--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: buster-pu: package velocity/1.7-5+deb10u1
- From: "Chris Lamb" <lamby@debian.org>
- Date: Thu, 13 May 2021 11:16:04 +0100
- Message-id: <162090087856.2727355.17003072208861169135@tinycat.chris-lamb.co.uk>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: Andreas Beckmann <anbe@debian.org>
Dear stable release managers,
Please consider velocity (1.7-5+deb10u1) for buster:
velocity (1.7-5+deb10u1) buster; urgency=medium
.
* CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability
that can be exploited by applications that allow untrusted users to
upload/modify Velocity templates. (Closes: #985220)
This fixes the lack of clean updates from stretch to buster. The full
debdiff is attached.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
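To make the mechanism behind the attached debdiff concrete, here is an added, self-contained Java example; it is not part of the debdiff, of Velocity, or of this bug report. The `RESTRICTED_CLASSES` set is constructed to mirror three of the `introspector.restrict.classes` entries in velocity.properties, and `WorkerThread` is an assumed application subclass. The program runs two checks side by side: an exact-name match, as the properties-driven list works (the patch's own context says it checks "the classname ... whether it matches disallowed classes"), and the `isAssignableFrom` test the patch adds to SecureIntrospectorImpl, which also catches subclasses.

```java
import java.net.URLClassLoader;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class IntrospectorCheckDemo {

    // Constructed blocklist mirroring a few introspector.restrict.classes entries
    // from velocity.properties; exact fully-qualified names only.
    static final Set<String> RESTRICTED_CLASSES = new HashSet<>(Arrays.asList(
            "java.lang.Class", "java.lang.ClassLoader", "java.lang.Thread"));

    // Name-based check: allows anything whose runtime class name is not listed.
    static boolean allowedByName(Class<?> clazz) {
        return !RESTRICTED_CLASSES.contains(clazz.getName());
    }

    // Hierarchy-aware check: the same test the debdiff adds to
    // SecureIntrospectorImpl, applied before the name lookup.
    static boolean allowedByHierarchy(Class<?> clazz) {
        if (ClassLoader.class.isAssignableFrom(clazz)
                || Thread.class.isAssignableFrom(clazz)) {
            return false;
        }
        return allowedByName(clazz);
    }

    // Assumed application subclass; its name is not on any list.
    static class WorkerThread extends Thread {
    }

    public static void main(String[] args) {
        // The loader that loaded this class is a JDK-internal subclass of
        // ClassLoader, never java.lang.ClassLoader itself, so its runtime
        // class name is not in RESTRICTED_CLASSES.
        Class<?> realLoader = IntrospectorCheckDemo.class.getClassLoader().getClass();

        Class<?>[] probes = {
                ClassLoader.class, realLoader, URLClassLoader.class,
                Thread.class, WorkerThread.class, String.class
        };
        for (Class<?> c : probes) {
            System.out.printf("%-50s byName=%-5b byHierarchy=%b%n",
                    c.getName(), allowedByName(c), allowedByHierarchy(c));
        }
    }
}
```

Compile and run with `javac IntrospectorCheckDemo.java && java IntrospectorCheckDemo`. The exact name printed for the application class loader depends on the JDK, but it is never `java.lang.ClassLoader`, so the name check passes it while the hierarchy check rejects it; `URLClassLoader` and `WorkerThread` behave the same way, and `String` passes both. Note that in Velocity the hierarchy check only runs at all when the application has configured the secure uberspector that is backed by SecureIntrospectorImpl; the default `runtime.introspector.uberspect` shown in the hunk's context line is not that class.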
diff --git a/debian/changelog b/debian/changelog
index 811e75f..f4df0ff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+velocity (1.7-5+deb10u1) buster; urgency=medium
+
+ * CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability
+ that can be exploited by applications that allow untrusted users to
+ upload/modify Velocity templates. (Closes: #985220)
+
+ -- Chris Lamb <lamby@debian.org> Thu, 13 May 2021 11:11:57 +0100
+
velocity (1.7-5) unstable; urgency=medium
* Team upload.
diff --git a/debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch b/debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
new file mode 100644
index 0000000..cfc81e2
--- /dev/null
+++ b/debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
@@ -0,0 +1,58 @@
+From: Chris Lamb <lamby@debian.org>
+Date: Thu, 13 May 2021 11:03:13 +0100
+Subject: CVE-2020-13936: Prevent a potential arbitrary code execution
+ vulnerability that can be exploited by applications that allow untrusted
+ users to upload/modify Velocity templates. (Closes: #985220)
+
+---
+ .../org/apache/velocity/runtime/defaults/velocity.properties | 7 +------
+ .../velocity/util/introspection/SecureIntrospectorImpl.java | 9 +++++++++
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+index 750a59a..9415ca5 100644
+--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+@@ -247,13 +247,9 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
+
+ introspector.restrict.packages = java.lang.reflect
+
+-# The two most dangerous classes
++## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+
+ introspector.restrict.classes = java.lang.Class
+-introspector.restrict.classes = java.lang.ClassLoader
+-
+-# Restrict these for extra safety
+-
+ introspector.restrict.classes = java.lang.Compiler
+ introspector.restrict.classes = java.lang.InheritableThreadLocal
+ introspector.restrict.classes = java.lang.Package
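Review bot: the new comment `## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl` is only true for deployments that actually use the secure introspector; the context line of this hunk (`runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec...`) shows the default uberspect is a different class, so an application that leaves the default and relies on these properties gets nothing from the Java-side check. Say so here or in debian/changelog so that users know the fix is conditional on configuring the secure uberspector. Dropping the `java.lang.ClassLoader` entry is otherwise consistent with the rest of the patch, since this list is matched on class name (see "check the classname ... whether it matches disallowed classes or packages" below) and so never covered subclasses anyway; keeping the entry would cost nothing, though, and would preserve a visible record of the intent in the shipped defaults.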
+@@ -262,7 +258,6 @@ introspector.restrict.classes = java.lang.Runtime
+ introspector.restrict.classes = java.lang.RuntimePermission
+ introspector.restrict.classes = java.lang.SecurityManager
+ introspector.restrict.classes = java.lang.System
+-introspector.restrict.classes = java.lang.Thread
+ introspector.restrict.classes = java.lang.ThreadGroup
+ introspector.restrict.classes = java.lang.ThreadLocal
+
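Review bot: after removing `introspector.restrict.classes = java.lang.Thread`, the remaining thread-related entries (`java.lang.ThreadGroup`, `java.lang.ThreadLocal`, and `java.lang.InheritableThreadLocal` in the previous hunk) are still name-matched only, so the patch leaves an asymmetry: Thread subclasses are now rejected by `isAssignableFrom`, but a subclass of ThreadGroup or ThreadLocal with a different name still slips past the list. Either extend the hierarchy check to those types as well, or add a comment above this block noting that every entry here is an exact-name match and does not cover subclasses, so that nobody reads the list as a complete denylist.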
+diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+index f317b1c..35ea9e9 100644
+--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
+ return true;
+ }
+
++ /**
++ * Always disallow ClassLoader, Thread and subclasses
++ */
++ if (ClassLoader.class.isAssignableFrom(clazz) ||
++ Thread.class.isAssignableFrom(clazz))
++ {
++ return false;
++ }
++
+ /**
+ * check the classname (minus any array info)
+ * whether it matches disallowed classes or packages
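Review bot: the new `ClassLoader.class.isAssignableFrom(clazz) || Thread.class.isAssignableFrom(clazz)` block is inserted directly after a branch that ends in `return true;`, so its effectiveness depends on none of the earlier allow branches in this method returning true for a ClassLoader or Thread subclass; please confirm that ordering (the hunk's context does not show what that preceding branch tests) and consider moving the deny check ahead of every allow branch so it cannot be short-circuited by a later refactor. Two smaller points: the patch header carries `From:`/`Date:`/`Subject:` but no DEP-3 `Origin:` or `Bug:` line pointing at the upstream commit for CVE-2020-13936, which makes it hard to verify this is the complete upstream fix rather than a partial backport; and the file list (`2 files changed`) shows no accompanying test, so a regression test that feeds a ClassLoader subclass and a Thread subclass through `checkObjectExecutePermission` and asserts `false` would be worth adding if upstream has one.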
diff --git a/debian/patches/series b/debian/patches/series
index 1bd3c45..a609f6a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
0001-fix-example-scripts.patch
+0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
--- End Message ---