
Bug#917560: stretch-pu: package c3p0/0.9.1.2-9
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I would like to fix CVE-2018-20433 (#917257) in c3p0. This issue was
marked no-dsa by the security team. Please find attached the debdiff.

Regards,

Markus
diff -Nru c3p0-0.9.1.2/debian/changelog c3p0-0.9.1.2/debian/changelog
--- c3p0-0.9.1.2/debian/changelog	2014-01-17 05:47:13.000000000 +0100
+++ c3p0-0.9.1.2/debian/changelog	2018-12-28 18:41:05.000000000 +0100
@@ -1,3 +1,13 @@
+c3p0 (0.9.1.2-9+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2018-20433.
+    A XML External Entity (XXE) vulnerability was discovered in c3p0 that may
+    be used to resolve information outside of the intended sphere of control.
+    (Closes: #917257)
+
+ -- Markus Koschany <apo@debian.org>  Fri, 28 Dec 2018 18:41:05 +0100
+
 c3p0 (0.9.1.2-9) unstable; urgency=medium
 
   * Team upload.
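Review bot: the changelog wording "A XML External Entity (XXE) vulnerability" should read "An XML External Entity (XXE) vulnerability"; the rest of the entry correctly records the CVE, the bug closure (Closes: #917257) and the stretch-pu version suffix (0.9.1.2-9+deb9u1).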
diff -Nru c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch
--- c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch	1970-01-01 01:00:00.000000000 +0100
+++ c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch	2018-12-28 18:41:05.000000000 +0100
@@ -0,0 +1,22 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 25 Dec 2018 15:14:04 +0100
+Subject: CVE-2018-20433
+
+Bug-Debian: https://bugs.debian.org/917257
+Origin: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
+---
+ src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+index 3878e89..4a75bd8 100644
+--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
++++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+@@ -132,6 +132,7 @@ public final class C3P0ConfigXmlUtils
+     public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
+     {
+         DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
++	fact.setExpandEntityReferences(false);
+         DocumentBuilder db = fact.newDocumentBuilder();
+         Document doc = db.parse( is );
+ 
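Review bot: the one added line, `fact.setExpandEntityReferences(false);`, follows the upstream commit named in the Origin header, but on its own it is a partial XXE mitigation for a JAXP `DocumentBuilderFactory`: it prevents entity references from being expanded into the resulting DOM, while the underlying parser can still process the DOCTYPE and retrieve external general and parameter entity declarations before that point. The commonly recommended hardening for this API is to additionally refuse DOCTYPE processing or disable external entities, for example `fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` (or the `external-general-entities` / `external-parameter-entities` features set to false) together with `fact.setXIncludeAware(false);`. If the stretch update intentionally tracks upstream's minimal change, say so in the DEP-3 header so a later reviewer knows the stronger options were considered. Also, the inserted line is indented with a tab while the surrounding lines use spaces; match the file's existing indentation.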
diff -Nru c3p0-0.9.1.2/debian/patches/series c3p0-0.9.1.2/debian/patches/series
--- c3p0-0.9.1.2/debian/patches/series	2014-01-17 05:47:13.000000000 +0100
+++ c3p0-0.9.1.2/debian/patches/series	2018-12-28 18:41:05.000000000 +0100
@@ -1,3 +1,4 @@
 build.patch
 testing.patch
 java-7-compat.patch
+CVE-2018-20433.patch