Package: release.debian.org Severity: normal Tags: stretch User: release.debian.org@packages.debian.org Usertags: pu Hello, This proposed update for jabref addresses CVE-2018-1000652 [1], which will not be issued a DSA [2]. The debdiff is attached. Thank you, tony [1] https://security-tracker.debian.org/tracker/CVE-2018-1000652 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921772#48
diff -Nru jabref-3.8.1+ds/debian/changelog jabref-3.8.1+ds/debian/changelog
--- jabref-3.8.1+ds/debian/changelog 2017-01-11 12:27:19.000000000 -0800
+++ jabref-3.8.1+ds/debian/changelog 2019-02-10 11:25:26.000000000 -0800
@@ -1,3 +1,12 @@
+jabref (3.8.1+ds-3+deb9u1) stretch; urgency=medium
+
+ [ gregor herrmann & tony mancill ]
+ * Add patch from upstream commit to fix CVE-2018-1000652: XML External
+ Entity attack.
+ Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772)
+
+ -- gregor herrmann <gregoa@debian.org> Sun, 10 Feb 2019 20:25:26 +0100
+
 jabref (3.8.1+ds-3) unstable; urgency=medium
 
 * Remove postgresql entry from debian/maven.rules.
diff -Nru jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch
--- jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 1969-12-31 16:00:00.000000000 -0800
+++ jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 2019-02-10 11:25:26.000000000 -0800
@@ -0,0 +1,81 @@ +From 89f855d76713b4cd25ac0830c719cd61c511851e Mon Sep 17 00:00:00 2001 +From: Nick <nick.s.weatherley@protonmail.com> +Date: Mon, 30 Jul 2018 16:06:07 +0000 +Subject: [PATCH] Fix importer vulnerability (#4240) + +* Fix importer vulnerability +Fixed issue #4229 where importer was vulnerable to XXE attacks by +disabling DTDs along with adding warning to logger if features are +unavailable. fixes #4229 + +Bugs-Debian: https://bugs.debian.org/921772 +Bug: https://github.com/JabRef/jabref/issues/4229 + +--- a/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java ++++ b/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java +@@ -6,12 +6,15 @@ + + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; ++import javax.xml.parsers.ParserConfigurationException; + + import net.sf.jabref.logic.importer.Importer; + import net.sf.jabref.logic.importer.ParserResult; + import net.sf.jabref.logic.msbib.MSBibDatabase; + import net.sf.jabref.logic.util.FileExtensions; + ++import org.apache.commons.logging.Log; ++import org.apache.commons.logging.LogFactory; + import org.w3c.dom.Document; + import org.xml.sax.InputSource; + +@@ -23,6 +26,10 @@ + */ + public class MsBibImporter extends Importer { + ++ private static final Log LOGGER = LogFactory.getLog(MsBibImporter.class); ++ private static final String DISABLEDTD = "http://apache.org/xml/features/disallow-doctype-decl"; ++ private static final String DISABLEEXTERNALDTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; ++ + @Override + public boolean isRecognizedFormat(BufferedReader reader) throws IOException { + Objects.requireNonNull(reader); +@@ -34,7 +41,7 @@ + */ + Document docin; + try { +- DocumentBuilder dbuild = DocumentBuilderFactory.newInstance().newDocumentBuilder(); ++ DocumentBuilder dbuild = makeSafeDocBuilderFactory(DocumentBuilderFactory.newInstance()).newDocumentBuilder(); + docin = dbuild.parse(new 
InputSource(reader)); + } catch (Exception e) { + return false; +@@ -65,4 +72,29 @@ + return "Importer for the MS Office 2007 XML bibliography format."; + } + ++ /** ++ * DocumentBuilderFactory makes a XXE safe Builder factory from dBuild. If not supported by current ++ * XML then returns original builder given and logs error. ++ * @param dBuild | DocumentBuilderFactory to be made XXE safe. ++ * @return If supported, XXE safe DocumentBuilderFactory. Else, returns original builder given ++ */ ++ private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) { ++ String feature = null; ++ ++ try { ++ feature = DISABLEDTD; ++ dBuild.setFeature(feature, true); ++ ++ feature = DISABLEEXTERNALDTD; ++ dBuild.setFeature(feature, false); ++ ++ dBuild.setXIncludeAware(false); ++ dBuild.setExpandEntityReferences(false); ++ ++ } catch (ParserConfigurationException e) { ++ LOGGER.warn("Builder not fully configured. Feature:'" + feature + "' is probably not supported by current XML processor.", e); ++ } ++ ++ return dBuild; ++ } + } diff -Nru jabref-3.8.1+ds/debian/patches/series jabref-3.8.1+ds/debian/patches/series --- jabref-3.8.1+ds/debian/patches/series 2017-01-11 12:27:19.000000000 -0800 +++ jabref-3.8.1+ds/debian/patches/series 2019-02-10 11:25:26.000000000 -0800 @@ -4,3 +4,4 @@ 030_xjc.patch 050_unirest_json.patch 070_restore_normal_colors.patch +100_CVE-2018-1000652_XXE-vulnerability.patch
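Review bot: In `makeSafeDocBuilderFactory` near the end of the hunk, all four hardening calls sit in a single try, so if the parser rejects the first feature (`disallow-doctype-decl`) with a ParserConfigurationException, the remaining three — `load-external-dtd`, `setXIncludeAware(false)` and `setExpandEntityReferences(false)` — are never applied and the factory is returned essentially unhardened, with only a log warning to show for it. Setting each feature in its own try and calling the two plain setters unconditionally (they do not throw) keeps whatever the parser does support; a sketch follows. Where `disallow-doctype-decl` is unavailable, additionally disabling `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` and enabling `XMLConstants.FEATURE_SECURE_PROCESSING` would be the next defensive layer, provided the project's parser accepts them. Note that `isRecognizedFormat` (whose body continues outside the hunk) already wraps the builder in `catch (Exception e) { return false; }`, so a configuration failure surfaces only through the warn log, never to the caller. Presumably other XML importers in this tree build a DocumentBuilderFactory the same way; if so, they would warrant the same helper.
```java
private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
    // One try per feature: an unsupported feature must not skip the others.
    trySetFeature(dBuild, DISABLEDTD, true);
    trySetFeature(dBuild, DISABLEEXTERNALDTD, false);
    // Plain setters, no checked exception — always applied.
    dBuild.setXIncludeAware(false);
    dBuild.setExpandEntityReferences(false);
    return dBuild;
}

private static void trySetFeature(DocumentBuilderFactory dBuild, String feature, boolean value) {
    try {
        dBuild.setFeature(feature, value);
    } catch (ParserConfigurationException e) {
        LOGGER.warn("Builder not fully configured. Feature:'" + feature + "' is probably not supported by current XML processor.", e);
    }
}
```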