[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#971869: marked as done (buster-pu: package freecol/0.11.6+dfsg2-2+deb10u1)

Your message dated Sat, 05 Dec 2020 11:02:00 +0000
with message-id <b70f86aac27195271a9b5212c7acc936da6ff100.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates in 10.7 point release
has caused the Debian Bug report #971869,
regarding buster-pu: package freecol/0.11.6+dfsg2-2+deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
971869: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971869
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org

Low severity bugfix for freecol, which doesn't warrant a DSA.

The (identical) patch has been in unstable for half a year, also
doublechecked by playing for half an hour :-)

Cheers,
        Moritz

diff -Nru freecol-0.11.6+dfsg2/debian/changelog freecol-0.11.6+dfsg2/debian/changelog
--- freecol-0.11.6+dfsg2/debian/changelog	2018-08-31 19:22:57.000000000 +0200
+++ freecol-0.11.6+dfsg2/debian/changelog	2020-10-07 22:20:46.000000000 +0200
@@ -1,3 +1,9 @@
+freecol (0.11.6+dfsg2-2+deb10u1) buster; urgency=medium
+
+  * CVE-2018-1000825 (Closes: #917023)
+
+ -- Moritz Mühlenhoff <jmm@debian.org>  Wed, 07 Oct 2020 22:20:46 +0200
+
 freecol (0.11.6+dfsg2-2) unstable; urgency=medium
 
   * Declare compliance with Debian Policy 4.2.1.
diff -Nru freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch
--- freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch	1970-01-01 01:00:00.000000000 +0100
+++ freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch	2020-10-07 22:20:40.000000000 +0200
@@ -0,0 +1,142 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 24 Feb 2020 12:33:58 +0100
+Subject: CVE-2018-1000825
+
+Bug-Debian: https://bugs.debian.org/917023
+Origin: https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3
+---
+ src/net/sf/freecol/common/io/FreeColXMLReader.java   | 19 +++++++++++++++++--
+ src/net/sf/freecol/common/model/FreeColObject.java   |  3 +++
+ src/net/sf/freecol/common/networking/Connection.java |  3 +++
+ src/net/sf/freecol/common/networking/DOMMessage.java |  3 +++
+ src/net/sf/freecol/tools/GenerateDocumentation.java  |  3 +++
+ 5 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/src/net/sf/freecol/common/io/FreeColXMLReader.java b/src/net/sf/freecol/common/io/FreeColXMLReader.java
+index dd78a40..abbaba6 100644
+--- a/src/net/sf/freecol/common/io/FreeColXMLReader.java
++++ b/src/net/sf/freecol/common/io/FreeColXMLReader.java
+@@ -88,7 +88,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
+         super();
+ 
+         try {
+-            XMLInputFactory xif = XMLInputFactory.newInstance();
++            XMLInputFactory xif = newXMLInputFactory();
+             setParent(xif.createXMLStreamReader(inputStream, "UTF-8"));
+         } catch (XMLStreamException e) {
+             throw new IOException(e);
+@@ -109,7 +109,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
+         super();
+ 
+         try {
+-            XMLInputFactory xif = XMLInputFactory.newInstance();
++            XMLInputFactory xif = newXMLInputFactory();
+             setParent(xif.createXMLStreamReader(reader));
+         } catch (XMLStreamException e) {
+             throw new IOException(e);
+@@ -118,6 +118,21 @@ public class FreeColXMLReader extends StreamReaderDelegate
+         this.readScope = ReadScope.NORMAL;
+     }
+ 
++    /**
++     * Create a new XMLInputFactory.
++     *
++     * Respond to CVE 2018-1000825.
++     *
++     * @return A new <code>XMLInputFactory</code>.
++     */
++    private static XMLInputFactory newXMLInputFactory() {
++        XMLInputFactory xif = XMLInputFactory.newInstance();
++        // This disables DTDs entirely for that factory
++        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false); 
++        // disable external entities
++        xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
++        return xif;
++    }
+ 
+     /**
+      * Should reads from this stream intern their objects into the
+diff --git a/src/net/sf/freecol/common/model/FreeColObject.java b/src/net/sf/freecol/common/model/FreeColObject.java
+index 01c9887..d8f3754 100644
+--- a/src/net/sf/freecol/common/model/FreeColObject.java
++++ b/src/net/sf/freecol/common/model/FreeColObject.java
+@@ -49,6 +49,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+ 
+ import net.sf.freecol.common.ObjectWithId;
+ import net.sf.freecol.common.io.FreeColXMLReader;
+@@ -895,6 +896,8 @@ public abstract class FreeColObject
+     public void readFromXMLElement(Element element) {
+         try {
+             TransformerFactory factory = TransformerFactory.newInstance();
++            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+             Transformer xmlTransformer = factory.newTransformer();
+             StringWriter stringWriter = new StringWriter();
+             xmlTransformer.transform(new DOMSource(element),
+diff --git a/src/net/sf/freecol/common/networking/Connection.java b/src/net/sf/freecol/common/networking/Connection.java
+index f88d2ed..48954bd 100644
+--- a/src/net/sf/freecol/common/networking/Connection.java
++++ b/src/net/sf/freecol/common/networking/Connection.java
+@@ -40,6 +40,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+ 
+ import net.sf.freecol.common.FreeColException;
+ import net.sf.freecol.common.debug.FreeColDebugger;
+@@ -101,6 +102,8 @@ public class Connection implements Closeable {
+         Transformer myTransformer = null;
+         try {
+             TransformerFactory factory = TransformerFactory.newInstance();
++            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+             myTransformer = factory.newTransformer();
+             myTransformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION,
+                                             "yes");
+diff --git a/src/net/sf/freecol/common/networking/DOMMessage.java b/src/net/sf/freecol/common/networking/DOMMessage.java
+index 7181a7d..8fe7295 100644
+--- a/src/net/sf/freecol/common/networking/DOMMessage.java
++++ b/src/net/sf/freecol/common/networking/DOMMessage.java
+@@ -37,6 +37,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+ 
+ import net.sf.freecol.common.io.FreeColXMLWriter;
+ import net.sf.freecol.common.debug.FreeColDebugger;
+@@ -448,6 +449,8 @@ public class DOMMessage {
+     public static String elementToString(Element element) {
+         try {
+             TransformerFactory factory = TransformerFactory.newInstance();
++            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+             Transformer xt = factory.newTransformer();
+             StringWriter sw = new StringWriter();
+             xt.transform(new DOMSource(element), new StreamResult(sw));
+diff --git a/src/net/sf/freecol/tools/GenerateDocumentation.java b/src/net/sf/freecol/tools/GenerateDocumentation.java
+index aac0f55..a52cf5b 100644
+--- a/src/net/sf/freecol/tools/GenerateDocumentation.java
++++ b/src/net/sf/freecol/tools/GenerateDocumentation.java
+@@ -35,6 +35,7 @@ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
++import javax.xml.XMLConstants;
+ 
+ import net.sf.freecol.common.i18n.Messages;
+ import net.sf.freecol.common.model.StringTemplate;
+@@ -192,6 +193,8 @@ public class GenerateDocumentation {
+                 Messages.loadMessageBundle(Messages.getLocale(languageCode));
+                 try {
+                     TransformerFactory factory = TransformerFactory.newInstance();
++                    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++                    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+                     Source xsl = new StreamSource(new File("doc", XSL));
+                     Transformer stylesheet;
+                     try {
diff -Nru freecol-0.11.6+dfsg2/debian/patches/series freecol-0.11.6+dfsg2/debian/patches/series
--- freecol-0.11.6+dfsg2/debian/patches/series	2018-08-31 19:22:57.000000000 +0200
+++ freecol-0.11.6+dfsg2/debian/patches/series	2020-10-07 22:20:40.000000000 +0200
@@ -1,2 +1,3 @@
 commons-cli-1.3.patch
 valid-appdata.patch
+CVE-2018-1000825.patch

--- End Message ---
--- Begin Message --- 
Package: release.debian.org
Version: 10.7

Hi,

Each of the updates referenced by these bugs was included in this
morning's buster 10.7 point release.

Regards,

Adam

--- End Message ---
Reply to: