Bug#927072: stretch-pu: package jabref/3.8.1+ds-3

2019-04-14 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sun, 2019-04-14 at 10:47 -0700, tony mancill wrote:
> This proposed update for jabref addresses CVE-2018-1000652 [1], for which
> no DSA will be issued [2].  The debdiff is attached.
> 
> Thank you,
> tony
> 
> [1] https://security-tracker.debian.org/tracker/CVE-2018-1000652
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921772#48

Please go ahead.

Regards,

Adam



Bug#927072: stretch-pu: package jabref/3.8.1+ds-3

2019-04-14 Thread tony mancill
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

Hello,

This proposed update for jabref addresses CVE-2018-1000652 [1], for which
no DSA will be issued [2].  The debdiff is attached.

Thank you,
tony

[1] https://security-tracker.debian.org/tracker/CVE-2018-1000652
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921772#48
diff -Nru jabref-3.8.1+ds/debian/changelog jabref-3.8.1+ds/debian/changelog
--- jabref-3.8.1+ds/debian/changelog2017-01-11 12:27:19.0 -0800
+++ jabref-3.8.1+ds/debian/changelog2019-02-10 11:25:26.0 -0800
@@ -1,3 +1,12 @@
+jabref (3.8.1+ds-3+deb9u1) stretch; urgency=medium
+
+  [ gregor herrmann & tony mancill ]
+  * Add patch from upstream commit to fix CVE-2018-1000652: XML External
+Entity attack.
+Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772)
+
+ -- gregor herrmann   Sun, 10 Feb 2019 20:25:26 +0100
+
 jabref (3.8.1+ds-3) unstable; urgency=medium
 
   * Remove postgresql entry from debian/maven.rules.
diff -Nru 
jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 
jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch
--- jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 
1969-12-31 16:00:00.0 -0800
+++ jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 
2019-02-10 11:25:26.0 -0800
@@ -0,0 +1,81 @@
+From 89f855d76713b4cd25ac0830c719cd61c511851e Mon Sep 17 00:00:00 2001
+From: Nick 
+Date: Mon, 30 Jul 2018 16:06:07 +
+Subject: [PATCH] Fix importer vulnerability (#4240)
+
+* Fix importer vulnerability
+Fixed issue #4229  where importer was vulnerable to XXE attacks by
+disabling DTDs along with adding warning to logger if features are
+unavailable. fixes #4229
+
+Bugs-Debian: https://bugs.debian.org/921772
+Bug: https://github.com/JabRef/jabref/issues/4229
+
+--- a/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
 b/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
+@@ -6,12 +6,15 @@
+ 
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
+ 
+ import net.sf.jabref.logic.importer.Importer;
+ import net.sf.jabref.logic.importer.ParserResult;
+ import net.sf.jabref.logic.msbib.MSBibDatabase;
+ import net.sf.jabref.logic.util.FileExtensions;
+ 
++import org.apache.commons.logging.Log;
++import org.apache.commons.logging.LogFactory;
+ import org.w3c.dom.Document;
+ import org.xml.sax.InputSource;
+ 
+@@ -23,6 +26,10 @@
+  */
+ public class MsBibImporter extends Importer {
+ 
++private static final Log LOGGER = LogFactory.getLog(MsBibImporter.class);
++private static final String DISABLEDTD = 
"http://apache.org/xml/features/disallow-doctype-decl;;
++private static final String DISABLEEXTERNALDTD = 
"http://apache.org/xml/features/nonvalidating/load-external-dtd;;
++
+ @Override
+ public boolean isRecognizedFormat(BufferedReader reader) throws 
IOException {
+ Objects.requireNonNull(reader);
+@@ -34,7 +41,7 @@
+  */
+ Document docin;
+ try {
+-DocumentBuilder dbuild = 
DocumentBuilderFactory.newInstance().newDocumentBuilder();
++DocumentBuilder dbuild = 
makeSafeDocBuilderFactory(DocumentBuilderFactory.newInstance()).newDocumentBuilder();
+ docin = dbuild.parse(new InputSource(reader));
+ } catch (Exception e) {
+ return false;
+@@ -65,4 +72,29 @@
+ return "Importer for the MS Office 2007 XML bibliography format.";
+ }
+ 
++/**
++ * DocumentBuilderFactory makes a XXE safe Builder factory from dBuild. 
If not supported by current
++ * XML then returns original builder given and logs error.
++ * @param dBuild | DocumentBuilderFactory to be made XXE safe.
++ * @return If supported, XXE safe DocumentBuilderFactory. Else, returns 
original builder given
++ */
++private DocumentBuilderFactory 
makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
++String feature = null;
++
++try {
++feature = DISABLEDTD;
++dBuild.setFeature(feature, true);
++
++feature = DISABLEEXTERNALDTD;
++dBuild.setFeature(feature, false);
++
++dBuild.setXIncludeAware(false);
++dBuild.setExpandEntityReferences(false);
++
++} catch (ParserConfigurationException e) {
++LOGGER.warn("Builder not fully configured. Feature:'" + feature + 
"' is probably not supported by current XML processor.", e);
++}
++
++return dBuild;
++}
+ }
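Review bot: The hardening in `makeSafeDocBuilderFactory` is all-or-nothing: if `setFeature(DISABLEDTD, true)` throws `ParserConfigurationException`, the single catch skips `load-external-dtd`, `setXIncludeAware(false)` and `setExpandEntityReferences(false)`, logs a warning, and returns the untouched factory, so `isRecognizedFormat` goes on to parse attacker-supplied input with an unhardened builder. Both feature URIs are Xerces-specific, while the SAX-standard `http://xml.org/sax/features/external-general-entities` and `external-parameter-entities` switches that are normally set alongside them are not set at all. I would apply each setting independently so one unsupported feature does not disable the others, and consider failing closed (letting the exception propagate, which the caller's `catch (Exception e) { return false; }` already turns into "not recognized") rather than warn-and-continue. Whether other XML importers in this version build their `DocumentBuilderFactory` the same way is not visible in this hunk and would be worth checking.
```java
    private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
        // Apply each hardening on its own so an unsupported feature does not skip the rest.
        setFeatureOrWarn(dBuild, DISABLEDTD, true);
        setFeatureOrWarn(dBuild, DISABLEEXTERNALDTD, false);
        setFeatureOrWarn(dBuild, "http://xml.org/sax/features/external-general-entities", false);
        setFeatureOrWarn(dBuild, "http://xml.org/sax/features/external-parameter-entities", false);
        dBuild.setXIncludeAware(false);
        dBuild.setExpandEntityReferences(false);
        return dBuild;
    }

    private static void setFeatureOrWarn(DocumentBuilderFactory dBuild, String feature, boolean value) {
        try {
            dBuild.setFeature(feature, value);
        } catch (ParserConfigurationException e) {
            LOGGER.warn("Feature '" + feature + "' is not supported by the current XML processor; "
                    + "importer is not fully hardened against XXE.", e);
        }
    }
```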
diff -Nru jabref-3.8.1+ds/debian/patches/series 
jabref-3.8.1+ds/debian/patches/series
--- jabref-3.8.1+ds/debian/patches/series   2017-01-11 12:27:19.0 
-0800
+++ jabref-3.8.1+ds/debian/patches/series   2019-02-10