Your message dated Fri, 6 Aug 2021 08:51:50 +0200
with message-id <0acf990a-bfee-8caa-d1ab-d83fa2be4912@debian.org>
and subject line Re: Bug#991885: unblock: xmlgraphics-commons/2.4-1
has caused the Debian Bug report #991885,
regarding unblock: xmlgraphics-commons/2.4-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
991885: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991885
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: xmlgraphics-commons/2.4-1
- From: Markus Koschany <apo@debian.org>
- Date: Wed, 04 Aug 2021 14:47:02 +0200
- Message-id: <162808122232.378819.4410357638287010332.reportbug@faye>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: apo@debian.org

Please unblock package xmlgraphics-commons

[ Reason ]
I know we are past the deadline now but I hope you can make an exception because the fix is straightforward. I would like to fix CVE-2020-11988 in Bullseye.

[ Impact ]
xmlgraphics-commons would still be vulnerable and users had to wait for the next point update.

[ Tests ]
Test case works as intended.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock xmlgraphics-commons/2.4-1

diff -Nru xmlgraphics-commons-2.4/debian/changelog xmlgraphics-commons-2.4/debian/changelog --- xmlgraphics-commons-2.4/debian/changelog 2020-02-14 22:20:36.000000000 +0100 +++ xmlgraphics-commons-2.4/debian/changelog 2021-08-02 07:48:42.000000000 +0200 @@ -1,3 +1,15 @@ +xmlgraphics-commons (2.4-2) unstable; urgency=high + + * Team upload. + * Fix CVE-2020-11988: + Apache XmlGraphics Commons is vulnerable to server-side request forgery, + caused by improper input validation by the XMPParser. By using a + specially-crafted argument, an attacker could exploit this vulnerability to + cause the underlying server to make arbitrary GET requests. + (Closes: #984949) + + -- Markus Koschany <apo@debian.org> Mon, 02 Aug 2021 07:48:42 +0200 + xmlgraphics-commons (2.4-1) unstable; urgency=medium * New upstream version 2.4 diff -Nru xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch --- xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch 1970-01-01 01:00:00.000000000 +0100 +++ xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch 2021-08-02 07:48:42.000000000 +0200 
@@ -0,0 +1,77 @@ +From: Markus Koschany <apo@debian.org> +Date: Mon, 2 Aug 2021 07:47:01 +0200 +Subject: CVE-2020-11988 + +Bug-Debian: https://bugs.debian.org/984949 +Origin: https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183 +--- + .../java/org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++ + .../org/apache/xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++ + 2 files changed, 22 insertions(+) + +diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java +index b7c0e5f..4c58a11 100644 +--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java ++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java +@@ -21,6 +21,7 @@ package org.apache.xmlgraphics.xmp; + + import java.net.URL; + ++import javax.xml.XMLConstants; + import javax.xml.transform.Source; + import javax.xml.transform.Transformer; + import javax.xml.transform.TransformerException; +@@ -54,6 +55,8 @@ public final class XMPParser { + */ + public static Metadata parseXMP(Source src) throws TransformerException { + TransformerFactory tFactory = TransformerFactory.newInstance(); ++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = tFactory.newTransformer(); + XMPHandler handler = createXMPHandler(); + SAXResult res = new SAXResult(handler); +diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java +index 02c4cf6..5f2ef05 100644 +--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java ++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java +@@ -19,16 +19,21 @@ + + package org.apache.xmlgraphics.xmp; + ++import java.io.StringReader; + import java.net.URL; + import java.util.Calendar; + import java.util.Date; + import java.util.TimeZone; + ++import 
javax.xml.transform.TransformerException; ++import javax.xml.transform.stream.StreamSource; ++ + import org.junit.Test; + + import static org.junit.Assert.assertEquals; + import static org.junit.Assert.assertNotNull; + import static org.junit.Assert.assertNull; ++import static org.junit.Assert.assertTrue; + + import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter; + import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema; +@@ -189,4 +194,18 @@ public class XMPParserTestCase { + assertNull(title); //Empty value treated same as not existant + } + ++ @Test ++ public void testExternalDTD() { ++ String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" ++ + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n" ++ + "<root></root>"; ++ StreamSource streamSource = new StreamSource(new StringReader(payload)); ++ String msg = ""; ++ try { ++ XMPParser.parseXMP(streamSource); ++ } catch (TransformerException e) { ++ msg = e.getMessage(); ++ } ++ assertTrue(msg, msg.contains("access is not allowed")); ++ } + } diff -Nru xmlgraphics-commons-2.4/debian/patches/series xmlgraphics-commons-2.4/debian/patches/series --- xmlgraphics-commons-2.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ xmlgraphics-commons-2.4/debian/patches/series 2021-08-02 07:48:42.000000000 +0200 @@ -0,0 +1 @@ +CVE-2020-11988.patch
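Review bot: the version in the debian/changelog hunk does not match the unblock request: the hunk introduces `xmlgraphics-commons (2.4-2) unstable; urgency=high`, while the Subject and the closing `unblock xmlgraphics-commons/2.4-1` line name 2.4-1, which is the revision already in testing. The hint line should read `unblock xmlgraphics-commons/2.4-2` so that the release team's tooling matches the upload that actually carries the CVE-2020-11988 fix.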
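Review bot: the two new `tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` and `ACCESS_EXTERNAL_STYLESHEET` calls in `parseXMP` are unguarded, and `TransformerFactory.setAttribute` throws `IllegalArgumentException` when the factory does not recognise the attribute. Because `TransformerFactory.newInstance()` returns whichever implementation is first on the classpath rather than necessarily the JDK's, a deployment with an older Xalan or another TransformerFactory would have every XMP parse fail with an unrelated exception instead of a clear refusal. Catching that exception and failing closed with an explicit message, or additionally calling `tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, would make the behaviour predictable across implementations.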
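Review bot: `assertTrue(msg, msg.contains("access is not allowed"))` in `testExternalDTD` pins the test to the exact wording of the JDK's `TransformerException` message, which other JAXP implementations and future JDK releases do not guarantee, so the test can fail even when external access is correctly blocked. A sturdier check is to record in the `catch` block that a `TransformerException` was thrown at all and assert on that flag, keeping the message check as a secondary, case-insensitive hint. It is also worth a comment that the `http://127.0.0.1:9999/eval.xml` entity doubles as a fail-safe: if the attributes were silently ignored, the parser would attempt a real connection and the test would still fail, only with a connection error rather than the intended assertion.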
--- End Message ---
--- Begin Message ---
- To: Markus Koschany <apo@debian.org>, 991885-done@bugs.debian.org
- Subject: Re: Bug#991885: unblock: xmlgraphics-commons/2.4-1
- From: Paul Gevers <elbrus@debian.org>
- Date: Fri, 6 Aug 2021 08:51:50 +0200
- Message-id: <0acf990a-bfee-8caa-d1ab-d83fa2be4912@debian.org>
- In-reply-to: <162808122232.378819.4410357638287010332.reportbug@faye>
- References: <162808122232.378819.4410357638287010332.reportbug@faye>
Hi Markus,

On 04-08-2021 14:47, Markus Koschany wrote:
> Please unblock package xmlgraphics-commons

The issue is marked as minor issue by the security team and not fixed in buster. Plain saying, the fix came too late (you had since March).

Paul
--- End Message ---