Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Sébastien Delafond writes:

> On Apr/10, Felix Natter wrote:
>> Yes and no. On jessie the patch did not cleanly apply, so I would have
>> had to apply that change manually. Since removing the import has no
>> effect on the semantics of the program (as long as it still compiles),
>> I was too lazy. It should be ok.
>
> Let's leave it then.
>
> For further contributions, however, please make sure you cleanly
> retrofit any patch that doesn't apply as-is: this will reduce the
> overhead and questions when reviewing on our side.

Ok, sure, I will do!

>> May I ask why the full source must be included?
>
> Because they will be new on security-master.

Ah, thanks for the explanation.

Cheers and Best Regards,
--
Felix Natter
debian/rules!
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Hello,

I am currently in the process to upload freeplane to security-master.

Regards,
Markus
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
On Apr/10, Felix Natter wrote:
> Yes and no. On jessie the patch did not cleanly apply, so I would have
> had to apply that change manually. Since removing the import has no
> effect on the semantics of the program (as long as it still compiles),
> I was too lazy. It should be ok.

Let's leave it then.

For further contributions, however, please make sure you cleanly
retrofit any patch that doesn't apply as-is: this will reduce the
overhead and questions when reviewing on our side.

> May I ask why the full source must be included?

Because they will be new on security-master.

Cheers,
--Seb
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Salvatore Bonaccorso writes:

> Hi Felix,

hello Salvatore,

> Sorry for the delay in getting back to you.
>
> On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
>> hello Security Team,
>>
>> here are the CVE-2018-169 security updates for jessie and stretch:
>>
>> [jessie]
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169
>> (jessie-CVE-2018-169 branch)
>>
>> [stretch]
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
>> (stretch-CVE-2018-169 branch)
>>
>> Both are tested:
>> - builds
>> - activation log message is seen
>> - Save and Load XML works
>>
>> In what format would you like the "tested packages"? *.deb?
>>
>> Here is the corresponding upstream commit:
>> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>>
>> The debdiffs are attached.
>
> Debdiffs look good to me. I just have a question, for the
> jessie-debdiff: In the ScriptingRegistration.java was the removal of
> the import of org.freeplane.n3.nanoxml.XMLParserFactory not done on
> purpose?

Yes and no. On jessie the patch did not cleanly apply, so I would have
had to apply that change manually. Since removing the import has no
effect on the semantics of the program (as long as it still compiles),
I was too lazy. It should be ok.

> Other than that, when the above question is commented on, feel free to
> upload to security-master (AFAICS you will need a sponsor, but guess
> Markus will chime in here as well). Remember that both need to be
> built with -sa.

May I ask why the full source must be included?

@Markus: Would you be so kind to take care of uploading?

Cheers and Best Regards,
--
Felix Natter
debian/rules!
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Hi Felix,

Sorry for the delay in getting back to you.

On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
>
> here are the CVE-2018-169 security updates for jessie and stretch:
>
> [jessie]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169
> (jessie-CVE-2018-169 branch)
>
> [stretch]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
> (stretch-CVE-2018-169 branch)
>
> Both are tested:
> - builds
> - activation log message is seen
> - Save and Load XML works
>
> In what format would you like the "tested packages"? *.deb?
>
> Here is the corresponding upstream commit:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>
> The debdiffs are attached.

Debdiffs look good to me. I just have a question, for the
jessie-debdiff: In the ScriptingRegistration.java was the removal of
the import of org.freeplane.n3.nanoxml.XMLParserFactory not done on
purpose?

Other than that, when the above question is commented on, feel free to
upload to security-master (AFAICS you will need a sponsor, but guess
Markus will chime in here as well). Remember that both need to be
built with -sa.

Regards,
Salvatore
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Hi Felix,

On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
>
> here are the CVE-2018-169 security updates for jessie and stretch:
>
> [jessie]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169
> (jessie-CVE-2018-169 branch)
>
> [stretch]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
> (stretch-CVE-2018-169 branch)
>
> Both are tested:
> - builds
> - activation log message is seen
> - Save and Load XML works
>
> In what format would you like the "tested packages"? *.deb?
>
> Here is the corresponding upstream commit:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>
> The debdiffs are attached.

Thanks, I will try to review and ack those over this weekend. Thanks a
lot for both of your work.

Regarding the question:

> In what format would you like the "tested packages"? *.deb?

That's not needed. We just have the requirement that the debdiff should
be the resulting one from the packages in the archive against the built
and tested packages, the latter for the obvious reason that we want some
assurance the packages have been tested to work. The debdiff requirement
(rather than only VCS commits) is to avoid surprises in the actual
result which will be uploaded to the archive rather than just a series
of commits in the packaging repos to be reviewed.

Regards,
Salvatore
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
hello Security Team,

here are the CVE-2018-169 security updates for jessie and stretch:

[jessie]
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-169
(jessie-CVE-2018-169 branch)

[stretch]
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
(stretch-CVE-2018-169 branch)

Both are tested:
- builds
- activation log message is seen
- Save and Load XML works

In what format would you like the "tested packages"? *.deb?

Here is the corresponding upstream commit:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

The debdiffs are attached.

@Markus: Did you already submit the update for wheezy?

Cheers and Best Regards,
--
Felix Natter
debian/rules!
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Salvatore Bonaccorso writes:

> Hi Felix,

hello Salvatore,

> On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote:
>> On 01.04.2018 at 17:57, Felix Natter wrote:
>> [...]
>>> Thanks, done.
>>> BTW: Is it ok to close the bug with the stretch-security upload even if
>>> the jessie-security upload is still pending?
>>
>> Yes, that's ok. You can close the bug with both uploads.
>>
>>> What is there to do next?
>>
>> As soon as the security team has approved the changes, I can upload your
>> packages to security-master.
>
> Thanks for working on it, the issue is severe enough that it warrants
> a DSA. Could you send the security team alias
> (t...@security.debian.org) debdiffs resulting from the build and
> tested packages for a short review + ack?

The stretch update is here (branch stretch-CVE-2018-169):
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169=1

This is tested:
- activation log message is seen
- Save and Load XML works

In what format would you like the "tested packages"? *.deb?

Here is the upstream commit:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

The debdiff (for stretch-security) is attached.

I am still working on the jessie update, this could take until Saturday
(sorry for the delay).

Best Regards,
--
Felix Natter
debian/rules!
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Hi Felix,

On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote:
> On 01.04.2018 at 17:57, Felix Natter wrote:
> [...]
>> Thanks, done.
>> BTW: Is it ok to close the bug with the stretch-security upload even if
>> the jessie-security upload is still pending?
>
> Yes, that's ok. You can close the bug with both uploads.
>
>> What is there to do next?
>
> As soon as the security team has approved the changes, I can upload your
> packages to security-master.

Thanks for working on it, the issue is severe enough that it warrants
a DSA. Could you send the security team alias
(t...@security.debian.org) debdiffs resulting from the build and
tested packages for a short review + ack?

Regards,
Salvatore
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
On 01.04.2018 at 17:57, Felix Natter wrote:
[...]
> Thanks, done.
> BTW: Is it ok to close the bug with the stretch-security upload even if
> the jessie-security upload is still pending?

Yes, that's ok. You can close the bug with both uploads.

> What is there to do next?

As soon as the security team has approved the changes, I can upload your
packages to security-master.

>> Distribution should be stretch-security though and the urgency is high.
>> Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1
>
> I will do this soon, hopefully tomorrow.
>
> Cheers and Best Regards,

Regards,
Markus
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Markus Koschany writes:

> Hi Felix,

hello Markus,

> On 01.04.2018 at 16:23, Felix Natter wrote:
>> hello Markus,
>>
>> I have prepared the patched 1.5.18-1+deb9u1 for stretch.
>> I hope I got the version number right? The changelog entry is probably
>> not correct either. Can you advise what to read?
>>
>> I briefly tested saving+loading mindmaps.
>>
>> Here it is:
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
>> (branch stretch-CVE-2018-169 in the freeplane alioth repo).
>>
>> I am in the process of setting up a vbox instance for jessie to address
>> the other update.
>>
>> Cheers and Best Regards,
>
> The version is correct. I would write in your changelog:
>
> Fix CVE-2018-169: Wojciech Reguła discovered that FreePlane was
> affected by an XML External Entity (XXE) vulnerability in its mindmap
> loader that could compromise a user's machine by opening a specially
> crafted mind map file. (Closes: #893663)

Thanks, done.
BTW: Is it ok to close the bug with the stretch-security upload even if
the jessie-security upload is still pending?

What is there to do next?

> Distribution should be stretch-security though and the urgency is high.
> Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1

I will do this soon, hopefully tomorrow.

Cheers and Best Regards,
--
Felix Natter
debian/rules!
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Hi Felix,

On 01.04.2018 at 16:23, Felix Natter wrote:
> hello Markus,
>
> I have prepared the patched 1.5.18-1+deb9u1 for stretch.
> I hope I got the version number right? The changelog entry is probably
> not correct either. Can you advise what to read?
>
> I briefly tested saving+loading mindmaps.
>
> Here it is:
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
> (branch stretch-CVE-2018-169 in the freeplane alioth repo).
>
> I am in the process of setting up a vbox instance for jessie to address
> the other update.
>
> Cheers and Best Regards,

The version is correct. I would write in your changelog:

Fix CVE-2018-169: Wojciech Reguła discovered that FreePlane was
affected by an XML External Entity (XXE) vulnerability in its mindmap
loader that could compromise a user's machine by opening a specially
crafted mind map file. (Closes: #893663)

Distribution should be stretch-security though and the urgency is high.
Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1

Cheers,
Markus
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
hello Markus,

I have prepared the patched 1.5.18-1+deb9u1 for stretch.
I hope I got the version number right? The changelog entry is probably
not correct either. Can you advise what to read?

I briefly tested saving+loading mindmaps.

Here it is:
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-169
(branch stretch-CVE-2018-169 in the freeplane alioth repo).

I am in the process of setting up a vbox instance for jessie to address
the other update.

Cheers and Best Regards,
--
Felix Natter
debian/rules!
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
On 24.03.2018 at 11:32, Felix Natter wrote:
[...]
> Since I am hiking this weekend, would it be possible to do this as the
> first thing on the Easter weekend (next Friday)? I also need to fix the
> knopflerfish RC bug (#893221), I will look into that this morning.
>
> BTW: I *think* the patch should apply without major problems (the XML
> persistence hasn't changed much). But on the ant build systems (< 1.5)
> the sources are in /src/** instead of /src/main/java/**,
> so you can apply there with -p4 or something (and ignore the unmatched part
> for freeplane_plugin_script [1]). That part ([1]) can be applied
> manually.
> I will checkout the respective tag (debian/1.3.12-1, debian/1.5.18-1),
> create a branch from there ("jessie-security1", "stretch-security1"),
> import the patch, create a new changelog entry (will read about that)
> and test, ok?
>
> [1]
> freeplane_plugin_script/src/main/java/org/freeplane/plugin/script/ScriptingRegistration.java
>
> Cheers and Best Regards,

That's absolutely fine with me. Have a nice weekend!

Cheers,
Markus
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Markus Koschany writes:

> On 22.03.2018 at 20:52, Felix Natter wrote:
>> Markus Koschany writes:
>>
>>> Package: freeplane
>>> X-Debbugs-CC: t...@security.debian.org
>>> X-Debbugs-CC: fnat...@gmx.net
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>>
>> hello Markus,
>>
>>> the following vulnerability was published for freeplane. Apparently only
>>> stretch/jessie/wheezy might be affected.
>>
>> Thank you for paying attention to this, I completely overlooked this!
> Hi Markus,
> Thanks for your reply!
>
>>
>>> @Felix
>>> Can you tell us more about this vulnerability? There only seems to be a
>>> reference in freeplane's wiki.
>>
>> I think it is very well explained here:
>> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>>
>> In short: External identities are "includes" for XML documents that can
>> be specified in DTDs.
>>
>> Here is the commit that should fix it:
>> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>
> That's what we were looking for.
>
> [...]
>
>> I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
>> wheezy, jessie and stretch are affected.
>>
>> Shall I add the patch in git branches from the debian/X tags here?
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git
>> Or did you want to do this, Markus?
>
> Please prepare updates for Jessie and Stretch if time permits and I will
> upload the fix either as a security update, provided the security team
> agrees, or as a point-update. I will take care of Wheezy myself.

Since I am hiking this weekend, would it be possible to do this as the
first thing on the Easter weekend (next Friday)? I also need to fix the
knopflerfish RC bug (#893221), I will look into that this morning.

BTW: I *think* the patch should apply without major problems (the XML
persistence hasn't changed much). But on the ant build systems (< 1.5)
the sources are in /src/** instead of /src/main/java/**,
so you can apply there with -p4 or something (and ignore the unmatched part
for freeplane_plugin_script [1]). That part ([1]) can be applied
manually.
I will checkout the respective tag (debian/1.3.12-1, debian/1.5.18-1),
create a branch from there ("jessie-security1", "stretch-security1"),
import the patch, create a new changelog entry (will read about that)
and test, ok?

[1]
freeplane_plugin_script/src/main/java/org/freeplane/plugin/script/ScriptingRegistration.java

Cheers and Best Regards,
--
Felix Natter
debian/rules!
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
On 22.03.2018 at 20:52, Felix Natter wrote:
> Markus Koschany writes:
>
>> Package: freeplane
>> X-Debbugs-CC: t...@security.debian.org
>> X-Debbugs-CC: fnat...@gmx.net
>> Severity: important
>> Tags: security
>>
>> Hi,
>
> hello Markus,
>
>> the following vulnerability was published for freeplane. Apparently only
>> stretch/jessie/wheezy might be affected.
>
> Thank you for paying attention to this, I completely overlooked this!

Thanks for your reply!

>
>> @Felix
>> Can you tell us more about this vulnerability? There only seems to be a
>> reference in freeplane's wiki.
>
> I think it is very well explained here:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>
> In short: External identities are "includes" for XML documents that can
> be specified in DTDs.
>
> Here is the commit that should fix it:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f

That's what we were looking for.

[...]

> I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
> wheezy, jessie and stretch are affected.
>
> Shall I add the patch in git branches from the debian/X tags here?
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git
> Or did you want to do this, Markus?

Please prepare updates for Jessie and Stretch if time permits and I will
upload the fix either as a security update, provided the security team
agrees, or as a point-update. I will take care of Wheezy myself.

>
> I will read more about security updates on the weekend.
>
> Cheers and Best Regards,

Cheers,
Markus
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Markus Koschany writes:

> Package: freeplane
> X-Debbugs-CC: t...@security.debian.org
> X-Debbugs-CC: fnat...@gmx.net
> Severity: important
> Tags: security
>
> Hi,

hello Markus,

> the following vulnerability was published for freeplane. Apparently only
> stretch/jessie/wheezy might be affected.

Thank you for paying attention to this, I completely overlooked this!

> @Felix
> Can you tell us more about this vulnerability? There only seems to be a
> reference in freeplane's wiki.

I think it is very well explained here:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

In short: External identities are "includes" for XML documents that can
be specified in DTDs.

Here is the commit that should fix it:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

> https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser
>
> CVE-2018-169[0]:
> | FreePlane version 1.5.9 and earlier contains an XML External Entity
> | (XXE) vulnerability in XML Parser in mindmap loader that can result in
> | stealing data from victim's machine. This attack appears to require
> | the victim to open a specially crafted mind map file. This
> | vulnerability appears to have been fixed in 1.6+.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-169
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-169
>
> Please adjust the affected versions in the BTS as needed.

I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
wheezy, jessie and stretch are affected.

Shall I add the patch in git branches from the debian/X tags here?
https://anonscm.debian.org/cgit/pkg-java/freeplane.git
Or did you want to do this, Markus?

I will read more about security updates on the weekend.

Cheers and Best Regards,
--
Felix Natter
debian/rules!
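The bug class discussed above, shown as an added example that is not Freeplane's code and not the upstream fix: a DTD in a mind-map file declares an external entity, and a loader that honours DTDs will ask its parser to fetch whatever that entity points at. The example uses Python's standard-library expat binding rather than Freeplane's Java nanoxml parser; both sample maps are constructed, modelled on the <map>/<node TEXT=...> layout, and the SYSTEM id is a placeholder path.

```python
import xml.parsers.expat as expat

# Constructed sample, modelled on a Freeplane map: the DTD declares an
# external entity and "&ext;" asks the parser to fetch and inline it.
MALICIOUS_MAP = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE map [
  <!ENTITY ext SYSTEM "file:///tmp/constructed-example.txt">
]>
<map version="freeplane 1.5.9">
  <node TEXT="root">&ext;</node>
</map>
"""

# Constructed sample: the same map without a DTD, as the editor saves it.
CLEAN_MAP = """<?xml version="1.0" encoding="UTF-8"?>
<map version="freeplane 1.5.9">
  <node TEXT="root"><node TEXT="child"/></node>
</map>
"""


class UnsafeMapError(ValueError):
    """Raised when a map carries a DOCTYPE, which a mind map never needs."""


def parse_map(data, allow_doctype):
    """Return (node texts, system ids the parser asked to resolve).

    allow_doctype=True mimics an unhardened loader: the DTD is accepted
    and the parser calls back for every external entity it meets. Here
    only the system id is recorded; a real resolver would read that
    file or URL and splice its content into the document.
    allow_doctype=False is the hardened loader: any DOCTYPE is rejected
    before a single entity can be declared.
    """
    texts, external_refs = [], []
    parser = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise UnsafeMapError("DOCTYPE %r not allowed in a mind map" % name)

    def external_entity_ref(context, base, sysid, pubid):
        external_refs.append(sysid)  # what a resolving parser would fetch
        return 1                     # report success, supply no content

    def start_element(name, attrs):
        if name == "node" and "TEXT" in attrs:
            texts.append(attrs["TEXT"])

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.Parse(data, True)
    return texts, external_refs


def load_map_hardened(data):
    """The loader a packager wants: DTDs refused, so XXE cannot start."""
    return parse_map(data, allow_doctype=False)


def is_rejected(data):
    """True when the hardened loader refuses the document."""
    try:
        load_map_hardened(data)
    except UnsafeMapError:
        return True
    return False
```

Running parse_map(MALICIOUS_MAP, allow_doctype=True) shows the placeholder system id being requested, while load_map_hardened raises on the same input and still loads CLEAN_MAP normally.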
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Looking at the release-1.5.20 tag:

  Security fix related to scripts and formulas
  Security fix related to loading of mind map files
  Change short cuts for MacOS to avoid collisions

The fix might be:
https://github.com/freeplane/freeplane/commit/a5dce7f9f4d29675fb256053aee3858bf8d76001

Regards,
Salvatore
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
For reference: the issue is linked from the security advisory page at
https://www.freeplane.org/wiki/index.php/Fixed_security_vulnerabilities .

Although there is unfortunately no reference to the fixing commit (which
would have been good for downstreams to help), we know the versions fixed
are 1.5.20 and 1.6.1_17. That might help identifying the required fix.

HTH,

Regards,
Salvatore
Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Package: freeplane
X-Debbugs-CC: t...@security.debian.org
X-Debbugs-CC: fnat...@gmx.net
Severity: important
Tags: security

Hi,

the following vulnerability was published for freeplane. Apparently only
stretch/jessie/wheezy might be affected.

@Felix
Can you tell us more about this vulnerability? There only seems to be a
reference in freeplane's wiki.

https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser

CVE-2018-169[0]:
| FreePlane version 1.5.9 and earlier contains an XML External Entity
| (XXE) vulnerability in XML Parser in mindmap loader that can result in
| stealing data from victim's machine. This attack appears to require
| the victim to open a specially crafted mind map file. This
| vulnerability appears to have been fixed in 1.6+.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-169
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-169

Please adjust the affected versions in the BTS as needed.