
Bug#650542: pu: package mojarra/2.0.3-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi folks,

I have prepared an upload to fix #650430 / CVE-2011-4358.

This bug affects mojarra 2.0.3-1 in stable.

I'm attaching the debdiff with the backported patch that fixes
this issue and the updated package meant for squeeze.

I plan to do an urgent upload to unstable before the weekend.

A patch and a link to a PoC can be found in the body of the #650430 report.

Are you OK with uploading a fix for this to s-p-u?

Cheers,

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (800, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
diff -Nru mojarra-2.0.3/debian/changelog mojarra-2.0.3/debian/changelog
--- mojarra-2.0.3/debian/changelog	2010-07-11 14:45:46.000000000 -0430
+++ mojarra-2.0.3/debian/changelog	2011-11-30 07:11:08.000000000 -0430
@@ -1,3 +1,10 @@
+mojarra (2.0.3-1squeeze1) stable; urgency=high
+
+  * Fixed critical bug by not allowing the value of UIViewParam to be an
+    EL Expression: CVE-2011-4358. (Closes: #650430).
+
+ -- Miguel Landaeta <miguel@miguel.cc>  Tue, 29 Nov 2011 19:45:48 -0430
+
 mojarra (2.0.3-1) unstable; urgency=low
 
   * New upstream release.
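Review bot: the changelog entry describes the mechanism ("not allowing the value of UIViewParam to be an EL Expression") but not the impact; a stable update entry is easier for the release team to assess if it also states in one line what an attacker could do before the fix (what the expression gets evaluated as, and from which input), with the CVE and bug references kept as they are.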
diff -Nru mojarra-2.0.3/debian/patches/650430.diff mojarra-2.0.3/debian/patches/650430.diff
--- mojarra-2.0.3/debian/patches/650430.diff	1969-12-31 20:00:00.000000000 -0400
+++ mojarra-2.0.3/debian/patches/650430.diff	2011-11-30 07:11:08.000000000 -0430
@@ -0,0 +1,365 @@
+Description: Do not allow the value of UIViewParam to be an EL Expression
+Author: Ed Burns <ed.burns@sun.com>
+Origin: upstream, http://java.net/projects/mojarra/sources/svn/revision/9468
+Bug: http://java.net/jira/browse/JAVASERVERFACES-2247
+Bug-Debian: http://bugs.debian.org/650430
+Forwarded: http://java.net/projects/mojarra/sources/svn/revision/9468
+Reviewed-By: Ed Burns <ed.burns@sun.com>
+Last-Update: 2011-11-29
+
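Review bot: `Forwarded:` just repeats the `Origin:` URL; in DEP-3 `Forwarded` records whether a Debian-authored patch has been sent upstream, so for a patch that is itself an upstream revision `Origin: upstream, <url>` already says everything and the `Forwarded` line can be dropped. `Reviewed-By:` naming the same person as `Author:` likewise adds nothing; recording who verified the backport against 2.0.3 would.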
+--- mojarra-2.0.3.orig/jsf-api/build.xml
++++ mojarra-2.0.3/jsf-api/build.xml
+@@ -308,6 +308,9 @@
+               filtering="true"/>
+ 
+         <filter token="package" value="javax.faces.component"/>
++        <copy file="${tools.dir}/template-src/SharedUtils.java"
++              todir="${build.generate.dir}/javax/faces/component"
++              filtering="true"/>
+         <copy file="${tools.dir}/template-src/MessageFactory.java"
+               todir="${build.generate.dir}/javax/faces/component"
+               filtering="true"/>
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_zh_TW.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_zh_TW.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=\
+ severe.component.unable_to_process_expression=\u8655\u7406\u5c6c\u6027 {1} \u7684\u8868\u793a\u5f0f {0} \u6642\u767c\u751f\u7570\u5e38\u3002 
+ severe.component.uiviewroot_error_invoking_phaselistener=\u547c\u53eb UIViewRoot PhaseListener {0} \u6642\u767c\u751f\u7570\u5e38\u3002
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=\u5c07\u4e0d\u53ef\u4e32\u5217\u5316\u7684\u5c6c\u6027\u503c\u8a2d\u70ba ViewMap\uff1a(\u6a5f\u78bc: {0}\uff0c\u503c\u985e\u5225: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
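Review bot: the new `severe.uiviewparam_value_is_expression` entry is added to this locale bundle in English. The logger in `UIViewParameter` is created with the base bundle name `javax.faces.LogStrings`, and `ResourceBundle` lookup falls back to the base file for any key a locale file lacks, so untranslated copies in `_zh_TW` (and in the `_fr`, `_zh_CN`, `_de`, `_es`, `_pt_BR`, `_ko` and `_ja` hunks below) are redundant: either translate them or add the key only to `LogStrings.properties`.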
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_fr.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_fr.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=E
+ severe.component.unable_to_process_expression=Exception lors du traitement de l''expression {0} de l''attribut {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Exception invoquant UIViewRoot PhaseListener {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=D\u00e9finition d''une valeur d''attribut non-s\u00e9rialisable dans ViewMap\u00a0: (cl\u00e9\u00a0: {0}, classe de la valeur\u00a0: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_zh_CN.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_zh_CN.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=\
+ severe.component.unable_to_process_expression=\u5904\u7406\u5c5e\u6027 {1} \u7684\u8868\u8fbe\u5f0f {0} \u65f6\u51fa\u73b0\u5f02\u5e38\u3002
+ severe.component.uiviewroot_error_invoking_phaselistener=\u8c03\u7528 UIViewRoot PhaseListener {0} \u65f6\u51fa\u73b0\u5f02\u5e38\u3002
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=\u5c06\u4e0d\u53ef\u5e8f\u5217\u5316\u5c5e\u6027\u503c\u8bbe\u7f6e\u4e3a ViewMap\uff1a\uff08\u5bc6\u94a5\uff1a{0}\uff0c\u503c\u7c7b\uff1a{1}\uff09
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A
+ severe.component.unable_to_process_expression=Exception while processing expression {0} for attribute {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Exception invoking UIViewRoot PhaseListener {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Setting non-serializable attribute value into ViewMap: (key: {0}, value class: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
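Review bot: the message text says "UIParameter", but the key name and the only caller concern a `UIViewParameter` value; say "UIViewParameter" so an operator reading the log line is pointed at the right component.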
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_de.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_de.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A
+ severe.component.unable_to_process_expression=Ausnahme beim Verarbeiten von Ausdruck {0} f\u00fcr Attribut {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Ausnahme ruft UIViewRoot PhaseListener {0} auf.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Der nicht serialisierbare Attributswert wird in ViewMap eingestellt: (Schl\u00fcssel: {0}, Wertklasse: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_es.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_es.properties
+@@ -54,6 +54,9 @@ error.component.abortprocessing_thrown=S
+ severe.component.unable_to_process_expression=Excepci\u00f3n al procesar la expresi\u00f3n {0} para el atributo {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Excepci\u00f3n al invocar la escucha de fase UIViewRoot {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Definiendo valor de atributo no serializable en ViewMap: (clave: {0}, clase de valor: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_pt_BR.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_pt_BR.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A
+ severe.component.unable_to_process_expression=Exce\u00e7\u00e3o criada durante o processamento da express\u00e3o {0} para o atributo {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Exce\u00e7\u00e3o criada ao invocar\u00b7UIViewRoot PhaseListener {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Definindo valor de atributo n\u00e3o serializ\u00e1vel em ViewMap (chave: {0}, classe do valor: {1}).
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_ko.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_ko.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=I
+ severe.component.unable_to_process_expression={1} \uc18d\uc131\uc5d0 \ub300\ud55c \ud45c\ud604\uc2dd {0}\uc744(\ub97c) \ucc98\ub9ac\ud558\ub294 \uc911 \uc624\ub958\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4.
+ severe.component.uiviewroot_error_invoking_phaselistener=UIViewRoot PhaseListener {0}\uc744(\ub97c) \ud638\ucd9c\ud558\ub294 \uc911 \uc608\uc678\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=\uc77c\ub828\ud654\ud560 \uc218 \uc5c6\ub294 \uc18d\uc131 \uac12\uc744 ViewMap\uc5d0 \uc124\uc815\ud558\ub294 \uc911: (\ud0a4: {0}, \uac12 \ud074\ub798\uc2a4: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_ja.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_ja.properties
+@@ -54,6 +54,9 @@ error.component.abortprocessing_thrown=I
+ severe.component.unable_to_process_expression=\u5c5e\u6027 {1} \u306e\u5f0f {0} \u306e\u51e6\u7406\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002
+ severe.component.uiviewroot_error_invoking_phaselistener=UIViewRoot PhaseListener {0} \u306e\u547c\u3073\u51fa\u3057\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=\u30b7\u30ea\u30a2\u30e9\u30a4\u30ba\u3067\u304d\u306a\u3044\u5c5e\u6027\u5024\u3092 ViewMap \u306b\u8a2d\u5b9a\u3057\u3066\u3044\u307e\u3059: (\u30ad\u30fc: {0}\u3001\u5024\u30af\u30e9\u30b9: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/component/UIViewParameter.java
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/component/UIViewParameter.java
+@@ -37,6 +37,8 @@
+ package javax.faces.component;
+ 
+ import java.io.IOException;
++import java.util.logging.Level;
++import java.util.logging.Logger;
+ import javax.el.ValueExpression;
+ import javax.faces.FactoryFinder;
+ import javax.faces.application.FacesMessage;
+@@ -71,6 +73,9 @@ import javax.faces.render.Renderer;
+  * @since 2.0
+  */
+ public class UIViewParameter extends UIInput {
++    
++    private static Logger LOGGER = Logger.getLogger("javax.faces.component",
++            "javax.faces.LogStrings");
+ 
+     
+     // ------------------------------------------------------ Manifest Constants
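Review bot: `LOGGER` should be `private static final Logger`; nothing reassigns it, and a mutable static logger field is the one style point in this hunk.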
+@@ -342,7 +347,8 @@ public class UIViewParameter extends UII
+         }
+ 
+         Object currentValue = ve.getValue(context.getELContext());
+-
++        String result = null;
++        
+         // If there is a converter attribute, use it to to ask application
+         // instance for a converter with this identifer.
+         Converter c = getConverter();
+@@ -355,23 +361,35 @@ public class UIViewParameter extends UII
+             }
+             // Do not look for "by-type" converters for Strings
+             if (currentValue instanceof String) {
+-                return (String) currentValue;
++                result = (String) currentValue;
++            } else {
++                // if converter attribute set, try to acquire a converter
++                // using its class type.
++                
++                Class converterType = currentValue.getClass();
++                c = context.getApplication().createConverter(converterType);
++                
++                // if there is no default converter available for this identifier,
++                // assume the model type to be String.
++                if (c == null) {
++                    result = currentValue.toString();
++                }
+             }
++        }
++        if (null == result && null != c) {
++            result = c.getAsString(context, this, currentValue);
++        }
+ 
+-            // if converter attribute set, try to acquire a converter
+-            // using its class type.
+-
+-            Class converterType = currentValue.getClass();
+-            c = context.getApplication().createConverter(converterType);
+-
+-            // if there is no default converter available for this identifier,
+-            // assume the model type to be String.
+-            if (c == null) {
+-                return currentValue.toString();
++        if (SharedUtils.isExpression(result)) {
++            if (LOGGER.isLoggable(Level.SEVERE)) {
++                LOGGER.log(Level.SEVERE,
++                        "severe.uiviewparam_value_is_expression",
++                        new Object[] { result });
+             }
++            result = null;
+         }
+ 
+-        return c.getAsString(context, this, currentValue);
++        return result;
+     }
+ 
+     /**
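Review bot: the method now returns `null` instead of a string whenever `SharedUtils.isExpression(result)` is true, and nothing in this hunk shows the callers tolerating that; check the encode/render path that consumed the old non-null return so a rejected value ends up as a clearly refused parameter rather than a NullPointerException or a silently empty one. Two smaller points: the SEVERE log call writes the rejected value `{0}`, which is exactly the input the fix exists to refuse, verbatim into the server log, so consider truncating or escaping it before logging; and the moved comment "if converter attribute set, try to acquire a converter using its class type" now sits on the branch that runs when no converter attribute is set, so it should say the opposite.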
+--- /dev/null
++++ mojarra-2.0.3/jsf-tools/template-src/SharedUtils.java
+@@ -0,0 +1,79 @@
++/*
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
++ *
++ * Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved.
++ *
++ * The contents of this file are subject to the terms of either the GNU
++ * General Public License Version 2 only ("GPL") or the Common Development
++ * and Distribution License("CDDL") (collectively, the "License").  You
++ * may not use this file except in compliance with the License.  You can
++ * obtain a copy of the License at
++ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
++ * or packager/legal/LICENSE.txt.  See the License for the specific
++ * language governing permissions and limitations under the License.
++ *
++ * When distributing the software, include this License Header Notice in each
++ * file and include the License file at packager/legal/LICENSE.txt.
++ *
++ * GPL Classpath Exception:
++ * Oracle designates this particular file as subject to the "Classpath"
++ * exception as provided by Oracle in the GPL Version 2 section of the License
++ * file that accompanied this code.
++ *
++ * Modifications:
++ * If applicable, add the following below the License Header, with the fields
++ * enclosed by brackets [] replaced by your own identifying information:
++ * "Portions Copyright [year] [name of copyright owner]"
++ *
++ * Contributor(s):
++ * If you wish your version of this file to be governed by only the CDDL or
++ * only the GPL Version 2, indicate your decision by adding "[Contributor]
++ * elects to include this software in this distribution under the [CDDL or GPL
++ * Version 2] license."  If you don't indicate a single choice of license, a
++ * recipient has the option to distribute your version of this file under
++ * either the CDDL, the GPL Version 2 or to extend the choice of license to
++ * its licensees as provided above.  However, if you add GPL Version 2 code
++ * and therefore, elected the GPL Version 2 license, then the option applies
++ * only if the new code is made subject to such option by the copyright
++ * holder.
++ */
++
++package @package@;
++
++class SharedUtils {
++
++    /*
++    * Determine whether String is a mixed value binding expression or not.
++    */
++    public static boolean isMixedExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++
++        // if it doesn't start and end with delimiters
++        return (!(expression.startsWith("#{") && expression.endsWith("}")))
++                  && isExpression(expression);
++
++    }
++
++
++    /*
++    * Determine whether String is a value binding expression or not.
++    */
++    public static boolean isExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++        int start = expression.indexOf("#{");
++
++        //check to see if attribute has an expression
++        return (expression.indexOf("#{") != -1) &&
++               (start < expression.indexOf('}'));
++
++
++    }
++
++
++}
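Review bot: `isExpression` compares `indexOf("#{")` against `indexOf('}')` measured from the start of the string, so a closing brace that appears before the first `#{` makes the test return false even though a complete `#{...}` follows; use `expression.indexOf('}', start)` so the closing brace is searched for after the opening delimiter. The check also recognises only `#{`; if `${` can reach the same evaluation path it needs the same treatment. `isMixedExpression` is not used anywhere in this patch and can be left out of the backport.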
+--- /dev/null
++++ mojarra-2.0.3/template-src/SharedUtils.java
+@@ -0,0 +1,79 @@
++/*
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
++ *
++ * Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved.
++ *
++ * The contents of this file are subject to the terms of either the GNU
++ * General Public License Version 2 only ("GPL") or the Common Development
++ * and Distribution License("CDDL") (collectively, the "License").  You
++ * may not use this file except in compliance with the License.  You can
++ * obtain a copy of the License at
++ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
++ * or packager/legal/LICENSE.txt.  See the License for the specific
++ * language governing permissions and limitations under the License.
++ *
++ * When distributing the software, include this License Header Notice in each
++ * file and include the License file at packager/legal/LICENSE.txt.
++ *
++ * GPL Classpath Exception:
++ * Oracle designates this particular file as subject to the "Classpath"
++ * exception as provided by Oracle in the GPL Version 2 section of the License
++ * file that accompanied this code.
++ *
++ * Modifications:
++ * If applicable, add the following below the License Header, with the fields
++ * enclosed by brackets [] replaced by your own identifying information:
++ * "Portions Copyright [year] [name of copyright owner]"
++ *
++ * Contributor(s):
++ * If you wish your version of this file to be governed by only the CDDL or
++ * only the GPL Version 2, indicate your decision by adding "[Contributor]
++ * elects to include this software in this distribution under the [CDDL or GPL
++ * Version 2] license."  If you don't indicate a single choice of license, a
++ * recipient has the option to distribute your version of this file under
++ * either the CDDL, the GPL Version 2 or to extend the choice of license to
++ * its licensees as provided above.  However, if you add GPL Version 2 code
++ * and therefore, elected the GPL Version 2 license, then the option applies
++ * only if the new code is made subject to such option by the copyright
++ * holder.
++ */
++
++package @package@;
++
++class SharedUtils {
++
++    /*
++    * Determine whether String is a mixed value binding expression or not.
++    */
++    public static boolean isMixedExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++
++        // if it doesn't start and end with delimiters
++        return (!(expression.startsWith("#{") && expression.endsWith("}")))
++                  && isExpression(expression);
++
++    }
++
++
++    /*
++    * Determine whether String is a value binding expression or not.
++    */
++    public static boolean isExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++        int start = expression.indexOf("#{");
++
++        //check to see if attribute has an expression
++        return (expression.indexOf("#{") != -1) &&
++               (start < expression.indexOf('}'));
++
++
++    }
++
++
++}
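Review bot: this file is a byte-for-byte duplicate of the `jsf-tools/template-src/SharedUtils.java` added above, while the `build.xml` hunk copies only `${tools.dir}/template-src/SharedUtils.java`; confirm which directory `tools.dir` resolves to in the Debian build (the existing `fix_debian_build.diff` in `series` may redirect it) and drop the copy that is never read, so the two cannot drift apart.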
diff -Nru mojarra-2.0.3/debian/patches/series mojarra-2.0.3/debian/patches/series
--- mojarra-2.0.3/debian/patches/series	2010-07-11 14:45:46.000000000 -0430
+++ mojarra-2.0.3/debian/patches/series	2011-11-30 07:11:08.000000000 -0430
@@ -1 +1,2 @@
 fix_debian_build.diff
+650430.diff

Attachment: signature.asc
Description: Digital signature