5-java-doc-] {+default-jdk-doc+}
Installed-Size: [-1780-] {+1828+}
[-Recommends: libcommons-io-java-doc-]
Version: [-1.2.2-1-] {+1.2.2-1+deb7u1+}

[The following lists of changes regard files as different if they have
different names, permissions or owners.]

Files in second .deb but not in first
-------------------------------------
-rw-r--r--  root/root   /usr/share/java/commons-fileupload.jar
lrwxrwxrwx  root/root   /usr/share/java/commons-fileupload-1.2.2.jar -> 
commons-fileupload.jar
lrwxrwxrwx  root/root   
/usr/share/maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
 -> ../../../../java/commons-fileupload.jar
lrwxrwxrwx  root/root   
/usr/share/maven-repo/commons-fileupload/commons-fileupload/debian/commons-fileupload-debian.jar
 -> ../../../../java/commons-fileupload.jar

Files in first .deb but not in second
-------------------------------------
-rw-r--r--  root/root   
/usr/share/maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
lrwxrwxrwx  root/root   /usr/share/java/commons-fileupload-1.2.2.jar -> 
../maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
lrwxrwxrwx  root/root   /usr/share/java/commons-fileupload.jar -> 
../maven-repo/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
lrwxrwxrwx  root/root   
/usr/share/maven-repo/commons-fileupload/commons-fileupload/debian/commons-fileupload-debian.jar
 -> ../1.2.2/commons-fileupload-1.2.2.jar

Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-136-] {+118+}
Version: [-1.2.2-1-] {+1.2.2-1+deb7u1+}

diff -Nru libcommons-fileupload-java-1.2.2/debian/changelog 
libcommons-fileupload-java-1.2.2/debian/changelog
--- libcommons-fileupload-java-1.2.2/debian/changelog   2010-08-04 
13:57:08.000000000 +0200
+++ libcommons-fileupload-java-1.2.2/debian/changelog   2013-12-21 
19:09:21.000000000 +0100
@@ -1,3 +1,17 @@
+libcommons-fileupload-java (1.2.2-1+deb7u1) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Add CVE-2013-2186.patch patch.
+    CVE-2013-2186: Arbitrary file upload via deserialization. Properly
+    validate repository in org.apache.commons.fileupload.disk.DiskFileItem.
+    Thanks to Marc Deslauriers <[email protected]> (Closes: #726601)
+  * Add --java-lib to libcommons-fileupload-java.poms.
+    Otherwise in the resulting binary package commons-fileupload.jar in
+    /usr/share/java is missing.
+    Thanks to Emmanuel Bourg <[email protected]>
+
+ -- Salvatore Bonaccorso <[email protected]>  Sat, 21 Dec 2013 19:08:48 +0100
+
 libcommons-fileupload-java (1.2.2-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru 
libcommons-fileupload-java-1.2.2/debian/libcommons-fileupload-java.poms 
libcommons-fileupload-java-1.2.2/debian/libcommons-fileupload-java.poms
--- libcommons-fileupload-java-1.2.2/debian/libcommons-fileupload-java.poms     
2010-03-31 01:02:11.000000000 +0200
+++ libcommons-fileupload-java-1.2.2/debian/libcommons-fileupload-java.poms     
2013-12-21 19:09:21.000000000 +0100
@@ -1 +1 @@
-pom.xml --no-parent
+pom.xml --no-parent --java-lib
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch 
libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch
--- libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch 
1970-01-01 01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/CVE-2013-2186.patch 
2013-12-21 11:01:51.000000000 +0100
@@ -0,0 +1,39 @@
+Description: fix arbitrary file overwrite via poison null byte
+Origin: backport, 
http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
+Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
+
+WARNING: this patch contains CRLF line endings, editing it may break it
+
+Index: 
libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
+===================================================================
+--- 
libcommons-fileupload-java-1.2.2.orig/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
        2013-11-07 10:56:14.286994776 -0500
++++ 
libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
     2013-11-07 11:03:26.963005854 -0500
+@@ -712,6 +712,26 @@
+         // read values
+         in.defaultReadObject();
+ 
++        /* One expected use of serialization is to migrate HTTP sessions
++         * containing a DiskFileItem between JVMs. Particularly if the JVMs 
are
++         * on different machines It is possible that the repository location 
is
++         * not valid so validate it.
++         */
++        if (repository != null) {
++            if (repository.isDirectory()) {
++                // Check path for nulls
++                if (repository.getPath().contains("\0")) {
++                    throw new IOException("The repository [" +
++                            repository.getPath() +
++                            "] contains a null character");
++                }
++            } else {
++                throw new IOException("The repository [" +
++                        repository.getAbsolutePath() +
++                        "] is not a directory");
++            }
++        }
++
+         OutputStream output = getOutputStream();
+         if (cachedContent != null) {
+             output.write(cachedContent);
diff -Nru libcommons-fileupload-java-1.2.2/debian/patches/series 
libcommons-fileupload-java-1.2.2/debian/patches/series
--- libcommons-fileupload-java-1.2.2/debian/patches/series      1970-01-01 
01:00:00.000000000 +0100
+++ libcommons-fileupload-java-1.2.2/debian/patches/series      2013-12-21 
11:02:05.000000000 +0100
@@ -0,0 +1 @@
+CVE-2013-2186.patch

signature.asc
Description: Digital signature

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
[email protected] for discussions and questions.

Re: Problems when building binary package of libcommons-fileupload-java under wheezy

Reply via email to