Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi folks,

I have prepared an upload to fix #650430 / CVE-2011-4358. This bug affects mojarra 2.0.3-1 in stable.

I'm attaching the debdiff with the backported patch that fixes this issue and the updated package meant for squeeze. I plan to do an urgent upload to unstable before the weekend.

A patch and a link to a PoC can be found in the body of the #650430 report.

Are you OK with uploading a fix for this to s-p-u?

Cheers,

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (800, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
diff -Nru mojarra-2.0.3/debian/changelog mojarra-2.0.3/debian/changelog --- mojarra-2.0.3/debian/changelog 2010-07-11 14:45:46.000000000 -0430 +++ mojarra-2.0.3/debian/changelog 2011-11-30 07:11:08.000000000 -0430 @@ -1,3 +1,10 @@ +mojarra (2.0.3-1squeeze1) stable; urgency=high + + * Fixed critical bug by not allowing the value of UIViewParam to be an + EL Expression: CVE-2011-4358. (Closes: #650430). + + -- Miguel Landaeta <miguel@miguel.cc> Tue, 29 Nov 2011 19:45:48 -0430 + mojarra (2.0.3-1) unstable; urgency=low * New upstream release. diff -Nru mojarra-2.0.3/debian/patches/650430.diff mojarra-2.0.3/debian/patches/650430.diff --- mojarra-2.0.3/debian/patches/650430.diff 1969-12-31 20:00:00.000000000 -0400 +++ mojarra-2.0.3/debian/patches/650430.diff 2011-11-30 07:11:08.000000000 -0430 
@@ -0,0 +1,365 @@ +Description: Do not allow the value of UIViewParam to be an EL Expression +Author: Ed Burns <ed.burns@sun.com> +Origin: upstream, http://java.net/projects/mojarra/sources/svn/revision/9468 +Bug: http://java.net/jira/browse/JAVASERVERFACES-2247 +Bug-Debian: http://bugs.debian.org/650430 +Forwarded: http://java.net/projects/mojarra/sources/svn/revision/9468 +Reviewed-By: Ed Burns <ed.burns@sun.com> +Last-Update: 2011-11-29 + +--- mojarra-2.0.3.orig/jsf-api/build.xml ++++ mojarra-2.0.3/jsf-api/build.xml +@@ -308,6 +308,9 @@ + filtering="true"/> + + <filter token="package" value="javax.faces.component"/> ++ <copy file="${tools.dir}/template-src/SharedUtils.java" ++ todir="${build.generate.dir}/javax/faces/component" ++ filtering="true"/> + <copy file="${tools.dir}/template-src/MessageFactory.java" + todir="${build.generate.dir}/javax/faces/component" + filtering="true"/> +--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_zh_TW.properties ++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_zh_TW.properties +@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=\ + severe.component.unable_to_process_expression=\u8655\u7406\u5c6c\u6027 {1} \u7684\u8868\u793a\u5f0f {0} \u6642\u767c\u751f\u7570\u5e38\u3002 + severe.component.uiviewroot_error_invoking_phaselistener=\u547c\u53eb UIViewRoot PhaseListener {0} \u6642\u767c\u751f\u7570\u5e38\u3002 + warning.component.uiviewroot_non_serializable_attribute_viewmap=\u5c07\u4e0d\u53ef\u4e32\u5217\u5316\u7684\u5c6c\u6027\u503c\u8a2d\u70ba ViewMap\uff1a(\u6a5f\u78bc: {0}\uff0c\u503c\u985e\u5225: {1}) ++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}. 
++ + # PACKAGE javax.faces.context -------------------------------------------------- + + +--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_fr.properties ++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_fr.properties +@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=E + severe.component.unable_to_process_expression=Exception lors du traitement de l''expression {0} de l''attribut {1}. + severe.component.uiviewroot_error_invoking_phaselistener=Exception invoquant UIViewRoot PhaseListener {0}. + warning.component.uiviewroot_non_serializable_attribute_viewmap=D\u00e9finition d''une valeur d''attribut non-s\u00e9rialisable dans ViewMap\u00a0: (cl\u00e9\u00a0: {0}, classe de la valeur\u00a0: {1}) ++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}. ++ + # PACKAGE javax.faces.context -------------------------------------------------- + + +--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_zh_CN.properties ++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_zh_CN.properties +@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=\ + severe.component.unable_to_process_expression=\u5904\u7406\u5c5e\u6027 {1} \u7684\u8868\u8fbe\u5f0f {0} \u65f6\u51fa\u73b0\u5f02\u5e38\u3002 + severe.component.uiviewroot_error_invoking_phaselistener=\u8c03\u7528 UIViewRoot PhaseListener {0} \u65f6\u51fa\u73b0\u5f02\u5e38\u3002 + warning.component.uiviewroot_non_serializable_attribute_viewmap=\u5c06\u4e0d\u53ef\u5e8f\u5217\u5316\u5c5e\u6027\u503c\u8bbe\u7f6e\u4e3a ViewMap\uff1a\uff08\u5bc6\u94a5\uff1a{0}\uff0c\u503c\u7c7b\uff1a{1}\uff09 ++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}. 
++ + # PACKAGE javax.faces.context -------------------------------------------------- + + +--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings.properties ++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings.properties +@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A + severe.component.unable_to_process_expression=Exception while processing expression {0} for attribute {1}. + severe.component.uiviewroot_error_invoking_phaselistener=Exception invoking UIViewRoot PhaseListener {0}. + warning.component.uiviewroot_non_serializable_attribute_viewmap=Setting non-serializable attribute value into ViewMap: (key: {0}, value class: {1}) ++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}. ++ + # PACKAGE javax.faces.context -------------------------------------------------- + + +--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_de.properties ++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_de.properties +@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A + severe.component.unable_to_process_expression=Ausnahme beim Verarbeiten von Ausdruck {0} f\u00fcr Attribut {1}. + severe.component.uiviewroot_error_invoking_phaselistener=Ausnahme ruft UIViewRoot PhaseListener {0} auf. + warning.component.uiviewroot_non_serializable_attribute_viewmap=Der nicht serialisierbare Attributswert wird in ViewMap eingestellt: (Schl\u00fcssel: {0}, Wertklasse: {1}) ++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}. 
++ + # PACKAGE javax.faces.context -------------------------------------------------- + + +--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_es.properties ++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_es.properties +@@ -54,6 +54,9 @@ error.component.abortprocessing_thrown=S + severe.component.unable_to_process_expression=Excepci\u00f3n al procesar la expresi\u00f3n {0} para el atributo {1}. + severe.component.uiviewroot_error_invoking_phaselistener=Excepci\u00f3n al invocar la escucha de fase UIViewRoot {0}. + warning.component.uiviewroot_non_serializable_attribute_viewmap=Definiendo valor de atributo no serializable en ViewMap: (clave: {0}, clase de valor: {1}) ++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}. ++ ++ + # PACKAGE javax.faces.context -------------------------------------------------- + + +--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_pt_BR.properties ++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_pt_BR.properties +@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A + severe.component.unable_to_process_expression=Exce\u00e7\u00e3o criada durante o processamento da express\u00e3o {0} para o atributo {1}. + severe.component.uiviewroot_error_invoking_phaselistener=Exce\u00e7\u00e3o criada ao invocar\u00b7UIViewRoot PhaseListener {0}. + warning.component.uiviewroot_non_serializable_attribute_viewmap=Definindo valor de atributo n\u00e3o serializ\u00e1vel em ViewMap (chave: {0}, classe do valor: {1}). ++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}. 
++ + # PACKAGE javax.faces.context -------------------------------------------------- + + +--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_ko.properties ++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_ko.properties +@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=I + severe.component.unable_to_process_expression={1} \uc18d\uc131\uc5d0 \ub300\ud55c \ud45c\ud604\uc2dd {0}\uc744(\ub97c) \ucc98\ub9ac\ud558\ub294 \uc911 \uc624\ub958\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4. + severe.component.uiviewroot_error_invoking_phaselistener=UIViewRoot PhaseListener {0}\uc744(\ub97c) \ud638\ucd9c\ud558\ub294 \uc911 \uc608\uc678\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4. + warning.component.uiviewroot_non_serializable_attribute_viewmap=\uc77c\ub828\ud654\ud560 \uc218 \uc5c6\ub294 \uc18d\uc131 \uac12\uc744 ViewMap\uc5d0 \uc124\uc815\ud558\ub294 \uc911: (\ud0a4: {0}, \uac12 \ud074\ub798\uc2a4: {1}) ++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}. 
++ + # PACKAGE javax.faces.context -------------------------------------------------- + + +--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_ja.properties ++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_ja.properties +@@ -54,6 +54,9 @@ error.component.abortprocessing_thrown=I + severe.component.unable_to_process_expression=\u5c5e\u6027 {1} \u306e\u5f0f {0} \u306e\u51e6\u7406\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002 + severe.component.uiviewroot_error_invoking_phaselistener=UIViewRoot PhaseListener {0} \u306e\u547c\u3073\u51fa\u3057\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002 + warning.component.uiviewroot_non_serializable_attribute_viewmap=\u30b7\u30ea\u30a2\u30e9\u30a4\u30ba\u3067\u304d\u306a\u3044\u5c5e\u6027\u5024\u3092 ViewMap \u306b\u8a2d\u5b9a\u3057\u3066\u3044\u307e\u3059: (\u30ad\u30fc: {0}\u3001\u5024\u30af\u30e9\u30b9: {1}) ++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}. 
++ ++ + # PACKAGE javax.faces.context -------------------------------------------------- + + +--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/component/UIViewParameter.java ++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/component/UIViewParameter.java +@@ -37,6 +37,8 @@ + package javax.faces.component; + + import java.io.IOException; ++import java.util.logging.Level; ++import java.util.logging.Logger; + import javax.el.ValueExpression; + import javax.faces.FactoryFinder; + import javax.faces.application.FacesMessage; +@@ -71,6 +73,9 @@ import javax.faces.render.Renderer; + * @since 2.0 + */ + public class UIViewParameter extends UIInput { ++ ++ private static Logger LOGGER = Logger.getLogger("javax.faces.component", ++ "javax.faces.LogStrings"); + + + // ------------------------------------------------------ Manifest Constants +@@ -342,7 +347,8 @@ public class UIViewParameter extends UII + } + + Object currentValue = ve.getValue(context.getELContext()); +- ++ String result = null; ++ + // If there is a converter attribute, use it to to ask application + // instance for a converter with this identifer. + Converter c = getConverter(); +@@ -355,23 +361,35 @@ public class UIViewParameter extends UII + } + // Do not look for "by-type" converters for Strings + if (currentValue instanceof String) { +- return (String) currentValue; ++ result = (String) currentValue; ++ } else { ++ // if converter attribute set, try to acquire a converter ++ // using its class type. ++ ++ Class converterType = currentValue.getClass(); ++ c = context.getApplication().createConverter(converterType); ++ ++ // if there is no default converter available for this identifier, ++ // assume the model type to be String. ++ if (c == null) { ++ result = currentValue.toString(); ++ } + } ++ } ++ if (null == result && null != c) { ++ result = c.getAsString(context, this, currentValue); ++ } + +- // if converter attribute set, try to acquire a converter +- // using its class type. 
+- +- Class converterType = currentValue.getClass(); +- c = context.getApplication().createConverter(converterType); +- +- // if there is no default converter available for this identifier, +- // assume the model type to be String. +- if (c == null) { +- return currentValue.toString(); ++ if (SharedUtils.isExpression(result)) { ++ if (LOGGER.isLoggable(Level.SEVERE)) { ++ LOGGER.log(Level.SEVERE, ++ "severe.uiviewparam_value_is_expression", ++ new Object[] { result }); + } ++ result = null; + } + +- return c.getAsString(context, this, currentValue); ++ return result; + } + + /** +--- /dev/null ++++ mojarra-2.0.3/jsf-tools/template-src/SharedUtils.java +@@ -0,0 +1,79 @@ ++/* ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. ++ * ++ * Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved. ++ * ++ * The contents of this file are subject to the terms of either the GNU ++ * General Public License Version 2 only ("GPL") or the Common Development ++ * and Distribution License("CDDL") (collectively, the "License"). You ++ * may not use this file except in compliance with the License. You can ++ * obtain a copy of the License at ++ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html ++ * or packager/legal/LICENSE.txt. See the License for the specific ++ * language governing permissions and limitations under the License. ++ * ++ * When distributing the software, include this License Header Notice in each ++ * file and include the License file at packager/legal/LICENSE.txt. ++ * ++ * GPL Classpath Exception: ++ * Oracle designates this particular file as subject to the "Classpath" ++ * exception as provided by Oracle in the GPL Version 2 section of the License ++ * file that accompanied this code. 
++ * ++ * Modifications: ++ * If applicable, add the following below the License Header, with the fields ++ * enclosed by brackets [] replaced by your own identifying information: ++ * "Portions Copyright [year] [name of copyright owner]" ++ * ++ * Contributor(s): ++ * If you wish your version of this file to be governed by only the CDDL or ++ * only the GPL Version 2, indicate your decision by adding "[Contributor] ++ * elects to include this software in this distribution under the [CDDL or GPL ++ * Version 2] license." If you don't indicate a single choice of license, a ++ * recipient has the option to distribute your version of this file under ++ * either the CDDL, the GPL Version 2 or to extend the choice of license to ++ * its licensees as provided above. However, if you add GPL Version 2 code ++ * and therefore, elected the GPL Version 2 license, then the option applies ++ * only if the new code is made subject to such option by the copyright ++ * holder. ++ */ ++ ++package @package@; ++ ++class SharedUtils { ++ ++ /* ++ * Determine whether String is a mixed value binding expression or not. ++ */ ++ public static boolean isMixedExpression(String expression) { ++ ++ if (null == expression) { ++ return false; ++ } ++ ++ // if it doesn't start and end with delimiters ++ return (!(expression.startsWith("#{") && expression.endsWith("}"))) ++ && isExpression(expression); ++ ++ } ++ ++ ++ /* ++ * Determine whether String is a value binding expression or not. ++ */ ++ public static boolean isExpression(String expression) { ++ ++ if (null == expression) { ++ return false; ++ } ++ int start = expression.indexOf("#{"); ++ ++ //check to see if attribute has an expression ++ return (expression.indexOf("#{") != -1) && ++ (start < expression.indexOf('}')); ++ ++ ++ } ++ ++ ++} +--- /dev/null ++++ mojarra-2.0.3/template-src/SharedUtils.java +@@ -0,0 +1,79 @@ ++/* ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. 
++ * ++ * Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved. ++ * ++ * The contents of this file are subject to the terms of either the GNU ++ * General Public License Version 2 only ("GPL") or the Common Development ++ * and Distribution License("CDDL") (collectively, the "License"). You ++ * may not use this file except in compliance with the License. You can ++ * obtain a copy of the License at ++ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html ++ * or packager/legal/LICENSE.txt. See the License for the specific ++ * language governing permissions and limitations under the License. ++ * ++ * When distributing the software, include this License Header Notice in each ++ * file and include the License file at packager/legal/LICENSE.txt. ++ * ++ * GPL Classpath Exception: ++ * Oracle designates this particular file as subject to the "Classpath" ++ * exception as provided by Oracle in the GPL Version 2 section of the License ++ * file that accompanied this code. ++ * ++ * Modifications: ++ * If applicable, add the following below the License Header, with the fields ++ * enclosed by brackets [] replaced by your own identifying information: ++ * "Portions Copyright [year] [name of copyright owner]" ++ * ++ * Contributor(s): ++ * If you wish your version of this file to be governed by only the CDDL or ++ * only the GPL Version 2, indicate your decision by adding "[Contributor] ++ * elects to include this software in this distribution under the [CDDL or GPL ++ * Version 2] license." If you don't indicate a single choice of license, a ++ * recipient has the option to distribute your version of this file under ++ * either the CDDL, the GPL Version 2 or to extend the choice of license to ++ * its licensees as provided above. However, if you add GPL Version 2 code ++ * and therefore, elected the GPL Version 2 license, then the option applies ++ * only if the new code is made subject to such option by the copyright ++ * holder. 
++ */ ++ ++package @package@; ++ ++class SharedUtils { ++ ++ /* ++ * Determine whether String is a mixed value binding expression or not. ++ */ ++ public static boolean isMixedExpression(String expression) { ++ ++ if (null == expression) { ++ return false; ++ } ++ ++ // if it doesn't start and end with delimiters ++ return (!(expression.startsWith("#{") && expression.endsWith("}"))) ++ && isExpression(expression); ++ ++ } ++ ++ ++ /* ++ * Determine whether String is a value binding expression or not. ++ */ ++ public static boolean isExpression(String expression) { ++ ++ if (null == expression) { ++ return false; ++ } ++ int start = expression.indexOf("#{"); ++ ++ //check to see if attribute has an expression ++ return (expression.indexOf("#{") != -1) && ++ (start < expression.indexOf('}')); ++ ++ ++ } ++ ++ ++} diff -Nru mojarra-2.0.3/debian/patches/series mojarra-2.0.3/debian/patches/series --- mojarra-2.0.3/debian/patches/series 2010-07-11 14:45:46.000000000 -0430 +++ mojarra-2.0.3/debian/patches/series 2011-11-30 07:11:08.000000000 -0430 @@ -1 +1,2 @@ fix_debian_build.diff +650430.diff
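Review bot: the debian/changelog entry (and the DEP-3 Description line of 650430.diff) names the class "UIViewParam", but the file being patched is jsf-api/src/main/java/javax/faces/component/UIViewParameter.java; use the real class name so the entry matches the code and the upstream JAVASERVERFACES-2247 reference.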
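Review bot: in all nine LogStrings*.properties hunks the new message text reads "The value of a UIParameter must not be an expression literal" while the key is severe.uiviewparam_value_is_expression and the check lives in UIViewParameter; the message names the wrong class and will mislead whoever reads the log. The eight localized bundles (de, es, fr, ja, ko, pt_BR, zh_CN, zh_TW) receive the same untranslated English string; ResourceBundle already falls back to the base LogStrings.properties for a key missing from a locale bundle, so those copies are redundant unless translations are supplied. The _es and _ja hunks also add an extra trailing blank line (+1,9 instead of +1,8 like the others).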
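Review bot: in the UIViewParameter hunk that introduces the logger, `private static Logger LOGGER` should be `private static final Logger LOGGER`; a mutable static on a public API class is a needless write target and the ALL_CAPS name already signals a constant.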
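Review bot: in the `@@ -355,23 +361,35 @@` hunk of UIViewParameter.getStringValueFromModel, a value that trips SharedUtils.isExpression is set to null and `return result;` then returns null; nothing in the hunk shows how the caller treats a null return, so confirm it omits the parameter (rather than emitting the string "null" or throwing) before this ships. Running the check on the final string after conversion is the right place, but it recognises only the `#{ ... }` form; if whatever consumes this string also evaluates `${ ... }`, that form passes through unchanged, so verify which delimiters the consuming code accepts. The SEVERE record embeds the value verbatim via `new Object[] { result }`; for a view parameter that value originates from the request, so truncate it or strip control characters before logging to keep a crafted parameter from injecting fake log lines. Minor: `Class converterType = currentValue.getClass();` is a raw type and would read better as `Class<?>`.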
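Review bot: in jsf-tools/template-src/SharedUtils.java, isExpression compares the position of the first "#{" with the position of the first '}' anywhere in the string (`start < expression.indexOf('}')`), so a value such as `a} #{b}` is reported as not an expression even though it contains a complete `#{b}`; look for the closing brace after the opening delimiter instead, for example `expression.indexOf('}', start) != -1`. The method also calls `expression.indexOf("#{")` a second time when `start` already holds that result. isMixedExpression is copied in but nothing in this patch calls it; since the class is package-private and generated into javax.faces.component, either drop the unused method or say where it is used.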
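Review bot: mojarra-2.0.3/template-src/SharedUtils.java is a byte-for-byte duplicate of jsf-tools/template-src/SharedUtils.java, and the build.xml hunk copies only `${tools.dir}/template-src/SharedUtils.java`; whichever directory tools.dir resolves to, the other copy is unreferenced by anything in this diff. Ship a single copy (the one the build uses) so a later fix to isExpression cannot land in one file and not the other.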