Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-14 Thread Felix Natter
Sébastien Delafond  writes:

> On Apr/10, Felix Natter wrote:
>> Yes and no. On jessie the patch did not cleanly apply, so I would have
>> had to apply that change manually. Since removing the import has no
>> effect on the semantics of the program (as long as it still compiles),
>> I was too lazy. It should be ok.
>
> Let's leave it then.
>
> For further contributions, however, please make sure you cleanly
> retrofit any patch that doesn't apply as-is: this will reduce the
> overhead and questions when reviewing on our side.

Ok, sure, I will do!

>> May I ask why the full source must be included?
>
> Because they will be new on security-master.

Ah, thanks for the explanation.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-11 Thread Markus Koschany
Hello,

I am currently in the process of uploading freeplane to security-master.

Regards,

Markus





Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-11 Thread Sébastien Delafond
On Apr/10, Felix Natter wrote:
> Yes and no. On jessie the patch did not cleanly apply, so I would have
> had to apply that change manually. Since removing the import has no
> effect on the semantics of the program (as long as it still compiles),
> I was too lazy. It should be ok.

Let's leave it then.

For further contributions, however, please make sure you cleanly
retrofit any patch that doesn't apply as-is: this will reduce the
overhead and questions when reviewing on our side.

> May I ask why the full source must be included?

Because they will be new on security-master.

Cheers,

--Seb



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-10 Thread Felix Natter
Salvatore Bonaccorso  writes:

> Hi Felix,

hello Salvatore,

> Sorry for the delay in getting back to you.
>
> On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
>> hello Security Team,
>> 
>> here are the CVE-2018-169 security updates for jessie and stretch:
>> 
>> [jessie]
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169
>> (jessie-CVE-2018-169 branch)
>> 
>> [stretch]
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
>> (stretch-CVE-2018-169 branch)
>> 
>> Both are tested:
>> - builds
>> - activation log message is seen
>> - Save and Load XML works
>> 
>> In what format would you like the "tested packages"? *.deb?
>> 
>> Here is the corresponding upstream commit:
>> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>> 
>> The debdiffs are attached.
>
> Debdiffs look good to me. I just have a question, for the
> jessie-debdiff: In the ScriptingRegistration.java was the removal of
> the import of org.freeplane.n3.nanoxml.XMLParserFactory not done on
> purpose?

Yes and no. On jessie the patch did not cleanly apply, so I would have
had to apply that change manually. Since removing the import has no
effect on the semantics of the program (as long as it still compiles), I
was too lazy. It should be ok.

> Other than that, once the above question is commented on, feel free to upload
> to security-master (AFAICS you will need a sponsor, but I guess Markus
> will chime in here as well). Remember that both need to be built with
> -sa.

May I ask why the full source must be included?

@Markus: Would you be so kind as to take care of uploading?

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-09 Thread Salvatore Bonaccorso
Hi Felix,

Sorry for the delay in getting back to you.

On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
> 
> here are the CVE-2018-169 security updates for jessie and stretch:
> 
> [jessie]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169
> (jessie-CVE-2018-169 branch)
> 
> [stretch]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
> (stretch-CVE-2018-169 branch)
> 
> Both are tested:
> - builds
> - activation log message is seen
> - Save and Load XML works
> 
> In what format would you like the "tested packages"? *.deb?
> 
> Here is the corresponding upstream commit:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f
> 
> The debdiffs are attached.

Debdiffs look good to me. I just have a question, for the
jessie-debdiff: In the ScriptingRegistration.java was the removal of
the import of org.freeplane.n3.nanoxml.XMLParserFactory not done on
purpose?

Other than that, once the above question is commented on, feel free to upload
to security-master (AFAICS you will need a sponsor, but I guess Markus
will chime in here as well). Remember that both need to be built with
-sa.

Regards,
Salvatore



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-06 Thread Salvatore Bonaccorso
Hi Felix,

On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
> 
> here are the CVE-2018-169 security updates for jessie and stretch:
> 
> [jessie]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169
> (jessie-CVE-2018-169 branch)
> 
> [stretch]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
> (stretch-CVE-2018-169 branch)
> 
> Both are tested:
> - builds
> - activation log message is seen
> - Save and Load XML works
> 
> In what format would you like the "tested packages"? *.deb?
> 
> Here is the corresponding upstream commit:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f
> 
> The debdiffs are attached.

Thanks, I will try to review and ack those over this weekend. Thanks a
lot for both your work.

Regarding the question:

> In what format would you like the "tested packages"? *.deb?

That's not needed. We just have the requirement that the debdiff
should be the resulting one from the packages in the archive against
the built and tested packages, the latter for the obvious reason that we
want some assurance the packages have been tested to work.

The debdiff requirement (rather than only VCS commits) is to avoid
surprises on the actual result which will be uploaded to the archive
rather than just a series of commits in the packaging repos to be
reviewed.

Regards,
Salvatore



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-06 Thread Felix Natter
hello Security Team,

here are the CVE-2018-169 security updates for jessie and stretch:

[jessie]
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169
(jessie-CVE-2018-169 branch)

[stretch]
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
(stretch-CVE-2018-169 branch)

Both are tested:
- builds
- activation log message is seen
- Save and Load XML works

In what format would you like the "tested packages"? *.deb?

Here is the corresponding upstream commit:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

The debdiffs are attached.

@Markus: Did you already submit the update for wheezy?

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!




Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-03 Thread Felix Natter
Salvatore Bonaccorso  writes:

> Hi Felix,

hello Salvatore,

> On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote:
>> 
>> 
>> Am 01.04.2018 um 17:57 schrieb Felix Natter:
>> [...]
>> > Thanks, done.
>> > BTW: Is it ok to close the bug with the stretch-security upload even if
>> > the jessie-security upload is still pending?
>> 
>> Yes, that's ok. You can close the bug with both uploads.
>> 
>> > What is there to do next?
>> 
>> As soon as the security team has approved the changes, I can upload your
>> packages to security-master.
>
> Thanks for working on it, the issue is severe enough that it warrants
> a DSA. Could you send the security team alias
> (t...@security.debian.org) debdiffs resulting from the build and
> tested packages for a short review + ack?

The stretch update is here (branch stretch-CVE-2018-169):
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169=1

This is tested:
- activation log message is seen
- Save and Load XML works

In what format would you like the "tested packages"? *.deb?

Here is the upstream commit:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

The debdiff (for stretch-security) is attached.

I am still working on the jessie update, this could take until Saturday
(sorry for the delay).

Best Regards,
-- 
Felix Natter
debian/rules!




Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-03 Thread Salvatore Bonaccorso
Hi Felix,

On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote:
> 
> 
> Am 01.04.2018 um 17:57 schrieb Felix Natter:
> [...]
> > Thanks, done.
> > BTW: Is it ok to close the bug with the stretch-security upload even if
> > the jessie-security upload is still pending?
> 
> Yes, that's ok. You can close the bug with both uploads.
> 
> > What is there to do next?
> 
> As soon as the security team has approved the changes, I can upload your
> packages to security-master.

Thanks for working on it, the issue is severe enough that it warrants
a DSA. Could you send the security team alias
(t...@security.debian.org) debdiffs resulting from the build and
tested packages for a short review + ack?

Regards,
Salvatore




Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-01 Thread Markus Koschany


Am 01.04.2018 um 17:57 schrieb Felix Natter:
[...]
> Thanks, done.
> BTW: Is it ok to close the bug with the stretch-security upload even if
> the jessie-security upload is still pending?

Yes, that's ok. You can close the bug with both uploads.

> What is there to do next?

As soon as the security team has approved the changes, I can upload your
packages to security-master.

>> Distribution should be stretch-security though and the urgency is high.
>> Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1
> 
> I will do this soon, hopefully tomorrow.
> 
> Cheers and Best Regards,

Regards,

Markus





Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-01 Thread Felix Natter
Markus Koschany  writes:

> Hi Felix,

hello Markus,

> Am 01.04.2018 um 16:23 schrieb Felix Natter:
>> hello Markus,
>> 
>> I have prepared the patched 1.5.18-1+deb9u1 for stretch.
>> I hope I got the version number right? The changelog entry is probably
>> not correct either. Can you advise what to read?
>> 
>> I briefly tested saving+loading mindmaps.
>> 
>> Here it is:
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
>> (branch stretch-CVE-2018-169 in the freeplane alioth repo).
>> 
>> I am in the process of setting up a vbox instance for jessie to address
>> the other update.
>> 
>> Cheers and Best Regards,
>
> The version is correct. I would write in your changelog:
>
> Fix CVE-2018-169: Wojciech Reguła discovered that FreePlane was
> affected by an XML External Entity (XXE) vulnerability in its mindmap
> loader that could compromise a user's machine by opening a specially
> crafted mind map file. (Closes: #893663)

Thanks, done.
BTW: Is it ok to close the bug with the stretch-security upload even if
the jessie-security upload is still pending?

What is there to do next?

> Distribution should be stretch-security though and the urgency is high.
> Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1

I will do this soon, hopefully tomorrow.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-01 Thread Markus Koschany
Hi Felix,

Am 01.04.2018 um 16:23 schrieb Felix Natter:
> hello Markus,
> 
> I have prepared the patched 1.5.18-1+deb9u1 for stretch.
> I hope I got the version number right? The changelog entry is probably
> not correct either. Can you advise what to read?
> 
> I briefly tested saving+loading mindmaps.
> 
> Here it is:
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
> (branch stretch-CVE-2018-169 in the freeplane alioth repo).
> 
> I am in the process of setting up a vbox instance for jessie to address
> the other update.
> 
> Cheers and Best Regards,

The version is correct. I would write in your changelog:

Fix CVE-2018-169: Wojciech Reguła discovered that FreePlane was
affected by an XML External Entity (XXE) vulnerability in its mindmap
loader that could compromise a user's machine by opening a specially
crafted mind map file. (Closes: #893663)

Distribution should be stretch-security though and the urgency is high.
Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1


Cheers,

Markus





Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-04-01 Thread Felix Natter
hello Markus,

I have prepared the patched 1.5.18-1+deb9u1 for stretch.
I hope I got the version number right? The changelog entry is probably
not correct either. Can you advise what to read?

I briefly tested saving+loading mindmaps.

Here it is:
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
(branch stretch-CVE-2018-169 in the freeplane alioth repo).

I am in the process of setting up a vbox instance for jessie to address
the other update.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-24 Thread Markus Koschany


Am 24.03.2018 um 11:32 schrieb Felix Natter:
[...]

> Since I am hiking this weekend, would it be possible to do this as the
> first thing on the Easter weekend (next Friday)? I also need to fix the
> knopflerfish RC bug (#893221), I will look into that this morning.
> 
> BTW: I *think* the patch should apply without major problems (the XML
> persistence hasn't changed much). But on the ant build systems (< 1.5)
> the sources are in /src/** instead of /src/main/java/**,
> so you can apply there with -p4 or something (and ignore the unmatched part
> for freeplane_plugin_script [1]). That part ([1]) can be applied
> manually.
> I will checkout the respective tag (debian/1.3.12-1, debian/1.5.18-1),
> create a branch from there ("jessie-security1", "stretch-security1"),
> import the patch, create a new changelog entry (will read about that)
> and test, ok?
> 
> [1] 
> freeplane_plugin_script/src/main/java/org/freeplane/plugin/script/ScriptingRegistration.java
> 
> Cheers and Best Regards,

That's absolutely fine with me. Have a nice weekend!

Cheers,

Markus





Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-24 Thread Felix Natter
Markus Koschany  writes:

> Am 22.03.2018 um 20:52 schrieb Felix Natter:
>> Markus Koschany  writes:
>> 
>>> Package: freeplane
>>> X-Debbugs-CC: t...@security.debian.org
>>> X-Debbugs-CC: fnat...@gmx.net
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>> 
>> hello Markus,
>> 
>>> the following vulnerability was published for freeplane. Apparently only
>>> stretch/jessie/wheezy might be affected.
>> 
>> Thank you for paying attention to this, I completely overlooked this!
>

Hi Markus,

> Thanks for your reply!
>
>> 
>>> @Felix
>>> Can you tell us more about this vulnerability? There only seems to be a
>>> reference in freeplane's wiki.
>> 
>> I think it is very well explained here:
>> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>> 
>> In short: External identities are "includes" for XML documents that can
>> be specified in DTDs.
>> 
>> Here is the commit that should fix it:
>> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>
> That's what we were looking for.
>
> [...]
>
>
>> I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
>> wheezy, jessie and stretch are affected.
>> 
>> Shall I add the patch in git branches from the debian/X tags here?
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git
>> Or did you want to do this, Markus?
>
> Please prepare updates for Jessie and Stretch if time permits and I will
> upload the fix either as a security update, provided the security team
> agrees, or as a point-update. I will take care of Wheezy myself.

Since I am hiking this weekend, would it be possible to do this as the
first thing on the Easter weekend (next Friday)? I also need to fix the
knopflerfish RC bug (#893221), I will look into that this morning.

BTW: I *think* the patch should apply without major problems (the XML
persistence hasn't changed much). But on the ant build systems (< 1.5)
the sources are in /src/** instead of /src/main/java/**,
so you can apply there with -p4 or something (and ignore the unmatched part
for freeplane_plugin_script [1]). That part ([1]) can be applied
manually.
I will checkout the respective tag (debian/1.3.12-1, debian/1.5.18-1),
create a branch from there ("jessie-security1", "stretch-security1"),
import the patch, create a new changelog entry (will read about that)
and test, ok?

[1] 
freeplane_plugin_script/src/main/java/org/freeplane/plugin/script/ScriptingRegistration.java

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-22 Thread Markus Koschany
Am 22.03.2018 um 20:52 schrieb Felix Natter:
> Markus Koschany  writes:
> 
>> Package: freeplane
>> X-Debbugs-CC: t...@security.debian.org
>> X-Debbugs-CC: fnat...@gmx.net
>> Severity: important
>> Tags: security
>>
>> Hi,
> 
> hello Markus,
> 
>> the following vulnerability was published for freeplane. Apparently only
>> stretch/jessie/wheezy might be affected.
> 
> Thank you for paying attention to this, I completely overlooked this!


Thanks for your reply!

> 
>> @Felix
>> Can you tell us more about this vulnerability? There only seems to be a
>> reference in freeplane's wiki.
> 
> I think it is very well explained here:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
> 
> In short: External identities are "includes" for XML documents that can
> be specified in DTDs.
> 
> Here is the commit that should fix it:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f

That's what we were looking for.

[...]


> I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
> wheezy, jessie and stretch are affected.
> 
> Shall I add the patch in git branches from the debian/X tags here?
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git
> Or did you want to do this, Markus?

Please prepare updates for Jessie and Stretch if time permits and I will
upload the fix either as a security update, provided the security team
agrees, or as a point-update. I will take care of Wheezy myself.

> 
> I will read more about security updates on the weekend.
> 
> Cheers and Best Regards,

Cheers,

Markus





Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-22 Thread Felix Natter
Markus Koschany  writes:

> Package: freeplane
> X-Debbugs-CC: t...@security.debian.org
> X-Debbugs-CC: fnat...@gmx.net
> Severity: important
> Tags: security
>
> Hi,

hello Markus,

> the following vulnerability was published for freeplane. Apparently only
> stretch/jessie/wheezy might be affected.

Thank you for paying attention to this, I completely overlooked this!

> @Felix
> Can you tell us more about this vulnerability? There only seems to be a
> reference in freeplane's wiki.

I think it is very well explained here:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

In short: External identities are "includes" for XML documents that can
be specified in DTDs.

Here is the commit that should fix it:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

> https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser
>
> CVE-2018-169[0]:
> | FreePlane version 1.5.9 and earlier contains an XML External Entity
> | (XXE) vulnerability in XML Parser in mindmap loader that can result in
> | stealing data from victim's machine. This attack appears to require
> | the victim to open a specially crafted mind map file. This
> | vulnerability appears to have been fixed in 1.6+.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-169
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-169
>
> Please adjust the affected versions in the BTS as needed.

I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
wheezy, jessie and stretch are affected.

Shall I add the patch in git branches from the debian/X tags here?
https://anonscm.debian.org/cgit/pkg-java/freeplane.git
Or did you want to do this, Markus?

I will read more about security updates on the weekend.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!
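The external-entity mechanism described above, shown from the defender's side in an added example that is neither Freeplane's code nor anything from this bug report: Freeplane's loader is nanoxml-based, whereas this uses Python's xml.sax, and the map layout, the node note and the SYSTEM id are constructed placeholders.

```python
"""Hardened loading of an untrusted Freeplane-style mind map (.mm) file.
Assumptions: a minimal <map><node TEXT=".."/></map> layout, a placeholder
SYSTEM id, and xml.sax standing in for Freeplane's own nanoxml loader."""
import re
import xml.sax
from xml.sax.handler import ContentHandler, EntityResolver, feature_external_ges

# Constructed samples (not from the bug report). The hostile map declares an
# external entity in its internal DTD subset and references it from a node
# note; the SYSTEM id is a placeholder that this code never opens.
BENIGN_MAP = b"""<?xml version="1.0"?>
<map version="freeplane 1.5.9">
  <node TEXT="root"><node TEXT="child"/></node>
</map>"""

HOSTILE_MAP = b"""<?xml version="1.0"?>
<!DOCTYPE map [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/constructed"> ]>
<map version="freeplane 1.5.9">
  <node TEXT="root"><richcontent TYPE="NOTE">&ext;</richcontent></node>
</map>"""

class ExternalEntityRefused(Exception):
    def __init__(self, reason, system_id=None):
        super().__init__(reason)
        self.system_id = system_id   # what the document tried to pull in

class RefusingResolver(EntityResolver):
    """Second line of defence: record the requested system id (a useful
    indicator for incident response) and refuse to open it."""
    def resolveEntity(self, publicId, systemId):
        raise ExternalEntityRefused("external entity refused", systemId)

class NodeTextCollector(ContentHandler):
    def __init__(self):
        super().__init__()
        self.texts = []

    def startElement(self, name, attrs):
        if name == "node":
            self.texts.append(attrs.get("TEXT", ""))

def has_doctype(data):
    """First line of defence: a mind map never needs a DTD, and the DTD is the
    only place an entity can be declared, so any DOCTYPE is grounds to reject."""
    return re.search(rb"<!DOCTYPE\b", data) is not None

def load_map(data, doctype_check=True):
    """Return the TEXT of every <node>; raise ExternalEntityRefused on XXE."""
    if doctype_check and has_doctype(data):
        raise ExternalEntityRefused("mind map declares a DTD")
    parser = xml.sax.make_parser()
    # Enabling the feature is safe only because every external reference is
    # routed to RefusingResolver, which raises instead of fetching.
    parser.setFeature(feature_external_ges, True)
    parser.setEntityResolver(RefusingResolver())
    collector = NodeTextCollector()
    parser.setContentHandler(collector)
    parser.feed(data)
    parser.close()
    return collector.texts

def triage(data, doctype_check=True):
    """Scanner-style verdict: accepted?, node texts, refused system id."""
    try:
        nodes = load_map(data, doctype_check)
        return {"accepted": True, "nodes": nodes, "refused": None}
    except ExternalEntityRefused as exc:
        return {"accepted": False, "nodes": [], "refused": exc.system_id}
```

Running `triage` with `doctype_check=False` shows the resolver layer on its own: the file is still refused, and the recorded system id is the indicator worth keeping in an incident log.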



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-21 Thread Salvatore Bonaccorso
Looking at the release-1.5.20 tag:

Security fix related to scripts and formulas
Security fix related to loading of mind map files
Change short cuts for MacOS to avoid collisions

The fix might be:

https://github.com/freeplane/freeplane/commit/a5dce7f9f4d29675fb256053aee3858bf8d76001

Regards,
Salvatore



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-21 Thread Salvatore Bonaccorso
For reference: the issue is linked from the security advisory page at
https://www.freeplane.org/wiki/index.php/Fixed_security_vulnerabilities
Although there is unfortunately no reference to the fixing commit
(which would have been good for downstreams to help), we know the
versions fixed are 1.5.20 and 1.6.1_17.

That might help identifying the required fix.

HTH,

Regards,
Salvatore



Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

2018-03-20 Thread Markus Koschany
Package: freeplane
X-Debbugs-CC: t...@security.debian.org
X-Debbugs-CC: fnat...@gmx.net
Severity: important
Tags: security

Hi,

the following vulnerability was published for freeplane. Apparently only
stretch/jessie/wheezy might be affected.

@Felix
Can you tell us more about this vulnerability? There only seems to be a
reference in freeplane's wiki.

https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser

CVE-2018-169[0]:
| FreePlane version 1.5.9 and earlier contains an XML External Entity
| (XXE) vulnerability in XML Parser in mindmap loader that can result in
| stealing data from victim's machine. This attack appears to require
| the victim to open a specially crafted mind map file. This
| vulnerability appears to have been fixed in 1.6+.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-169

Please adjust the affected versions in the BTS as needed.


