
ebourg-guest pushed a commit to branch master
in repository libxalan2-java.

commit 24b0d42e39a9780f53f01ed8f8e5b282ff1e6948
Author: Emmanuel Bourg <ebo...@apache.org>
Date:   Tue Mar 25 14:21:38 2014 +0000

    Fix CVE-2014-0107: Remote code execution
---
 debian/changelog                   |   4 ++
 debian/patches/CVE-2014-0107.patch | 124 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   2 +-
 3 files changed, 129 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index e726ab4..3cac6f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,10 @@
 libxalan2-java (2.7.1-9) UNRELEASED; urgency=medium
 
   * Team upload.
+  * Fix CVE-2014-0107: Strengthen the secure processing mode by disabling
+    external general entities, foreign attributes and access to the system
+    properties. This could be exploited to execute arbitrary code remotely.
+    (Closes: #742577)
   * debian/control:
     - Standards-Version updated to 3.9.5 (no changes)
     - Use canonical URLs for the Vcs-* fields
diff --git a/debian/patches/CVE-2014-0107.patch 
b/debian/patches/CVE-2014-0107.patch
new file mode 100644
index 0000000..85ccb68
--- /dev/null
+++ b/debian/patches/CVE-2014-0107.patch
@@ -0,0 +1,124 @@
+Description: Fix for CVE-2014-0107: Strengthen the secure processing mode by
+ disabling external general entities, foreign attributes and access to the
+ system properties. This could be exploited to execute arbitrary code remotely.
+Origin: https://svn.apache.org/r1581058
+Bug-Debian: https://bugs.debian.org/742577
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@
+     try
+     {
+       if (sroot.getExtensions() != null)
+-        m_extensionsTable = new ExtensionsTable(sroot);
++        //only load extensions if secureProcessing is disabled
++        if(!sroot.isSecureProcessing())
++            m_extensionsTable = new ExtensionsTable(sroot);
+     }
+     catch (javax.xml.transform.TransformerException te)
+     {te.printStackTrace();}
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,29 @@
+       }
+       else
+       {
+-        // Can we switch the order here:
+-
+-        boolean success = attrDef.setAttrValue(handler, attrUri, 
attrLocalName,
+-                             attributes.getQName(i), attributes.getValue(i),
+-                             target);
+-                             
+-        // Now we only add the element if it passed a validation check
+-        if (success)
+-            processedDefs.add(attrDef);
++        //handle secure processing
++        if(attrDef.getName().compareTo("*")==0 && 
handler.getStylesheetProcessor().isSecureProcessing())
++        {
++            //foreign attributes are not allowed in secure processing mode
++            // Then barf, because this element does not allow this attribute.
++            handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new 
Object[]{attributes.getQName(i), rawName}, 
null);//"\""+attributes.getQName(i)+"\""
++            //+ " attribute is not allowed on the " + rawName
++            // + " element!", null);
++        }
+         else
+-            errorDefs.add(attrDef);
++        {
++
++
++            boolean success = attrDef.setAttrValue(handler, attrUri, 
attrLocalName,
++                                 attributes.getQName(i), 
attributes.getValue(i),
++                                 target);
++
++            // Now we only add the element if it passed a validation check
++            if (success)
++                processedDefs.add(attrDef);
++            else
++                errorDefs.add(attrDef);
++        }
+       }
+     }
+ 
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@
+           reader = XMLReaderFactory.createXMLReader();
+         }
+ 
++        if(m_isSecureProcessing)
++        {
++            
reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++        }
+         // Need to set options!
+         reader.setContentHandler(handler);
+         reader.parse(isource);
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@
+ 
+     String fullName = m_arg0.execute(xctxt).str();
+     int indexOfNSSep = fullName.indexOf(':');
+-    String result;
++    String result = null;
+     String propName = "";
+ 
+     // List of properties where the name of the
+@@ -98,8 +98,17 @@
+ 
+         try
+         {
+-          result = System.getProperty(propName);
+-
++          //if secure procession is enabled only handle required properties 
do not not map any valid system property
++          if(!xctxt.isSecureProcessing())
++          {
++            result = System.getProperty(propName);
++          }
++          else
++          {
++            warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++                 new Object[]{ propName });  //"SecurityException when trying 
to access XSL system property: "+propName);
++            result = xsltInfo.getProperty(propName);
++          }
+           if (null == result)
+           {
+ 
+@@ -120,8 +129,17 @@
+     {
+       try
+       {
+-        result = System.getProperty(fullName);
+-
++        //if secure procession is enabled only handle required properties do 
not not map any valid system property
++        if(!xctxt.isSecureProcessing())
++        {
++          result = System.getProperty(fullName);
++        }
++        else
++        {
++          warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++               new Object[]{ fullName });  //"SecurityException when trying 
to access XSL system property: "+fullName);
++          result = xsltInfo.getProperty(fullName);
++        }
+         if (null == result)
+         {
+ 
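Review bot: The secure-processing hardening in the TransformerFactoryImpl part of this patch disables only `http://xml.org/sax/features/external-general-entities`; external parameter entities and external DTD loading stay enabled on the reader, so a stylesheet's DOCTYPE can still cause external content to be fetched while secure processing is on. I would set `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` in the same `if(m_isSecureProcessing)` block, and on Xerces-based readers also turn off `http://apache.org/xml/features/nonvalidating/load-external-dtd`. `setFeature` can throw `SAXNotRecognizedException`/`SAXNotSupportedException` on a reader that does not implement the feature; the enclosing method starts and ends outside the hunk, so whether that is caught is not visible here, but a reader that rejects the feature should fail closed rather than continue the parse. In the TransformerImpl part, extensions declared by the stylesheet are now dropped silently under secure processing, which presumably surfaces later as an unrelated error — a warning at the point of the skipped `new ExtensionsTable(sroot)` would make the cause easier to diagnose. As style points, `attrDef.getName().compareTo("*")==0` in XSLTElementProcessor reads more idiomatically as `"*".equals(attrDef.getName())`, and the added FuncSystemProperty comments ("secure procession", "do not not map") carry typos worth fixing before this lands.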
diff --git a/debian/patches/series b/debian/patches/series
index 385dc21..1d5fa85 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,2 @@
 build.patch
-
+CVE-2014-0107.patch


