
Bug#954863: marked as done (stretch-pu: package checkstyle/6.15-1)



Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #954863,
regarding stretch-pu: package checkstyle/6.15-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
954863: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954863
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I would like to fix CVE-2019-9658 and CVE-2019-10782 in checkstyle.
The security team marked this issue as no-dsa. Please find attached
the debdiff for Stretch.

Regards,

Markus
diff -Nru checkstyle-6.15/debian/changelog checkstyle-6.15/debian/changelog
--- checkstyle-6.15/debian/changelog	2016-02-04 21:52:02.000000000 +0100
+++ checkstyle-6.15/debian/changelog	2020-03-24 13:18:16.000000000 +0100
@@ -1,3 +1,14 @@
+checkstyle (6.15-1+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2019-9658 and CVE-2019-10782:
+    Security researchers from Snyk discovered that the fix for CVE-2019-9658
+    was incomplete. Checkstyle, a development tool to help programmers write
+    Java code that adheres to a coding standard, was still vulnerable to XML
+    External Entity (XXE) injection. (Closes: #924598)
+
+ -- Markus Koschany <apo@debian.org>  Tue, 24 Mar 2020 13:18:16 +0100
+
 checkstyle (6.15-1) unstable; urgency=medium
 
   * Team upload.
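Review bot: the changelog entry describes the fix but not its user-visible side effect. With this update, external DTD loading and external general/parameter entities are disabled by default and can only be re-enabled through the new `checkstyle.enableExternalDtdLoad` system property, so users whose configurations rely on DTDs fetched from outside the jar may see parse failures after upgrading. Mentioning the property in the changelog entry (or a NEWS entry) would make the behaviour change discoverable at upgrade time.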
diff -Nru checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
--- checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch	1970-01-01 01:00:00.000000000 +0100
+++ checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch	2020-03-24 13:18:16.000000000 +0100
@@ -0,0 +1,95 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 12 Mar 2020 13:06:45 +0100
+Subject: CVE-2019-9658 and CVE-2019-10782
+
+Bug-Debian: https://bugs.debian.org/924598
+
+Origin: https://github.com/checkstyle/checkstyle/commit/180b4fe37a2249d4489d584505f2b7b3ab162ec6
+Origin: https://github.com/checkstyle/checkstyle/pull/7495/commits/3af187f81ab33c9a8e471cc629ff10fe722a7a56
+---
+ .../tools/checkstyle/api/AbstractLoader.java       | 45 ++++++++++++++++++++++
+ src/xdocs/config_reporting.xml                     | 11 ++++++
+ 2 files changed, 56 insertions(+)
+
+diff --git a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+index 2e60e6d..6ea678b 100644
+--- a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
++++ b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+@@ -80,6 +80,7 @@ public abstract class AbstractLoader
+         this.publicIdToResourceNameMap =
+             Maps.newHashMap(publicIdToResourceNameMap);
+         final SAXParserFactory factory = SAXParserFactory.newInstance();
++        LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory);
+         factory.setValidating(true);
+         factory.setNamespaceAware(true);
+         parser = factory.newSAXParser().getXMLReader();
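Review bot: `LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory)` is declared to throw SAXException and ParserConfigurationException, and the enclosing constructor signature is not in the hunk, so confirm it already declares both (the existing `factory.newSAXParser()` call suggests it does). The call is placed before `setValidating(true)` and `newSAXParser()`, which is the right order; it would still be worth a test that parses a configuration carrying a DOCTYPE for one of the bundled DTDs (resolved through `publicIdToResourceNameMap`) with the property unset, to pin down that validation keeps working once the three entity features default to false.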
+@@ -124,4 +125,48 @@ public abstract class AbstractLoader
+     public void fatalError(SAXParseException exception) throws SAXException {
+         throw exception;
+     }
++
++    /**
++     * Used for setting specific for secure java installations features to SAXParserFactory.
++     * Pulled out as a separate class in order to suppress Pitest mutations.
++     */
++    public static final class LoadExternalDtdFeatureProvider {
++
++        /** System property name to enable external DTD load. */
++        public static final String ENABLE_EXTERNAL_DTD_LOAD = "checkstyle.enableExternalDtdLoad";
++
++        /** Feature that enables loading external DTD when loading XML files. */
++        public static final String LOAD_EXTERNAL_DTD =
++                "http://apache.org/xml/features/nonvalidating/load-external-dtd";;
++        /** Feature that enables including external general entities in XML files. */
++        public static final String EXTERNAL_GENERAL_ENTITIES =
++                "http://xml.org/sax/features/external-general-entities";;
++        /** Feature that enables including external parameter entities in XML files. */
++        public static final String EXTERNAL_PARAMETER_ENTITIES =
++                "http://xml.org/sax/features/external-parameter-entities";;
++
++        /** Stop instances being created. **/
++        private LoadExternalDtdFeatureProvider() {
++        }
++
++        /**
++         * Configures SAXParserFactory with features required
++         * to use external DTD file loading, this is not activated by default to not allow
++         * usage of schema files that checkstyle do not know
++         * it is even security problem to allow files from outside.
++         * @param factory factory to be configured with special features
++         * @throws SAXException if an error occurs
++         * @throws ParserConfigurationException if an error occurs
++         */
++        public static void setFeaturesBySystemProperty(SAXParserFactory factory)
++                throws SAXException, ParserConfigurationException {
++
++            final boolean enableExternalDtdLoad = Boolean.valueOf(
++                System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"));
++
++            factory.setFeature(LOAD_EXTERNAL_DTD, enableExternalDtdLoad);
++            factory.setFeature(EXTERNAL_GENERAL_ENTITIES, enableExternalDtdLoad);
++            factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, enableExternalDtdLoad);
++        }
++    }
+ }
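Review bot: the default is fail-safe: `Boolean.valueOf(System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"))` yields `true` only for a case-insensitive "true", so a mistyped property value leaves all three features disabled rather than enabled, which is the right direction for an XXE fix. Two cosmetic points: each of the three feature-URI constants ends in `;;`, leaving a stray empty declaration after the field (harmless to javac, but should be a single `;` unless the doubling is an artifact of the mail archive), and the method Javadoc should say plainly that the features are off by default because resolving DTDs and entities from outside the bundled set is a security risk (XXE), instead of "it is even security problem to allow files from outside".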
+diff --git a/src/xdocs/config_reporting.xml b/src/xdocs/config_reporting.xml
+index 410d7eb..acf99a7 100644
+--- a/src/xdocs/config_reporting.xml
++++ b/src/xdocs/config_reporting.xml
+@@ -68,5 +68,16 @@
+         to an empty string.
+       </p>
+     </section>
++
++    <section name="Enable External DTD load">
++      <p>
++        The property <code>checkstyle.enableExternalDtdLoad</code>
++        defines ability use custom DTD files inconfig and load them from some location.
++        The property type
++        is <a href="property_types.html#boolean">boolean</a> and defaults
++        to <code>false</code>.
++      </p>
++    </section>
++
+   </body>
+ </document>
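Review bot: the new documentation paragraph has a grammar problem and omits the security consequence. "defines ability use custom DTD files inconfig and load them from some location" should read "defines the ability to use custom DTD files in the configuration and load them from an external location", and a sentence should state that enabling the property also re-enables external general and parameter entity resolution (the patch drives all three parser features from this single property), so it should only be turned on for configuration files from a trusted source.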
diff -Nru checkstyle-6.15/debian/patches/series checkstyle-6.15/debian/patches/series
--- checkstyle-6.15/debian/patches/series	2016-02-04 21:37:44.000000000 +0100
+++ checkstyle-6.15/debian/patches/series	2020-03-24 13:18:16.000000000 +0100
@@ -2,3 +2,4 @@
 02_ignore_tests_requiring_internet_connectivity.diff
 03_remove_maven3_prereq.diff
 04_adjust_application_name.diff
+CVE-2019-9658-and-CVE-2019-10782.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
