
Bug#970549: marked as done (buster-pu: package libcommons-compress-java/1.18-2)



Your message dated Sat, 26 Sep 2020 11:36:30 +0100
with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.6 point release
has caused the Debian Bug report #970549,
regarding buster-pu: package libcommons-compress-java/1.18-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
970549: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970549
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: tmancill@debian.org

Hi,

This is an update for CVE-2019-12402. The change is the same as done for
libcommons-compress-java_1.18-3 at:
https://salsa.debian.org/java-team/libcommons-compress-java/-/commit/b0f86e2643f1edde31f42a8245224b618030c6aa

It's a no-dsa, so it needs to be fixed via a stable update.


--
Regards
Sudip
diff -Nru libcommons-compress-java-1.18/debian/changelog libcommons-compress-java-1.18/debian/changelog
--- libcommons-compress-java-1.18/debian/changelog	2019-03-01 22:27:13.000000000 +0000
+++ libcommons-compress-java-1.18/debian/changelog	2020-09-18 12:47:06.000000000 +0100
@@ -1,3 +1,10 @@
+libcommons-compress-java (1.18-2+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * Add patch for CVE-2019-12402 (Closes: #939610)
+
+ -- Sudip Mukherjee <sudipm.mukherjee@gmail.com>  Fri, 18 Sep 2020 12:47:06 +0100
+
 libcommons-compress-java (1.18-2) unstable; urgency=medium
 
   * Team upload.
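Review bot: the changelog entry `* Add patch for CVE-2019-12402 (Closes: #939610)` names the CVE but gives no hint of what actually changes in the package, which is what the point-release notes are built from; a one-line summary such as `* Add patch for CVE-2019-12402: make NioZipEncoding stop encoding when the charset encoder reports underflow or an error (Closes: #939610)` would let the release team and users see the scope of the fix without opening the patch.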
diff -Nru libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch
--- libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch	1970-01-01 01:00:00.000000000 +0100
+++ libcommons-compress-java-1.18/debian/patches/CVE-2019-12402-939610.patch	2020-09-14 16:52:45.000000000 +0100
@@ -0,0 +1,127 @@
+Description: addresses CVE-2019-12402 (Debian: #939610)
+From: Stefan Bodewig <bodewig@apache.org>
+Date: Fri, 23 Aug 2019 14:12:05 +0000 (+0200)
+Subject: unit tests for encoding logic
+X-Git-Tag: 1.19-RC1~6
+X-Git-Url: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff_plain;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581
+
+unit tests for encoding logic
+---
+
+diff --git a/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java b/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+index 0a7581a..4ce9c20 100644
+--- a/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
++++ b/src/main/java/org/apache/commons/compress/archivers/zip/NioZipEncoding.java
+@@ -112,6 +112,9 @@ class NioZipEncoding implements ZipEncoding, CharsetAccessor {
+             } else if (res.isOverflow()) {
+                 int increment = estimateIncrementalEncodingSize(enc, cb.remaining());
+                 out = ZipEncodingHelper.growBufferBy(out, increment);
++
++            } else if (res.isUnderflow() || res.isError()) {
++                break;
+             }
+         }
+         // tell the encoder we are done
+diff --git a/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java b/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+new file mode 100644
+index 0000000..a04730c
+--- /dev/null
++++ b/src/test/java/org/apache/commons/compress/archivers/zip/NioZipEncodingTest.java
+@@ -0,0 +1,97 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements.  See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership.  The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License.  You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied.  See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ */
++
++package org.apache.commons.compress.archivers.zip;
++
++import java.nio.ByteBuffer;
++import java.nio.charset.StandardCharsets;
++import java.util.Arrays;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++public class NioZipEncodingTest {
++
++    private static final String UMLAUTS = "\u00e4\u00f6\u00fc";
++
++    @Test
++    public void umlautToUTF16BE() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
++        ByteBuffer bb = e.encode(UMLAUTS);
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_16BE), result);
++    }
++
++    @Test
++    public void umlautToUTF8() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_8, true);
++        ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.UTF_8), result);
++    }
++
++    @Test
++    public void umlautToISO88591() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.ISO_8859_1, true);
++        ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertArrayEquals(UMLAUTS.getBytes(StandardCharsets.ISO_8859_1), result);
++    }
++
++    @Test
++    public void unmappableUmlauts() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++        ByteBuffer bb = e.encode("\u00e4\u00f6\u00fc");
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertEquals("%U00E4%U00F6%U00FC", new String(result, StandardCharsets.US_ASCII));
++    }
++
++    private static final String RAINBOW_EMOJI = "\ud83c\udf08";
++
++    @Test
++    public void unmappableRainbowEmoji() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++        ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertEquals("%UD83C%UDF08", new String(result, StandardCharsets.US_ASCII));
++    }
++
++    @Test
++    public void rainbowEmojiToSurrogatePairUTF16() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.UTF_16BE, false);
++        ByteBuffer bb = e.encode(RAINBOW_EMOJI);
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertArrayEquals(RAINBOW_EMOJI.getBytes(StandardCharsets.UTF_16BE), result);
++    }
++
++    @Test
++    public void partialSurrogatePair() {
++        NioZipEncoding e = new NioZipEncoding(StandardCharsets.US_ASCII, false);
++        ByteBuffer bb = e.encode("\ud83c");
++        final int off = bb.arrayOffset();
++        byte[] result = Arrays.copyOfRange(bb.array(), off, off + bb.limit() - bb.position());
++        Assert.assertEquals(0, result.length);
++    }
++}
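Review bot: the DEP-3 header at the top of CVE-2019-12402-939610.patch carries the upstream `From:`, `Date:` and `Subject:` lines but no `Origin:` or `Bug-Debian:` field, so the link to #939610 lives only in the file name and in the free-text Description; adding `Origin: upstream, https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff_plain;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9` and `Bug-Debian: https://bugs.debian.org/939610` would make that traceable to the patch tooling as well. The upstream subject reads "unit tests for encoding logic", but the functional change is the three-line addition in the `@@ -112,6 +112,9 @@` hunk of NioZipEncoding.java: a `CoderResult` that takes none of the earlier branches used to reach the end of the loop body and iterate again, and the new `else if (res.isUnderflow() || res.isError()) { break; }` branch exits the loop instead. Note that the accompanying `partialSurrogatePair` test asserts that a lone high surrogate now encodes to zero bytes, so malformed input is dropped silently rather than reported; that is the upstream behaviour being backported unchanged, but it deserves a sentence in the Description so that anyone reading the stable update understands that the fix changes output for such names rather than only terminating the loop.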
diff -Nru libcommons-compress-java-1.18/debian/patches/series libcommons-compress-java-1.18/debian/patches/series
--- libcommons-compress-java-1.18/debian/patches/series	2019-03-01 22:27:13.000000000 +0000
+++ libcommons-compress-java-1.18/debian/patches/series	2020-09-14 16:52:45.000000000 +0100
@@ -1,3 +1,4 @@
 disable-brotli.patch
 disable-zstd.patch
 disable-osgi-tests.patch
+CVE-2019-12402-939610.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.6

Hi,

Each of these bugs relates to an update that was included in today's
stable point release.

Regards,

Adam

--- End Message ---
