Bug#917560: stretch-pu: package c3p0/0.9.1.2-9
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I would like to fix CVE-2018-20433 (#917257) in c3p0. This issue was
marked no-dsa by the security team. Please find attached the debdiff.
Regards,
Markus
diff -Nru c3p0-0.9.1.2/debian/changelog c3p0-0.9.1.2/debian/changelog
--- c3p0-0.9.1.2/debian/changelog 2014-01-17 05:47:13.000000000 +0100
+++ c3p0-0.9.1.2/debian/changelog 2018-12-28 18:41:05.000000000 +0100
@@ -1,3 +1,13 @@
+c3p0 (0.9.1.2-9+deb9u1) stretch; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2018-20433.
+ A XML External Entity (XXE) vulnerability was discovered in c3p0 that may
+ be used to resolve information outside of the intended sphere of control.
+ (Closes: #917257)
+
+ -- Markus Koschany <apo@debian.org> Fri, 28 Dec 2018 18:41:05 +0100
+
c3p0 (0.9.1.2-9) unstable; urgency=medium
* Team upload.
diff -Nru c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch
--- c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch 1970-01-01 01:00:00.000000000 +0100
+++ c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch 2018-12-28 18:41:05.000000000 +0100
@@ -0,0 +1,22 @@
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 25 Dec 2018 15:14:04 +0100
+Subject: CVE-2018-20433
+
+Bug-Debian: https://bugs.debian.org/917257
+Origin: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
+---
+ src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+index 3878e89..4a75bd8 100644
+--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
++++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+@@ -132,6 +132,7 @@ public final class C3P0ConfigXmlUtils
+ public static C3P0Config extractXmlConfigFromInputStream(InputStream is) throws Exception
+ {
+ DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
++ fact.setExpandEntityReferences(false);
+ DocumentBuilder db = fact.newDocumentBuilder();
+ Document doc = db.parse( is );
+
diff -Nru c3p0-0.9.1.2/debian/patches/series c3p0-0.9.1.2/debian/patches/series
--- c3p0-0.9.1.2/debian/patches/series 2014-01-17 05:47:13.000000000 +0100
+++ c3p0-0.9.1.2/debian/patches/series 2018-12-28 18:41:05.000000000 +0100
@@ -1,3 +1,4 @@
build.patch
testing.patch
java-7-compat.patch
+CVE-2018-20433.patch
Reply to: