--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package openrefine/3.6.2-2
- From: Markus Koschany <apo@debian.org>
- Date: Thu, 07 Sep 2023 21:45:21 +0200
- Message-id: <169411592162.99508.11127625463358370128.reportbug@faye>
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: apo@debian.org
[ Reason ]
Fixing CVE-2023-37476 in Bookworm.
[ Tests ]
The patch checks if file paths inside Zip/Tar archives are valid and do not
try to escape their root directory. The code looks reasonable to me.
[ Risks ]
The code is trivial.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
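The check described under [ Tests ] can be exercised on its own against constructed entry names. The following is an added example, not OpenRefine's code and not part of the debdiff: the class name, the destination directory and the entry names are all made up for illustration, and `staysInside` reproduces the same normalize-then-startsWith comparison the patch applies to each tar entry.

```java
import java.io.File;
import java.nio.file.Path;

// Added example (hypothetical class, not OpenRefine code): shows the path
// containment test from the CVE-2023-37476 fix applied to constructed names.
public class ArchiveEntryCheck {

    // Same shape as the patch: build the destination path from the archive
    // entry name, normalize both sides, then require that the entry's path
    // starts with the destination directory. Path.startsWith compares whole
    // path components, not characters, so a sibling directory whose name
    // merely begins with the root's name does not pass.
    static boolean staysInside(File destDir, String entryName) {
        File destEntry = new File(destDir, entryName);
        Path root = destDir.toPath().normalize();
        return destEntry.toPath().normalize().startsWith(root);
    }

    public static void main(String[] args) {
        File destDir = new File("/tmp/refine-project"); // constructed destination
        String[] names = {                               // constructed entry names
            "data.txt",                // plain entry: allowed
            "history/1/change.txt",    // nested entry: allowed
            "sub/../data.txt",         // normalizes back inside: allowed
            "../../outside/file",      // escapes the root: rejected
            "sub/../../outside",       // escapes only after normalization: rejected
        };
        for (String n : names) {
            System.out.printf("%-24s -> %s%n", n,
                    staysInside(destDir, n) ? "allowed" : "REJECTED");
        }
        // Component-wise comparison: a neighbouring directory with a longer
        // name is not "inside" the root even though the string prefix matches.
        System.out.println(Path.of("/tmp/refine-project2/x")
                .startsWith(Path.of("/tmp/refine-project")));   // prints false
    }
}
```

Run with `java ArchiveEntryCheck.java` on Java 11 or newer. The two rejected names are the cases the patch exists for; the `sub/../data.txt` case shows why `normalize()` is applied before the comparison rather than rejecting every name that contains `..`.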
diff -Nru openrefine-3.6.2/debian/changelog openrefine-3.6.2/debian/changelog
--- openrefine-3.6.2/debian/changelog 2023-04-05 20:20:17.000000000 +0200
+++ openrefine-3.6.2/debian/changelog 2023-09-07 21:22:17.000000000 +0200
@@ -1,3 +1,13 @@
+openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium
+
+ * Fix CVE-2023-37476:
+ OpenRefine is a free, open source tool for data processing. A carefully
+ crafted malicious OpenRefine project tar file can be used to trigger
+ arbitrary code execution in the context of the OpenRefine process if a user
+ can be convinced to import it. (Closes: #1041422)
+
+ -- Markus Koschany <apo@debian.org> Thu, 07 Sep 2023 21:22:17 +0200
+
openrefine (3.6.2-2) unstable; urgency=medium
* Depend on libjoda-time-java and liboro-java.
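Review bot: the changelog entry restates the advisory text but never says what this upload actually changes; one line describing the fix (for example "Reject tar entries whose normalized path escapes the project directory, backported from upstream commit c40c84d") would let a reader of the changelog judge the change without opening debian/patches/CVE-2023-37476.patch.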
diff -Nru openrefine-3.6.2/debian/patches/CVE-2023-37476.patch openrefine-3.6.2/debian/patches/CVE-2023-37476.patch
--- openrefine-3.6.2/debian/patches/CVE-2023-37476.patch 1970-01-01 01:00:00.000000000 +0100
+++ openrefine-3.6.2/debian/patches/CVE-2023-37476.patch 2023-09-07 21:22:17.000000000 +0200
@@ -0,0 +1,24 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 17 Aug 2023 21:33:50 +0200
+Subject: CVE-2023-37476
+
+Bug-Debian: https://bugs.debian.org/1041422
+Origin: https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651
+---
+ main/src/com/google/refine/io/FileProjectManager.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/main/src/com/google/refine/io/FileProjectManager.java b/main/src/com/google/refine/io/FileProjectManager.java
+index 09197f7..c913199 100644
+--- a/main/src/com/google/refine/io/FileProjectManager.java
++++ b/main/src/com/google/refine/io/FileProjectManager.java
+@@ -167,6 +167,9 @@ public class FileProjectManager extends ProjectManager {
+
+ while ((tarEntry = tin.getNextTarEntry()) != null) {
+ File destEntry = new File(destDir, tarEntry.getName());
++ if (!destEntry.toPath().normalize().startsWith(destDir.toPath().normalize())) {
++ throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
++ }
+ File parent = destEntry.getParentFile();
+
+ if (!parent.exists()) {
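Review bot: the message in the new `throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.")` says "Zip archives", but this loop iterates tar entries via `tin.getNextTarEntry()`, so "Tar archives" (or just "archives") would match what the user imported. The containment test itself is the right shape: both sides are normalized before `Path.startsWith`, which compares whole path components, so an entry resolving to a sibling directory whose name merely begins with `destDir`'s name is still rejected, and the check sits before `parent` is derived and the `!parent.exists()` branch runs, so nothing is created on disk for a rejected entry. One point not visible in this hunk: the test inspects only `tarEntry.getName()`, so if the surrounding loop also materializes symbolic-link entries, their link targets are not covered by this check and should be confirmed separately.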
diff -Nru openrefine-3.6.2/debian/patches/series openrefine-3.6.2/debian/patches/series
--- openrefine-3.6.2/debian/patches/series 2023-04-05 20:20:17.000000000 +0200
+++ openrefine-3.6.2/debian/patches/series 2023-09-07 21:22:17.000000000 +0200
@@ -4,3 +4,4 @@
log4j-api.patch
no-java-files.patch
gdata-extension.patch
+CVE-2023-37476.patch
--- End Message ---