Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Dear release team, I would like to fix CVE-2019-0193 for Buster in lucene-solr. This issue was marked no-dsa by the security team. Please find attached the debdiff. Regards, Markus
diff -Nru lucene-solr-3.6.2+dfsg/debian/changelog lucene-solr-3.6.2+dfsg/debian/changelog
--- lucene-solr-3.6.2+dfsg/debian/changelog 2019-09-04 22:30:29.000000000 +0200
+++ lucene-solr-3.6.2+dfsg/debian/changelog 2020-08-16 15:56:26.000000000 +0200
@@ -1,3 +1,19 @@
+lucene-solr (3.6.2+dfsg-20+deb10u2) buster; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2019-0193:
+ The DataImportHandler, an optional but popular module to pull in data from
+ databases and other sources, has a feature in which the whole DIH
+ configuration can come from a request's "dataConfig" parameter. The debug
+ mode of the DIH admin screen uses this to allow convenient debugging /
+ development of a DIH config. Since a DIH config can contain scripts, this
+ parameter is a security risk. Starting from now on, use of this parameter
+ requires setting the Java System property "enable.dih.dataConfigParam" to
+ true. For example this can be achieved with solr-tomcat by adding
+ -Denable.dih.dataConfigParam=true to JAVA_OPTS in /etc/default/tomcat9.
+
+ -- Markus Koschany <a...@debian.org> Sun, 16 Aug 2020 15:56:26 +0200
+
 lucene-solr (3.6.2+dfsg-20+deb10u1) buster; urgency=medium
 * Team upload.
diff -Nru lucene-solr-3.6.2+dfsg/debian/patches/CVE-2019-0193.patch lucene-solr-3.6.2+dfsg/debian/patches/CVE-2019-0193.patch
--- lucene-solr-3.6.2+dfsg/debian/patches/CVE-2019-0193.patch 1970-01-01 01:00:00.000000000 +0100
+++ lucene-solr-3.6.2+dfsg/debian/patches/CVE-2019-0193.patch 2020-08-16 15:56:26.000000000 +0200
@@ -0,0 +1,70 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sat, 15 Aug 2020 18:41:28 +0200
+Subject: CVE-2019-0193
+
+Bug-Upstream: https://issues.apache.org/jira/browse/SOLR-13669
+Origin: https://github.com/apache/lucene-solr/commit/325824cd391c8e71f36f17d687f52344e50e9715
+---
+ .../apache/solr/handler/dataimport/DataImportHandler.java | 10 ++++++++++
+ .../dataimport/AbstractDataImportHandlerTestCase.java | 13 ++++++-------
+ 2 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
+index 9e11c79..a4a39a0 100644
+--- a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
++++ b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
+@@ -83,6 +83,10 @@ public class DataImportHandler extends RequestHandlerBase implements
+
+ private Map<String , Object> coreScopeSession = new HashMap<String, Object>();
+
++ static final String ENABLE_DIH_DATA_CONFIG_PARAM = "enable.dih.dataConfigParam";
++
++ final boolean dataConfigParam_enabled = Boolean.getBoolean(ENABLE_DIH_DATA_CONFIG_PARAM);
++
+ @Override
+ @SuppressWarnings("unchecked")
+ public void init(NamedList args) {
+@@ -153,6 +157,12 @@ public class DataImportHandler extends RequestHandlerBase implements
+ return;
+ }
+
++ if (dataConfigParam_enabled == false) {
++ throw new SolrException(SolrException.ErrorCode.FORBIDDEN,
++ "Use of the dataConfig param (DIH debug mode) requires the system property " +
++ ENABLE_DIH_DATA_CONFIG_PARAM + " because it's a security risk.");
++ }
++
+ rsp.add("initArgs", initArgs);
+ String message = "";
+
+diff --git a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
+index 1b49028..1cce926 100644
+--- a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
++++ b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
+@@ -30,7 +30,7 @@ import org.apache.solr.update.processor.UpdateRequestProcessor;
+ import org.apache.solr.update.processor.UpdateRequestProcessorFactory;
+ import org.apache.solr.common.util.NamedList;
+ import org.junit.After;
+-import org.junit.Before;
++import org.junit.BeforeClass;
+
+ import java.io.FileOutputStream;
+ import java.io.IOException;
+@@ -57,12 +57,11 @@ public abstract class AbstractDataImportHandlerTestCase extends
+ public static void initCore(String config, String schema) throws Exception {
+ initCore(config, schema, getFile("dih/solr").getAbsolutePath());
+ }
+-
+- @Override
+- @Before
+- public void setUp() throws Exception {
+- super.setUp();
+- }
++
++ @BeforeClass
++ public static void baseBeforeClass() {
++ System.setProperty(DataImportHandler.ENABLE_DIH_DATA_CONFIG_PARAM, "true");
++ }
+
+ @Override
+ @After
diff -Nru lucene-solr-3.6.2+dfsg/debian/patches/series lucene-solr-3.6.2+dfsg/debian/patches/series
--- lucene-solr-3.6.2+dfsg/debian/patches/series 2019-09-04 22:30:29.000000000 +0200
+++ lucene-solr-3.6.2+dfsg/debian/patches/series 2020-08-16 15:56:26.000000000 +0200
@@ -17,3 +17,4 @@
 ant-1.10.patch
 CVE-2018-1308.patch
 web.xml.patch
+CVE-2019-0193.patch
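Review bot: The guard added in the second DataImportHandler.java hunk (`@@ -153,6 +157,12 @@`) tests only `dataConfigParam_enabled` and never checks whether the request actually carries a `dataConfig` parameter. From the visible context it sits between the early `return; }` and `rsp.add("initArgs", initArgs)`, so it appears to answer FORBIDDEN to every request that reaches this point while the property is unset. The changelog says only use of the parameter requires the property; if operators must add `-Denable.dih.dataConfigParam=true` just to keep ordinary imports working, request-supplied configurations are switched back on and the hardening is effectively undone. Consider `if (!dataConfigParam_enabled && req.getParams().get("dataConfig") != null) {`, adjusted to whatever request object is in scope, since the method's signature lies outside the hunk. In the test base class, `baseBeforeClass()` sets the property to "true" for every DIH test and never clears it, so the default-deny path is not exercised; a test that runs with the property unset and asserts the FORBIDDEN response would cover it.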