
Bug#1109761: marked as done (unblock: jackrabbit/2.20.11-1.1)



Your message dated Wed, 23 Jul 2025 19:00:33 +0000
with message-id <E1ueehd-00CfMW-2j@respighi.debian.org>
and subject line unblock jackrabbit
has caused the Debian Bug report #1109761,
regarding unblock: jackrabbit/2.20.11-1.1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1109761: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109761
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: jackrabbit@packages.debian.org
Control: affects -1 + src:jackrabbit
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package jackrabbit

[ Reason ]
#1109335

[ Impact ]
Vulnerable for CVE-2025-53689.

[ Tests ]
None.

[ Risks ]
The upstream patch applies cleanly, so the risk that this change regresses the package is low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I have fixed this via NMU.

unblock jackrabbit/2.20.11-1.1
diff -Nru jackrabbit-2.20.11/debian/changelog jackrabbit-2.20.11/debian/changelog
--- jackrabbit-2.20.11/debian/changelog	2023-07-29 15:08:48.000000000 +0200
+++ jackrabbit-2.20.11/debian/changelog	2025-07-23 10:05:30.000000000 +0200
@@ -1,3 +1,10 @@
+jackrabbit (2.20.11-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-53689 via upstream patch. (Closes: #1109335)
+
+ -- Bastian Germann <bage@debian.org>  Wed, 23 Jul 2025 10:05:30 +0200
+
 jackrabbit (2.20.11-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch
--- jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch	2025-07-23 10:05:30.000000000 +0200
@@ -0,0 +1,147 @@
+Origin: upstream, 8ea2349234b181bf790cad58bfd91fd2763e64a9
+From: Julian Reschke <reschke@apache.org>
+Date: Thu, 10 Jul 2025 18:04:34 +0200
+Subject: JCR-5165: various parsing improvements/consistency (#263)
+
+---
+ .../jackrabbit/core/util/DOMWalker.java       | 40 ++++++++++++++++++-
+ .../privilege/PrivilegeXmlHandler.java        | 30 ++++++++++++++
+ 2 files changed, 68 insertions(+), 2 deletions(-)
+
+diff --git a/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java b/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java
+index 9689f7cba7d..aa6b64467e1 100644
+--- a/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java
++++ b/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java
+@@ -23,11 +23,15 @@
+ import org.w3c.dom.NamedNodeMap;
+ import org.w3c.dom.Node;
+ import org.w3c.dom.NodeList;
++import org.xml.sax.EntityResolver;
++import org.xml.sax.InputSource;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import java.io.IOException;
+ import java.io.InputStream;
++import java.io.StringReader;
+ import java.util.Properties;
+ 
+ /**
+@@ -37,8 +41,36 @@
+ public final class DOMWalker {
+ 
+     /** Static factory for creating stream to DOM transformers. */
+-    private static final DocumentBuilderFactory factory =
+-        DocumentBuilderFactory.newInstance();
++    private static final DocumentBuilderFactory factory = createFactory();
++
++    private static DocumentBuilderFactory createFactory() {
++        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++        factory.setIgnoringComments(false);
++        factory.setIgnoringElementContentWhitespace(true);
++        factory.setXIncludeAware(false);
++
++        // Prevent XXE attacks by disabling external entity processing
++        factory.setExpandEntityReferences(false);
++
++        String feature = null;
++
++        try {
++            feature = XMLConstants.FEATURE_SECURE_PROCESSING;
++            factory.setFeature(feature, true);
++            feature = "http://apache.org/xml/features/disallow-doctype-decl";;
++            factory.setFeature(feature, true);
++            feature = "http://apache.org/xml/features/nonvalidating/load-external-dtd";;
++            factory.setFeature(feature, false);
++            feature = "http://xml.org/sax/features/external-general-entities";;
++            factory.setFeature(feature, false);
++            feature = "http://xml.org/sax/features/external-parameter-entities";;
++            factory.setFeature(feature, false);
++        } catch (Exception ex) {
++            // abort if secure processing is not supported
++            throw new IllegalStateException("Secure processing feature '" + feature + "' not supported by the DocumentBuilderFactory: " + factory.getClass().getName(), ex);
++        }
++        return factory;
++    }
+ 
+     /** The DOM document being traversed by this walker. */
+     private final Document document;
+@@ -57,6 +89,10 @@ public final class DOMWalker {
+     public DOMWalker(InputStream xml) throws IOException {
+         try {
+             DocumentBuilder builder = factory.newDocumentBuilder();
++            // defense in depth: entity resolver that will break any document on purpose
++            EntityResolver stopMe = (publicId, systemId) -> new InputSource(
++                    new StringReader("<preventing read of: " + publicId + " " + systemId + ">"));
++            builder.setEntityResolver(stopMe);
+             document = builder.parse(xml);
+             current = document.getDocumentElement();
+         } catch (IOException e) {
+diff --git a/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java b/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java
+index ffa24fe2001..bc241491296 100644
+--- a/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java
++++ b/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java
+@@ -27,10 +27,12 @@
+ import org.w3c.dom.NamedNodeMap;
+ import org.w3c.dom.Node;
+ import org.w3c.dom.NodeList;
++import org.xml.sax.EntityResolver;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.SAXException;
+ import org.xml.sax.helpers.DefaultHandler;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.parsers.ParserConfigurationException;
+@@ -44,7 +46,9 @@
+ import java.io.InputStream;
+ import java.io.OutputStream;
+ import java.io.Reader;
++import java.io.StringReader;
+ import java.io.Writer;
++import java.rmi.server.ExportException;
+ import java.util.ArrayList;
+ import java.util.HashMap;
+ import java.util.HashSet;
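Review bot: `import java.rmi.server.ExportException;` added in this hunk is not used anywhere in the visible change and looks like an IDE auto-import; it should be dropped. Beyond being dead code, it makes jackrabbit-spi-commons reference the `java.rmi` module, which is absent from minimal jlink'd runtimes and could turn into a compile failure for no benefit. The other three added imports (`EntityResolver`, `XMLConstants`, `StringReader`) are all used by the later hunks in this file.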
+@@ -112,6 +116,28 @@ private static DocumentBuilderFactory createFactory() {
+         factory.setNamespaceAware(true);
+         factory.setIgnoringComments(false);
+         factory.setIgnoringElementContentWhitespace(true);
++        factory.setXIncludeAware(false);
++
++        // Prevent XXE attacks by disabling external entity processing
++        factory.setExpandEntityReferences(false);
++
++        String feature = null;
++
++        try {
++            feature = XMLConstants.FEATURE_SECURE_PROCESSING;
++            factory.setFeature(feature, true);
++            feature = "http://apache.org/xml/features/disallow-doctype-decl";;
++            factory.setFeature(feature, true);
++            feature = "http://apache.org/xml/features/nonvalidating/load-external-dtd";;
++            factory.setFeature(feature, false);
++            feature = "http://xml.org/sax/features/external-general-entities";;
++            factory.setFeature(feature, false);
++            feature = "http://xml.org/sax/features/external-parameter-entities";;
++            factory.setFeature(feature, false);
++        } catch (Exception ex) {
++            // abort if secure processing is not supported
++            throw new IllegalStateException("Secure processing feature '" + feature + "' not supported by the DocumentBuilderFactory: " + factory.getClass().getName(), ex);
++        }
+         return factory;
+     }
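Review bot: `disallow-doctype-decl` makes the parser reject any document that carries a DOCTYPE, including one that merely references a public DTD, and the unblock request lists no tests; it is worth confirming that no privilege-definition XML this handler reads in existing deployments starts with a DOCTYPE, since such files will now fail to load instead of parsing with the DTD ignored. The comment on `setExpandEntityReferences(false)` has the same problem as in DOMWalker — that flag only changes how entity references appear in the DOM, while the actual blocking is the feature set that follows — so `// entity references stay unexpanded in the DOM; XXE is blocked by the features below` would be more precise. This factory setup is now duplicated line for line with DOMWalker.createFactory(); if jackrabbit-core already depends on spi-commons, a single shared helper would keep the two hardenings from drifting apart. `DOCUMENT_BUILDER_FACTORY` is declared outside the hunk, but if it is a static final like DOMWalker's, the IllegalStateException thrown here will surface as an ExceptionInInitializerError on first use, which deserves a comment at the throw.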
+ 
+@@ -279,6 +305,10 @@ private PrivilegeDefinition parseDefinition(Node n, Map<String, String> namespac
+      */
+     private static DocumentBuilder createDocumentBuilder() throws ParserConfigurationException {
+         DocumentBuilder builder = DOCUMENT_BUILDER_FACTORY.newDocumentBuilder();
++        // defense in depth: entity resolver that will break any document on purpose
++        EntityResolver stopMe = (publicId, systemId) -> new InputSource(
++                new StringReader("<preventing read of: " + publicId + " " + systemId + ">"));
++        builder.setEntityResolver(stopMe);
+         builder.setErrorHandler(new DefaultHandler());
+         return builder;
+     }
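Review bot: The resolver added before `setErrorHandler` refuses external entities by handing back deliberately malformed XML, so if it is ever reached the caller sees a generic well-formedness error about an element named `preventing` rather than a message saying the access was blocked. Since `EntityResolver.resolveEntity` may throw `SAXException`, which this file already imports, a clearer form is `EntityResolver stopMe = (publicId, systemId) -> { throw new SAXException("external entity access blocked: " + publicId + " " + systemId); };`. With `disallow-doctype-decl` enabled on the factory this resolver should never be invoked at all, which is worth stating in the comment so nobody later removes the seemingly redundant feature. The identical lambda in DOMWalker would benefit from the same treatment, though DOMWalker's visible imports do not include SAXException and its constructor's catch clauses lie outside that hunk.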
diff -Nru jackrabbit-2.20.11/debian/patches/series jackrabbit-2.20.11/debian/patches/series
--- jackrabbit-2.20.11/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ jackrabbit-2.20.11/debian/patches/series	2025-07-23 10:05:30.000000000 +0200
@@ -0,0 +1 @@
+CVE-2025-53689.patch

--- End Message ---
--- Begin Message ---
Unblocked jackrabbit.

--- End Message ---
