
Bug#991881: buster-pu: package xmlgraphics-commons/2.3-1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org


[ Reason ]

I would like to fix CVE-2020-11988 in Buster (#984949). The security
team considers this one to be no-dsa.

[ Impact ]

xmlgraphics-commons would still be vulnerable.

[ Tests ]

The test case that the upstream patch adds (testExternalDTD in XMPParserTestCase) passes with the fix applied.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

Regards,

Markus
diff -Nru xmlgraphics-commons-2.3/debian/changelog xmlgraphics-commons-2.3/debian/changelog
--- xmlgraphics-commons-2.3/debian/changelog	2018-08-22 23:30:39.000000000 +0200
+++ xmlgraphics-commons-2.3/debian/changelog	2021-08-04 13:31:34.000000000 +0200
@@ -1,3 +1,15 @@
+xmlgraphics-commons (2.3-1+deb10u1) buster; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2020-11988:
+    Apache XmlGraphics Commons is vulnerable to server-side request forgery,
+    caused by improper input validation by the XMPParser. By using a
+    specially-crafted argument, an attacker could exploit this vulnerability to
+    cause the underlying server to make arbitrary GET requests.
+    (Closes: #984949)
+
+ -- Markus Koschany <apo@debian.org>  Wed, 04 Aug 2021 13:31:34 +0200
+
 xmlgraphics-commons (2.3-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru xmlgraphics-commons-2.3/debian/patches/CVE-2020-11988.patch xmlgraphics-commons-2.3/debian/patches/CVE-2020-11988.patch
--- xmlgraphics-commons-2.3/debian/patches/CVE-2020-11988.patch	1970-01-01 01:00:00.000000000 +0100
+++ xmlgraphics-commons-2.3/debian/patches/CVE-2020-11988.patch	2021-08-04 13:31:34.000000000 +0200
@@ -0,0 +1,77 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 2 Aug 2021 07:47:01 +0200
+Subject: CVE-2020-11988
+
+Bug-Debian: https://bugs.debian.org/984949
+Origin: https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
+---
+ .../java/org/apache/xmlgraphics/xmp/XMPParser.java    |  3 +++
+ .../org/apache/xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+index b7c0e5f..4c58a11 100644
+--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+@@ -21,6 +21,7 @@ package org.apache.xmlgraphics.xmp;
+ 
+ import java.net.URL;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+@@ -54,6 +55,8 @@ public final class XMPParser {
+      */
+     public static Metadata parseXMP(Source src) throws TransformerException {
+         TransformerFactory tFactory = TransformerFactory.newInstance();
++        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+         Transformer transformer = tFactory.newTransformer();
+         XMPHandler handler = createXMPHandler();
+         SAXResult res = new SAXResult(handler);
+diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+index 02c4cf6..5f2ef05 100644
+--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+@@ -19,16 +19,21 @@
+ 
+ package org.apache.xmlgraphics.xmp;
+ 
++import java.io.StringReader;
+ import java.net.URL;
+ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.TimeZone;
+ 
++import javax.xml.transform.TransformerException;
++import javax.xml.transform.stream.StreamSource;
++
+ import org.junit.Test;
+ 
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertNotNull;
+ import static org.junit.Assert.assertNull;
++import static org.junit.Assert.assertTrue;
+ 
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
+@@ -189,4 +194,18 @@ public class XMPParserTestCase {
+         assertNull(title); //Empty value treated same as not existant
+     }
+ 
++    @Test
++    public void testExternalDTD() {
++        String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
++                + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\";>\n%remote;]>\n"
++                + "<root></root>";
++        StreamSource streamSource = new StreamSource(new StringReader(payload));
++        String msg = "";
++        try {
++            XMPParser.parseXMP(streamSource);
++        } catch (TransformerException e) {
++            msg = e.getMessage();
++        }
++        assertTrue(msg, msg.contains("access is not allowed"));
++    }
+ }
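Review bot: The two `tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_*, "")` calls added to `parseXMP` can throw `IllegalArgumentException` when the `TransformerFactory` returned by `newInstance()` does not recognise the JAXP 1.5 access attributes (a third-party factory found via the service loader, if one is on the classpath in the deployed configuration), which escapes the method's declared `throws TransformerException` contract instead of failing cleanly. Failing closed is the right outcome, but I would convert the unchecked exception into the declared type so callers' existing handling still applies, and add a why-comment naming the CVE, since the bare `""` values do not explain themselves. The new test only matches the JDK's message text `access is not allowed`, which is implementation-specific wording; a different but equally restrictive factory would fail this assertion. `parseXMP`'s body continues outside the quoted context.

```java
        TransformerFactory tFactory = TransformerFactory.newInstance();
        try {
            // CVE-2020-11988: forbid fetching external DTDs and stylesheets
            // (SSRF via crafted XMP). Empty string = no protocols allowed.
            tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // Factory does not support the JAXP 1.5 access attributes: fail closed.
            throw new TransformerException(
                    "TransformerFactory cannot restrict external access", e);
        }
        // … unchanged: newTransformer(), handler, SAXResult …
```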
diff -Nru xmlgraphics-commons-2.3/debian/patches/series xmlgraphics-commons-2.3/debian/patches/series
--- xmlgraphics-commons-2.3/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ xmlgraphics-commons-2.3/debian/patches/series	2021-08-04 13:31:34.000000000 +0200
@@ -0,0 +1 @@
+CVE-2020-11988.patch
