[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Debian RT: libspring-java: CVE-2014-0054 and CVE-2014-1904

Hello security team,

I have prepared a new version of libspring-java to fix CVE-2014-0054
and CVE-2014-1904 (#741604) by backporting the corresponding upstream
commits. Please find attached the debdiff against the last version of
libspring-java in stable-security.

Please let me know if the changes qualify for a stable-security
release and an upload to security-master.

Description
===========

* CVE-2014-0054
Addresses an incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE).

* CVE-2014-1904
XSS when using Spring MVC.

Cheers,

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at
http://db.debian.org/fetchkey.cgi?fingerprint=4CB7FE1E280ECC90F29A597E6E608B637D8967E9
"Faith means not wanting to know what is true." -- Nietzsche

diff -Nru libspring-java-3.0.6.RELEASE/debian/changelog libspring-java-3.0.6.RELEASE/debian/changelog
--- libspring-java-3.0.6.RELEASE/debian/changelog	2014-02-07 20:43:48.000000000 -0300
+++ libspring-java-3.0.6.RELEASE/debian/changelog	2014-03-24 18:20:48.000000000 -0300
@@ -1,3 +1,10 @@
+libspring-java (3.0.6.RELEASE-6+deb7u3) wheezy-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2013-6429 and CVE-2013-6430. (Closes: #741604).
+
+ -- Miguel Landaeta <nomadium@debian.org>  Mon, 24 Mar 2014 18:12:13 -0300
+
 libspring-java (3.0.6.RELEASE-6+deb7u2) wheezy-security; urgency=high
 
   * Team upload.
diff -Nru libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-0054.patch libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-0054.patch
--- libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-0054.patch	1969-12-31 21:00:00.000000000 -0300
+++ libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-0054.patch	2014-03-24 18:10:42.000000000 -0300
@@ -0,0 +1,319 @@
+From: Miguel Landaeta <nomadium@debian.org>
+Date: Mon, 24 Mar 2014 16:57:19 -0300
+Subject: CVE-2014-0054
+
+Bug: http://bugs.debian.org/741604
+
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+index 871075f..fea0519 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+@@ -120,6 +120,11 @@ public class CastorMarshaller extends AbstractMarshaller implements Initializing
+ 		this.encoding = encoding;
+ 	}
+ 
++	@Override
++	protected String getDefaultEncoding() {
++		return this.encoding;
++	}
++
+ 	/**
+ 	 * Set the locations of the Castor XML Mapping files.
+ 	 */
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+index 1b3412d..37d7937 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+@@ -317,6 +317,13 @@ public class Jaxb2Marshaller
+ 		this.processExternalEntities = processExternalEntities;
+ 	}
+ 
++	/**
++	 * @return the configured value for whether XML external entities are allowed.
++	 */
++	public boolean isProcessExternalEntities() {
++		return this.processExternalEntities;
++	}
++
+ 	public void setBeanClassLoader(ClassLoader classLoader) {
+ 		this.beanClassLoader = classLoader;
+ 	}
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
+index 5d6a053..0de00b2 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2010 the original author or authors.
++ * Copyright 2002-2014 the original author or authors.
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -28,6 +28,7 @@ import javax.xml.stream.XMLEventWriter;
+ import javax.xml.stream.XMLStreamException;
+ import javax.xml.stream.XMLStreamReader;
+ import javax.xml.stream.XMLStreamWriter;
++import javax.xml.transform.OutputKeys;
+ import javax.xml.transform.Result;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+@@ -133,6 +134,11 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ 		this.encoding = encoding;
+ 	}
+ 
++	@Override
++	protected String getDefaultEncoding() {
++		return this.encoding;
++	}
++
+ 	/**
+ 	 * Set the document standalone flag for marshalling. By default, this flag is not present.
+ 	 */
+@@ -301,7 +307,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ 		}
+ 		catch (TransformerException ex) {
+ 			throw new MarshallingFailureException(
+-					"Could not transform to [" + ClassUtils.getShortName(result.getClass()) + "]");
++					"Could not transform to [" + ClassUtils.getShortName(result.getClass()) + "]", ex);
+ 		}
+ 
+ 	}
+@@ -367,7 +373,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ 	@Override
+ 	protected Object unmarshalDomNode(Node node) throws XmlMappingException {
+ 		try {
+-			return transformAndUnmarshal(new DOMSource(node));
++			return transformAndUnmarshal(new DOMSource(node), null);
+ 		}
+ 		catch (IOException ex) {
+ 			throw new UnmarshallingFailureException("JiBX unmarshalling exception", ex);
+@@ -377,12 +383,15 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ 	@Override
+ 	protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource)
+ 			throws XmlMappingException, IOException {
+-		return transformAndUnmarshal(new SAXSource(xmlReader, inputSource));
++		return transformAndUnmarshal(new SAXSource(xmlReader, inputSource), inputSource.getEncoding());
+ 	}
+ 
+-	private Object transformAndUnmarshal(Source source) throws IOException {
++	private Object transformAndUnmarshal(Source source, String encoding) throws IOException {
+ 		try {
+ 			Transformer transformer = transformerFactory.newTransformer();
++			if (encoding != null) {
++				transformer.setOutputProperty(OutputKeys.ENCODING, encoding);
++			}
+ 			ByteArrayOutputStream os = new ByteArrayOutputStream();
+ 			transformer.transform(source, new StreamResult(os));
+ 			ByteArrayInputStream is = new ByteArrayInputStream(os.toByteArray());
+@@ -390,7 +399,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ 		}
+ 		catch (TransformerException ex) {
+ 			throw new MarshallingFailureException(
+-					"Could not transform from [" + ClassUtils.getShortName(source.getClass()) + "]");
++					"Could not transform from [" + ClassUtils.getShortName(source.getClass()) + "]", ex);
+ 		}
+ 	}
+ 
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
+index cee37bb..09bc006 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2010 the original author or authors.
++ * Copyright 2002-2014 the original author or authors.
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -73,6 +73,34 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+ 
+ 	private final Object documentBuilderFactoryMonitor = new Object();
+ 
++	private boolean processExternalEntities = false;
++
++
++	/**
++	 * Indicates whether external XML entities are processed when unmarshalling.
++	 * <p>Default is {@code false}, meaning that external entities are not resolved.
++	 * Note that processing of external entities will only be enabled/disabled when the
++	 * {@code Source} passed to {@link #unmarshal(Source)} is a {@link SAXSource} or
++	 * {@link StreamSource}. It has no effect for {@link DOMSource} or {@link StAXSource}
++	 * instances.
++	 */
++	public void setProcessExternalEntities(boolean processExternalEntities) {
++		this.processExternalEntities = processExternalEntities;
++	}
++
++	/**
++	 * @return the configured value for whether XML external entities are allowed.
++	 */
++	public boolean isProcessExternalEntities() {
++		return this.processExternalEntities;
++	}
++
++	/**
++	 * @return the default encoding to use for marshalling or unmarshalling from
++	 * 	a byte stream, or {@code null}.
++	 */
++	abstract protected String getDefaultEncoding();
++
+ 
+ 	/**
+ 	 * Marshals the object graph with the given root into the provided <code>javax.xml.transform.Result</code>.
+@@ -131,7 +159,7 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+ 			return unmarshalSaxSource((SAXSource) source);
+ 		}
+ 		else if (source instanceof StreamSource) {
+-			return unmarshalStreamSource((StreamSource) source);
++			return unmarshalStreamSourceNoExternalEntitities((StreamSource) source);
+ 		}
+ 		else {
+ 			throw new IllegalArgumentException("Unknown Source type: " + source.getClass());
+@@ -173,7 +201,9 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+ 	 * @throws SAXException if thrown by JAXP methods
+ 	 */
+ 	protected XMLReader createXmlReader() throws SAXException {
+-		return XMLReaderFactory.createXMLReader();
++		XMLReader xmlReader = XMLReaderFactory.createXMLReader();
++		xmlReader.setFeature("http://xml.org/sax/features/external-general-entities";, isProcessExternalEntities());
++		return xmlReader;
+ 	}
+ 
+ 
+@@ -356,8 +386,42 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+ 	}
+ 
+ 	/**
++	 * Template method for handling {@code StreamSource}s with protection against
++	 * the XML External Entity (XXE) processing vulnerability taking into account
++	 * the value of the {@link #setProcessExternalEntities(boolean)} property.
++	 * <p>
++	 * The default implementation wraps the StreamSource as a SAXSource and delegates
++	 * to {@link #unmarshalSaxSource(javax.xml.transform.sax.SAXSource)}.
++	 *
++	 * @param streamSource the {@code StreamSource}
++	 * @return the object graph
++	 * @throws IOException if an I/O exception occurs
++	 * @throws XmlMappingException if the given source cannot be mapped to an object
++	 *
++	 * @see <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML_External_Entity_(XXE)_Processing</a>
++	 */
++	protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource) throws XmlMappingException, IOException {
++		InputSource inputSource;
++		if (streamSource.getInputStream() != null) {
++			inputSource = new InputSource(streamSource.getInputStream());
++			inputSource.setEncoding(getDefaultEncoding());
++		}
++		else if (streamSource.getReader() != null) {
++			inputSource = new InputSource(streamSource.getReader());
++		}
++		else {
++			inputSource = new InputSource(streamSource.getSystemId());
++		}
++		return unmarshalSaxSource(new SAXSource(inputSource));
++	}
++
++	/**
+ 	 * Template method for handling <code>StreamSource</code>s.
+ 	 * <p>This implementation defers to <code>unmarshalInputStream</code> or <code>unmarshalReader</code>.
++	 * <p>As of 3.2.8 and 4.0.2 this method is no longer invoked from
++	 * {@link #unmarshal(javax.xml.transform.Source)}. The method invoked instead is
++	 * {@link #unmarshalStreamSourceNoExternalEntitities(javax.xml.transform.stream.StreamSource)}.
++	 *
+ 	 * @param streamSource the <code>StreamSource</code>
+ 	 * @return the object graph
+ 	 * @throws IOException if an I/O exception occurs
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
+index eb5a6e6..9f06b35 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2009 the original author or authors.
++ * Copyright 2002-2014 the original author or authors.
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -116,6 +116,10 @@ public class XmlBeansMarshaller extends AbstractMarshaller {
+ 		return this.validating;
+ 	}
+ 
++	@Override
++	protected String getDefaultEncoding() {
++		return null;
++	}
+ 
+ 	/**
+ 	 * This implementation returns true if the given class is an implementation of {@link XmlObject}.
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+index d6521ff..efa9403 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+@@ -26,11 +26,9 @@ import java.io.Writer;
+ import java.util.LinkedHashMap;
+ import java.util.List;
+ import java.util.Map;
+-import javax.xml.stream.XMLEventReader;
+-import javax.xml.stream.XMLEventWriter;
+-import javax.xml.stream.XMLStreamException;
+-import javax.xml.stream.XMLStreamReader;
+-import javax.xml.stream.XMLStreamWriter;
++import javax.xml.stream.*;
++import javax.xml.transform.stax.StAXSource;
++import javax.xml.transform.stream.StreamSource;
+ 
+ import com.thoughtworks.xstream.XStream;
+ import com.thoughtworks.xstream.converters.ConversionException;
+@@ -349,6 +347,11 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
+ 		this.encoding = encoding;
+ 	}
+ 
++	@Override
++	protected String getDefaultEncoding() {
++		return this.encoding;
++	}
++
+ 	/**
+ 	 * Set the classes supported by this marshaller.
+ 	 * <p>If this property is empty (the default), all classes are supported.
+@@ -470,6 +473,13 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
+ 	// Unmarshalling
+ 
+ 	@Override
++	protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource)
++			throws XmlMappingException, IOException {
++
++		return super.unmarshalStreamSource(streamSource);
++	}
++
++	@Override
+ 	protected Object unmarshalDomNode(Node node) throws XmlMappingException {
+ 		HierarchicalStreamReader streamReader;
+ 		if (node instanceof Document) {
+diff --git a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+index 15b7d8e..3126ca4 100644
+--- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
++++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+@@ -85,6 +85,13 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
+         this.processExternalEntities = processExternalEntities;
+     }
+ 
++    /**
++     * @return the configured value for whether XML external entities are allowed.
++     */
++    public boolean isProcessExternalEntities() {
++        return this.processExternalEntities;
++    }
++
+     @Override
+ 	public boolean supports(Class<?> clazz) {
+ 		return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz)
+@@ -146,7 +153,7 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
+     private Source readStAXSource(InputStream body) {
+         try {
+             XMLInputFactory inputFactory = XMLInputFactory.newFactory();
+-            inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", processExternalEntities);
++            inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, this.processExternalEntities);
+             XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body);
+             return StaxUtils.createStaxSource(streamReader);
+         }
diff -Nru libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-1904.patch libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-1904.patch
--- libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-1904.patch	1969-12-31 21:00:00.000000000 -0300
+++ libspring-java-3.0.6.RELEASE/debian/patches/CVE-2014-1904.patch	2014-03-24 18:10:42.000000000 -0300
@@ -0,0 +1,46 @@
+From: Miguel Landaeta <nomadium@debian.org>
+Date: Mon, 24 Mar 2014 17:07:58 -0300
+Subject: CVE-2014-1904
+
+Bug: http://bugs.debian.org/741604
+
+diff --git a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
+index 2e9cc84..b416084 100644
+--- a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
++++ b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2010 the original author or authors.
++ * Copyright 2002-2014 the original author or authors.
+  *
+  * Licensed under the Apache License, Version 2.0 (the "License");
+  * you may not use this file except in compliance with the License.
+@@ -21,11 +21,14 @@ import javax.servlet.http.HttpServletResponse;
+ import javax.servlet.jsp.JspException;
+ import javax.servlet.jsp.PageContext;
+ 
++import java.io.UnsupportedEncodingException;
++
+ import org.springframework.beans.PropertyAccessor;
+ import org.springframework.core.Conventions;
+ import org.springframework.util.ObjectUtils;
+ import org.springframework.util.StringUtils;
+ import org.springframework.web.util.HtmlUtils;
++import org.springframework.web.util.UriUtils;
+ 
+ /**
+  * Databinding-aware JSP tag for rendering an HTML '<code>form</code>' whose
+@@ -397,6 +400,13 @@ public class FormTag extends AbstractHtmlElementTag {
+ 		}
+ 		else {
+ 			String requestUri = getRequestContext().getRequestUri();
++			String encoding = pageContext.getResponse().getCharacterEncoding();
++			try {
++				requestUri = UriUtils.encodePath(requestUri, encoding);
++			}
++			catch (UnsupportedEncodingException e) {
++				throw new JspException(e);
++			}
+ 			ServletResponse response = this.pageContext.getResponse();
+ 			if (response instanceof HttpServletResponse) {
+ 				requestUri = ((HttpServletResponse) response).encodeURL(requestUri);
diff -Nru libspring-java-3.0.6.RELEASE/debian/patches/series libspring-java-3.0.6.RELEASE/debian/patches/series
--- libspring-java-3.0.6.RELEASE/debian/patches/series	2014-02-07 20:43:48.000000000 -0300
+++ libspring-java-3.0.6.RELEASE/debian/patches/series	2014-03-24 18:11:40.000000000 -0300
@@ -10,3 +10,5 @@
 Add-processExternalEntities-to-JAXB2Marshaller.patch
 CVE-2013-6429.patch
 CVE-2013-6430.patch
+CVE-2014-0054.patch
+CVE-2014-1904.patch

Attachment: signature.asc
Description: Digital signature

Reply to: