This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch master in repository lucene-solr.
commit 4e5f8a68c6a05d98dd90ee5d3d731e2445c9313a
Author: Markus Koschany <a...@debian.org>
Date: Sun Jan 14 00:54:38 2018 +0100
Fix CVE-2017-3163
---
debian/patches/CVE-2017-3163.patch | 50 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 51 insertions(+)
diff --git a/debian/patches/CVE-2017-3163.patch b/debian/patches/CVE-2017-3163.patch
new file mode 100644
index 0000000..a5140ff
--- /dev/null
+++ b/debian/patches/CVE-2017-3163.patch
@@ -0,0 +1,50 @@
+Description: Validation of filename params in ReplicationHandler
+ This is a backport of upstream patch available in commit
+ ae789c252687dc8a18bfdb677f2e6cd14570e4db made by janhoy <jan...@apache.org>
+Author: Lucas Kanashiro <kanash...@debian.org>
+Last-Updated: 2017-07-21
+
+--- a/solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java
++++ b/solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java
+@@ -42,6 +42,8 @@
+ import java.io.*;
+ import java.nio.ByteBuffer;
+ import java.nio.channels.FileChannel;
++import java.nio.file.Path;
++import java.nio.file.Paths;
+ import java.text.NumberFormat;
+ import java.util.*;
+ import java.util.concurrent.locks.ReentrantLock;
+@@ -1010,8 +1012,8 @@
+ }
+
+ public void write(OutputStream out) throws IOException {
+- String fileName = params.get(FILE);
+- String cfileName = params.get(CONF_FILE_SHORT);
++ String fileName = validateFilenameOrError(params.get(FILE));
++ String cfileName = validateFilenameOrError(params.get(CONF_FILE_SHORT));
+ String sOffset = params.get(OFFSET);
+ String sLen = params.get(LEN);
+ String compress = params.get(COMPRESSION);
+@@ -1091,6 +1093,21 @@
+ }
+ }
+
++ // Throw exception on directory traversal attempts
++ protected String validateFilenameOrError(String filename) {
++ if (filename != null) {
++ Path filePath = Paths.get(filename);
++ for (Path subpath : filePath) {
++ if ("..".equals(subpath.toString())) {
++ throw new SolrException(ErrorCode.FORBIDDEN, "File name cannot contain ..");
++ }
++ }
++ if (filePath.isAbsolute()) {
++ throw new SolrException(ErrorCode.FORBIDDEN, "File name must be relative");
++ }
++ return filename;
++ } else return null;
++ }
+
+ /**
+ * Used to write a marker for EOF
diff --git a/debian/patches/series b/debian/patches/series
index 133e43c..efe950d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
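Review bot: `Paths.get(filename)` in the new `validateFilenameOrError` can throw `InvalidPathException`, an unchecked exception raised for names the filesystem cannot represent (a NUL byte on Unix, for instance), so such a request would surface as an unhandled server error instead of the 4xx rejection the `..` and absolute-path branches produce; catching it and rethrowing as a `SolrException` keeps the failure mode uniform. The check is also purely lexical: it rejects `..` components and absolute names but says nothing about where `fileName`/`cfileName` are later resolved, which happens in the remainder of `write` outside the hunk — if that code joins the name onto an index or conf directory, a `base.resolve(name).normalize().startsWith(base)` check at that point would not depend on the name alone (symlinks aside). As a point of style, the unbraced `} else return null;` reads better as an early-return guard, and the `// Throw exception on directory traversal attempts` comment could become Javadoc with `@throws SolrException with {@code ErrorCode.FORBIDDEN} when the name contains a {@code ..} component or is absolute`. The rewrite below also needs `import java.nio.file.InvalidPathException;` beside the two imports added in the first inner hunk. The enclosing `write` method starts and ends outside the hunk; `validateFilenameOrError` itself is complete within it.
```java
protected String validateFilenameOrError(String filename) {
  if (filename == null) {
    return null;
  }
  Path filePath;
  try {
    filePath = Paths.get(filename);
  } catch (InvalidPathException e) {
    // Reject unrepresentable names the same way as traversal attempts, not as a 500.
    throw new SolrException(ErrorCode.BAD_REQUEST, "Invalid file name", e);
  }
  // … unchanged: ".." component loop and isAbsolute() check …
  return filename;
}
```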
@@ -13,3 +13,4 @@ commons-codec-compatibility.patch
 java8-compatibility.patch
 CVE-2017-12629.patch
 remove-RunExecutableListener.patch
+CVE-2017-3163.patch
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/lucene-solr.git
_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits