This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch master in repository lucene-solr.
commit b1a7ccd489a7cc389bdb71200a424b28dfddbaef Author: Markus Koschany <a...@debian.org> Date: Sat Jan 13 21:30:08 2018 +0100 Fix CVE-2017-12629 --- debian/conf/solrconfig.xml | 23 ---- debian/patches/CVE-2017-12629.patch | 130 ++++++++++++++++++++ debian/patches/remove-RunExecutableListener.patch | 137 ++++++++++++++++++++++ debian/patches/series | 2 + 4 files changed, 269 insertions(+), 23 deletions(-) diff --git a/debian/conf/solrconfig.xml b/debian/conf/solrconfig.xml index 007ff72..e74ea3e 100644 --- a/debian/conf/solrconfig.xml +++ b/debian/conf/solrconfig.xml @@ -338,29 +338,6 @@ postCommit - fired after every commit or optimize command postOptimize - fired after every optimize command --> - <!-- The RunExecutableListener executes an external command from a - hook such as postCommit or postOptimize. - - exe - the name of the executable to run - dir - dir to use as the current working directory. (default=".") - wait - the calling thread waits until the executable returns. - (default="true") - args - the arguments to pass to the program. (default is none) - env - environment variables to set. (default is none) - --> - <!-- This example shows how RunExecutableListener could be used - with the script based replication... - http://wiki.apache.org/solr/CollectionDistribution - --> - <!-- - <listener event="postCommit" class="solr.RunExecutableListener"> - <str name="exe">solr/bin/snapshooter</str> - <str name="dir">.</str> - <bool name="wait">true</bool> - <arr name="args"> <str>arg1</str> <str>arg2</str> </arr> - <arr name="env"> <str>MYVAR=val1</str> </arr> - </listener> - --> </updateHandler> <!-- IndexReaderFactory diff --git a/debian/patches/CVE-2017-12629.patch b/debian/patches/CVE-2017-12629.patch new file mode 100644 index 0000000..96f06e8 --- /dev/null +++ b/debian/patches/CVE-2017-12629.patch 
@@ -0,0 +1,130 @@ +From: Markus Koschany <a...@debian.org> +Date: Sat, 13 Jan 2018 16:48:33 +0100 +Subject: CVE-2017-12629 + +--- + .../org/apache/lucene/xmlparser/CoreParser.java | 77 +++++++++++++++++----- + 1 file changed, 59 insertions(+), 18 deletions(-) + +diff --git a/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java b/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java +index c84b90a..21b943a 100644 +--- a/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java ++++ b/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java +@@ -1,9 +1,12 @@ + package org.apache.lucene.xmlparser; + + import java.io.InputStream; ++import java.util.Locale; + + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; ++import javax.xml.parsers.ParserConfigurationException; ++import javax.xml.XMLConstants; + + import org.apache.lucene.analysis.Analyzer; + import org.apache.lucene.queryParser.QueryParser; +@@ -11,6 +14,10 @@ import org.apache.lucene.search.Query; + import org.apache.lucene.xmlparser.builders.*; + import org.w3c.dom.Document; + import org.w3c.dom.Element; ++import org.xml.sax.EntityResolver; ++import org.xml.sax.ErrorHandler; ++import org.xml.sax.SAXException; ++import org.xml.sax.InputSource; + + /** + * Licensed to the Apache Software Foundation (ASF) under one or more +@@ -124,6 +131,10 @@ public class CoreParser implements QueryBuilder + queryFactory.addBuilder("SpanNot",snot); + } + ++ /** ++ * Parses the given stream as XML file and returns a {@link Query}. ++ * By default this disallows external entities for security reasons. 
++ */ + public Query parse(InputStream xmlStream) throws ParserException + { + return getQuery(parseXML(xmlStream).getDocumentElement()); +@@ -137,34 +148,64 @@ public class CoreParser implements QueryBuilder + { + filterFactory.addBuilder(nodeName,builder); + } +- +- private static Document parseXML(InputStream pXmlFile) throws ParserException +- { +- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); +- DocumentBuilder db = null; ++ /** ++ * Returns a SAX {@link EntityResolver} to be used by {@link DocumentBuilder}. ++ * By default this returns {@link #DISALLOW_EXTERNAL_ENTITY_RESOLVER}, which disallows the ++ * expansion of external entities (for security reasons). To restore legacy behavior, ++ * override this method to return {@code null}. ++ */ ++ protected EntityResolver getEntityResolver() { ++ return DISALLOW_EXTERNAL_ENTITY_RESOLVER; ++ } ++ ++ /** ++ * Subclass and override to return a SAX {@link ErrorHandler} to be used by {@link DocumentBuilder}. ++ * By default this returns {@code null} so no error handler is used. ++ * This method can be used to redirect XML parse errors/warnings to a custom logger. 
++ */ ++ protected ErrorHandler getErrorHandler() { ++ return null; ++ } ++ ++ private Document parseXML(InputStream pXmlFile) throws ParserException { ++ final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); ++ dbf.setValidating(false); + try + { +- db = dbf.newDocumentBuilder(); +- } +- catch (Exception se) +- { +- throw new ParserException("XML Parser configuration error", se); ++ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); ++ } catch (ParserConfigurationException e) { ++ // ignore since all implementations are required to support the ++ // {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} feature + } +- org.w3c.dom.Document doc = null; ++ final DocumentBuilder db; + try + { +- doc = db.parse(pXmlFile); +- } +- catch (Exception se) +- { +- throw new ParserException("Error parsing XML stream:" + se, se); ++ db = dbf.newDocumentBuilder(); ++ } catch (Exception se) { ++ throw new ParserException("XML Parser configuration error.", se); + } +- return doc; ++ try { ++ db.setEntityResolver(getEntityResolver()); ++ db.setErrorHandler(getErrorHandler()); ++ return db.parse(pXmlFile); ++ } catch (Exception se) { ++ throw new ParserException("Error parsing XML stream: " + se, se); + } +- ++ } + + public Query getQuery(Element e) throws ParserException + { + return queryFactory.getQuery(e); + } ++ public static final EntityResolver DISALLOW_EXTERNAL_ENTITY_RESOLVER = createEntityResolver(); ++ ++ public static EntityResolver createEntityResolver() { ++ return new EntityResolver() { ++ public InputSource resolveEntity(String publicId, String systemId) throws SAXException { ++ throw new SAXException(String.format(Locale.ENGLISH, ++ "External Entity resolving unsupported: publicId=\"%s\" systemId=\"%s\"", ++ publicId, systemId)); ++ } ++ }; ++ } + } diff --git a/debian/patches/remove-RunExecutableListener.patch b/debian/patches/remove-RunExecutableListener.patch new file mode 100644 index 0000000..bdec749 --- /dev/null 
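Review bot: The new getErrorHandler() in this hunk returns null, so parseXML() registers no ErrorHandler on the DocumentBuilder; with the JDK's bundled parser that means errors and warnings from a malformed document are printed to System.err before the wrapped ParserException is thrown, which for a parser now explicitly hardened for untrusted input bypasses the project's logging. It is worth stating in the Javadoc, e.g. `* Note: when this returns {@code null} the JDK's default parser reports parse errors and warnings on {@code System.err}; override to route them to a logger.`, or returning a handler whose error()/fatalError() rethrow and whose warning() is a no-op. Separately, the throwing DISALLOW_EXTERNAL_ENTITY_RESOLVER blocks external general entities and, as far as I can tell, external DTD subsets as well, while FEATURE_SECURE_PROCESSING only bounds expansion of internal entities; a short comment in parseXML() saying that internal DTD subsets are still processed would spare the next maintainer from re-deriving that. The DISALLOW_EXTERNAL_ENTITY_RESOLVER field is declared after the methods that return it, which is legal for a static final but reads oddly next to getEntityResolver(); consider moving it up beside the other declarations.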
+++ b/debian/patches/remove-RunExecutableListener.patch 
@@ -0,0 +1,137 @@ +From: Markus Koschany <a...@debian.org> +Date: Sat, 13 Jan 2018 17:14:03 +0100 +Subject: remove RunExecutableListener + +--- + .../apache/solr/core/RunExecutableListener.java | 122 --------------------- + 1 file changed, 122 deletions(-) + delete mode 100644 solr/core/src/java/org/apache/solr/core/RunExecutableListener.java + +diff --git a/solr/core/src/java/org/apache/solr/core/RunExecutableListener.java b/solr/core/src/java/org/apache/solr/core/RunExecutableListener.java +deleted file mode 100644 +index 62f554e..0000000 +--- a/solr/core/src/java/org/apache/solr/core/RunExecutableListener.java ++++ /dev/null +@@ -1,122 +0,0 @@ +-/** +- * Licensed to the Apache Software Foundation (ASF) under one or more +- * contributor license agreements. See the NOTICE file distributed with +- * this work for additional information regarding copyright ownership. +- * The ASF licenses this file to You under the Apache License, Version 2.0 +- * (the "License"); you may not use this file except in compliance with +- * the License. You may obtain a copy of the License at +- * +- * http://www.apache.org/licenses/LICENSE-2.0 +- * +- * Unless required by applicable law or agreed to in writing, software +- * distributed under the License is distributed on an "AS IS" BASIS, +- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +- * See the License for the specific language governing permissions and +- * limitations under the License. 
+- */ +- +-package org.apache.solr.core; +- +-import org.apache.solr.common.SolrException; +-import org.apache.solr.common.util.NamedList; +-import org.apache.solr.search.SolrIndexSearcher; +- +-import java.io.File; +-import java.io.IOException; +-import java.util.List; +-import java.util.ArrayList; +- +-/** +- */ +-class RunExecutableListener extends AbstractSolrEventListener { +- public RunExecutableListener(SolrCore core) { +- super(core); +- } +- protected String[] cmd; +- protected File dir; +- protected String[] envp; +- protected boolean wait=true; +- +- @Override +- public void init(NamedList args) { +- super.init(args); +- +- List cmdlist = new ArrayList(); +- cmdlist.add(args.get("exe")); +- List lst = (List)args.get("args"); +- if (lst != null) cmdlist.addAll(lst); +- cmd = (String[])cmdlist.toArray(new String[cmdlist.size()]); +- +- lst = (List)args.get("env"); +- if (lst != null) { +- envp = (String[])lst.toArray(new String[lst.size()]); +- } +- +- String str = (String)args.get("dir"); +- if (str==null || str.equals("") || str.equals(".") || str.equals("./")) { +- dir = null; +- } else { +- dir = new File(str); +- } +- +- if ("false".equals(args.get("wait")) || Boolean.FALSE.equals(args.get("wait"))) wait=false; +- } +- +- /** +- * External executable listener. +- * +- * @param callback Unused (As of solr 1.4-dev) +- * @return Error code indicating if the command has executed successfully. <br /> +- * 0 , indicates normal termination.<br /> +- * non-zero , otherwise. 
+- */ +- protected int exec(String callback) { +- int ret = 0; +- +- try { +- boolean doLog = log.isDebugEnabled(); +- if (doLog) { +- log.debug("About to exec " + cmd[0]); +- } +- Process proc = Runtime.getRuntime().exec(cmd, envp ,dir); +- +- if (wait) { +- try { +- ret = proc.waitFor(); +- } catch (InterruptedException e) { +- SolrException.log(log,e); +- ret = INVALID_PROCESS_RETURN_CODE; +- } +- } +- +- if (wait && doLog) { +- log.debug("Executable " + cmd[0] + " returned " + ret); +- } +- +- } catch (IOException e) { +- // don't throw exception, just log it... +- SolrException.log(log,e); +- ret = INVALID_PROCESS_RETURN_CODE; +- } +- +- return ret; +- } +- +- +- @Override +- public void postCommit() { +- // anything generic need to be passed to the external program? +- // the directory of the index? the command that caused it to be +- // invoked? the version of the index? +- exec("postCommit"); +- } +- +- @Override +- public void newSearcher(SolrIndexSearcher newSearcher, SolrIndexSearcher currentSearcher) { +- exec("newSearcher"); +- } +- +- /** Non-zero value for an invalid return code **/ +- private static int INVALID_PROCESS_RETURN_CODE = -1; +- +-} diff --git a/debian/patches/series b/debian/patches/series index a197129..133e43c 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -11,3 +11,5 @@ CVE-2013-6407_CVE-2013-6408.patch jetty-compatibility.patch commons-codec-compatibility.patch java8-compatibility.patch +CVE-2017-12629.patch +remove-RunExecutableListener.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/lucene-solr.git _______________________________________________ pkg-java-commits mailing list pkg-java-comm...@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits