- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package xmlgraphics-commons/2.3-1
- From: Markus Koschany <apo@debian.org>
- Date: Wed, 04 Aug 2021 13:37:24 +0200
- Message-id: <162807704418.360171.1989121655745228800.reportbug@faye>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org
[ Reason ]
I would like to fix CVE-2020-11988 in Buster (#984949). The security
team considers this one to be no-dsa.
[ Impact ]
xmlgraphics-commons would still be vulnerable.
[ Tests ]
Test case works as intended.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
Regards,
Markus
diff -Nru xmlgraphics-commons-2.3/debian/changelog xmlgraphics-commons-2.3/debian/changelog
--- xmlgraphics-commons-2.3/debian/changelog 2018-08-22 23:30:39.000000000 +0200
+++ xmlgraphics-commons-2.3/debian/changelog 2021-08-04 13:31:34.000000000 +0200
@@ -1,3 +1,15 @@
+xmlgraphics-commons (2.3-1+deb10u1) buster; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2020-11988:
+ Apache XmlGraphics Commons is vulnerable to server-side request forgery,
+ caused by improper input validation by the XMPParser. By using a
+ specially-crafted argument, an attacker could exploit this vulnerability to
+ cause the underlying server to make arbitrary GET requests.
+ (Closes: #984949)
+
+ -- Markus Koschany <apo@debian.org> Wed, 04 Aug 2021 13:31:34 +0200
+
xmlgraphics-commons (2.3-1) unstable; urgency=medium
* Team upload.
diff -Nru xmlgraphics-commons-2.3/debian/patches/CVE-2020-11988.patch xmlgraphics-commons-2.3/debian/patches/CVE-2020-11988.patch
--- xmlgraphics-commons-2.3/debian/patches/CVE-2020-11988.patch 1970-01-01 01:00:00.000000000 +0100
+++ xmlgraphics-commons-2.3/debian/patches/CVE-2020-11988.patch 2021-08-04 13:31:34.000000000 +0200
@@ -0,0 +1,77 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 2 Aug 2021 07:47:01 +0200
+Subject: CVE-2020-11988
+
+Bug-Debian: https://bugs.debian.org/984949
+Origin: https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
+---
+ .../java/org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++
+ .../org/apache/xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+index b7c0e5f..4c58a11 100644
+--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+@@ -21,6 +21,7 @@ package org.apache.xmlgraphics.xmp;
+
+ import java.net.URL;
+
++import javax.xml.XMLConstants;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+@@ -54,6 +55,8 @@ public final class XMPParser {
+ */
+ public static Metadata parseXMP(Source src) throws TransformerException {
+ TransformerFactory tFactory = TransformerFactory.newInstance();
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = tFactory.newTransformer();
+ XMPHandler handler = createXMPHandler();
+ SAXResult res = new SAXResult(handler);
+diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+index 02c4cf6..5f2ef05 100644
+--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+@@ -19,16 +19,21 @@
+
+ package org.apache.xmlgraphics.xmp;
+
++import java.io.StringReader;
+ import java.net.URL;
+ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.TimeZone;
+
++import javax.xml.transform.TransformerException;
++import javax.xml.transform.stream.StreamSource;
++
+ import org.junit.Test;
+
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertNotNull;
+ import static org.junit.Assert.assertNull;
++import static org.junit.Assert.assertTrue;
+
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
+@@ -189,4 +194,18 @@ public class XMPParserTestCase {
+ assertNull(title); //Empty value treated same as not existant
+ }
+
++ @Test
++ public void testExternalDTD() {
++ String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
++ + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n"
++ + "<root></root>";
++ StreamSource streamSource = new StreamSource(new StringReader(payload));
++ String msg = "";
++ try {
++ XMPParser.parseXMP(streamSource);
++ } catch (TransformerException e) {
++ msg = e.getMessage();
++ }
++ assertTrue(msg, msg.contains("access is not allowed"));
++ }
+ }
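Review bot: The two setAttribute calls added to parseXMP only take effect when the TransformerFactory returned by the JAXP lookup recognises XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET; per the TransformerFactory contract an implementation that does not recognise an attribute name throws IllegalArgumentException, so a third-party factory on the classpath would fail the call loudly rather than silently keep fetching, and that dependency is worth stating in a comment above the calls, e.g. `// Block external DTD and stylesheet fetches (CVE-2020-11988); a factory that does not support these attributes throws IllegalArgumentException rather than silently ignoring them`. The new testExternalDTD only covers the external-DTD path, so ACCESS_EXTERNAL_STYLESHEET is left unexercised, and it keys on the implementation-specific fragment "access is not allowed" while a successful parse leaves msg empty and produces an unhelpful assertion message; asserting first that a TransformerException was thrown at all, then inspecting the message, would make the regression test more robust. Both nested hunks are excerpts: parseXMP continues past the end of its hunk and the test class's remaining lines are outside it.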
diff -Nru xmlgraphics-commons-2.3/debian/patches/series xmlgraphics-commons-2.3/debian/patches/series
--- xmlgraphics-commons-2.3/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ xmlgraphics-commons-2.3/debian/patches/series 2021-08-04 13:31:34.000000000 +0200
@@ -0,0 +1 @@
+CVE-2020-11988.patch