Hello security team, I have prepared a new version of libspring-java to fix CVE-2014-0054 and CVE-2014-1904 (#741604) by backporting the corresponding upstream commits. Please find attached the debdiff against the last version of libspring-java in stable-security. Please let me know if the changes qualify for a stable-security release and an upload to security-master. Description =========== * CVE-2014-0054 Addresses an incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE): external entity processing is now disabled by default for StreamSource input in the OXM AbstractMarshaller hierarchy as well. * CVE-2014-1904 XSS in Spring MVC: the request URI written into the form tag's action attribute is now URL-encoded. Cheers, -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://db.debian.org/fetchkey.cgi?fingerprint=4CB7FE1E280ECC90F29A597E6E608B637D8967E9 "Faith means not wanting to know what is true." -- Nietzsche
diff -Nru libspring-java-3.0.6.RELEASE/debian/changelog libspring-java-3.0.6.RELEASE/debian/changelog
--- libspring-java-3.0.6.RELEASE/debian/changelog 2014-02-07 20:43:48.000000000 -0300
+++ libspring-java-3.0.6.RELEASE/debian/changelog 2014-03-24 18:20:48.000000000 -0300
@@ -1,3 +1,10 @@
+libspring-java (3.0.6.RELEASE-6+deb7u3) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2013-6429 and CVE-2013-6430. (Closes: #741604).
+
+ -- Miguel Landaeta <nomadium@debian.org> Mon, 24 Mar 2014 18:12:13 -0300
+
libspring-java (3.0.6.RELEASE-6+deb7u2) wheezy-security; urgency=high
+ * Team upload.
diff -Nru libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-0054.patch libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-0054.patch
--- libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-0054.patch 1969-12-31 21:00:00.000000000 -0300
+++ libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-0054.patch 2014-03-24 18:10:42.000000000 -0300
@@ -0,0 +1,319 @@
+From: Miguel Landaeta <nomadium@debian.org>
+Date: Mon, 24 Mar 2014 16:57:19 -0300
+Subject: CVE-2014-0054
+
+Bug: http://bugs.debian.org/741604
+
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+index 871075f..fea0519 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+@@ -120,6 +120,11 @@ public class CastorMarshaller extends AbstractMarshaller implements Initializing
+ this.encoding = encoding;
+ }
+
++ @Override
++ protected String getDefaultEncoding() {
++ return this.encoding;
++ }
++
+ /**
+ * Set the locations of the Castor XML Mapping files.
+ */
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+index 1b3412d..37d7937 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+@@ -317,6 +317,13 @@ public class Jaxb2Marshaller
+ this.processExternalEntities = processExternalEntities;
+ }
+
++ /**
++ * @return the configured value for whether XML external entities are allowed.
++ */
++ public boolean isProcessExternalEntities() {
++ return this.processExternalEntities;
++ }
++
+ public void setBeanClassLoader(ClassLoader classLoader) {
+ this.beanClassLoader = classLoader;
+ }
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
+index 5d6a053..0de00b2 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2010 the original author or authors.
++ * Copyright 2002-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+@@ -28,6 +28,7 @@ import javax.xml.stream.XMLEventWriter;
+ import javax.xml.stream.XMLStreamException;
+ import javax.xml.stream.XMLStreamReader;
+ import javax.xml.stream.XMLStreamWriter;
++import javax.xml.transform.OutputKeys;
+ import javax.xml.transform.Result;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+@@ -133,6 +134,11 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ this.encoding = encoding;
+ }
+
++ @Override
++ protected String getDefaultEncoding() {
++ return this.encoding;
++ }
++
+ /**
+ * Set the document standalone flag for marshalling. By default, this flag is not present.
+ */
+@@ -301,7 +307,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ }
+ catch (TransformerException ex) {
+ throw new MarshallingFailureException(
+- "Could not transform to [" + ClassUtils.getShortName(result.getClass()) + "]");
++ "Could not transform to [" + ClassUtils.getShortName(result.getClass()) + "]", ex);
+ }
+
+ }
+@@ -367,7 +373,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ @Override
+ protected Object unmarshalDomNode(Node node) throws XmlMappingException {
+ try {
+- return transformAndUnmarshal(new DOMSource(node));
++ return transformAndUnmarshal(new DOMSource(node), null);
+ }
+ catch (IOException ex) {
+ throw new UnmarshallingFailureException("JiBX unmarshalling exception", ex);
+@@ -377,12 +383,15 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ @Override
+ protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource)
+ throws XmlMappingException, IOException {
+- return transformAndUnmarshal(new SAXSource(xmlReader, inputSource));
++ return transformAndUnmarshal(new SAXSource(xmlReader, inputSource), inputSource.getEncoding());
+ }
+
+- private Object transformAndUnmarshal(Source source) throws IOException {
++ private Object transformAndUnmarshal(Source source, String encoding) throws IOException {
+ try {
+ Transformer transformer = transformerFactory.newTransformer();
++ if (encoding != null) {
++ transformer.setOutputProperty(OutputKeys.ENCODING, encoding);
++ }
+ ByteArrayOutputStream os = new ByteArrayOutputStream();
+ transformer.transform(source, new StreamResult(os));
+ ByteArrayInputStream is = new ByteArrayInputStream(os.toByteArray());
+@@ -390,7 +399,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ }
+ catch (TransformerException ex) {
+ throw new MarshallingFailureException(
+- "Could not transform from [" + ClassUtils.getShortName(source.getClass()) + "]");
++ "Could not transform from [" + ClassUtils.getShortName(source.getClass()) + "]", ex);
+ }
+ }
+
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
+index cee37bb..09bc006 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2010 the original author or authors.
++ * Copyright 2002-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+@@ -73,6 +73,34 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+
+ private final Object documentBuilderFactoryMonitor = new Object();
+
++ private boolean processExternalEntities = false;
++
++
++ /**
++ * Indicates whether external XML entities are processed when unmarshalling.
++ * <p>Default is {@code false}, meaning that external entities are not resolved.
++ * Note that processing of external entities will only be enabled/disabled when the
++ * {@code Source} passed to {@link #unmarshal(Source)} is a {@link SAXSource} or
++ * {@link StreamSource}. It has no effect for {@link DOMSource} or {@link StAXSource}
++ * instances.
++ */
++ public void setProcessExternalEntities(boolean processExternalEntities) {
++ this.processExternalEntities = processExternalEntities;
++ }
++
++ /**
++ * @return the configured value for whether XML external entities are allowed.
++ */
++ public boolean isProcessExternalEntities() {
++ return this.processExternalEntities;
++ }
++
++ /**
++ * @return the default encoding to use for marshalling or unmarshalling from
++ * a byte stream, or {@code null}.
++ */
++ abstract protected String getDefaultEncoding();
++
+
+ /**
+ * Marshals the object graph with the given root into the provided <code>javax.xml.transform.Result</code>.
+@@ -131,7 +159,7 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+ return unmarshalSaxSource((SAXSource) source);
+ }
+ else if (source instanceof StreamSource) {
+- return unmarshalStreamSource((StreamSource) source);
++ return unmarshalStreamSourceNoExternalEntitities((StreamSource) source);
+ }
+ else {
+ throw new IllegalArgumentException("Unknown Source type: " + source.getClass());
+@@ -173,7 +201,9 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+ * @throws SAXException if thrown by JAXP methods
+ */
+ protected XMLReader createXmlReader() throws SAXException {
+- return XMLReaderFactory.createXMLReader();
++ XMLReader xmlReader = XMLReaderFactory.createXMLReader();
++ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities());
++ return xmlReader;
+ }
+
+
+@@ -356,8 +386,42 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+ }
+
+ /**
++ * Template method for handling {@code StreamSource}s with protection against
++ * the XML External Entity (XXE) processing vulnerability taking into account
++ * the value of the {@link #setProcessExternalEntities(boolean)} property.
++ * <p>
++ * The default implementation wraps the StreamSource as a SAXSource and delegates
++ * to {@link #unmarshalSaxSource(javax.xml.transform.sax.SAXSource)}.
++ *
++ * @param streamSource the {@code StreamSource}
++ * @return the object graph
++ * @throws IOException if an I/O exception occurs
++ * @throws XmlMappingException if the given source cannot be mapped to an object
++ *
++ * @see <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML_External_Entity_(XXE)_Processing</a>
++ */
++ protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource) throws XmlMappingException, IOException {
++ InputSource inputSource;
++ if (streamSource.getInputStream() != null) {
++ inputSource = new InputSource(streamSource.getInputStream());
++ inputSource.setEncoding(getDefaultEncoding());
++ }
++ else if (streamSource.getReader() != null) {
++ inputSource = new InputSource(streamSource.getReader());
++ }
++ else {
++ inputSource = new InputSource(streamSource.getSystemId());
++ }
++ return unmarshalSaxSource(new SAXSource(inputSource));
++ }
++
++ /**
+ * Template method for handling <code>StreamSource</code>s.
+ * <p>This implementation defers to <code>unmarshalInputStream</code> or <code>unmarshalReader</code>.
++ * <p>As of 3.2.8 and 4.0.2 this method is no longer invoked from
++ * {@link #unmarshal(javax.xml.transform.Source)}. The method invoked instead is
++ * {@link #unmarshalStreamSourceNoExternalEntitities(javax.xml.transform.stream.StreamSource)}.
++ *
+ * @param streamSource the <code>StreamSource</code>
+ * @return the object graph
+ * @throws IOException if an I/O exception occurs
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
+index eb5a6e6..9f06b35 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2009 the original author or authors.
++ * Copyright 2002-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+@@ -116,6 +116,10 @@ public class XmlBeansMarshaller extends AbstractMarshaller {
+ return this.validating;
+ }
+
++ @Override
++ protected String getDefaultEncoding() {
++ return null;
++ }
+
+ /**
+ * This implementation returns true if the given class is an implementation of {@link XmlObject}.
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+index d6521ff..efa9403 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+@@ -26,11 +26,9 @@ import java.io.Writer;
+ import java.util.LinkedHashMap;
+ import java.util.List;
+ import java.util.Map;
+-import javax.xml.stream.XMLEventReader;
+-import javax.xml.stream.XMLEventWriter;
+-import javax.xml.stream.XMLStreamException;
+-import javax.xml.stream.XMLStreamReader;
+-import javax.xml.stream.XMLStreamWriter;
++import javax.xml.stream.*;
++import javax.xml.transform.stax.StAXSource;
++import javax.xml.transform.stream.StreamSource;
+
+ import com.thoughtworks.xstream.XStream;
+ import com.thoughtworks.xstream.converters.ConversionException;
+@@ -349,6 +347,11 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
+ this.encoding = encoding;
+ }
+
++ @Override
++ protected String getDefaultEncoding() {
++ return this.encoding;
++ }
++
+ /**
+ * Set the classes supported by this marshaller.
+ * <p>If this property is empty (the default), all classes are supported.
+@@ -470,6 +473,13 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
+ // Unmarshalling
+
+ @Override
++ protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource)
++ throws XmlMappingException, IOException {
++
++ return super.unmarshalStreamSource(streamSource);
++ }
++
++ @Override
+ protected Object unmarshalDomNode(Node node) throws XmlMappingException {
+ HierarchicalStreamReader streamReader;
+ if (node instanceof Document) {
+diff --git a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+index 15b7d8e..3126ca4 100644
+--- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
++++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+@@ -85,6 +85,13 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
+ this.processExternalEntities = processExternalEntities;
+ }
+
++ /**
++ * @return the configured value for whether XML external entities are allowed.
++ */
++ public boolean isProcessExternalEntities() {
++ return this.processExternalEntities;
++ }
++
+ @Override
+ public boolean supports(Class<?> clazz) {
+ return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz)
+@@ -146,7 +153,7 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
+ private Source readStAXSource(InputStream body) {
+ try {
+ XMLInputFactory inputFactory = XMLInputFactory.newFactory();
+- inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", processExternalEntities);
++ inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, this.processExternalEntities);
+ XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body);
+ return StaxUtils.createStaxSource(streamReader);
+ }
diff -Nru libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-1904.patch libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-1904.patch
--- libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-1904.patch 1969-12-31 21:00:00.000000000 -0300
+++ libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-1904.patch 2014-03-24 18:10:42.000000000 -0300
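Review bot: The new `createXmlReader()` only toggles `http://xml.org/sax/features/external-general-entities`; external parameter entities and external DTD loading are left at the parser's defaults, so even with `processExternalEntities=false` a DOCTYPE can still pull in an external DTD or expand parameter entities, which is the usual out-of-band XXE and entity-expansion DoS route. I would add `xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", isProcessExternalEntities());` next to it and, where the parser recognises it, `xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", isProcessExternalEntities());` — the latter is Xerces-specific, so catch `SAXNotRecognizedException` for it rather than letting reader creation fail on other SAX implementations. The same caveat applies to `readStAXSource` in SourceHttpMessageConverter, where only `IS_SUPPORTING_EXTERNAL_ENTITIES` is set and `XMLInputFactory.SUPPORT_DTD` keeps its default. Note also that `XStreamMarshaller` overrides `unmarshalStreamSourceNoExternalEntitities` to call the old `unmarshalStreamSource`, so StreamSource input to XStream never goes through the SAX feature at all; whether XStream's own parser resolves entities is not visible here. Separately, the `debian/changelog` entry in this debdiff says "Fix CVE-2013-6429 and CVE-2013-6430" while the patches it adds address CVE-2014-0054 and CVE-2014-1904.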
@@ -0,0 +1,46 @@
+From: Miguel Landaeta <nomadium@debian.org>
+Date: Mon, 24 Mar 2014 17:07:58 -0300
+Subject: CVE-2014-1904
+
+Bug: http://bugs.debian.org/741604
+
+diff --git a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
+index 2e9cc84..b416084 100644
+--- a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
++++ b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2010 the original author or authors.
++ * Copyright 2002-2014 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+@@ -21,11 +21,14 @@ import javax.servlet.http.HttpServletResponse;
+ import javax.servlet.jsp.JspException;
+ import javax.servlet.jsp.PageContext;
+
++import java.io.UnsupportedEncodingException;
++
+ import org.springframework.beans.PropertyAccessor;
+ import org.springframework.core.Conventions;
+ import org.springframework.util.ObjectUtils;
+ import org.springframework.util.StringUtils;
+ import org.springframework.web.util.HtmlUtils;
++import org.springframework.web.util.UriUtils;
+
+ /**
+ * Databinding-aware JSP tag for rendering an HTML '<code>form</code>' whose
+@@ -397,6 +400,13 @@ public class FormTag extends AbstractHtmlElementTag {
+ }
+ else {
+ String requestUri = getRequestContext().getRequestUri();
++ String encoding = pageContext.getResponse().getCharacterEncoding();
++ try {
++ requestUri = UriUtils.encodePath(requestUri, encoding);
++ }
++ catch (UnsupportedEncodingException e) {
++ throw new JspException(e);
++ }
+ ServletResponse response = this.pageContext.getResponse();
+ if (response instanceof HttpServletResponse) {
+ requestUri = ((HttpServletResponse) response).encodeURL(requestUri);
diff -Nru libspring-java-3.0.6.RELEASE/debian/patches/series libspring-java-3.0.6.RELEASE/debian/patches/series
--- libspring-java-3.0.6.RELEASE/debian/patches/series 2014-02-07 20:43:48.000000000 -0300
+++ libspring-java-3.0.6.RELEASE/debian/patches/series 2014-03-24 18:11:40.000000000 -0300
@@ -10,3 +10,5 @@
Add-processExternalEntities-to-JAXB2Marshaller.patch
CVE-2013-6429.patch
CVE-2013-6430.patch
+CVE-2014-0054.patch
+CVE-2014-1904.patch
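Review bot: `UriUtils.encodePath(requestUri, encoding)` is applied to the value returned by `getRequestContext().getRequestUri()`, and if that value is the container's raw, still percent-encoded request URI, any existing `%xx` sequences would be encoded a second time (`%20` becoming `%2520`) unless `encodePath` leaves `%` alone — please confirm against this Spring version's UriUtils before upload, since a double-encoded action target silently changes where the form posts. The encoding choice itself is sound: characters such as `"`, `<` and `>` are not path-safe and get percent-encoded, which is what closes the attribute breakout, and wrapping `UnsupportedEncodingException` in `JspException(e)` preserves the cause. As a small tidy-up, `pageContext.getResponse()` is fetched twice in this hunk; hoisting `ServletResponse response = this.pageContext.getResponse();` above the new block and using `response.getCharacterEncoding()` avoids the duplicate call. The enclosing method starts and ends outside the hunk, so the later query-string handling is not visible here.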