
Bug#1053461: marked as done (bookworm-pu: package openrefine/3.6.2-2+deb12u2)



Your message dated Sat, 09 Dec 2023 10:20:37 +0000
with message-id <83d3a3621a56b9af1e20d36ee9d390a46ab64a8a.camel@adam-barratt.org.uk>
and subject line Closing requests for updates included in 12.3 point release
has caused the Debian Bug report #1053461,
regarding bookworm-pu: package openrefine/3.6.2-2+deb12u2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1053461: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053461
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org

[ Reason ]

Fixing CVE-2023-41886 and CVE-2023-41887.

OpenRefine is a powerful free, open source tool for working with messy
data. Prior to this version, a remote code execution vulnerability
allows any unauthenticated user to execute code on the server.

[ Tests ]

I have verified that the new test case works as expected.

[ Risks ]

Low, leaf package, all tests work as expected.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Other info ]

Please note that I have previously uploaded another bookworm-pu,
#1051429, to fix CVE-2023-37476. This update addresses the new CVE
mentioned in this bug report. CVE-2023-37476 has been fixed with
3.6.2-2+deb12u1 already.
diff --git a/debian/changelog b/debian/changelog
index 16033d8..37acbbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openrefine (3.6.2-2+deb12u2) bookworm; urgency=medium
+
+  * Fix CVE-2023-41887 and CVE-2023-41886:
+    OpenRefine is a powerful free, open source tool for working with messy
+    data. Prior to this version, a remote code execution vulnerability allows
+    any unauthenticated user to execute code on the server.
+
+ -- Markus Koschany <apo@debian.org>  Wed, 04 Oct 2023 15:02:45 +0200
+
 openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium
 
   * Fix CVE-2023-37476:
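
Review bot: the new changelog entry repeats the advisory text ("Prior to this version, a remote code execution vulnerability allows ...") but does not say what the upload changes. Add a line stating that the database extension now builds its JDBC URLs through java.net.URI (the new DatabaseConfiguration.toURI()) and that debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch was added, so the entry is useful to someone reading only the changelog.
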
diff --git a/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
new file mode 100644
index 0000000..274b758
--- /dev/null
+++ b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
@@ -0,0 +1,183 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 4 Oct 2023 14:39:55 +0200
+Subject: CVE-2023-41887 and CVE-2023-41886
+
+Origin: https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511
+---
+ .../extension/database/DatabaseConfiguration.java   | 16 ++++++++++++++++
+ .../database/mariadb/MariaDBConnectionManager.java  | 12 +-----------
+ .../database/mysql/MySQLConnectionManager.java      | 11 +----------
+ .../database/pgsql/PgSQLConnectionManager.java      | 11 +----------
+ .../database/sqlite/SQLiteConnectionManager.java    |  9 ++++++++-
+ .../database/DatabaseConfigurationTest.java         | 21 +++++++++++++++++++++
+ 6 files changed, 48 insertions(+), 32 deletions(-)
+ create mode 100644 extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+
+diff --git a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+index 47dad7f..3f0dd57 100644
+--- a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
++++ b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+@@ -29,6 +29,9 @@
+ package com.google.refine.extension.database;
+ 
+ 
++import java.net.URI;
++import java.net.URISyntaxException;
++
+ public class DatabaseConfiguration {
+     
+     private String connectionName;
+@@ -128,4 +131,17 @@ public class DatabaseConfiguration {
+     
+     
+ 
++    public URI toURI() {
++        try {
++            return new URI(
++                    "jdbc:" + databaseType.toLowerCase(),
++                    databaseHost + ((databasePort == 0) ? "" : (":" + databasePort)),
++                    "/" + databaseName,
++                    useSSL ? "useSSL=true" : null,
++                    null
++            );
++        } catch (URISyntaxException e) {
++            throw new IllegalArgumentException(e);
++        }
++    }
+ }
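
Review bot: in toURI(), databaseType is concatenated straight into the scheme argument ("jdbc:" + databaseType.toLowerCase()) with no check, and the new test only shows escaping for databaseName. Validate databaseType against the database types the extension supports before building the URI, and handle a null value explicitly instead of letting toLowerCase() throw a NullPointerException. toLowerCase() is also called without a Locale, so the result depends on the JVM default locale; pass Locale.ROOT.
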
+diff --git a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
+index 4af014a..04c7dc8 100644
+--- a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
++++ b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
+@@ -139,7 +139,7 @@ public class MariaDBConnectionManager {
+ 
+             Class.forName(type.getClassPath());
+             DriverManager.setLoginTimeout(10);
+-            String dbURL = getDatabaseUrl(databaseConfiguration);
++            String dbURL = databaseConfiguration.toURI().toString();
+             connection = DriverManager.getConnection(dbURL, databaseConfiguration.getDatabaseUser(),
+                     databaseConfiguration.getDatabasePassword());
+ 
+@@ -173,14 +173,4 @@ public class MariaDBConnectionManager {
+         }
+  
+     }
+-    
+-
+-   
+-    private static String getDatabaseUrl(DatabaseConfiguration dbConfig) {
+-       
+-            int port = dbConfig.getDatabasePort();
+-            return "jdbc:" + dbConfig.getDatabaseType().toLowerCase() + "://" + dbConfig.getDatabaseHost()
+-                    + ((port == 0) ? "" : (":" + port)) + "/" + dbConfig.getDatabaseName();
+-        
+-    }
+ }
+diff --git a/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java
+index 9e81fd2..ac11dfe 100644
+--- a/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java
++++ b/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java
+@@ -131,7 +131,7 @@ public class MySQLConnectionManager {
+                     return connection;
+                 }
+             }
+-            String dbURL = getDatabaseUrl(databaseConfiguration);
++            String dbURL = databaseConfiguration.toURI().toString();
+             Class.forName(type.getClassPath());
+             
+             //logger.info("*** type.getClassPath() ::{}, {}**** ", type.getClassPath());
+@@ -171,13 +171,4 @@ public class MySQLConnectionManager {
+         }
+  
+     }
+-    
+-   
+-    private  String getDatabaseUrl(DatabaseConfiguration dbConfig) {
+-       
+-            int port = dbConfig.getDatabasePort();
+-            return "jdbc:" + dbConfig.getDatabaseType() + "://" + dbConfig.getDatabaseHost()
+-                    + ((port == 0) ? "" : (":" + port)) + "/" + dbConfig.getDatabaseName() + "?useSSL=" + dbConfig.isUseSSL();
+-        
+-    }
+ }
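
Review bot: the removed getDatabaseUrl() always appended "?useSSL=" + dbConfig.isUseSSL(), so useSSL=false was sent explicitly, whereas toURI() adds the query only when useSSL is true. With useSSL unset the driver default now applies, which is a behaviour change for existing MySQL connections that neither the patch description nor the changelog mentions. Either keep emitting useSSL=false for MySQL or document the change. The old helper also did not lower-case the database type, which toURI() now does.
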
+diff --git a/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java
+index bef6c9a..156997f 100644
+--- a/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java
++++ b/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java
+@@ -142,7 +142,7 @@ public class PgSQLConnectionManager {
+ 
+             Class.forName(type.getClassPath());
+             DriverManager.setLoginTimeout(10);
+-            String dbURL = getDatabaseUrl(databaseConfiguration);
++            String dbURL = databaseConfiguration.toURI().toString();
+             connection = DriverManager.getConnection(dbURL, databaseConfiguration.getDatabaseUser(),
+                     databaseConfiguration.getDatabasePassword());
+ 
+@@ -173,13 +173,4 @@ public class PgSQLConnectionManager {
+         }
+  
+     }
+-  
+-   
+-    private static String getDatabaseUrl(DatabaseConfiguration dbConfig) {
+-       
+-            int port = dbConfig.getDatabasePort();
+-            return "jdbc:" + dbConfig.getDatabaseType().toLowerCase() + "://" + dbConfig.getDatabaseHost()
+-                    + ((port == 0) ? "" : (":" + port)) + "/" + dbConfig.getDatabaseName();
+-        
+-    }
+ }
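
Review bot: the helper removed here (and the identical one removed from MariaDBConnectionManager) never added a query string, while toURI() appends useSSL=true whenever useSSL is set. Confirm that both drivers accept that parameter name, or build the query per driver, and add a toURI() test with useSSL enabled so the new query component is covered.
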
+diff --git a/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java
+index 5b9b4cf..7d42e00 100644
+--- a/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java
++++ b/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java
+@@ -35,6 +35,8 @@ import com.google.refine.extension.database.SQLType;
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+ 
++import java.net.URI;
++import java.net.URISyntaxException;
+ import java.sql.Connection;
+ import java.sql.DriverManager;
+ import java.sql.SQLException;
+@@ -66,7 +68,12 @@ public class SQLiteConnectionManager {
+     }
+ 
+     public static String getDatabaseUrl(DatabaseConfiguration dbConfig) {
+-        return "jdbc:" + dbConfig.getDatabaseType().toLowerCase() + ":" + dbConfig.getDatabaseName();
++        try {
++            URI uri = new URI("jdbc:" + dbConfig.getDatabaseType().toLowerCase(), dbConfig.getDatabaseName(), null);
++            return uri.toASCIIString();
++        } catch (URISyntaxException e) {
++            throw new IllegalArgumentException(e);
++        }
+     }
+ 
+     /**
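
Review bot: getDatabaseUrl() here does not go through toURI(); it uses the three-argument URI constructor with the database name as the scheme-specific part, and nothing in this patch tests that path. In that constructor "?" is a legal character and is left unescaped, so the escaping asserted in testToURI does not carry over to SQLite names. Add a test for SQLiteConnectionManager.getDatabaseUrl() with the same crafted name and with a file name containing a space, and check that the SQLite driver still opens files whose names are now percent-encoded. This method also returns toASCIIString() while the other managers use toString(); pick one.
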
+diff --git a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+new file mode 100644
+index 0000000..5a571e8
+--- /dev/null
++++ b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+@@ -0,0 +1,21 @@
++package com.google.refine.extension.database;
++
++import org.testng.annotations.Test;
++
++import static org.testng.Assert.assertEquals;
++
++public class DatabaseConfigurationTest {
++
++    @Test
++    public void testToURI() {
++        DatabaseConfiguration config = new DatabaseConfiguration();
++        config.setDatabaseType("mysql");
++        config.setDatabaseHost("my.host");
++        // maliciously crafted database name which attempts to enable local file reads for an exploit
++        config.setDatabaseName("test?allowLoadLocalInfile=true#");
++
++        String url = config.toURI().toString();
++        // the database name is escaped, preventing the exploit
++        assertEquals(url, "jdbc:mysql://my.host/test%3FallowLoadLocalInfile=true%23");
++    }
++}
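
Review bot: testToURI() covers a single input, a crafted databaseName for "mysql" with no port and useSSL unset. Add cases for a non-zero databasePort, useSSL set to true, a databaseHost containing "/", "?" or "#", and a database name containing a space, so that every argument toURI() passes to the URI constructor is exercised.
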
diff --git a/debian/patches/series b/debian/patches/series
index 2657037..ff5e387 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ log4j-api.patch
 no-java-files.patch
 gdata-extension.patch
 CVE-2023-37476.patch
+CVE-2023-41887-and-CVE-2023-41886.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.3

Hi,

Each of the updates discussed in these requests was included in this
morning's 12.3 bookworm point release.

Regards,

Adam

--- End Message ---
