Your message dated Sat, 27 Apr 2019 11:14:32 +0100 with message-id <1556360072.2690.35.camel@adam-barratt.org.uk> and subject line Closing bugs for updates included in 9.9 has caused the Debian Bug report #927072, regarding stretch-pu: package jabref/3.8.1+ds-3 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 927072: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927072 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Cc: Gregor Herrmann <gregoa@debian.org>
- Subject: stretch-pu: package jabref/3.8.1+ds-3
- From: tony mancill <tmancill@debian.org>
- Date: Sun, 14 Apr 2019 10:47:45 -0700
- Message-id: <[🔎] 20190414174745.GA3606@lark>
Package: release.debian.org Severity: normal Tags: stretch User: release.debian.org@packages.debian.org Usertags: pu Hello, This proposed update for jabref addresses CVE-2018-1000652 [1], which will not be issued a DSA [2]. The debdiff is attached. Thank you, tony [1] https://security-tracker.debian.org/tracker/CVE-2018-1000652 [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921772#48
diff -Nru jabref-3.8.1+ds/debian/changelog jabref-3.8.1+ds/debian/changelog
--- jabref-3.8.1+ds/debian/changelog 2017-01-11 12:27:19.000000000 -0800
+++ jabref-3.8.1+ds/debian/changelog 2019-02-10 11:25:26.000000000 -0800
@@ -1,3 +1,12 @@
+jabref (3.8.1+ds-3+deb9u1) stretch; urgency=medium
+
+ [ gregor herrmann & tony mancill ]
+ * Add patch from upstream commit to fix CVE-2018-1000652: XML External
+ Entity attack.
+ Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772)
+
+ -- gregor herrmann <gregoa@debian.org> Sun, 10 Feb 2019 20:25:26 +0100
+
 jabref (3.8.1+ds-3) unstable; urgency=medium
 
 * Remove postgresql entry from debian/maven.rules.
diff -Nru jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch
--- jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 1969-12-31 16:00:00.000000000 -0800
+++ jabref-3.8.1+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 2019-02-10 11:25:26.000000000 -0800
@@ -0,0 +1,81 @@
+From 89f855d76713b4cd25ac0830c719cd61c511851e Mon Sep 17 00:00:00 2001
+From: Nick <nick.s.weatherley@protonmail.com>
+Date: Mon, 30 Jul 2018 16:06:07 +0000
+Subject: [PATCH] Fix importer vulnerability (#4240)
+
+* Fix importer vulnerability
+Fixed issue #4229 where importer was vulnerable to XXE attacks by
+disabling DTDs along with adding warning to logger if features are
+unavailable. fixes #4229
+
+Bugs-Debian: https://bugs.debian.org/921772
+Bug: https://github.com/JabRef/jabref/issues/4229
+
+--- a/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
++++ b/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
+@@ -6,12 +6,15 @@
+
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
+
+ import net.sf.jabref.logic.importer.Importer;
+ import net.sf.jabref.logic.importer.ParserResult;
+ import net.sf.jabref.logic.msbib.MSBibDatabase;
+ import net.sf.jabref.logic.util.FileExtensions;
+
++import org.apache.commons.logging.Log;
++import org.apache.commons.logging.LogFactory;
+ import org.w3c.dom.Document;
+ import org.xml.sax.InputSource;
+@@ -23,6 +26,10 @@
+ */
+ public class MsBibImporter extends Importer {
++ private static final Log LOGGER = LogFactory.getLog(MsBibImporter.class);
++ private static final String DISABLEDTD = "http://apache.org/xml/features/disallow-doctype-decl";
++ private static final String DISABLEEXTERNALDTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
++
+ @Override
+ public boolean isRecognizedFormat(BufferedReader reader) throws IOException {
+ Objects.requireNonNull(reader);
+@@ -34,7 +41,7 @@
+ */
+ Document docin;
+ try {
+- DocumentBuilder dbuild = DocumentBuilderFactory.newInstance().newDocumentBuilder();
++ DocumentBuilder dbuild = makeSafeDocBuilderFactory(DocumentBuilderFactory.newInstance()).newDocumentBuilder();
+ docin = dbuild.parse(new InputSource(reader));
+ } catch (Exception e) {
+ return false;
+@@ -65,4 +72,29 @@
+ return "Importer for the MS Office 2007 XML bibliography format.";
+ }
+
++ /**
++ * DocumentBuilderFactory makes a XXE safe Builder factory from dBuild. If not supported by current
++ * XML then returns original builder given and logs error.
++ * @param dBuild | DocumentBuilderFactory to be made XXE safe.
++ * @return If supported, XXE safe DocumentBuilderFactory. Else, returns original builder given
++ */
++ private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
++ String feature = null;
++
++ try {
++ feature = DISABLEDTD;
++ dBuild.setFeature(feature, true);
++
++ feature = DISABLEEXTERNALDTD;
++ dBuild.setFeature(feature, false);
++
++ dBuild.setXIncludeAware(false);
++ dBuild.setExpandEntityReferences(false);
++
++ } catch (ParserConfigurationException e) {
++ LOGGER.warn("Builder not fully configured. Feature:'" + feature + "' is probably not supported by current XML processor.", e);
++ }
++
++ return dBuild;
++ }
+ }
diff -Nru jabref-3.8.1+ds/debian/patches/series jabref-3.8.1+ds/debian/patches/series
--- jabref-3.8.1+ds/debian/patches/series 2017-01-11 12:27:19.000000000 -0800
+++ jabref-3.8.1+ds/debian/patches/series 2019-02-10 11:25:26.000000000 -0800
@@ -4,3 +4,4 @@
 030_xjc.patch
 050_unirest_json.patch
 070_restore_normal_colors.patch
+100_CVE-2018-1000652_XXE-vulnerability.patch
Attachment: signature.asc
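Review bot: makeSafeDocBuilderFactory in the -65,4 hunk fails open: all four hardening calls sit in one try, so if `dBuild.setFeature(DISABLEDTD, true)` throws ParserConfigurationException on a processor without that feature, the load-external-dtd, XInclude and entity-expansion settings are skipped as well and the untouched factory is returned to isRecognizedFormat with nothing but a warning logged. Since the caller already maps any exception to "not recognised" (`} catch (Exception e) { return false; }` in the -34,7 hunk), failing closed is cheap: keep the warn but replace the silent fall-through with `throw new IllegalStateException("XML processor does not support feature " + feature, e);`, and reword the Javadoc, which currently promises the original factory on failure. Note that `setExpandEntityReferences(false)` on its own does not prevent external entities from being fetched, so disallow-doctype-decl is the load-bearing setting; additionally setting `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false would still protect on a processor where the Apache feature is unsupported. The patch hardens only the DocumentBuilder in isRecognizedFormat; MSBibDatabase, imported in the same hunk, is presumably where the import itself parses the file, and if it creates its own parser that path is not covered by this change — worth confirming before upload.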
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 890889-done@bugs.debian.org, 892070-done@bugs.debian.org, 910805-done@bugs.debian.org, 914187-done@bugs.debian.org, 914591-done@bugs.debian.org, 919043-done@bugs.debian.org, 919576-done@bugs.debian.org, 921748-done@bugs.debian.org, 921977-done@bugs.debian.org, 921983-done@bugs.debian.org, 922918-done@bugs.debian.org, 922987-done@bugs.debian.org, 922996-done@bugs.debian.org, 923202-done@bugs.debian.org, 923323-done@bugs.debian.org, 923342-done@bugs.debian.org, 923556-done@bugs.debian.org, 923897-done@bugs.debian.org, 924145-done@bugs.debian.org, 924150-done@bugs.debian.org, 924255-done@bugs.debian.org, 924261-done@bugs.debian.org, 924282-done@bugs.debian.org, 924377-done@bugs.debian.org, 924433-done@bugs.debian.org, 924463-done@bugs.debian.org, 924493-done@bugs.debian.org, 924642-done@bugs.debian.org, 924939-done@bugs.debian.org, 924945-done@bugs.debian.org, 925154-done@bugs.debian.org, 925161-done@bugs.debian.org, 925214-done@bugs.debian.org, 925228-done@bugs.debian.org, 925351-done@bugs.debian.org, 925401-done@bugs.debian.org, 925482-done@bugs.debian.org, 925506-done@bugs.debian.org, 925548-done@bugs.debian.org, 925569-done@bugs.debian.org, 926003-done@bugs.debian.org, 926050-done@bugs.debian.org, 926136-done@bugs.debian.org, 926190-done@bugs.debian.org, 926199-done@bugs.debian.org, 926397-done@bugs.debian.org, 926438-done@bugs.debian.org, 926506-done@bugs.debian.org, 926739-done@bugs.debian.org, 926870-done@bugs.debian.org, 926892-done@bugs.debian.org, 926894-done@bugs.debian.org, 926897-done@bugs.debian.org, 927067-done@bugs.debian.org, 927068-done@bugs.debian.org, 927072-done@bugs.debian.org, 927160-done@bugs.debian.org, 927191-done@bugs.debian.org, 927223-done@bugs.debian.org, 927378-done@bugs.debian.org, 927422-done@bugs.debian.org, 927424-done@bugs.debian.org, 922484-done@bugs.debian.org
- Subject: Closing bugs for updates included in 9.9
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 27 Apr 2019 11:14:32 +0100
- Message-id: <1556360072.2690.35.camel@adam-barratt.org.uk>
Version: 9.9 Hi, The update referenced by each of these bugs was included in this morning's stretch point release. Regards, Adam
--- End Message ---