
jackrabbit CVE-2015-1833



On 22.06.2015 at 07:58, tony wrote:
> On Sun, Jun 21, 2015 at 09:29:26PM +0200, Markus Koschany wrote:
>> Hi all,
>>
>> I am looking for someone who is interested in uploading jackrabbit and
>> fixing #787316.
>>
>> Packaging the latest upstream release was sufficient. We only build the
>> jackrabbit-webdav module which is needed for wagon2 but of course only
>> this module is affected by the vulnerability. I intend to prepare fixes
>> for Jessie and Wheezy too but I am unsure about the severity of this
>> issue. Any ideas how I can test/verify the patches in the wagon2 context?
>>
>> https://anonscm.debian.org/cgit/pkg-java/jackrabbit.git
> 
> Hi Markus,
> 
> Thank you for the update.  I have uploaded it to unstable.  Please let
> me know if you need follow-on updates for wagon2 or related.


Hi tony, hello security team

I have prepared two debdiffs to fix CVE-2015-1833. The patch was
directly taken from upstream [1], only minor rebasing was necessary. The
patch is accompanied by a test case and I can confirm that the test runs
successfully. If you agree, I would ask tony for an upload to
jessie-security and wheezy-security.

[1] https://issues.apache.org/jira/browse/JCR-3883

I propose the following DSA text:


Package: jackrabbit

It was discovered that the Jackrabbit WebDAV bundle was susceptible to an
XXE/XEE attack. When processing a WebDAV request body containing XML,
the XML parser could be instructed to read content from network
resources accessible to the host, identified by URI schemes such as
"http(s)" or "file". Depending on the WebDAV request, this could not
only be used to trigger internal network requests, but might also be
used to insert said content into the request, potentially exposing it to
the attacker and others.

For the oldstable distribution (wheezy), this problem has been fixed
in version 2.3.6-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 2.3.6-1+deb8u1.

For the testing distribution (stretch), this problem has been fixed
in version 2.10.1-1.

For the unstable distribution (sid), this problem has been fixed in
version 2.10.1-1.

We recommend that you upgrade your jackrabbit packages.

Regards,

Markus

diff -Nru jackrabbit-2.3.6/debian/changelog jackrabbit-2.3.6/debian/changelog
--- jackrabbit-2.3.6/debian/changelog	2012-01-22 00:05:33.000000000 +0100
+++ jackrabbit-2.3.6/debian/changelog	2015-06-25 18:47:43.000000000 +0200
@@ -1,3 +1,17 @@
+jackrabbit (2.3.6-1+deb8u1) jessie-security; urgency=medium
+
+  * Team upload.
+  * Add CVE-2015-1833.patch.
+    Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle.
+    When processing a WebDAV request body containing XML, the XML parser can be
+    instructed to read content from network resources accessible to the host,
+    identified by URI schemes such as "http(s)" or "file". Depending on the
+    WebDAV request, this can not only be used to trigger internal network
+    requests, but might also be used to insert said content into the request,
+    potentially exposing it to the attacker and others. (Closes: #787316)
+
+ -- Markus Koschany <apo@gambaru.de>  Thu, 25 Jun 2015 18:47:39 +0200
+
 jackrabbit (2.3.6-1) unstable; urgency=low
 
   * Initial release (Closes: #589450).
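Review bot: the version 2.3.6-1+deb8u1 and the jessie-security suite in the new entry match the proposed DSA text, and the long description repeats the DSA wording, which is fine. Since the mail says the patch was taken from upstream, consider naming the upstream issue (JCR-3883) in the entry next to "Add CVE-2015-1833.patch." so the origin of the patch can be recovered from the changelog alone.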
diff -Nru jackrabbit-2.3.6/debian/patches/CVE-2015-1833.patch jackrabbit-2.3.6/debian/patches/CVE-2015-1833.patch
--- jackrabbit-2.3.6/debian/patches/CVE-2015-1833.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackrabbit-2.3.6/debian/patches/CVE-2015-1833.patch	2015-06-25 18:47:43.000000000 +0200
@@ -0,0 +1,244 @@
+From: Markus Koschany <apo@gambaru.de>
+Date: Wed, 24 Jun 2015 03:16:44 +0200
+Subject: CVE-2015-1833
+
+---
+ .../webdav/xml/DavDocumentBuilderFactory.java      | 86 ++++++++++++++++++++++
+ .../org/apache/jackrabbit/webdav/xml/DomUtil.java  | 22 +-----
+ .../apache/jackrabbit/webdav/xml/ParserTest.java   | 78 ++++++++++++++++++++
+ .../org/apache/jackrabbit/webdav/xml/TestAll.java  |  1 +
+ 4 files changed, 168 insertions(+), 19 deletions(-)
+ create mode 100644 jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+ create mode 100644 jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+new file mode 100644
+index 0000000..60660a0
+--- /dev/null
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+@@ -0,0 +1,86 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.jackrabbit.webdav.xml;
++
++import java.io.IOException;
++
++import javax.xml.XMLConstants;
++import javax.xml.parsers.DocumentBuilder;
++import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
++
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
++import org.xml.sax.EntityResolver;
++import org.xml.sax.InputSource;
++import org.xml.sax.helpers.DefaultHandler;
++
++/**
++ * Custom {@link DocumentBuilderFactory} extended for use in WebDAV.
++ */
++public class DavDocumentBuilderFactory {
++
++    private static final Logger LOG = LoggerFactory.getLogger(DomUtil.class);
++
++    private final DocumentBuilderFactory DEFAULT_FACTORY = createFactory();
++
++    private DocumentBuilderFactory BUILDER_FACTORY = DEFAULT_FACTORY;
++
++    private DocumentBuilderFactory createFactory() {
++        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++        factory.setNamespaceAware(true);
++        factory.setIgnoringComments(true);
++        factory.setIgnoringElementContentWhitespace(true);
++        factory.setCoalescing(true);
++        try {
++            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++        } catch (ParserConfigurationException e) {
++            LOG.warn("Secure XML processing is not supported", e);
++        } catch (AbstractMethodError e) {
++            LOG.warn("Secure XML processing is not supported", e);
++        }
++        return factory;
++    }
++
++    public void setFactory(DocumentBuilderFactory documentBuilderFactory) {
++        LOG.debug("DocumentBuilderFactory changed to: " + documentBuilderFactory);
++        BUILDER_FACTORY = documentBuilderFactory != null ? documentBuilderFactory : DEFAULT_FACTORY;
++    }
++
++    /**
++     * An entity resolver that does not allow external entity resolution. See
++     * RFC 4918, Section 20.6
++     */
++    private static final EntityResolver DEFAULT_ENTITY_RESOLVER = new EntityResolver() {
++        public InputSource resolveEntity(String publicId, String systemId) throws IOException {
++            LOG.debug("Resolution of external entities in XML payload not supported - publicId: " + publicId + ", systemId: "
++                    + systemId);
++            throw new IOException("This parser does not support resolution of external entities (publicId: " + publicId
++                    + ", systemId: " + systemId + ")");
++        }
++    };
++
++    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
++        DocumentBuilder db = BUILDER_FACTORY.newDocumentBuilder();
++        if (BUILDER_FACTORY == DEFAULT_FACTORY) {
++            // if this is the default factory: set the default entity resolver as well
++            db.setEntityResolver(DEFAULT_ENTITY_RESOLVER);
++        }
++        db.setErrorHandler(new DefaultHandler());
++        return db;
++    }
++}
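Review bot: in newDocumentBuilder() the refusing DEFAULT_ENTITY_RESOLVER is installed only when BUILDER_FACTORY == DEFAULT_FACTORY, so a factory handed in through setFactory() yields builders with the default (resolving) entity resolver and the XXE protection silently depends on the caller having hardened that factory; either apply the resolver to builders from a caller-supplied factory as well, or state this contract in the javadoc of setFactory(). Two smaller points: LOG is obtained with LoggerFactory.getLogger(DomUtil.class) inside DavDocumentBuilderFactory, a leftover from moving the code out of DomUtil, and should name DavDocumentBuilderFactory.class so log lines are attributed correctly; and the class javadoc says the factory is "extended", but the class wraps a DocumentBuilderFactory rather than extending it, and DEFAULT_FACTORY/BUILDER_FACTORY are instance fields named like constants.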
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
+index 70508cc..ad77c97 100644
+--- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
+@@ -56,26 +56,10 @@ public class DomUtil {
+     private static Logger log = LoggerFactory.getLogger(DomUtil.class);
+ 
+     /**
+-     * Constant for <code>DocumentBuilderFactory</code> which is used
++     * Constant for <code>DavDocumentBuilderFactory</code> which is used
+      * to create and parse DOM documents.
+      */
+-    private static DocumentBuilderFactory BUILDER_FACTORY = createFactory();
+-
+-    private static DocumentBuilderFactory createFactory() {
+-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+-        factory.setNamespaceAware(true);
+-        factory.setIgnoringComments(true);
+-        factory.setIgnoringElementContentWhitespace(true);
+-        factory.setCoalescing(true);
+-        try {
+-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+-        } catch (ParserConfigurationException e) {
+-            log.warn("Secure XML processing is not supported", e);
+-        } catch (AbstractMethodError e) {
+-            log.warn("Secure XML processing is not supported", e);
+-        }
+-        return factory;
+-    }
++    private static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();
+ 
+     /**
+      * Support the replacement of {@link #BUILDER_FACTORY}. This is useful
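Review bot: with createFactory() and the XMLConstants.FEATURE_SECURE_PROCESSING call removed from DomUtil, the import of javax.xml.XMLConstants (and ParserConfigurationException, if nothing else in the class throws it) is likely unused now; the hunk does not touch the import block, so check the file and drop what is dead.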
+@@ -88,7 +72,7 @@ public class DomUtil {
+      */
+     public static void setBuilderFactory(
+             DocumentBuilderFactory documentBuilderFactory) {
+-        BUILDER_FACTORY = documentBuilderFactory;
++        BUILDER_FACTORY.setFactory(documentBuilderFactory);
+     }
+ 
+     /**
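Review bot: setBuilderFactory(null) changes behaviour here: BUILDER_FACTORY.setFactory(null) resets to the hardened default instead of storing null, while any non-null factory is used without the refusing entity resolver. The javadoc above this method, which only says it supports "the replacement of BUILDER_FACTORY", should state both facts, in particular that a caller-supplied factory must bring its own protection against external entities.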
+diff --git a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+new file mode 100644
+index 0000000..19aaa1b
+--- /dev/null
++++ b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+@@ -0,0 +1,78 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the \"License\"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an \"AS IS\" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.jackrabbit.webdav.xml;
++
++import java.io.ByteArrayInputStream;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.io.UnsupportedEncodingException;
++
++import junit.framework.TestCase;
++
++import org.w3c.dom.Document;
++import org.w3c.dom.Element;
++
++public class ParserTest extends TestCase {
++
++    // see <http://en.wikipedia.org/wiki/Billion_laughs#Details>
++    public void testBillionLaughs() throws UnsupportedEncodingException {
++
++        String testBody = "<?xml version=\"1.0\"?>" + "<!DOCTYPE lolz [" + " <!ENTITY lol \"lol\">" + " <!ELEMENT lolz (#PCDATA)>"
++                + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
++                + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">"
++                + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">"
++                + " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">"
++                + " <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">"
++                + " <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">"
++                + " <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">"
++                + " <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">"
++                + " <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">" + "]>" + "<lolz>&lol9;</lolz>";
++        InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
++
++        try {
++            DomUtil.parseDocument(is);
++            fail("parsing this document should cause an exception");
++        } catch (Exception expected) {
++        }
++    }
++
++    public void testExternalEntities() throws IOException {
++
++        String dname = "target";
++        String fname = "test.xml";
++
++        File f = new File(dname, fname);
++        OutputStream os = new FileOutputStream(f);
++        os.write("testdata".getBytes());
++        os.close();
++
++        String testBody = "<?xml version='1.0'?>\n<!DOCTYPE foo [" + " <!ENTITY test SYSTEM \"file:" + dname + "/" + fname + "\">"
++                + "]>\n<foo>&test;</foo>";
++        InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
++
++        try {
++            Document d = DomUtil.parseDocument(is);
++            Element root = d.getDocumentElement();
++            String text = DomUtil.getText(root);
++            fail("parsing this document should cause an exception, but the following external content was included: " + text);
++        } catch (Exception expected) {
++        }
++    }
++}
+\ No newline at end of file
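Review bot: testExternalEntities() opens new FileOutputStream(new File("target", "test.xml")) outside the try block and relies on a target directory already existing in the working directory; under a different build tool or working directory the constructor throws FileNotFoundException and the test errors before the parser is ever exercised, and the file is never deleted. Creating it with File.createTempFile() and removing it in a finally block would make the test independent of the build layout. Both tests also catch bare Exception, so an unrelated failure (a missing class, a factory that cannot be configured) counts as a pass; catching SAXException and IOException, or checking the message of the caught exception, would make the assertion meaningful. The \" escapes in the licence header of this file look like a quoting artefact of the debdiff; they sit inside a block comment and compile, but verify the file as it lands in the package.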
+diff --git a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
+index 1ca395a..f3ff354 100644
+--- a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
++++ b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
+@@ -33,6 +33,7 @@ public class TestAll extends TestCase {
+         TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests");
+ 
+         suite.addTestSuite(NamespaceTest.class);
++        suite.addTestSuite(ParserTest.class);
+ 
+         return suite;
+     }
diff -Nru jackrabbit-2.3.6/debian/patches/series jackrabbit-2.3.6/debian/patches/series
--- jackrabbit-2.3.6/debian/patches/series	2012-01-22 00:05:33.000000000 +0100
+++ jackrabbit-2.3.6/debian/patches/series	2015-06-25 18:47:43.000000000 +0200
@@ -1,2 +1,3 @@
 modules.diff
 servlet_api_25.diff
+CVE-2015-1833.patch
diff -Nru jackrabbit-2.3.6/debian/changelog jackrabbit-2.3.6/debian/changelog
--- jackrabbit-2.3.6/debian/changelog	2012-01-22 00:05:33.000000000 +0100
+++ jackrabbit-2.3.6/debian/changelog	2015-06-25 18:52:05.000000000 +0200
@@ -1,3 +1,17 @@
+jackrabbit (2.3.6-1+deb7u1) wheezy-security; urgency=medium
+
+  * Team upload.
+  * Add CVE-2015-1833.patch.
+    Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle.
+    When processing a WebDAV request body containing XML, the XML parser can be
+    instructed to read content from network resources accessible to the host,
+    identified by URI schemes such as "http(s)" or "file". Depending on the
+    WebDAV request, this can not only be used to trigger internal network
+    requests, but might also be used to insert said content into the request,
+    potentially exposing it to the attacker and others. (Closes: #787316)
+
+ -- Markus Koschany <apo@gambaru.de>  Thu, 25 Jun 2015 18:52:02 +0200
+
 jackrabbit (2.3.6-1) unstable; urgency=low
 
   * Initial release (Closes: #589450).
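Review bot: version 2.3.6-1+deb7u1 and the wheezy-security suite match the DSA text, and the entry is otherwise identical to the jessie one, which is expected since both updates are built from the same 2.3.6-1 source; the version ordering (deb7u1 below deb8u1) keeps upgrades from wheezy to jessie clean.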
diff -Nru jackrabbit-2.3.6/debian/patches/CVE-2015-1833.patch jackrabbit-2.3.6/debian/patches/CVE-2015-1833.patch
--- jackrabbit-2.3.6/debian/patches/CVE-2015-1833.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackrabbit-2.3.6/debian/patches/CVE-2015-1833.patch	2015-06-25 18:52:05.000000000 +0200
@@ -0,0 +1,244 @@
+From: Markus Koschany <apo@gambaru.de>
+Date: Wed, 24 Jun 2015 03:16:44 +0200
+Subject: CVE-2015-1833
+
+---
+ .../webdav/xml/DavDocumentBuilderFactory.java      | 86 ++++++++++++++++++++++
+ .../org/apache/jackrabbit/webdav/xml/DomUtil.java  | 22 +-----
+ .../apache/jackrabbit/webdav/xml/ParserTest.java   | 78 ++++++++++++++++++++
+ .../org/apache/jackrabbit/webdav/xml/TestAll.java  |  1 +
+ 4 files changed, 168 insertions(+), 19 deletions(-)
+ create mode 100644 jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+ create mode 100644 jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+new file mode 100644
+index 0000000..60660a0
+--- /dev/null
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+@@ -0,0 +1,86 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.jackrabbit.webdav.xml;
++
++import java.io.IOException;
++
++import javax.xml.XMLConstants;
++import javax.xml.parsers.DocumentBuilder;
++import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
++
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
++import org.xml.sax.EntityResolver;
++import org.xml.sax.InputSource;
++import org.xml.sax.helpers.DefaultHandler;
++
++/**
++ * Custom {@link DocumentBuilderFactory} extended for use in WebDAV.
++ */
++public class DavDocumentBuilderFactory {
++
++    private static final Logger LOG = LoggerFactory.getLogger(DomUtil.class);
++
++    private final DocumentBuilderFactory DEFAULT_FACTORY = createFactory();
++
++    private DocumentBuilderFactory BUILDER_FACTORY = DEFAULT_FACTORY;
++
++    private DocumentBuilderFactory createFactory() {
++        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++        factory.setNamespaceAware(true);
++        factory.setIgnoringComments(true);
++        factory.setIgnoringElementContentWhitespace(true);
++        factory.setCoalescing(true);
++        try {
++            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++        } catch (ParserConfigurationException e) {
++            LOG.warn("Secure XML processing is not supported", e);
++        } catch (AbstractMethodError e) {
++            LOG.warn("Secure XML processing is not supported", e);
++        }
++        return factory;
++    }
++
++    public void setFactory(DocumentBuilderFactory documentBuilderFactory) {
++        LOG.debug("DocumentBuilderFactory changed to: " + documentBuilderFactory);
++        BUILDER_FACTORY = documentBuilderFactory != null ? documentBuilderFactory : DEFAULT_FACTORY;
++    }
++
++    /**
++     * An entity resolver that does not allow external entity resolution. See
++     * RFC 4918, Section 20.6
++     */
++    private static final EntityResolver DEFAULT_ENTITY_RESOLVER = new EntityResolver() {
++        public InputSource resolveEntity(String publicId, String systemId) throws IOException {
++            LOG.debug("Resolution of external entities in XML payload not supported - publicId: " + publicId + ", systemId: "
++                    + systemId);
++            throw new IOException("This parser does not support resolution of external entities (publicId: " + publicId
++                    + ", systemId: " + systemId + ")");
++        }
++    };
++
++    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
++        DocumentBuilder db = BUILDER_FACTORY.newDocumentBuilder();
++        if (BUILDER_FACTORY == DEFAULT_FACTORY) {
++            // if this is the default factory: set the default entity resolver as well
++            db.setEntityResolver(DEFAULT_ENTITY_RESOLVER);
++        }
++        db.setErrorHandler(new DefaultHandler());
++        return db;
++    }
++}
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
+index 70508cc..ad77c97 100644
+--- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
+@@ -56,26 +56,10 @@ public class DomUtil {
+     private static Logger log = LoggerFactory.getLogger(DomUtil.class);
+ 
+     /**
+-     * Constant for <code>DocumentBuilderFactory</code> which is used
++     * Constant for <code>DavDocumentBuilderFactory</code> which is used
+      * to create and parse DOM documents.
+      */
+-    private static DocumentBuilderFactory BUILDER_FACTORY = createFactory();
+-
+-    private static DocumentBuilderFactory createFactory() {
+-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+-        factory.setNamespaceAware(true);
+-        factory.setIgnoringComments(true);
+-        factory.setIgnoringElementContentWhitespace(true);
+-        factory.setCoalescing(true);
+-        try {
+-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+-        } catch (ParserConfigurationException e) {
+-            log.warn("Secure XML processing is not supported", e);
+-        } catch (AbstractMethodError e) {
+-            log.warn("Secure XML processing is not supported", e);
+-        }
+-        return factory;
+-    }
++    private static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();
+ 
+     /**
+      * Support the replacement of {@link #BUILDER_FACTORY}. This is useful
+@@ -88,7 +72,7 @@ public class DomUtil {
+      */
+     public static void setBuilderFactory(
+             DocumentBuilderFactory documentBuilderFactory) {
+-        BUILDER_FACTORY = documentBuilderFactory;
++        BUILDER_FACTORY.setFactory(documentBuilderFactory);
+     }
+ 
+     /**
+diff --git a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+new file mode 100644
+index 0000000..19aaa1b
+--- /dev/null
++++ b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+@@ -0,0 +1,78 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the \"License\"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an \"AS IS\" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.jackrabbit.webdav.xml;
++
++import java.io.ByteArrayInputStream;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.io.UnsupportedEncodingException;
++
++import junit.framework.TestCase;
++
++import org.w3c.dom.Document;
++import org.w3c.dom.Element;
++
++public class ParserTest extends TestCase {
++
++    // see <http://en.wikipedia.org/wiki/Billion_laughs#Details>
++    public void testBillionLaughs() throws UnsupportedEncodingException {
++
++        String testBody = "<?xml version=\"1.0\"?>" + "<!DOCTYPE lolz [" + " <!ENTITY lol \"lol\">" + " <!ELEMENT lolz (#PCDATA)>"
++                + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
++                + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">"
++                + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">"
++                + " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">"
++                + " <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">"
++                + " <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">"
++                + " <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">"
++                + " <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">"
++                + " <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">" + "]>" + "<lolz>&lol9;</lolz>";
++        InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
++
++        try {
++            DomUtil.parseDocument(is);
++            fail("parsing this document should cause an exception");
++        } catch (Exception expected) {
++        }
++    }
++
++    public void testExternalEntities() throws IOException {
++
++        String dname = "target";
++        String fname = "test.xml";
++
++        File f = new File(dname, fname);
++        OutputStream os = new FileOutputStream(f);
++        os.write("testdata".getBytes());
++        os.close();
++
++        String testBody = "<?xml version='1.0'?>\n<!DOCTYPE foo [" + " <!ENTITY test SYSTEM \"file:" + dname + "/" + fname + "\">"
++                + "]>\n<foo>&test;</foo>";
++        InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
++
++        try {
++            Document d = DomUtil.parseDocument(is);
++            Element root = d.getDocumentElement();
++            String text = DomUtil.getText(root);
++            fail("parsing this document should cause an exception, but the following external content was included: " + text);
++        } catch (Exception expected) {
++        }
++    }
++}
+\ No newline at end of file
+diff --git a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
+index 1ca395a..f3ff354 100644
+--- a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
++++ b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
+@@ -33,6 +33,7 @@ public class TestAll extends TestCase {
+         TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests");
+ 
+         suite.addTestSuite(NamespaceTest.class);
++        suite.addTestSuite(ParserTest.class);
+ 
+         return suite;
+     }
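Review bot: this copy of CVE-2015-1833.patch is byte-identical to the jessie one (same blob ids 60660a0, ad77c97, 19aaa1b and f3ff354, same 244-line hunk), so the review comments on the jessie debdiff apply here unchanged; nothing further to add for wheezy.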
diff -Nru jackrabbit-2.3.6/debian/patches/series jackrabbit-2.3.6/debian/patches/series
--- jackrabbit-2.3.6/debian/patches/series	2012-01-22 00:05:33.000000000 +0100
+++ jackrabbit-2.3.6/debian/patches/series	2015-06-25 18:52:05.000000000 +0200
@@ -1,2 +1,3 @@
 modules.diff
 servlet_api_25.diff
+CVE-2015-1833.patch

Attachment: signature.asc
Description: OpenPGP digital signature
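The parser hardening that the DSA text and the patch describe, as an added example that is neither Jackrabbit's code nor part of this mail: the class name, the constructed PROPFIND bodies and the placeholder file URI are assumptions, and it runs on any JDK with the bundled Xerces parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Example code (not Jackrabbit's): parses constructed WebDAV request bodies with
 * a DocumentBuilder hardened the way the CVE-2015-1833 patch does it, and with a
 * stricter variant that refuses any DOCTYPE at all.
 */
public class WebDavXmlHardeningDemo {

    /** Constructed PROPFIND body as an ordinary WebDAV client would send it. */
    static final String BENIGN_PROPFIND =
            "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
          + "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:displayname/></D:prop></D:propfind>";

    /** Constructed body declaring an external entity; the SYSTEM URI is a placeholder. */
    static final String EXTERNAL_ENTITY_PROPFIND =
            "<?xml version=\"1.0\"?>"
          + "<!DOCTYPE D:propfind [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>"
          + "<D:propfind xmlns:D=\"DAV:\"><D:prop><D:displayname>&ext;</D:displayname>"
          + "</D:prop></D:propfind>";

    /**
     * The two measures from the patch: FEATURE_SECURE_PROCESSING on the factory and
     * an EntityResolver that refuses every external entity. JAXP 1.5 parsers (JDK
     * 7u40 and later) additionally deny external DTD access when secure processing
     * is switched on explicitly, so either mechanism stops the body from pulling in
     * content from "file" or "http(s)" URIs.
     */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DocumentBuilder db = factory.newDocumentBuilder();
        db.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId) throws IOException {
                throw new IOException("external entity resolution refused: " + systemId);
            }
        });
        db.setErrorHandler(new DefaultHandler()); // fatal errors still throw, warnings are dropped
        return db;
    }

    /** Stricter: a DOCTYPE is rejected outright, so no entity is ever declared, let alone resolved. */
    static DocumentBuilder noDoctypeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder();
    }

    /** Root element's local name when the body parses, null when the parser refused it. */
    static String tryParse(DocumentBuilder db, String body) {
        try {
            Document d = db.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getLocalName();
        } catch (SAXException | IOException refused) {
            return null;
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        // A WebDAV handler would answer a null here with 400 Bad Request instead of
        // processing the body any further.
        System.out.println("benign body, hardened builder:          "
                + tryParse(hardenedBuilder(), BENIGN_PROPFIND));
        System.out.println("external-entity body, hardened builder: "
                + tryParse(hardenedBuilder(), EXTERNAL_ENTITY_PROPFIND));
        System.out.println("external-entity body, no DOCTYPE:       "
                + tryParse(noDoctypeBuilder(), EXTERNAL_ENTITY_PROPFIND));
    }
}
```

The benign body parses with both builders, while the body with the external entity is refused by both: the hardened builder fails when the entity is resolved, the DOCTYPE-free builder already at the declaration.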
