Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear release team,

I would like to fix CVE-2018-20433 (#917257) in c3p0. This issue was
marked no-dsa by the security team. Please find attached the debdiff.

Regards,

Markus
diff -Nru c3p0-0.9.1.2/debian/changelog c3p0-0.9.1.2/debian/changelog
--- c3p0-0.9.1.2/debian/changelog       2014-01-17 05:47:13.000000000 +0100
+++ c3p0-0.9.1.2/debian/changelog       2018-12-28 18:41:05.000000000 +0100
@@ -1,3 +1,13 @@
+c3p0 (0.9.1.2-9+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2018-20433.
+    A XML External Entity (XXE) vulnerability was discovered in c3p0 that may
+    be used to resolve information outside of the intended sphere of control.
+    (Closes: #917257)
+
+ -- Markus Koschany <a...@debian.org>  Fri, 28 Dec 2018 18:41:05 +0100
+
 c3p0 (0.9.1.2-9) unstable; urgency=medium
 
   * Team upload.
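Review bot: the changelog text `+    A XML External Entity (XXE) vulnerability was discovered in c3p0` should read "An XML External Entity", and the entry would be more useful if it named the behavioural change this update introduces (entity references are no longer expanded when c3p0 parses its XML configuration in C3P0ConfigXmlUtils), since any deployment whose c3p0-config.xml relies on entity references will see different parsing after the upgrade.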
diff -Nru c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch 
c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch
--- c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch    1970-01-01 
01:00:00.000000000 +0100
+++ c3p0-0.9.1.2/debian/patches/CVE-2018-20433.patch    2018-12-28 
18:41:05.000000000 +0100
@@ -0,0 +1,22 @@
+From: Markus Koschany <a...@debian.org>
+Date: Tue, 25 Dec 2018 15:14:04 +0100
+Subject: CVE-2018-20433
+
+Bug-Debian: https://bugs.debian.org/917257
+Origin: 
https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
+---
+ src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java 
b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+index 3878e89..4a75bd8 100644
+--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
++++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+@@ -132,6 +132,7 @@ public final class C3P0ConfigXmlUtils
+     public static C3P0Config extractXmlConfigFromInputStream(InputStream is) 
throws Exception
+     {
+         DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
++      fact.setExpandEntityReferences(false);
+         DocumentBuilder db = fact.newDocumentBuilder();
+         Document doc = db.parse( is );
+ 
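Review bot: the single call `++      fact.setExpandEntityReferences(false);` is generally regarded as an incomplete XXE mitigation for `DocumentBuilderFactory`: it stops entity references from being expanded into the resulting DOM, but it does not by itself stop the parser from processing a DOCTYPE or fetching external DTDs and parameter entities. Consider additionally calling `fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` (or, if DOCTYPEs in c3p0-config.xml must remain accepted, setting the `external-general-entities`, `external-parameter-entities` and `load-external-dtd` features to false) before `fact.newDocumentBuilder()`, and noting in the DEP-3 header which of these the upstream commit referenced under `Origin:` actually applied. Also, the `Origin:` URL and the `diff --git` / `public static ... throws Exception` lines appear wrapped onto a second line here; please confirm the patch file in the source package is not line-wrapped, as a wrapped `diff --git` header would make quilt refuse to apply it.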
diff -Nru c3p0-0.9.1.2/debian/patches/series c3p0-0.9.1.2/debian/patches/series
--- c3p0-0.9.1.2/debian/patches/series  2014-01-17 05:47:13.000000000 +0100
+++ c3p0-0.9.1.2/debian/patches/series  2018-12-28 18:41:05.000000000 +0100
@@ -1,3 +1,4 @@
 build.patch
 testing.patch
 java-7-compat.patch
+CVE-2018-20433.patch
