- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package openrefine/3.6.2-2+deb12u1
- From: Markus Koschany <apo@debian.org>
- Date: Wed, 04 Oct 2023 15:37:30 +0200
- Message-id: <169642665023.70255.4540169254494652638.reportbug@faye>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org
[ Reason ]
Fixing CVE-2023-41886 and CVE-2023-41887.
OpenRefine is a powerful free, open source tool for working with messy
data. Prior to this version, a remote code execution vulnerability
allows any unauthenticated user to execute code on the server.
[ Tests ]
I have verified that the new test case works as expected.
[ Risks ]
Low, leaf package, all tests work as expected.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Other info ]
Please note that I have previously uploaded another bookworm-pu,
#1051429, to fix CVE-2023-37476. This update addresses the new CVEs
mentioned in this bug report. CVE-2023-37476 has already been fixed in
3.6.2-2+deb12u1.
diff --git a/debian/changelog b/debian/changelog
index 16033d8..37acbbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openrefine (3.6.2-2+deb12u2) bookworm; urgency=medium
+
+ * Fix CVE-2023-41887 and CVE-2023-41886:
+ OpenRefine is a powerful free, open source tool for working with messy
+ data. Prior to this version, a remote code execution vulnerability allows
+ any unauthenticated user to execute code on the server.
+
+ -- Markus Koschany <apo@debian.org> Wed, 04 Oct 2023 15:02:45 +0200
+
openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium
* Fix CVE-2023-37476:
diff --git a/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
new file mode 100644
index 0000000..274b758
--- /dev/null
+++ b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
@@ -0,0 +1,183 @@
+From: Markus Koschany <apo@debian.org>
+Date: Wed, 4 Oct 2023 14:39:55 +0200
+Subject: CVE-2023-41887 and CVE-2023-41886
+
+Origin: https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511
+---
+ .../extension/database/DatabaseConfiguration.java | 16 ++++++++++++++++
+ .../database/mariadb/MariaDBConnectionManager.java | 12 +-----------
+ .../database/mysql/MySQLConnectionManager.java | 11 +----------
+ .../database/pgsql/PgSQLConnectionManager.java | 11 +----------
+ .../database/sqlite/SQLiteConnectionManager.java | 9 ++++++++-
+ .../database/DatabaseConfigurationTest.java | 21 +++++++++++++++++++++
+ 6 files changed, 48 insertions(+), 32 deletions(-)
+ create mode 100644 extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+
+diff --git a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+index 47dad7f..3f0dd57 100644
+--- a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
++++ b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+@@ -29,6 +29,9 @@
+ package com.google.refine.extension.database;
+
+
++import java.net.URI;
++import java.net.URISyntaxException;
++
+ public class DatabaseConfiguration {
+
+ private String connectionName;
+@@ -128,4 +131,17 @@ public class DatabaseConfiguration {
+
+
+
++ public URI toURI() {
++ try {
++ return new URI(
++ "jdbc:" + databaseType.toLowerCase(),
++ databaseHost + ((databasePort == 0) ? "" : (":" + databasePort)),
++ "/" + databaseName,
++ useSSL ? "useSSL=true" : null,
++ null
++ );
++ } catch (URISyntaxException e) {
++ throw new IllegalArgumentException(e);
++ }
++ }
+ }
+diff --git a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
+index 4af014a..04c7dc8 100644
+--- a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
++++ b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java
+@@ -139,7 +139,7 @@ public class MariaDBConnectionManager {
+
+ Class.forName(type.getClassPath());
+ DriverManager.setLoginTimeout(10);
+- String dbURL = getDatabaseUrl(databaseConfiguration);
++ String dbURL = databaseConfiguration.toURI().toString();
+ connection = DriverManager.getConnection(dbURL, databaseConfiguration.getDatabaseUser(),
+ databaseConfiguration.getDatabasePassword());
+
+@@ -173,14 +173,4 @@ public class MariaDBConnectionManager {
+ }
+
+ }
+-
+-
+-
+- private static String getDatabaseUrl(DatabaseConfiguration dbConfig) {
+-
+- int port = dbConfig.getDatabasePort();
+- return "jdbc:" + dbConfig.getDatabaseType().toLowerCase() + "://" + dbConfig.getDatabaseHost()
+- + ((port == 0) ? "" : (":" + port)) + "/" + dbConfig.getDatabaseName();
+-
+- }
+ }
+diff --git a/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java
+index 9e81fd2..ac11dfe 100644
+--- a/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java
++++ b/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java
+@@ -131,7 +131,7 @@ public class MySQLConnectionManager {
+ return connection;
+ }
+ }
+- String dbURL = getDatabaseUrl(databaseConfiguration);
++ String dbURL = databaseConfiguration.toURI().toString();
+ Class.forName(type.getClassPath());
+
+ //logger.info("*** type.getClassPath() ::{}, {}**** ", type.getClassPath());
+@@ -171,13 +171,4 @@ public class MySQLConnectionManager {
+ }
+
+ }
+-
+-
+- private String getDatabaseUrl(DatabaseConfiguration dbConfig) {
+-
+- int port = dbConfig.getDatabasePort();
+- return "jdbc:" + dbConfig.getDatabaseType() + "://" + dbConfig.getDatabaseHost()
+- + ((port == 0) ? "" : (":" + port)) + "/" + dbConfig.getDatabaseName() + "?useSSL=" + dbConfig.isUseSSL();
+-
+- }
+ }
+diff --git a/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java
+index bef6c9a..156997f 100644
+--- a/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java
++++ b/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java
+@@ -142,7 +142,7 @@ public class PgSQLConnectionManager {
+
+ Class.forName(type.getClassPath());
+ DriverManager.setLoginTimeout(10);
+- String dbURL = getDatabaseUrl(databaseConfiguration);
++ String dbURL = databaseConfiguration.toURI().toString();
+ connection = DriverManager.getConnection(dbURL, databaseConfiguration.getDatabaseUser(),
+ databaseConfiguration.getDatabasePassword());
+
+@@ -173,13 +173,4 @@ public class PgSQLConnectionManager {
+ }
+
+ }
+-
+-
+- private static String getDatabaseUrl(DatabaseConfiguration dbConfig) {
+-
+- int port = dbConfig.getDatabasePort();
+- return "jdbc:" + dbConfig.getDatabaseType().toLowerCase() + "://" + dbConfig.getDatabaseHost()
+- + ((port == 0) ? "" : (":" + port)) + "/" + dbConfig.getDatabaseName();
+-
+- }
+ }
+diff --git a/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java
+index 5b9b4cf..7d42e00 100644
+--- a/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java
++++ b/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java
+@@ -35,6 +35,8 @@ import com.google.refine.extension.database.SQLType;
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+
++import java.net.URI;
++import java.net.URISyntaxException;
+ import java.sql.Connection;
+ import java.sql.DriverManager;
+ import java.sql.SQLException;
+@@ -66,7 +68,12 @@ public class SQLiteConnectionManager {
+ }
+
+ public static String getDatabaseUrl(DatabaseConfiguration dbConfig) {
+- return "jdbc:" + dbConfig.getDatabaseType().toLowerCase() + ":" + dbConfig.getDatabaseName();
++ try {
++ URI uri = new URI("jdbc:" + dbConfig.getDatabaseType().toLowerCase(), dbConfig.getDatabaseName(), null);
++ return uri.toASCIIString();
++ } catch (URISyntaxException e) {
++ throw new IllegalArgumentException(e);
++ }
+ }
+
+ /**
+diff --git a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+new file mode 100644
+index 0000000..5a571e8
+--- /dev/null
++++ b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+@@ -0,0 +1,21 @@
++package com.google.refine.extension.database;
++
++import org.testng.annotations.Test;
++
++import static org.testng.Assert.assertEquals;
++
++public class DatabaseConfigurationTest {
++
++ @Test
++ public void testToURI() {
++ DatabaseConfiguration config = new DatabaseConfiguration();
++ config.setDatabaseType("mysql");
++ config.setDatabaseHost("my.host");
++ // maliciously crafted database name which attempts to enable local file reads for an exploit
++ config.setDatabaseName("test?allowLoadLocalInfile=true#");
++
++ String url = config.toURI().toString();
++ // the database name is escaped, preventing the exploit
++ assertEquals(url, "jdbc:mysql://my.host/test%3FallowLoadLocalInfile=true%23");
++ }
++}
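Review bot: In the new `toURI()` in DatabaseConfiguration.java the host, path and query go through the multi-argument `URI` constructor, which percent-encodes illegal characters in those components, but `databaseType` is passed as the scheme argument, which that constructor appends verbatim before re-parsing, so it is the one configuration field the rewrite still does not quote; presumably the connection managers already reject unknown types when they resolve `type.getClassPath()`, but that dependency is invisible here and deserves either an explicit check or a comment such as `// the scheme is not quoted by URI: databaseType must already be a validated SQLType name`. The method also has no Javadoc; a short one stating that it is now the single place a JDBC URL is assembled from configuration fields, and that the test at the end of the patch relies on `databaseName` being percent-encoded, would help whoever maintains this backport. Finally, the `useSSL` handling changes driver-visible behaviour: MySQL previously always appended `?useSSL=<value>` and now omits the parameter when it is false, while MariaDB and PgSQL now receive `useSSL=true` they never did before — if that is intended it is worth a line in the patch description.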
diff --git a/debian/patches/series b/debian/patches/series
index 2657037..ff5e387 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ log4j-api.patch
no-java-files.patch
gdata-extension.patch
CVE-2023-37476.patch
+CVE-2023-41887-and-CVE-2023-41886.patch