This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch master in repository libxalan2-java.
commit 24b0d42e39a9780f53f01ed8f8e5b282ff1e6948
Author: Emmanuel Bourg <ebo...@apache.org>
Date: Tue Mar 25 14:21:38 2014 +0000
Fix CVE-2014-0107: Remote code execution
---
 debian/changelog | 4 ++
 debian/patches/CVE-2014-0107.patch | 124 +++++++++++++++++++++++++++++++++++++
 debian/patches/series | 2 +-
 3 files changed, 129 insertions(+), 1 deletion(-)
diff --git a/debian/changelog b/debian/changelog
index e726ab4..3cac6f8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,10 @@
 libxalan2-java (2.7.1-9) UNRELEASED; urgency=medium
 * Team upload.
+ * Fix CVE-2014-0107: Strengthen the secure processing mode by disabling
+ external general entities, foreign attributes and access to the system
+ properties. This could be exploited to execute arbitrary code remotely.
+ (Closes: #742577)
 * debian/control:
 - Standards-Version updated to 3.9.5 (no changes)
 - Use canonical URLs for the Vcs-* fields
diff --git a/debian/patches/CVE-2014-0107.patch b/debian/patches/CVE-2014-0107.patch
new file mode 100644
index 0000000..85ccb68
--- /dev/null
+++ b/debian/patches/CVE-2014-0107.patch
@@ -0,0 +1,124 @@
+Description: Fix for CVE-2014-0107: Strengthen the secure processing mode by
+ disabling external general entities, foreign attributes and access to the
+ system properties. This could be exploited to execute arbitrary code remotely.
+Origin: https://svn.apache.org/r1581058
+Bug-Debian: https://bugs.debian.org/742577
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@
+ try
+ {
+ if (sroot.getExtensions() != null)
+- m_extensionsTable = new ExtensionsTable(sroot);
++ //only load extensions if secureProcessing is disabled
++ if(!sroot.isSecureProcessing())
++ m_extensionsTable = new ExtensionsTable(sroot);
+ }
+ catch (javax.xml.transform.TransformerException te)
+ {te.printStackTrace();}
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,29 @@
+ }
+ else
+ {
+- // Can we switch the order here:
+-
+- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+- attributes.getQName(i), attributes.getValue(i),
+- target);
+-
+- // Now we only add the element if it passed a validation check
+- if (success)
+- processedDefs.add(attrDef);
++ //handle secure processing
++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++ {
++ //foreign attributes are not allowed in secure processing mode
++ // Then barf, because this element does not allow this attribute.
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++ //+ " attribute is not allowed on the " + rawName
++ // + " element!", null);
++ }
+ else
+- errorDefs.add(attrDef);
++ {
++
++
++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++ attributes.getQName(i), attributes.getValue(i),
++ target);
++
++ // Now we only add the element if it passed a validation check
++ if (success)
++ processedDefs.add(attrDef);
++ else
++ errorDefs.add(attrDef);
++ }
+ }
+ }
+
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@
+ reader = XMLReaderFactory.createXMLReader();
+ }
+
++ if(m_isSecureProcessing)
++ {
++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++ }
+ // Need to set options!
+ reader.setContentHandler(handler);
+ reader.parse(isource);
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@
+
+ String fullName = m_arg0.execute(xctxt).str();
+ int indexOfNSSep = fullName.indexOf(':');
+- String result;
++ String result = null;
+ String propName = "";
+
+ // List of properties where the name of the
+@@ -98,8 +98,17 @@
+
+ try
+ {
+- result = System.getProperty(propName);
+-
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(propName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ propName }); //"SecurityException when trying to access XSL system property: "+propName);
++ result = xsltInfo.getProperty(propName);
++ }
+ if (null == result)
+ {
+
+@@ -120,8 +129,17 @@
+ {
+ try
+ {
+- result = System.getProperty(fullName);
+-
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(fullName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ result = xsltInfo.getProperty(fullName);
++ }
+ if (null == result)
+ {
+
diff --git a/debian/patches/series b/debian/patches/series
index 385dc21..1d5fa85 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,2 @@
 build.patch
-
+CVE-2014-0107.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libxalan2-java.git
_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
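Review bot: In the TransformerFactoryImpl hunk of the added patch, secure processing only clears `http://xml.org/sax/features/external-general-entities`; external parameter entities and external DTD loading are left enabled, so a stylesheet parsed in secure mode can still pull in external content through its DTD. Next to the existing call, also set `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and, where the reader is a Xerces parser, `reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`. `setFeature` may throw `SAXNotRecognizedException`/`SAXNotSupportedException` on readers that do not know a feature; the enclosing method starts outside the hunk, so whether those are caught or declared cannot be seen here. On a smaller point, `attrDef.getName().compareTo("*")==0` in the XSLTElementProcessor hunk reads more naturally as `attrDef.getName().equals("*")`, and the FuncSystemProperty comment `//if secure procession is enabled ... do not not map ...` is duplicated in both hunks with typos that a later reader will trip over.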