--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package lucene-solr/3.6.2+dfsg-20+deb10u1
- From: Markus Koschany <apo@debian.org>
- Date: Sun, 16 Aug 2020 18:00:58 +0200
- Message-id: <159759365825.18434.16778746066696580289.reportbug@spike>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I would like to fix CVE-2019-0193 for Buster in lucene-solr. This
issue was marked no-dsa by the security team. Please find attached the
debdiff.
Regards,
Markus
diff -Nru lucene-solr-3.6.2+dfsg/debian/changelog lucene-solr-3.6.2+dfsg/debian/changelog
--- lucene-solr-3.6.2+dfsg/debian/changelog 2019-09-04 22:30:29.000000000 +0200
+++ lucene-solr-3.6.2+dfsg/debian/changelog 2020-08-16 15:56:26.000000000 +0200
@@ -1,3 +1,19 @@
+lucene-solr (3.6.2+dfsg-20+deb10u2) buster; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2019-0193:
+ The DataImportHandler, an optional but popular module to pull in data from
+ databases and other sources, has a feature in which the whole DIH
+ configuration can come from a request's "dataConfig" parameter. The debug
+ mode of the DIH admin screen uses this to allow convenient debugging /
+ development of a DIH config. Since a DIH config can contain scripts, this
+ parameter is a security risk. Starting from now on, use of this parameter
+ requires setting the Java System property "enable.dih.dataConfigParam" to
+ true. For example this can be achieved with solr-tomcat by adding
+ -Denable.dih.dataConfigParam=true to JAVA_OPTS in /etc/default/tomcat9.
+
+ -- Markus Koschany <apo@debian.org> Sun, 16 Aug 2020 15:56:26 +0200
+
lucene-solr (3.6.2+dfsg-20+deb10u1) buster; urgency=medium
* Team upload.
diff -Nru lucene-solr-3.6.2+dfsg/debian/patches/CVE-2019-0193.patch lucene-solr-3.6.2+dfsg/debian/patches/CVE-2019-0193.patch
--- lucene-solr-3.6.2+dfsg/debian/patches/CVE-2019-0193.patch 1970-01-01 01:00:00.000000000 +0100
+++ lucene-solr-3.6.2+dfsg/debian/patches/CVE-2019-0193.patch 2020-08-16 15:56:26.000000000 +0200
@@ -0,0 +1,70 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 15 Aug 2020 18:41:28 +0200
+Subject: CVE-2019-0193
+
+Bug-Upstream: https://issues.apache.org/jira/browse/SOLR-13669
+Origin: https://github.com/apache/lucene-solr/commit/325824cd391c8e71f36f17d687f52344e50e9715
+---
+ .../apache/solr/handler/dataimport/DataImportHandler.java | 10 ++++++++++
+ .../dataimport/AbstractDataImportHandlerTestCase.java | 13 ++++++-------
+ 2 files changed, 16 insertions(+), 7 deletions(-)
+
+diff --git a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
+index 9e11c79..a4a39a0 100644
+--- a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
++++ b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImportHandler.java
+@@ -83,6 +83,10 @@ public class DataImportHandler extends RequestHandlerBase implements
+
+ private Map<String , Object> coreScopeSession = new HashMap<String, Object>();
+
++ static final String ENABLE_DIH_DATA_CONFIG_PARAM = "enable.dih.dataConfigParam";
++
++ final boolean dataConfigParam_enabled = Boolean.getBoolean(ENABLE_DIH_DATA_CONFIG_PARAM);
++
+ @Override
+ @SuppressWarnings("unchecked")
+ public void init(NamedList args) {
+@@ -153,6 +157,12 @@ public class DataImportHandler extends RequestHandlerBase implements
+ return;
+ }
+
++ if (dataConfigParam_enabled == false) {
++ throw new SolrException(SolrException.ErrorCode.FORBIDDEN,
++ "Use of the dataConfig param (DIH debug mode) requires the system property " +
++ ENABLE_DIH_DATA_CONFIG_PARAM + " because it's a security risk.");
++ }
++
+ rsp.add("initArgs", initArgs);
+ String message = "";
+
+diff --git a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
+index 1b49028..1cce926 100644
+--- a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
++++ b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/AbstractDataImportHandlerTestCase.java
+@@ -30,7 +30,7 @@ import org.apache.solr.update.processor.UpdateRequestProcessor;
+ import org.apache.solr.update.processor.UpdateRequestProcessorFactory;
+ import org.apache.solr.common.util.NamedList;
+ import org.junit.After;
+-import org.junit.Before;
++import org.junit.BeforeClass;
+
+ import java.io.FileOutputStream;
+ import java.io.IOException;
+@@ -57,12 +57,11 @@ public abstract class AbstractDataImportHandlerTestCase extends
+ public static void initCore(String config, String schema) throws Exception {
+ initCore(config, schema, getFile("dih/solr").getAbsolutePath());
+ }
+-
+- @Override
+- @Before
+- public void setUp() throws Exception {
+- super.setUp();
+- }
++
++ @BeforeClass
++ public static void baseBeforeClass() {
++ System.setProperty(DataImportHandler.ENABLE_DIH_DATA_CONFIG_PARAM, "true");
++ }
+
+ @Override
+ @After
diff -Nru lucene-solr-3.6.2+dfsg/debian/patches/series lucene-solr-3.6.2+dfsg/debian/patches/series
--- lucene-solr-3.6.2+dfsg/debian/patches/series 2019-09-04 22:30:29.000000000 +0200
+++ lucene-solr-3.6.2+dfsg/debian/patches/series 2020-08-16 15:56:26.000000000 +0200
@@ -17,3 +17,4 @@
ant-1.10.patch
CVE-2018-1308.patch
web.xml.patch
+CVE-2019-0193.patch
--- End Message ---