
Bug#650542: marked as done (pu: package mojarra/2.0.3-1)



Your message dated Wed, 30 Nov 2011 21:12:47 +0000
with message-id <1322687568.20974.9.camel@hathi.jungle.funky-badger.org>
and subject line Re: Bug#650542: pu: package mojarra/2.0.3-1
has caused the Debian Bug report #650542,
regarding pu: package mojarra/2.0.3-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
650542: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650542
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi folks,

I have prepared an upload to fix #650430 / CVE-2011-4358.

This bug affects mojarra 2.0.3-1 in stable.

I'm attaching the debdiff with the backported patch that fixes
this issue and the updated package meant for squeeze.

I plan to do an urgent upload to unstable before the weekend.

A patch and a link to a PoC can be found in the body of the #650430 report.

Are you OK with uploading a fix for this to s-p-u?

Cheers,

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (800, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.0.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x7D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
diff -Nru mojarra-2.0.3/debian/changelog mojarra-2.0.3/debian/changelog
--- mojarra-2.0.3/debian/changelog	2010-07-11 14:45:46.000000000 -0430
+++ mojarra-2.0.3/debian/changelog	2011-11-30 07:11:08.000000000 -0430
@@ -1,3 +1,10 @@
+mojarra (2.0.3-1squeeze1) stable; urgency=high
+
+  * Fixed critical bug by not allowing the value of UIViewParam to be an
+    EL Expression: CVE-2011-4358. (Closes: #650430).
+
+ -- Miguel Landaeta <miguel@miguel.cc>  Tue, 29 Nov 2011 19:45:48 -0430
+
 mojarra (2.0.3-1) unstable; urgency=low
 
   * New upstream release.
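Review bot: the new entry targets `stable` with `urgency=high`, but the outcome of this thread is that the fix goes through stable-security as a DSA rather than via s-p-u, so the distribution field will need to become the security suite (and the version string re-checked against whatever the security team expects) before upload. The changelog also says "UIViewParam" while the component patched below is `UIViewParameter`; use the real class name so the entry can be grepped against the code.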
diff -Nru mojarra-2.0.3/debian/patches/650430.diff mojarra-2.0.3/debian/patches/650430.diff
--- mojarra-2.0.3/debian/patches/650430.diff	1969-12-31 20:00:00.000000000 -0400
+++ mojarra-2.0.3/debian/patches/650430.diff	2011-11-30 07:11:08.000000000 -0430
@@ -0,0 +1,365 @@
+Description: Do not allow the value of UIViewParam to be an EL Expression
+Author: Ed Burns <ed.burns@sun.com>
+Origin: upstream, http://java.net/projects/mojarra/sources/svn/revision/9468
+Bug: http://java.net/jira/browse/JAVASERVERFACES-2247
+Bug-Debian: http://bugs.debian.org/650430
+Forwarded: http://java.net/projects/mojarra/sources/svn/revision/9468
+Reviewed-By: Ed Burns <ed.burns@sun.com>
+Last-Update: 2011-11-29
+
+--- mojarra-2.0.3.orig/jsf-api/build.xml
++++ mojarra-2.0.3/jsf-api/build.xml
+@@ -308,6 +308,9 @@
+               filtering="true"/>
+ 
+         <filter token="package" value="javax.faces.component"/>
++        <copy file="${tools.dir}/template-src/SharedUtils.java"
++              todir="${build.generate.dir}/javax/faces/component"
++              filtering="true"/>
+         <copy file="${tools.dir}/template-src/MessageFactory.java"
+               todir="${build.generate.dir}/javax/faces/component"
+               filtering="true"/>
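Review bot: only `${tools.dir}/template-src/SharedUtils.java` is consumed by this `<copy>`, yet the patch adds a second, byte-identical `template-src/SharedUtils.java` at the source root that no build rule in the diff references; drop the unreferenced copy or add the rule that uses it, so the class is not maintained in two places. Note also that the preceding `<filter token="package" value="javax.faces.component"/>` stamps the `@package@` token to `javax.faces.component`, and the template declares the class package-private, so `SharedUtils` will be visible to `UIViewParameter` but to nothing outside that package.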
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_zh_TW.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_zh_TW.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=\
+ severe.component.unable_to_process_expression=\u8655\u7406\u5c6c\u6027 {1} \u7684\u8868\u793a\u5f0f {0} \u6642\u767c\u751f\u7570\u5e38\u3002 
+ severe.component.uiviewroot_error_invoking_phaselistener=\u547c\u53eb UIViewRoot PhaseListener {0} \u6642\u767c\u751f\u7570\u5e38\u3002
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=\u5c07\u4e0d\u53ef\u4e32\u5217\u5316\u7684\u5c6c\u6027\u503c\u8a2d\u70ba ViewMap\uff1a(\u6a5f\u78bc: {0}\uff0c\u503c\u985e\u5225: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
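Review bot: the string added to the zh_TW bundle is in English, and the same untranslated text is inserted into every other localized bundle in this patch (fr, zh_CN, de, es, pt_BR, ko, ja). Because `LogStrings.properties` already carries the English default and `PropertyResourceBundle` falls back to the parent bundle per missing key, either translate the message or leave it out of the localized files instead of shipping an English entry that masquerades as a translation. The key also breaks the `severe.component.*` namespacing used by its neighbours (`severe.component.unable_to_process_expression`, `severe.component.uiviewroot_error_invoking_phaselistener`); if it is renamed to `severe.component.uiviewparam_value_is_expression`, the `LOGGER.log(...)` call in UIViewParameter.java must change to match.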
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_fr.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_fr.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=E
+ severe.component.unable_to_process_expression=Exception lors du traitement de l''expression {0} de l''attribut {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Exception invoquant UIViewRoot PhaseListener {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=D\u00e9finition d''une valeur d''attribut non-s\u00e9rialisable dans ViewMap\u00a0: (cl\u00e9\u00a0: {0}, classe de la valeur\u00a0: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_zh_CN.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_zh_CN.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=\
+ severe.component.unable_to_process_expression=\u5904\u7406\u5c5e\u6027 {1} \u7684\u8868\u8fbe\u5f0f {0} \u65f6\u51fa\u73b0\u5f02\u5e38\u3002
+ severe.component.uiviewroot_error_invoking_phaselistener=\u8c03\u7528 UIViewRoot PhaseListener {0} \u65f6\u51fa\u73b0\u5f02\u5e38\u3002
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=\u5c06\u4e0d\u53ef\u5e8f\u5217\u5316\u5c5e\u6027\u503c\u8bbe\u7f6e\u4e3a ViewMap\uff1a\uff08\u5bc6\u94a5\uff1a{0}\uff0c\u503c\u7c7b\uff1a{1}\uff09
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A
+ severe.component.unable_to_process_expression=Exception while processing expression {0} for attribute {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Exception invoking UIViewRoot PhaseListener {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Setting non-serializable attribute value into ViewMap: (key: {0}, value class: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
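Review bot: the message reads "The value of a UIParameter must not be an expression literal", but the check is in `UIViewParameter` and the key is named `uiviewparam`; say `UIViewParameter` so an operator reading the log is pointed at the right component. The trailing "Ignoring expression value {0}" also writes the rejected string, which is exactly the untrusted value this fix exists to refuse, into the SEVERE log verbatim; decide whether that is intended, and if it is, consider truncating it so a long hostile value cannot bloat the log.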
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_de.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_de.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A
+ severe.component.unable_to_process_expression=Ausnahme beim Verarbeiten von Ausdruck {0} f\u00fcr Attribut {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Ausnahme ruft UIViewRoot PhaseListener {0} auf.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Der nicht serialisierbare Attributswert wird in ViewMap eingestellt: (Schl\u00fcssel: {0}, Wertklasse: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_es.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_es.properties
+@@ -54,6 +54,9 @@ error.component.abortprocessing_thrown=S
+ severe.component.unable_to_process_expression=Excepci\u00f3n al procesar la expresi\u00f3n {0} para el atributo {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Excepci\u00f3n al invocar la escucha de fase UIViewRoot {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Definiendo valor de atributo no serializable en ViewMap: (clave: {0}, clase de valor: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
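Review bot: two blank lines are inserted after the new key here (`@@ -54,6 +54,9 @@`) where the other bundles insert one; trim to one for consistency. The LogStrings_ja.properties hunk has the same extra line.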
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_pt_BR.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_pt_BR.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=A
+ severe.component.unable_to_process_expression=Exce\u00e7\u00e3o criada durante o processamento da express\u00e3o {0} para o atributo {1}.
+ severe.component.uiviewroot_error_invoking_phaselistener=Exce\u00e7\u00e3o criada ao invocar\u00b7UIViewRoot PhaseListener {0}.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=Definindo valor de atributo n\u00e3o serializ\u00e1vel em ViewMap (chave: {0}, classe do valor: {1}).
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_ko.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_ko.properties
+@@ -54,6 +54,8 @@ error.component.abortprocessing_thrown=I
+ severe.component.unable_to_process_expression={1} \uc18d\uc131\uc5d0 \ub300\ud55c \ud45c\ud604\uc2dd {0}\uc744(\ub97c) \ucc98\ub9ac\ud558\ub294 \uc911 \uc624\ub958\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4.
+ severe.component.uiviewroot_error_invoking_phaselistener=UIViewRoot PhaseListener {0}\uc744(\ub97c) \ud638\ucd9c\ud558\ub294 \uc911 \uc608\uc678\uac00 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4.
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=\uc77c\ub828\ud654\ud560 \uc218 \uc5c6\ub294 \uc18d\uc131 \uac12\uc744 ViewMap\uc5d0 \uc124\uc815\ud558\ub294 \uc911: (\ud0a4: {0}, \uac12 \ud074\ub798\uc2a4: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/LogStrings_ja.properties
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/LogStrings_ja.properties
+@@ -54,6 +54,9 @@ error.component.abortprocessing_thrown=I
+ severe.component.unable_to_process_expression=\u5c5e\u6027 {1} \u306e\u5f0f {0} \u306e\u51e6\u7406\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002
+ severe.component.uiviewroot_error_invoking_phaselistener=UIViewRoot PhaseListener {0} \u306e\u547c\u3073\u51fa\u3057\u4e2d\u306b\u4f8b\u5916\u304c\u767a\u751f\u3057\u307e\u3057\u305f\u3002
+ warning.component.uiviewroot_non_serializable_attribute_viewmap=\u30b7\u30ea\u30a2\u30e9\u30a4\u30ba\u3067\u304d\u306a\u3044\u5c5e\u6027\u5024\u3092 ViewMap \u306b\u8a2d\u5b9a\u3057\u3066\u3044\u307e\u3059: (\u30ad\u30fc: {0}\u3001\u5024\u30af\u30e9\u30b9: {1})
++severe.uiviewparam_value_is_expression=The value of a UIParameter must not be an expression literal. Ignoring expression value {0}.
++
++
+ # PACKAGE javax.faces.context --------------------------------------------------
+ 
+ 
+--- mojarra-2.0.3.orig/jsf-api/src/main/java/javax/faces/component/UIViewParameter.java
++++ mojarra-2.0.3/jsf-api/src/main/java/javax/faces/component/UIViewParameter.java
+@@ -37,6 +37,8 @@
+ package javax.faces.component;
+ 
+ import java.io.IOException;
++import java.util.logging.Level;
++import java.util.logging.Logger;
+ import javax.el.ValueExpression;
+ import javax.faces.FactoryFinder;
+ import javax.faces.application.FacesMessage;
+@@ -71,6 +73,9 @@ import javax.faces.render.Renderer;
+  * @since 2.0
+  */
+ public class UIViewParameter extends UIInput {
++    
++    private static Logger LOGGER = Logger.getLogger("javax.faces.component",
++            "javax.faces.LogStrings");
+ 
+     
+     // ------------------------------------------------------ Manifest Constants
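Review bot: `private static Logger LOGGER` should be `private static final Logger LOGGER`; nothing reassigns it, the ALL_CAPS name already signals a constant, and `final` is the convention for loggers elsewhere in JSF. The bundle name `"javax.faces.LogStrings"` matches the properties files edited in this patch, so the key lookup in the `LOGGER.log(...)` call below will resolve.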
+@@ -342,7 +347,8 @@ public class UIViewParameter extends UII
+         }
+ 
+         Object currentValue = ve.getValue(context.getELContext());
+-
++        String result = null;
++        
+         // If there is a converter attribute, use it to to ask application
+         // instance for a converter with this identifer.
+         Converter c = getConverter();
+@@ -355,23 +361,35 @@ public class UIViewParameter extends UII
+             }
+             // Do not look for "by-type" converters for Strings
+             if (currentValue instanceof String) {
+-                return (String) currentValue;
++                result = (String) currentValue;
++            } else {
++                // if converter attribute set, try to acquire a converter
++                // using its class type.
++                
++                Class converterType = currentValue.getClass();
++                c = context.getApplication().createConverter(converterType);
++                
++                // if there is no default converter available for this identifier,
++                // assume the model type to be String.
++                if (c == null) {
++                    result = currentValue.toString();
++                }
+             }
++        }
++        if (null == result && null != c) {
++            result = c.getAsString(context, this, currentValue);
++        }
+ 
+-            // if converter attribute set, try to acquire a converter
+-            // using its class type.
+-
+-            Class converterType = currentValue.getClass();
+-            c = context.getApplication().createConverter(converterType);
+-
+-            // if there is no default converter available for this identifier,
+-            // assume the model type to be String.
+-            if (c == null) {
+-                return currentValue.toString();
++        if (SharedUtils.isExpression(result)) {
++            if (LOGGER.isLoggable(Level.SEVERE)) {
++                LOGGER.log(Level.SEVERE,
++                        "severe.uiviewparam_value_is_expression",
++                        new Object[] { result });
+             }
++            result = null;
+         }
+ 
+-        return c.getAsString(context, this, currentValue);
++        return result;
+     }
+ 
+     /**
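Review bot: the guard `SharedUtils.isExpression(result)` only recognises `#{...}` (see the `indexOf("#{")` in SharedUtils.java); a value in the immediate-evaluation form `${...}` passes through untouched. Whether that form can be re-evaluated on the path this CVE concerns is not visible here, so confirm against the upstream revision and the PoC referenced in #650430 before treating this as the complete mitigation. Two further points: (1) the method now returns `null` for a non-null `currentValue` for the first time (`result = null;` after the log), so every caller must tolerate a null return where it previously always got a String; (2) the SEVERE log fires on every call that hits the branch, so an attacker who can feed such values at will can drive log volume; the `isLoggable` guard does not help with that, only a rate limit or a lower level would. The refactor of the converter lookup itself preserves the original flow: the String short-cut, the by-type lookup, the `toString()` fallback and the final `c.getAsString(...)` all execute in the same cases as before.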
+--- /dev/null
++++ mojarra-2.0.3/jsf-tools/template-src/SharedUtils.java
+@@ -0,0 +1,79 @@
++/*
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
++ *
++ * Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved.
++ *
++ * The contents of this file are subject to the terms of either the GNU
++ * General Public License Version 2 only ("GPL") or the Common Development
++ * and Distribution License("CDDL") (collectively, the "License").  You
++ * may not use this file except in compliance with the License.  You can
++ * obtain a copy of the License at
++ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
++ * or packager/legal/LICENSE.txt.  See the License for the specific
++ * language governing permissions and limitations under the License.
++ *
++ * When distributing the software, include this License Header Notice in each
++ * file and include the License file at packager/legal/LICENSE.txt.
++ *
++ * GPL Classpath Exception:
++ * Oracle designates this particular file as subject to the "Classpath"
++ * exception as provided by Oracle in the GPL Version 2 section of the License
++ * file that accompanied this code.
++ *
++ * Modifications:
++ * If applicable, add the following below the License Header, with the fields
++ * enclosed by brackets [] replaced by your own identifying information:
++ * "Portions Copyright [year] [name of copyright owner]"
++ *
++ * Contributor(s):
++ * If you wish your version of this file to be governed by only the CDDL or
++ * only the GPL Version 2, indicate your decision by adding "[Contributor]
++ * elects to include this software in this distribution under the [CDDL or GPL
++ * Version 2] license."  If you don't indicate a single choice of license, a
++ * recipient has the option to distribute your version of this file under
++ * either the CDDL, the GPL Version 2 or to extend the choice of license to
++ * its licensees as provided above.  However, if you add GPL Version 2 code
++ * and therefore, elected the GPL Version 2 license, then the option applies
++ * only if the new code is made subject to such option by the copyright
++ * holder.
++ */
++
++package @package@;
++
++class SharedUtils {
++
++    /*
++    * Determine whether String is a mixed value binding expression or not.
++    */
++    public static boolean isMixedExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++
++        // if it doesn't start and end with delimiters
++        return (!(expression.startsWith("#{") && expression.endsWith("}")))
++                  && isExpression(expression);
++
++    }
++
++
++    /*
++    * Determine whether String is a value binding expression or not.
++    */
++    public static boolean isExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++        int start = expression.indexOf("#{");
++
++        //check to see if attribute has an expression
++        return (expression.indexOf("#{") != -1) &&
++               (start < expression.indexOf('}'));
++
++
++    }
++
++
++}
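Review bot: `isExpression` returns true for any string in which `#{` appears before some later `}` (so `foo #{bar} baz` is rejected, which is the intent, while `#{` with no closing brace, or `}` before `#{`, is accepted); `${...}` is never matched, and `isMixedExpression` is not called anywhere in this patch. Decide whether `${` needs covering, and either drop the unused method or document why it is kept. Minor: `expression.indexOf("#{")` is computed twice; `start != -1` can reuse the value already stored in `start`. The two leading-asterisk comments are ordinary `/* */` blocks rather than `/** */` Javadoc, so the methods will not appear in generated API docs; probably fine for a package-private helper, but worth a conscious choice.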
+--- /dev/null
++++ mojarra-2.0.3/template-src/SharedUtils.java
+@@ -0,0 +1,79 @@
++/*
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
++ *
++ * Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved.
++ *
++ * The contents of this file are subject to the terms of either the GNU
++ * General Public License Version 2 only ("GPL") or the Common Development
++ * and Distribution License("CDDL") (collectively, the "License").  You
++ * may not use this file except in compliance with the License.  You can
++ * obtain a copy of the License at
++ * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
++ * or packager/legal/LICENSE.txt.  See the License for the specific
++ * language governing permissions and limitations under the License.
++ *
++ * When distributing the software, include this License Header Notice in each
++ * file and include the License file at packager/legal/LICENSE.txt.
++ *
++ * GPL Classpath Exception:
++ * Oracle designates this particular file as subject to the "Classpath"
++ * exception as provided by Oracle in the GPL Version 2 section of the License
++ * file that accompanied this code.
++ *
++ * Modifications:
++ * If applicable, add the following below the License Header, with the fields
++ * enclosed by brackets [] replaced by your own identifying information:
++ * "Portions Copyright [year] [name of copyright owner]"
++ *
++ * Contributor(s):
++ * If you wish your version of this file to be governed by only the CDDL or
++ * only the GPL Version 2, indicate your decision by adding "[Contributor]
++ * elects to include this software in this distribution under the [CDDL or GPL
++ * Version 2] license."  If you don't indicate a single choice of license, a
++ * recipient has the option to distribute your version of this file under
++ * either the CDDL, the GPL Version 2 or to extend the choice of license to
++ * its licensees as provided above.  However, if you add GPL Version 2 code
++ * and therefore, elected the GPL Version 2 license, then the option applies
++ * only if the new code is made subject to such option by the copyright
++ * holder.
++ */
++
++package @package@;
++
++class SharedUtils {
++
++    /*
++    * Determine whether String is a mixed value binding expression or not.
++    */
++    public static boolean isMixedExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++
++        // if it doesn't start and end with delimiters
++        return (!(expression.startsWith("#{") && expression.endsWith("}")))
++                  && isExpression(expression);
++
++    }
++
++
++    /*
++    * Determine whether String is a value binding expression or not.
++    */
++    public static boolean isExpression(String expression) {
++
++        if (null == expression) {
++            return false;
++        }
++        int start = expression.indexOf("#{");
++
++        //check to see if attribute has an expression
++        return (expression.indexOf("#{") != -1) &&
++               (start < expression.indexOf('}'));
++
++
++    }
++
++
++}
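Review bot: this file is byte-identical to jsf-tools/template-src/SharedUtils.java above, and nothing else in the patch refers to a top-level `template-src/` directory (the build.xml change reads only `${tools.dir}/template-src`); unless the Debian build redefines `tools.dir` to the source root, this copy is dead code and should be removed so the two cannot drift apart.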
diff -Nru mojarra-2.0.3/debian/patches/series mojarra-2.0.3/debian/patches/series
--- mojarra-2.0.3/debian/patches/series	2010-07-11 14:45:46.000000000 -0430
+++ mojarra-2.0.3/debian/patches/series	2011-11-30 07:11:08.000000000 -0430
@@ -1 +1,2 @@
 fix_debian_build.diff
+650430.diff

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
On Wed, 2011-11-30 at 21:59 +0100, Moritz Mühlenhoff wrote:
> On Wed, Nov 30, 2011 at 08:15:31PM +0000, Adam D. Barratt wrote:
> > On Wed, 2011-11-30 at 14:22 -0430, Miguel Landaeta wrote:
> > > I have prepared an upload to fix #650430 / CVE-2011-4358.
> > > 
> > > This bug affects mojarra 2.0.3-1 in stable.
[...]
> > Have the security team confirmed that they don't wish to handle this via
> > a DSA?  I couldn't see anything in the bug report or the security
> > tracker which mentions not doing so.
> 
> No, this should be fixed through stable-security. 

Thanks for the quick follow-up, Moritz.  In that case, let's close the
p-u bug.

Regards,

Adam



--- End Message ---
