
Bug#991885: marked as done (unblock: xmlgraphics-commons/2.4-1)



Your message dated Fri, 6 Aug 2021 08:51:50 +0200
with message-id <0acf990a-bfee-8caa-d1ab-d83fa2be4912@debian.org>
and subject line Re: Bug#991885: unblock: xmlgraphics-commons/2.4-1
has caused the Debian Bug report #991885,
regarding unblock: xmlgraphics-commons/2.4-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
991885: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991885
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: apo@debian.org

Please unblock package xmlgraphics-commons

[ Reason ]

I know we are past the deadline now but I hope you can make an
exception because the fix is straightforward. I would like to fix
CVE-2020-11988 in Bullseye.

[ Impact ]

xmlgraphics-commons would still be vulnerable and users would have to wait
for the next point update.

[ Tests ]

Test case works as intended.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock xmlgraphics-commons/2.4-1
diff -Nru xmlgraphics-commons-2.4/debian/changelog xmlgraphics-commons-2.4/debian/changelog
--- xmlgraphics-commons-2.4/debian/changelog	2020-02-14 22:20:36.000000000 +0100
+++ xmlgraphics-commons-2.4/debian/changelog	2021-08-02 07:48:42.000000000 +0200
@@ -1,3 +1,15 @@
+xmlgraphics-commons (2.4-2) unstable; urgency=high
+
+  * Team upload.
+  * Fix CVE-2020-11988:
+    Apache XmlGraphics Commons is vulnerable to server-side request forgery,
+    caused by improper input validation by the XMPParser. By using a
+    specially-crafted argument, an attacker could exploit this vulnerability to
+    cause the underlying server to make arbitrary GET requests.
+    (Closes: #984949)
+
+ -- Markus Koschany <apo@debian.org>  Mon, 02 Aug 2021 07:48:42 +0200
+
 xmlgraphics-commons (2.4-1) unstable; urgency=medium
 
   * New upstream version 2.4
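Review bot: the version introduced by the new changelog stanza (2.4-2) does not match the version this request asks to unblock, which is "unblock xmlgraphics-commons/2.4-1" both in the subject and in the closing line of the request; 2.4-1 is the version already in testing, so the unblock line should read `unblock xmlgraphics-commons/2.4-2` for the hint to have any effect.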
diff -Nru xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch
--- xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch	1970-01-01 01:00:00.000000000 +0100
+++ xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch	2021-08-02 07:48:42.000000000 +0200
@@ -0,0 +1,77 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 2 Aug 2021 07:47:01 +0200
+Subject: CVE-2020-11988
+
+Bug-Debian: https://bugs.debian.org/984949
+Origin: https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
+---
+ .../java/org/apache/xmlgraphics/xmp/XMPParser.java    |  3 +++
+ .../org/apache/xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+index b7c0e5f..4c58a11 100644
+--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+@@ -21,6 +21,7 @@ package org.apache.xmlgraphics.xmp;
+ 
+ import java.net.URL;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+@@ -54,6 +55,8 @@ public final class XMPParser {
+      */
+     public static Metadata parseXMP(Source src) throws TransformerException {
+         TransformerFactory tFactory = TransformerFactory.newInstance();
++        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+         Transformer transformer = tFactory.newTransformer();
+         XMPHandler handler = createXMPHandler();
+         SAXResult res = new SAXResult(handler);
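Review bot: the two `tFactory.setAttribute(...)` calls are unconditional, and `TransformerFactory.setAttribute` throws `IllegalArgumentException` when the implementation does not recognise the attribute, so with a third-party `TransformerFactory` that predates JAXP 1.5 on the classpath `parseXMP` would fail for every document rather than only for those carrying external references; wrapping the two calls in a `try { ... } catch (IllegalArgumentException e)` that logs a warning would keep the hardening from turning into a hard regression there. It is also worth recording in the patch header that these attributes govern the reader the transformer creates for itself, so a caller that hands in a `SAXSource` with its own preconfigured `XMLReader` is outside what they control.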
+diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+index 02c4cf6..5f2ef05 100644
+--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+@@ -19,16 +19,21 @@
+ 
+ package org.apache.xmlgraphics.xmp;
+ 
++import java.io.StringReader;
+ import java.net.URL;
+ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.TimeZone;
+ 
++import javax.xml.transform.TransformerException;
++import javax.xml.transform.stream.StreamSource;
++
+ import org.junit.Test;
+ 
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertNotNull;
+ import static org.junit.Assert.assertNull;
++import static org.junit.Assert.assertTrue;
+ 
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
+@@ -189,4 +194,18 @@ public class XMPParserTestCase {
+         assertNull(title); //Empty value treated same as not existant
+     }
+ 
++    @Test
++    public void testExternalDTD() {
++        String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
++                + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\";>\n%remote;]>\n"
++                + "<root></root>";
++        StreamSource streamSource = new StreamSource(new StringReader(payload));
++        String msg = "";
++        try {
++            XMPParser.parseXMP(streamSource);
++        } catch (TransformerException e) {
++            msg = e.getMessage();
++        }
++        assertTrue(msg, msg.contains("access is not allowed"));
++    }
+ }
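Review bot: the check `assertTrue(msg, msg.contains("access is not allowed"))` pins the test to the exact wording of the JDK built-in parser's error message; a different Transformer or SAX implementation on the classpath, or a localised JDK, may reject the external entity with different text and report a correctly blocked request as a test failure. Asserting first that a `TransformerException` was thrown at all (a `fail()` after `XMPParser.parseXMP(streamSource)` inside the try) and treating the message text as a secondary check would make the regression test more robust.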
diff -Nru xmlgraphics-commons-2.4/debian/patches/series xmlgraphics-commons-2.4/debian/patches/series
--- xmlgraphics-commons-2.4/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ xmlgraphics-commons-2.4/debian/patches/series	2021-08-02 07:48:42.000000000 +0200
@@ -0,0 +1 @@
+CVE-2020-11988.patch

--- End Message ---
--- Begin Message ---
Hi Markus,

On 04-08-2021 14:47, Markus Koschany wrote:
> Please unblock package xmlgraphics-commons

The issue is marked as a minor issue by the security team and not fixed in
buster. Plainly speaking, the fix came too late (you had since March).

Paul



--- End Message ---
