- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package commons-configuration2/2.2-1+deb10u1
- From: Moritz Muehlenhoff <jmm@debian.org>
- Date: Sat, 25 Jul 2020 15:10:01 +0200
- Message-id: <159568260107.239459.16513784231224723202.reportbug@hullmann.westfalen.local>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Fixes a minor security issue, debdiff below.
Cheers,
Moritz
diff -Nru commons-configuration2-2.2/debian/changelog commons-configuration2-2.2/debian/changelog
--- commons-configuration2-2.2/debian/changelog 2017-12-29 23:12:51.000000000 +0100
+++ commons-configuration2-2.2/debian/changelog 2020-07-13 18:19:38.000000000 +0200
@@ -1,3 +1,9 @@
+commons-configuration2 (2.2-1+deb10u1) buster; urgency=medium
+
+ * CVE-2020-1953 (Closes: #954713)
+
+ -- Moritz Mühlenhoff <jmm@debian.org> Mon, 13 Jul 2020 19:18:37 +0200
+
commons-configuration2 (2.2-1) unstable; urgency=medium
* New upstream release
diff -Nru commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch
--- commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch 1970-01-01 01:00:00.000000000 +0100
+++ commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch 2020-07-13 18:06:19.000000000 +0200
@@ -0,0 +1,179 @@
+Backport to 2.2 of the following upstream commit:
+
+From add7375cf37fd316d4838c6c56b054fc293b4641 Mon Sep 17 00:00:00 2001
+From: oheger <oliver.heger@oliver-heger.de>
+Date: Wed, 4 Mar 2020 21:33:22 +0100
+Subject: [PATCH] Prevent object creation when loading YAML files.
+
+When creating a new Yaml instance from SnakeYaml to read in a
+configuration file the instance is now configured that no objects are
+created automatically.
+
+--- commons-configuration2-2.2.orig/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java
++++ commons-configuration2-2.2/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java
+@@ -18,11 +18,14 @@
+ package org.apache.commons.configuration2;
+
+ import org.apache.commons.configuration2.ex.ConfigurationException;
++import org.apache.commons.configuration2.ex.ConfigurationRuntimeException;
+ import org.apache.commons.configuration2.io.InputStreamSupport;
+ import org.apache.commons.configuration2.tree.ImmutableNode;
+ import org.yaml.snakeyaml.DumperOptions;
+ import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.Yaml;
++import org.yaml.snakeyaml.constructor.Constructor;
++import org.yaml.snakeyaml.representer.Representer;
+
+ import java.io.IOException;
+ import java.io.InputStream;
+@@ -65,7 +68,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml();
++ Yaml yaml = createYamlForReading(new LoaderOptions());
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -80,7 +83,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml(options);
++ Yaml yaml = createYamlForReading(options);
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -117,7 +120,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml();
++ Yaml yaml = createYamlForReading(new LoaderOptions());
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -132,7 +135,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml(options);
++ Yaml yaml = createYamlForReading(options);
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -142,4 +145,34 @@ public class YAMLConfiguration extends A
+ }
+ }
+
++ /**
++ * Creates a {@code Yaml} object for reading a Yaml file. The object is
++ * configured with some default settings.
++ *
++ * @param options options for loading the file
++ * @return the {@code Yaml} instance for loading a file
++ */
++ private static Yaml createYamlForReading(LoaderOptions options)
++ {
++ return new Yaml(createClassLoadingDisablingConstructor(), new Representer(), new DumperOptions(), options);
++ }
++
++ /**
++ * Returns a {@code Constructor} object for the YAML parser that prevents
++ * all classes from being loaded. This effectively disables the dynamic
++ * creation of Java objects that are declared in YAML files to be loaded.
++ *
++ * @return the {@code Constructor} preventing object creation
++ */
++ private static Constructor createClassLoadingDisablingConstructor()
++ {
++ return new Constructor()
++ {
++ @Override
++ protected Class<?> getClassForName(String name)
++ {
++ throw new ConfigurationRuntimeException("Class loading is disabled.");
++ }
++ };
++ }
+ }
+--- commons-configuration2-2.2.orig/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java
++++ commons-configuration2-2.2/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java
+@@ -20,26 +20,36 @@ package org.apache.commons.configuration
+ import org.apache.commons.configuration2.ex.ConfigurationException;
+ import org.junit.Before;
+ import org.junit.Rule;
++import org.junit.Rule;
+ import org.junit.Test;
+ import org.junit.rules.TemporaryFolder;
+ import org.yaml.snakeyaml.Yaml;
+
+ import java.io.File;
+ import java.io.FileReader;
++import java.io.ByteArrayInputStream;
++import java.io.File;
+ import java.io.IOException;
++import java.io.StringReader;
+ import java.io.StringWriter;
++import java.nio.charset.StandardCharsets;
+ import java.util.Arrays;
+ import java.util.List;
+ import java.util.Map;
+
+ import static org.junit.Assert.assertEquals;
++import static org.junit.Assert.assertFalse;
+ import static org.junit.Assert.assertTrue;
++import static org.junit.Assert.fail;
+
+ /**
+ * Unit test for {@link YAMLConfiguration}
+ */
+ public class TestYAMLConfiguration
+ {
++ @Rule
++ public TemporaryFolder temporaryFolder = new TemporaryFolder();
++
+ /** The files that we test with. */
+ private String testYaml =
+ ConfigurationAssert.getTestFile("test.yaml").getAbsolutePath();
+@@ -137,4 +147,40 @@ public class TestYAMLConfiguration
+ yamlConfiguration = new YAMLConfiguration(c);
+ assertEquals("bar", yamlConfiguration.getString("foo"));
+ }
++
++ @Test
++ public void testObjectCreationFromReader()
++ {
++ final File createdFile = new File(temporaryFolder.getRoot(), "data.txt");
++ final String yaml = "!!java.io.FileOutputStream [" + createdFile.getAbsolutePath() + "]";
++
++ try
++ {
++ yamlConfiguration.read(new StringReader(yaml));
++ fail("Loading configuration did not cause an exception!");
++ }
++ catch (ConfigurationException e)
++ {
++ //expected
++ }
++ assertFalse("Java object was created", createdFile.exists());
++ }
++
++ @Test
++ public void testObjectCreationFromStream()
++ {
++ final File createdFile = new File(temporaryFolder.getRoot(), "data.txt");
++ final String yaml = "!!java.io.FileOutputStream [" + createdFile.getAbsolutePath() + "]";
++
++ try
++ {
++ yamlConfiguration.read(new ByteArrayInputStream(yaml.getBytes(StandardCharsets.UTF_8)));
++ fail("Loading configuration did not cause an exception!");
++ }
++ catch (ConfigurationException e)
++ {
++ //expected
++ }
++ assertFalse("Java object was created", createdFile.exists());
++ }
+ }
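Review bot: The backported test hunk introduces duplicate single-type imports — `import org.junit.Rule;` appears twice and `import java.io.File;` appears twice — which javac tolerates when both name the same type but which should be collapsed to one of each. On the main-code side the fix rests entirely on the overridden `getClassForName` being the only path through which SnakeYaml resolves class names in `!!` tags; the two added tests (`testObjectCreationFromReader` / `testObjectCreationFromStream`) are the check that this holds for the SnakeYaml version buster actually builds against, so they should run during the package build rather than be skipped. The constructor throws `ConfigurationRuntimeException` while the tests expect `ConfigurationException`, so the catch clauses of the `read` overloads — which lie outside this hunk — must also wrap unchecked exceptions; that is worth confirming against the 2.2 source rather than assuming the upstream context matches. A one-line comment on `createClassLoadingDisablingConstructor`, e.g. `// CVE-2020-1953: SnakeYaml's default Constructor instantiates any class named in a !! tag`, would record why the override exists.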
diff -Nru commons-configuration2-2.2/debian/patches/series commons-configuration2-2.2/debian/patches/series
--- commons-configuration2-2.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ commons-configuration2-2.2/debian/patches/series 2020-07-13 18:05:49.000000000 +0200
@@ -0,0 +1 @@
+CVE-2020-1953.patch