Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: a...@debian.org
Please unblock package xmlgraphics-commons [ Reason ] I know we are past the deadline now, but I hope you can make an exception because the fix is straightforward. I would like to fix CVE-2020-11988 in Bullseye. [ Impact ] xmlgraphics-commons would still be vulnerable and users would have to wait for the next point update. [ Tests ] The test case works as intended. [ Checklist ] [x] all changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in testing unblock xmlgraphics-commons/2.4-1
diff -Nru xmlgraphics-commons-2.4/debian/changelog xmlgraphics-commons-2.4/debian/changelog
--- xmlgraphics-commons-2.4/debian/changelog 2020-02-14 22:20:36.000000000 +0100
+++ xmlgraphics-commons-2.4/debian/changelog 2021-08-02 07:48:42.000000000 +0200
@@ -1,3 +1,15 @@
+xmlgraphics-commons (2.4-2) unstable; urgency=high
+
+ * Team upload.
+ * Fix CVE-2020-11988:
+ Apache XmlGraphics Commons is vulnerable to server-side request forgery,
+ caused by improper input validation by the XMPParser. By using a
+ specially-crafted argument, an attacker could exploit this vulnerability to
+ cause the underlying server to make arbitrary GET requests.
+ (Closes: #984949)
+
+ -- Markus Koschany <a...@debian.org> Mon, 02 Aug 2021 07:48:42 +0200
+
 xmlgraphics-commons (2.4-1) unstable; urgency=medium
 
 * New upstream version 2.4
diff -Nru xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch
--- xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch 1970-01-01 01:00:00.000000000 +0100
+++ xmlgraphics-commons-2.4/debian/patches/CVE-2020-11988.patch 2021-08-02 07:48:42.000000000 +0200
@@ -0,0 +1,77 @@
+From: Markus Koschany <a...@debian.org>
+Date: Mon, 2 Aug 2021 07:47:01 +0200
+Subject: CVE-2020-11988
+
+Bug-Debian: https://bugs.debian.org/984949
+Origin: https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
+---
+ .../java/org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++
+ .../org/apache/xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+index b7c0e5f..4c58a11 100644
+--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+@@ -21,6 +21,7 @@ package org.apache.xmlgraphics.xmp;
+
+ import java.net.URL;
+
++import javax.xml.XMLConstants;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+@@ -54,6 +55,8 @@ public final class XMPParser {
+ */
+ public static Metadata parseXMP(Source src) throws TransformerException {
+ TransformerFactory tFactory = TransformerFactory.newInstance();
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = tFactory.newTransformer();
+ XMPHandler handler = createXMPHandler();
+ SAXResult res = new SAXResult(handler);
+diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+index 02c4cf6..5f2ef05 100644
+--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+@@ -19,16 +19,21 @@
+
+ package org.apache.xmlgraphics.xmp;
+
++import java.io.StringReader;
+ import java.net.URL;
+ import java.util.Calendar;
+ import java.util.Date;
+ import java.util.TimeZone;
+
++import javax.xml.transform.TransformerException;
++import javax.xml.transform.stream.StreamSource;
++
+ import org.junit.Test;
+
+ import static org.junit.Assert.assertEquals;
+ import static org.junit.Assert.assertNotNull;
+ import static org.junit.Assert.assertNull;
++import static org.junit.Assert.assertTrue;
+
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
+ import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
+@@ -189,4 +194,18 @@ public class XMPParserTestCase {
+ assertNull(title); //Empty value treated same as not existant
+ }
+
++ @Test
++ public void testExternalDTD() {
++ String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
++ + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n"
++ + "<root></root>";
++ StreamSource streamSource = new StreamSource(new StringReader(payload));
++ String msg = "";
++ try {
++ XMPParser.parseXMP(streamSource);
++ } catch (TransformerException e) {
++ msg = e.getMessage();
++ }
++ assertTrue(msg, msg.contains("access is not allowed"));
++ }
+ }
diff -Nru xmlgraphics-commons-2.4/debian/patches/series xmlgraphics-commons-2.4/debian/patches/series
--- xmlgraphics-commons-2.4/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ xmlgraphics-commons-2.4/debian/patches/series 2021-08-02 07:48:42.000000000 +0200
@@ -0,0 +1 @@
+CVE-2020-11988.patch
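Review bot: The two `tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` / `ACCESS_EXTERNAL_STYLESHEET` calls added to parseXMP throw an unchecked IllegalArgumentException when the TransformerFactory selected at runtime does not recognise these JAXP attributes, and parseXMP declares only TransformerException, so with a non-JDK factory on the classpath every XMP parse would fail with an unexpected exception type rather than a refused external fetch. Whether such a factory can be selected in the Debian build or at deployment is not visible from this diff, so the rewrite below keeps the fail-closed behaviour but surfaces it through the declared exception with a clear message. The new test pins the message text `access is not allowed`, which is wording produced by the JDK's built-in transformer rather than part of the JAXP contract; a comment such as `// message wording comes from the JDK's built-in TransformerFactory; adjust if another implementation is used` above the assertTrue would save the next maintainer a search when it changes. The body of parseXMP continues outside the hunk.
```java
TransformerFactory tFactory = TransformerFactory.newInstance();
try {
    tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException e) {
    // Fail closed: a factory that cannot restrict external access must not parse untrusted XMP.
    throw new TransformerException(
            "TransformerFactory does not support the JAXP external-access restrictions", e);
}
// … unchanged: newTransformer(), XMPHandler and SAXResult setup …
```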