Bug#954863: stretch-pu: package checkstyle/6.15-1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I would like to fix CVE-2019-9658 and CVE-2019-10782 in checkstyle.
The security team marked this issue as no-dsa. Please find attached
the debdiff for Stretch.
Regards,
Markus
diff -Nru checkstyle-6.15/debian/changelog checkstyle-6.15/debian/changelog
--- checkstyle-6.15/debian/changelog 2016-02-04 21:52:02.000000000 +0100
+++ checkstyle-6.15/debian/changelog 2020-03-24 13:18:16.000000000 +0100
@@ -1,3 +1,14 @@
+checkstyle (6.15-1+deb9u1) stretch; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2019-9658 and CVE-2019-10782:
+ Security researchers from Snyk discovered that the fix for CVE-2019-9658
+ was incomplete. Checkstyle, a development tool to help programmers write
+ Java code that adheres to a coding standard, was still vulnerable to XML
+ External Entity (XXE) injection. (Closes: #924598)
+
+ -- Markus Koschany <apo@debian.org> Tue, 24 Mar 2020 13:18:16 +0100
+
checkstyle (6.15-1) unstable; urgency=medium
* Team upload.
diff -Nru checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
--- checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch 1970-01-01 01:00:00.000000000 +0100
+++ checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch 2020-03-24 13:18:16.000000000 +0100
@@ -0,0 +1,95 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 12 Mar 2020 13:06:45 +0100
+Subject: CVE-2019-9658 and CVE-2019-10782
+
+Bug-Debian: https://bugs.debian.org/924598
+
+Origin: https://github.com/checkstyle/checkstyle/commit/180b4fe37a2249d4489d584505f2b7b3ab162ec6
+Origin: https://github.com/checkstyle/checkstyle/pull/7495/commits/3af187f81ab33c9a8e471cc629ff10fe722a7a56
+---
+ .../tools/checkstyle/api/AbstractLoader.java | 45 ++++++++++++++++++++++
+ src/xdocs/config_reporting.xml | 11 ++++++
+ 2 files changed, 56 insertions(+)
+
+diff --git a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+index 2e60e6d..6ea678b 100644
+--- a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
++++ b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+@@ -80,6 +80,7 @@ public abstract class AbstractLoader
+ this.publicIdToResourceNameMap =
+ Maps.newHashMap(publicIdToResourceNameMap);
+ final SAXParserFactory factory = SAXParserFactory.newInstance();
++ LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory);
+ factory.setValidating(true);
+ factory.setNamespaceAware(true);
+ parser = factory.newSAXParser().getXMLReader();
+@@ -124,4 +125,48 @@ public abstract class AbstractLoader
+ public void fatalError(SAXParseException exception) throws SAXException {
+ throw exception;
+ }
++
++ /**
++ * Used for setting specific for secure java installations features to SAXParserFactory.
++ * Pulled out as a separate class in order to suppress Pitest mutations.
++ */
++ public static final class LoadExternalDtdFeatureProvider {
++
++ /** System property name to enable external DTD load. */
++ public static final String ENABLE_EXTERNAL_DTD_LOAD = "checkstyle.enableExternalDtdLoad";
++
++ /** Feature that enables loading external DTD when loading XML files. */
++ public static final String LOAD_EXTERNAL_DTD =
++ "http://apache.org/xml/features/nonvalidating/load-external-dtd";
++ /** Feature that enables including external general entities in XML files. */
++ public static final String EXTERNAL_GENERAL_ENTITIES =
++ "http://xml.org/sax/features/external-general-entities";
++ /** Feature that enables including external parameter entities in XML files. */
++ public static final String EXTERNAL_PARAMETER_ENTITIES =
++ "http://xml.org/sax/features/external-parameter-entities";
++
++ /** Stop instances being created. **/
++ private LoadExternalDtdFeatureProvider() {
++ }
++
++ /**
++ * Configures SAXParserFactory with features required
++ * to use external DTD file loading, this is not activated by default to not allow
++ * usage of schema files that checkstyle do not know
++ * it is even security problem to allow files from outside.
++ * @param factory factory to be configured with special features
++ * @throws SAXException if an error occurs
++ * @throws ParserConfigurationException if an error occurs
++ */
++ public static void setFeaturesBySystemProperty(SAXParserFactory factory)
++ throws SAXException, ParserConfigurationException {
++
++ final boolean enableExternalDtdLoad = Boolean.valueOf(
++ System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"));
++
++ factory.setFeature(LOAD_EXTERNAL_DTD, enableExternalDtdLoad);
++ factory.setFeature(EXTERNAL_GENERAL_ENTITIES, enableExternalDtdLoad);
++ factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, enableExternalDtdLoad);
++ }
++ }
+ }
+diff --git a/src/xdocs/config_reporting.xml b/src/xdocs/config_reporting.xml
+index 410d7eb..acf99a7 100644
+--- a/src/xdocs/config_reporting.xml
++++ b/src/xdocs/config_reporting.xml
+@@ -68,5 +68,16 @@
+ to an empty string.
+ </p>
+ </section>
++
++ <section name="Enable External DTD load">
++ <p>
++ The property <code>checkstyle.enableExternalDtdLoad</code>
++ defines ability use custom DTD files inconfig and load them from some location.
++ The property type
++ is <a href="property_types.html#boolean">boolean</a> and defaults
++ to <code>false</code>.
++ </p>
++ </section>
++
+ </body>
+ </document>
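Review bot: The three `factory.setFeature(...)` calls in setFeaturesBySystemProperty are all driven by the single `enableExternalDtdLoad` flag, so setting `checkstyle.enableExternalDtdLoad=true` does not merely permit a custom DTD but also re-enables external general and parameter entity resolution, i.e. the XXE exposure this patch closes — and neither the method's Javadoc nor the new "Enable External DTD load" xdoc section says so. I would add one sentence to both, along the lines of `Enabling this property also allows external general and parameter entities to be resolved, so it should only be set when the checked XML configuration comes from a trusted source.`, and tidy the Javadoc wording ("to use external DTD file loading, this is not activated by default ... checkstyle do not know it is even security problem") into plain English. `Boolean.valueOf(System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"))` boxes and unboxes; `Boolean.parseBoolean(System.getProperty(ENABLE_EXTERNAL_DTD_LOAD))` is the idiom and keeps the same fail-safe default (any value other than "true" is false). The factory is still put into validating mode on the following line (`factory.setValidating(true)`), and whether the validating path of the bundled parser honours `load-external-dtd=false` the same way as the non-validating one is not visible here, so it is worth confirming on the Stretch parser that the entity features alone are what block the external fetch.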
diff -Nru checkstyle-6.15/debian/patches/series checkstyle-6.15/debian/patches/series
--- checkstyle-6.15/debian/patches/series 2016-02-04 21:37:44.000000000 +0100
+++ checkstyle-6.15/debian/patches/series 2020-03-24 13:18:16.000000000 +0100
@@ -2,3 +2,4 @@
02_ignore_tests_requiring_internet_connectivity.diff
03_remove_maven3_prereq.diff
04_adjust_application_name.diff
+CVE-2019-9658-and-CVE-2019-10782.patch