
libpdfbox-java security update



Hi,

I have prepared a security update for libpdfbox-java (Jessie). Please
find attached the proposed debdiff.

Regards,

Markus
diff -Nru libpdfbox-java-1.8.7+dfsg/debian/changelog libpdfbox-java-1.8.7+dfsg/debian/changelog
--- libpdfbox-java-1.8.7+dfsg/debian/changelog	2014-09-19 17:22:46.000000000 +0200
+++ libpdfbox-java-1.8.7+dfsg/debian/changelog	2016-06-12 14:43:29.000000000 +0200
@@ -1,3 +1,16 @@
+libpdfbox-java (1:1.8.7+dfsg-1+deb8u1) jessie-security; urgency=high
+
+  * Team upload
+  * Fix CVE-2016-2175:
+    Apache PDFBox did not properly initialize the XML parsers, which allows
+    context-dependent attackers to conduct XML External Entity (XXE) attacks
+    via a crafted PDF. This may lead to the disclosure of confidential data,
+    denial of service, server side request forgery, port scanning from the
+    perspective of the machine where the parser is located, and other system
+    impacts.
+
+ -- Markus Koschany <apo@debian.org>  Sun, 12 Jun 2016 14:42:07 +0200
+
 libpdfbox-java (1:1.8.7+dfsg-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru libpdfbox-java-1.8.7+dfsg/debian/patches/CVE-2016-2175.patch libpdfbox-java-1.8.7+dfsg/debian/patches/CVE-2016-2175.patch
--- libpdfbox-java-1.8.7+dfsg/debian/patches/CVE-2016-2175.patch	1970-01-01 01:00:00.000000000 +0100
+++ libpdfbox-java-1.8.7+dfsg/debian/patches/CVE-2016-2175.patch	2016-06-12 14:43:29.000000000 +0200
@@ -0,0 +1,98 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sun, 12 Jun 2016 14:40:37 +0200
+Subject: CVE-2016-2175
+
+Properly initialize the xml parsers.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1739564
+---
+ jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java        | 6 ++++++
+ .../java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java    | 6 ++++++
+ pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java          | 6 ++++++
+ xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java      | 8 ++++++--
+ 4 files changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java b/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
+index 07db2b7..8759902 100644
+--- a/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
++++ b/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
+@@ -71,6 +71,12 @@ public class XMLUtil
+         try
+         {
+             DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
++            builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
++            builderFactory.setFeature("http://xml.org/sax/features/external-general-entities";, false);
++            builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities";, false);
++            builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";, false);
++            builderFactory.setXIncludeAware(false);
++            builderFactory.setExpandEntityReferences(false);
+             DocumentBuilder builder = builderFactory.newDocumentBuilder();
+             return builder.parse( is );
+         }
+diff --git a/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java b/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java
+index 23cdf71..d1c7be0 100644
+--- a/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java
++++ b/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java
+@@ -148,6 +148,12 @@ public class PDXFA implements COSObjectable
+     public Document getDocument() throws ParserConfigurationException, SAXException, IOException 
+     {
+         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
++        factory.setFeature("http://xml.org/sax/features/external-general-entities";, false);
++        factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, false);
++        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";, false);
++        factory.setXIncludeAware(false);
++        factory.setExpandEntityReferences(false);
+         factory.setNamespaceAware(true);
+         DocumentBuilder builder = factory.newDocumentBuilder();
+         Document xfaDocument = builder.parse(new ByteArrayInputStream(this.getBytes())); 
+diff --git a/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java b/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
+index ae6c6df..49a207b 100644
+--- a/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
++++ b/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
+@@ -56,6 +56,12 @@ public class XMLUtil
+         try
+         {
+             DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
++            builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
++            builderFactory.setFeature("http://xml.org/sax/features/external-general-entities";, false);
++            builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities";, false);
++            builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";, false);
++            builderFactory.setXIncludeAware(false);
++            builderFactory.setExpandEntityReferences(false);
+             DocumentBuilder builder = builderFactory.newDocumentBuilder();
+             return builder.parse( is );
+         }
+diff --git a/xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java b/xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java
+index b0256f4..5ee4a9c 100644
+--- a/xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java
++++ b/xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java
+@@ -67,7 +67,6 @@ import org.xml.sax.SAXException;
+ 
+ public class DomXmpParser
+ {
+-
+     private DocumentBuilder dBuilder;
+ 
+     private NamespaceFinder nsFinder;
+@@ -79,6 +78,12 @@ public class DomXmpParser
+         try
+         {
+             DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
++            dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
++            dbFactory.setFeature("http://xml.org/sax/features/external-general-entities";, false);
++            dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities";, false);
++            dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";, false);
++            dbFactory.setXIncludeAware(false);
++            dbFactory.setExpandEntityReferences(false);
+             dbFactory.setNamespaceAware(true);
+             dBuilder = dbFactory.newDocumentBuilder();
+             nsFinder = new NamespaceFinder();
+@@ -87,7 +92,6 @@ public class DomXmpParser
+         {
+             throw new XmpParsingException(ErrorType.Configuration, "Failed to initilalize", e);
+         }
+-
+     }
+ 
+     public boolean isStrictParsing()
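Review bot: Every new setFeature line in this patch reads `...disallow-doctype-decl";, true)`, which is not valid Java as shown; the stray `;` appears only directly after each quoted URL, so it is probably the list archive's URL auto-linker rather than the patch file, but the applied patch should be checked to carry `builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and likewise for the other three features. `DocumentBuilderFactory.setFeature` throws `ParserConfigurationException` when the JAXP implementation does not recognise these Xerces-specific feature names; `PDXFA.getDocument` declares that exception and the `DomXmpParser` constructor wraps it in `XmpParsingException`, but in both XMLUtil hunks the catch clauses of the enclosing `try` are outside the hunk, so confirm they handle it and do not let the hardening turn into an unexpected unchecked failure. Since `disallow-doctype-decl` makes any XMP or XFA payload containing a DOCTYPE fail to parse, a short comment above each group, such as `// CVE-2016-2175: block DTDs and external entities (XXE); input with a DOCTYPE is rejected`, would record the intent and the behaviour change for later maintainers.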
diff -Nru libpdfbox-java-1.8.7+dfsg/debian/patches/series libpdfbox-java-1.8.7+dfsg/debian/patches/series
--- libpdfbox-java-1.8.7+dfsg/debian/patches/series	2014-09-19 17:22:46.000000000 +0200
+++ libpdfbox-java-1.8.7+dfsg/debian/patches/series	2016-06-12 14:43:29.000000000 +0200
@@ -1,3 +1,4 @@
 build.xml.patch
 build-subproject-docs.patch
 bc-1.47.patch
+CVE-2016-2175.patch


