
Bug#988455: buster-pu: package velocity/1.7-5+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-CC: Andreas Beckmann <anbe@debian.org>

Dear stable release managers,

Please consider velocity (1.7-5+deb10u1) for buster:
  
  velocity (1.7-5+deb10u1) buster; urgency=medium
  .
    * CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability
      that can be exploited by applications that allow untrusted users to
      upload/modify Velocity templates. (Closes: #985220)

This fixes the lack of clean updates from stretch to buster. The full
debdiff is attached.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
diff --git a/debian/changelog b/debian/changelog
index 811e75f..f4df0ff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+velocity (1.7-5+deb10u1) buster; urgency=medium
+
+  * CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability
+    that can be exploited by applications that allow untrusted users to
+    upload/modify Velocity templates. (Closes: #985220)
+
+ -- Chris Lamb <lamby@debian.org>  Thu, 13 May 2021 11:11:57 +0100
+
 velocity (1.7-5) unstable; urgency=medium
 
   * Team upload.
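Review bot: the changelog entry states the risk but not the behavioural change, which matters for deployments that tune `introspector.restrict.classes` themselves; consider adding a line such as "ClassLoader, Thread and their subclasses are now always rejected by SecureIntrospectorImpl regardless of configuration" so administrators know the hard-coded check supersedes the two properties removed from velocity.properties.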
diff --git a/debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch b/debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
new file mode 100644
index 0000000..cfc81e2
--- /dev/null
+++ b/debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
@@ -0,0 +1,58 @@
+From: Chris Lamb <lamby@debian.org>
+Date: Thu, 13 May 2021 11:03:13 +0100
+Subject: CVE-2020-13936: Prevent a potential arbitrary code execution
+ vulnerability that can be exploited by applications that allow untrusted
+ users to upload/modify Velocity templates. (Closes: #985220)
+
+---
+ .../org/apache/velocity/runtime/defaults/velocity.properties     | 7 +------
+ .../velocity/util/introspection/SecureIntrospectorImpl.java      | 9 +++++++++
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+index 750a59a..9415ca5 100644
+--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+@@ -247,13 +247,9 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
+ 
+ introspector.restrict.packages = java.lang.reflect
+ 
+-# The two most dangerous classes
++## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+ 
+ introspector.restrict.classes = java.lang.Class
+-introspector.restrict.classes = java.lang.ClassLoader
+-                
+-# Restrict these for extra safety
+-
+ introspector.restrict.classes = java.lang.Compiler
+ introspector.restrict.classes = java.lang.InheritableThreadLocal
+ introspector.restrict.classes = java.lang.Package
+@@ -262,7 +258,6 @@ introspector.restrict.classes = java.lang.Runtime
+ introspector.restrict.classes = java.lang.RuntimePermission
+ introspector.restrict.classes = java.lang.SecurityManager
+ introspector.restrict.classes = java.lang.System
+-introspector.restrict.classes = java.lang.Thread
+ introspector.restrict.classes = java.lang.ThreadGroup
+ introspector.restrict.classes = java.lang.ThreadLocal
+ 
+diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+index f317b1c..35ea9e9 100644
+--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
+             return true;
+         }
+ 
++	/**
++       * Always disallow ClassLoader, Thread and subclasses
++       */
++        if (ClassLoader.class.isAssignableFrom(clazz) ||
++                Thread.class.isAssignableFrom(clazz))
++        {
++            return false;
++        }
++
+         /**
+          * check the classname (minus any array info)
+          * whether it matches disallowed classes or packages
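Review bot: the embedded patch carries only From/Date/Subject and no DEP-3 `Origin:` or `Bug:`/`Bug-Debian:` field, so a reviewer cannot tell whether this is the upstream fix or a local backport; please add `Bug-Debian: https://bugs.debian.org/985220` and an `Origin:` line pointing at the upstream change. In the SecureIntrospectorImpl.java hunk the new Javadoc is indented inconsistently with the `if` it documents: the `/**` line uses a tab and the `*` and `*/` lines are seven spaces in, while the surrounding code and the existing comment block below use eight spaces with the continuation lines at nine. Re-indent to match, e.g. `        /**`, `         * Always disallow ClassLoader, Thread and subclasses` and `         */`. The substance is right: `isAssignableFrom` rejects subclasses as well, which the removed string-match entries for `java.lang.ClassLoader` and `java.lang.Thread` in velocity.properties never did, so dropping those two properties does not weaken the default configuration.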
diff --git a/debian/patches/series b/debian/patches/series
index 1bd3c45..a609f6a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-fix-example-scripts.patch
+0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
