This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch master in repository libxalan2-java.
commit 9caceccdeb09ec9b7c8ab082da7155ef38b8556e
Author: Emmanuel Bourg <ebo...@apache.org>
Date:   Mon Sep 28 17:07:47 2015 +0200

    Removed CVE-2014-0107.patch (fixed upstream)
---
 debian/changelog                   |   4 +-
 debian/patches/CVE-2014-0107.patch | 124 -------------------------------------
 debian/patches/build.patch         |  34 +++++-----
 debian/patches/series              |   1 -
 4 files changed, 20 insertions(+), 143 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 6928d73..993ced6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
-libxalan2-java (2.7.1-10) UNRELEASED; urgency=medium
+libxalan2-java (2.7.2-1) UNRELEASED; urgency=medium
 
   * Team upload.
+  * New upstream release
+    - Removed CVE-2014-0107.patch (fixed upstream)
   * Simplified debian/patches/build.patch
   * debian/control:
     - Standards-Version updated to 3.9.6 (no changes)
diff --git a/debian/patches/CVE-2014-0107.patch b/debian/patches/CVE-2014-0107.patch
deleted file mode 100644
index 85ccb68..0000000
--- a/debian/patches/CVE-2014-0107.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-Description: Fix for CVE-2014-0107: Strengthen the secure processing mode by
- disabling external general entities, foreign attributes and access to the
- system properties. This could be exploited to execute arbitrary code remotely.
-Origin: https://svn.apache.org/r1581058
-Bug-Debian: https://bugs.debian.org/742577
---- a/src/org/apache/xalan/transformer/TransformerImpl.java
-+++ b/src/org/apache/xalan/transformer/TransformerImpl.java
-@@ -438,7 +438,9 @@
-       try
-       {
-         if (sroot.getExtensions() != null)
--          m_extensionsTable = new ExtensionsTable(sroot);
-+          //only load extensions if secureProcessing is disabled
-+          if(!sroot.isSecureProcessing())
-+              m_extensionsTable = new ExtensionsTable(sroot);
-       }
-       catch (javax.xml.transform.TransformerException te)
-       {te.printStackTrace();}
---- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
-+++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
-@@ -338,17 +338,29 @@
-       }
-       else
-       {
--        // Can we switch the order here:
--
--        boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
--                                               attributes.getQName(i), attributes.getValue(i),
--                                               target);
--
--        // Now we only add the element if it passed a validation check
--        if (success)
--          processedDefs.add(attrDef);
-+        //handle secure processing
-+        if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
-+        {
-+          //foreign attributes are not allowed in secure processing mode
-+          // Then barf, because this element does not allow this attribute.
-+          handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
-+          //+ " attribute is not allowed on the " + rawName
-+          // + " element!", null);
-+        }
-        else
--          errorDefs.add(attrDef);
-+        {
-+
-+
-+          boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
-+                                                 attributes.getQName(i), attributes.getValue(i),
-+                                                 target);
-+
-+          // Now we only add the element if it passed a validation check
-+          if (success)
-+            processedDefs.add(attrDef);
-+          else
-+            errorDefs.add(attrDef);
-+        }
-      }
-    }
-
---- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
-+++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
-@@ -335,6 +335,10 @@
-         reader = XMLReaderFactory.createXMLReader();
-       }
-
-+      if(m_isSecureProcessing)
-+      {
-+        reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
-+      }
-       // Need to set options!
-       reader.setContentHandler(handler);
-       reader.parse(isource);
---- a/src/org/apache/xpath/functions/FuncSystemProperty.java
-+++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
-@@ -58,7 +58,7 @@
-
-     String fullName = m_arg0.execute(xctxt).str();
-     int indexOfNSSep = fullName.indexOf(':');
--    String result;
-+    String result = null;
-     String propName = "";
-
-     // List of properties where the name of the
-@@ -98,8 +98,17 @@
-
-     try
-     {
--      result = System.getProperty(propName);
--
-+      //if secure procession is enabled only handle required properties do not not map any valid system property
-+      if(!xctxt.isSecureProcessing())
-+      {
-+        result = System.getProperty(propName);
-+      }
-+      else
-+      {
-+        warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
-+             new Object[]{ propName }); //"SecurityException when trying to access XSL system property: "+propName);
-+        result = xsltInfo.getProperty(propName);
-+      }
-       if (null == result)
-       {
-
-@@ -120,8 +129,17 @@
-     {
-       try
-       {
--        result = System.getProperty(fullName);
--
-+        //if secure procession is enabled 
only handle required properties do not not map any valid system property -+ if(!xctxt.isSecureProcessing()) -+ { -+ result = System.getProperty(fullName); -+ } -+ else -+ { -+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION, -+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName); -+ result = xsltInfo.getProperty(fullName); -+ } - if (null == result) - { - diff --git a/debian/patches/build.patch b/debian/patches/build.patch index 82ecc5c..2fbce63 100644 --- a/debian/patches/build.patch +++ b/debian/patches/build.patch @@ -1,6 +1,6 @@ --- a/build.xml +++ b/build.xml -@@ -354,11 +354,13 @@ +@@ -365,11 +365,13 @@ puts the result in xdocs/sources/xalan for inclusion in the readme.xml --> <echo message="Transform commits.xml and put the result in ${xdocs.dir}"/> <java fork="yes" classname="${xalan.cmdline.class}" > @@ -14,7 +14,7 @@ <classpath refid="docs.class.path" /> <arg line="loaderConfig=sbk:/style/loaderdesign.xml targetDirectory=./build/docs/design/ ./xdocs/sources/xalandesign.xml ./xdocs/style"/> -@@ -406,7 +408,9 @@ +@@ -419,7 +421,9 @@ <exclude name="${xsltc.reldir}/**/*.java" /> <classpath refid="compile.class.path" /> <bootclasspath refid="xslt.boot.class.path" /> @@ -24,7 +24,7 @@ </javac> <!-- Copy needed properties, resource, etc. files to be put into .jar file --> <copy todir="${build.classes}"> -@@ -475,6 +479,7 @@ +@@ -489,6 +493,7 @@ <echo message="java_cup preparsing"/> <java fork="yes" failonerror="true" classname="org.apache.xalan.xsltc.util.JavaCupRedirect" > @@ -32,7 +32,7 @@ <classpath refid="xsltc.class.path" /> <!-- need to bootclasspath java_cup for JDKs that include JavaCupRedirect --> <jvmarg value="-Xbootclasspath/p:${java_cup.jar}${path.separator}${runtime.jar}"/> -@@ -493,8 +498,9 @@ +@@ -507,8 +512,9 @@ has to be generated after sym.java, so order is important. --> <echo message="JLex preparsing"/> <java fork="yes" failonerror="true" classname="JLex.Main" 
> @@ -43,7 +43,7 @@ </java> <echo message="JLex move output file"/> <move file="${src.dir}/${xsltc.reldir}/compiler/xpath.lex.java" tofile="${generated.xpathlexer}"/> -@@ -588,6 +594,12 @@ +@@ -604,6 +610,12 @@ <param name="param_jar_name" value="${runtime.jar.name}" /> </antcall> @@ -56,7 +56,7 @@ <antcall target="xsltc.copy-deps-jar"> <param name="param_unless" value="xsltc.regexp_jar.not_needed" /> <param name="param_jar_name" value="${regexp.jar.name}" /> -@@ -958,6 +970,7 @@ +@@ -1002,6 +1014,7 @@ <java fork="yes" classname="${doc.generator}" classpathref="docs.class.path" > @@ -64,7 +64,7 @@ <arg line="targetDirectory=${build.docs} ${xdocs.book} ${xdocs.style}"/> </java> </target> -@@ -1028,6 +1041,7 @@ +@@ -1072,6 +1085,7 @@ <javadoc additionalparam="-breakiterator" destdir="${build.apidocs}" @@ -72,7 +72,7 @@ public="true" sourcepath="${src.dir}" overview="${src.dir}/javadocOverview.html" -@@ -1039,7 +1053,9 @@ +@@ -1083,7 +1097,9 @@ doctitle="${Name-in-docs} ${impl.version}" bottom="Copyright © ${year} Apache XML Project. All Rights Reserved."> <classpath refid="docs.class.path" /> @@ -82,7 +82,7 @@ <group title="Transformations API for XML (TrAX)" packages="javax.xml.transform*"/> <group title="Java API for XML Parsing" packages="javax.xml.parsers"/> <group title="Xalan Core" -@@ -1394,6 +1410,7 @@ +@@ -1439,6 +1455,7 @@ <java fork="yes" classname="${doc.generator}" classpathref="docs.class.path" > @@ -90,7 +90,7 @@ <arg line="targetDirectory=${site.dir} ${site.book} ${xdocs.style}"/> </java> -@@ -1422,6 +1439,7 @@ +@@ -1467,6 +1484,7 @@ <java fork="yes" classname="${doc.generator}" classpathref="docs.class.path" > @@ -98,7 +98,7 @@ <arg line="targetDirectory=${xalan.apache.org.site.dir} ${xalan.apache.org.site.book} ${xdocs.style}"/> </java> -@@ -1474,6 +1492,7 @@ +@@ -1519,6 +1537,7 @@ <java fork="yes" classname="${doc.generator}" classpathref="docs.class.path" 
> @@ -106,7 +106,7 @@ <arg line="loaderConfig=sbk:/style/loaderdesign.xml targetDirectory=${build.dir}/docs/design/ ${xdocs.dir}/sources/xalandesign.xml ${xdocs.style}"/> </java> -@@ -1490,6 +1509,7 @@ +@@ -1535,6 +1554,7 @@ <java fork="yes" classname="${xalan.cmdline.class}" classpathref="docs.class.path" > @@ -114,7 +114,7 @@ <arg line="-xsl ${xdocs.dir}/sources/xalan-collate.xsl -out xdocs/sources/xalan/xalan-collate.xml"/> </java> -@@ -1499,6 +1519,7 @@ +@@ -1544,6 +1564,7 @@ <java fork="yes" classname="${xalan.cmdline.class}" classpathref="docs.class.path" > @@ -122,7 +122,7 @@ <arg line="-in ${xdocs.dir}/sources/xalan/xalan-collate.xml -param resourceFile '../../sources/xalan/resources.xml' -param project ${Name-in-docs} -@@ -1510,6 +1531,7 @@ +@@ -1555,6 +1576,7 @@ <java fork="yes" classname="org.apache.fop.apps.CommandLine" classpath="${java.class.path}:${build.xalan.jar}:${bin.dir}/fop.jar:${bin.dir}/w3c.jar"> @@ -130,7 +130,7 @@ <arg line="${build.docs}/xalan-collate.fo build/docs/xalan.pdf"/> </java> </target> -@@ -1536,6 +1558,7 @@ +@@ -1581,6 +1603,7 @@ <java fork="yes" classname="${doc.generator}" classpathref="docs.class.path" > @@ -138,7 +138,7 @@ <arg line="targetDirectory=${build.docs}/xsltc ${xdocs.dir}/sources/xsltc.xml ${xdocs.style}"/> </java> <copy todir="${build.docs}/xsltc" -@@ -1695,7 +1718,7 @@ +@@ -1741,7 +1764,7 @@ use="true" windowtitle="${Name-in-docs} Serializer ${impl.version}" doctitle="${Name-in-docs} Serializer ${impl.version}" @@ -147,7 +147,7 @@ <classpath refid="docs.class.path" /> <taglet name="xalan2jtaglet.XSLUsageTag" path="${taglet.jar}"/> <group title="Serializer" packages="org.apache.xml.serialize*"/> -@@ -1713,7 +1736,7 @@ +@@ -1759,7 +1782,7 @@ use="true" windowtitle="${Name-in-docs} Serializer ${impl.version}" doctitle="${Name-in-docs} Serializer ${impl.version}" diff --git a/debian/patches/series b/debian/patches/series index 1d5fa85..5879227 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -1,2 +1 @@
 build.patch
-CVE-2014-0107.patch
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libxalan2-java.git

_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits