Markus Koschany pushed to branch master at Debian Java Maintainers / openrefine
Commits: c965725c by Markus Koschany at 2023-08-18T01:35:30+02:00 Add CVE-2023-37476.patch and automatically refresh all other patches - - - - - 4f079c67 by Markus Koschany at 2023-08-18T01:35:42+02:00 Declare compliance with Debian Policy 4.6.2. - - - - - 5eef2063 by Markus Koschany at 2023-08-18T01:39:05+02:00 Update changelog - - - - - 8 changed files: - debian/changelog - debian/control - + debian/patches/CVE-2023-37476.patch - debian/patches/build.patch - debian/patches/gdata-extension.patch - debian/patches/log4j-api.patch - debian/patches/no-java-files.patch - debian/patches/series Changes:
===================================== debian/changelog =====================================
@@ -1,3 +1,15 @@
+openrefine (3.6.2-3) unstable; urgency=medium
+
+ * Tighten B-D on commons-io to >= 2.11.0.
+ * Fix CVE-2023-37476 and automatically refresh all other patches.
+ OpenRefine is a free, open source tool for data processing. A carefully
+ crafted malicious OpenRefine project tar file can be used to trigger
+ arbitrary code execution in the context of the OpenRefine process if a user
+ can be convinced to import it. (Closes: #1041422)
+ * Declare compliance with Debian Policy 4.6.2.
+
+ -- Markus Koschany <[email protected]> Fri, 18 Aug 2023 01:37:01 +0200
+
 openrefine (3.6.2-2) unstable; urgency=medium
 * Depend on libjoda-time-java and liboro-java.
===================================== debian/control =====================================
@@ -69,7 +69,7 @@ Build-Depends:
 libxtc-rats-java,
 maven-debian-helper,
 velocity
-Standards-Version: 4.6.1
+Standards-Version: 4.6.2
 Vcs-Git: https://salsa.debian.org/java-team/openrefine.git
 Vcs-Browser: https://salsa.debian.org/java-team/openrefine
 Homepage: https://openrefine.org/
===================================== debian/patches/CVE-2023-37476.patch =====================================
@@ -0,0 +1,24 @@
+From: Markus Koschany <[email protected]>
+Date: Thu, 17 Aug 2023 21:33:50 +0200
+Subject: CVE-2023-37476
+
+Bug-Debian: https://bugs.debian.org/1041422
+Origin: https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651
+---
+ main/src/com/google/refine/io/FileProjectManager.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/main/src/com/google/refine/io/FileProjectManager.java b/main/src/com/google/refine/io/FileProjectManager.java
+index 09197f7..c913199 100644
+--- a/main/src/com/google/refine/io/FileProjectManager.java
++++ b/main/src/com/google/refine/io/FileProjectManager.java
+@@ -167,6 +167,9 @@ public class FileProjectManager extends ProjectManager {
+
+ while ((tarEntry = tin.getNextTarEntry()) != null) {
+ File destEntry = new File(destDir, tarEntry.getName());
++ if (!destEntry.toPath().normalize().startsWith(destDir.toPath().normalize())) {
++ throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
++ }
+ File parent = destEntry.getParentFile();
+
+ if (!parent.exists()) {
===================================== debian/patches/build.patch =====================================
@@ -7,7 +7,7 @@ Subject: build
 1 file changed, 4 insertions(+)
 diff --git a/main/pom.xml b/main/pom.xml
-index c0b409c..27f789d 100644
+index 17b8ddc..4b61428 100644
 --- a/main/pom.xml
 +++ b/main/pom.xml
 @@ -337,6 +337,10 @@
===================================== debian/patches/gdata-extension.patch =====================================
@@ -7,7 +7,7 @@ Subject: gdata extension
 1 file changed, 5 insertions(+)
 diff --git a/extensions/gdata/pom.xml b/extensions/gdata/pom.xml
-index 4fc64e5..ce9b906 100644
+index ed8b740..e310e8c 100644
 --- a/extensions/gdata/pom.xml
 +++ b/extensions/gdata/pom.xml
 @@ -97,6 +97,11 @@
===================================== debian/patches/log4j-api.patch =====================================
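Review bot: The message on the added `throw` says "Zip archives", but the loop it guards iterates tar entries (`tin.getNextTarEntry()`), so a user who trips the check on a crafted project tar gets a misleading diagnostic and no hint which entry was rejected; `throw new IllegalArgumentException("Archive entry escapes the project directory: " + tarEntry.getName());` would fix both without changing the exception type. The component-wise `Path.startsWith` on the two normalized paths is the right shape for this check — it is not a string-prefix test, so a sibling such as `<destDir>2` is still rejected — and placing it ahead of the `parent.exists()` branch means nothing is created on disk for a rejected entry. It is a purely lexical check, though: if the remainder of this loop, which lies outside the hunk, ever materialises symlink entries from the archive, a later entry whose path runs through such a link would still pass `normalize()`; rejecting `tarEntry.isSymbolicLink()` entries, or comparing `toRealPath()` of the parent directory, would close that — please confirm against the part of the method not shown. The enclosing method begins and ends outside the hunk.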
@@ -7,7 +7,7 @@ Subject: log4j-api
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/server/pom.xml b/server/pom.xml
-index 8bb528a..89dd5ab 100644
+index 2408c76..e168085 100644
 --- a/server/pom.xml
 +++ b/server/pom.xml
 @@ -180,7 +180,7 @@
===================================== debian/patches/no-java-files.patch =====================================
@@ -8,7 +8,7 @@ Subject: no-java-files
 2 files changed, 10 deletions(-)
 diff --git a/main/pom.xml b/main/pom.xml
-index 27f789d..0ef3eab 100644
+index 4b61428..8ea4ef6 100644
 --- a/main/pom.xml
 +++ b/main/pom.xml
 @@ -27,11 +27,6 @@
@@ -24,7 +24,7 @@ index 27f789d..0ef3eab 100644
 <testResources>
 <testResource>
 diff --git a/server/pom.xml b/server/pom.xml
-index 89dd5ab..94fda4c 100644
+index e168085..f2955e4 100644
 --- a/server/pom.xml
 +++ b/server/pom.xml
 @@ -28,11 +28,6 @@
===================================== debian/patches/series =====================================
@@ -4,3 +4,4 @@ butterfly.properties.patch
 log4j-api.patch
 no-java-files.patch
 gdata-extension.patch
+CVE-2023-37476.patch
View it on GitLab: https://salsa.debian.org/java-team/openrefine/-/compare/056c7e43b2b47cfa861b047d2b20f4832f68984c...5eef2063146c92e67f28568c663aa99335978e5d -- View it on GitLab: https://salsa.debian.org/java-team/openrefine/-/compare/056c7e43b2b47cfa861b047d2b20f4832f68984c...5eef2063146c92e67f28568c663aa99335978e5d You're receiving this email because of your account on salsa.debian.org.

