Package: release.debian.org
Severity: normal
X-Debbugs-Cc: jackrab...@packages.debian.org
Control: affects -1 + src:jackrabbit
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package jackrabbit

[ Reason ]
#1109335

[ Impact ]
The package currently in testing is vulnerable to CVE-2025-53689.

[ Tests ]
None.

[ Risks ]
The upstream patch applies cleanly and is limited to XML parser hardening, so
the risk of a regression is low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
I have fixed this via NMU.

unblock jackrabbit/2.20.11-1.1
diff -Nru jackrabbit-2.20.11/debian/changelog 
jackrabbit-2.20.11/debian/changelog
--- jackrabbit-2.20.11/debian/changelog 2023-07-29 15:08:48.000000000 +0200
+++ jackrabbit-2.20.11/debian/changelog 2025-07-23 10:05:30.000000000 +0200
@@ -1,3 +1,10 @@
+jackrabbit (2.20.11-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2025-53689 via upstream patch. (Closes: #1109335)
+
+ -- Bastian Germann <b...@debian.org>  Wed, 23 Jul 2025 10:05:30 +0200
+
 jackrabbit (2.20.11-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch 
jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch
--- jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch      1970-01-01 
01:00:00.000000000 +0100
+++ jackrabbit-2.20.11/debian/patches/CVE-2025-53689.patch      2025-07-23 
10:05:30.000000000 +0200
@@ -0,0 +1,147 @@
+Origin: upstream, 8ea2349234b181bf790cad58bfd91fd2763e64a9
+From: Julian Reschke <resc...@apache.org>
+Date: Thu, 10 Jul 2025 18:04:34 +0200
+Subject: JCR-5165: various parsing improvements/consistency (#263)
+
+---
+ .../jackrabbit/core/util/DOMWalker.java       | 40 ++++++++++++++++++-
+ .../privilege/PrivilegeXmlHandler.java        | 30 ++++++++++++++
+ 2 files changed, 68 insertions(+), 2 deletions(-)
+
+diff --git 
a/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java 
b/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java
+index 9689f7cba7d..aa6b64467e1 100644
+--- 
a/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java
++++ 
b/jackrabbit-core/src/main/java/org/apache/jackrabbit/core/util/DOMWalker.java
+@@ -23,11 +23,15 @@
+ import org.w3c.dom.NamedNodeMap;
+ import org.w3c.dom.Node;
+ import org.w3c.dom.NodeList;
++import org.xml.sax.EntityResolver;
++import org.xml.sax.InputSource;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import java.io.IOException;
+ import java.io.InputStream;
++import java.io.StringReader;
+ import java.util.Properties;
+ 
+ /**
+@@ -37,8 +41,36 @@
+ public final class DOMWalker {
+ 
+     /** Static factory for creating stream to DOM transformers. */
+-    private static final DocumentBuilderFactory factory =
+-        DocumentBuilderFactory.newInstance();
++    private static final DocumentBuilderFactory factory = createFactory();
++
++    private static DocumentBuilderFactory createFactory() {
++        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++        factory.setIgnoringComments(false);
++        factory.setIgnoringElementContentWhitespace(true);
++        factory.setXIncludeAware(false);
++
++        // Prevent XXE attacks by disabling external entity processing
++        factory.setExpandEntityReferences(false);
++
++        String feature = null;
++
++        try {
++            feature = XMLConstants.FEATURE_SECURE_PROCESSING;
++            factory.setFeature(feature, true);
++            feature = "http://apache.org/xml/features/disallow-doctype-decl";;
++            factory.setFeature(feature, true);
++            feature = 
"http://apache.org/xml/features/nonvalidating/load-external-dtd";;
++            factory.setFeature(feature, false);
++            feature = "http://xml.org/sax/features/external-general-entities";;
++            factory.setFeature(feature, false);
++            feature = 
"http://xml.org/sax/features/external-parameter-entities";;
++            factory.setFeature(feature, false);
++        } catch (Exception ex) {
++            // abort if secure processing is not supported
++            throw new IllegalStateException("Secure processing feature '" + 
feature + "' not supported by the DocumentBuilderFactory: " + 
factory.getClass().getName(), ex);
++        }
++        return factory;
++    }
+ 
+     /** The DOM document being traversed by this walker. */
+     private final Document document;
+@@ -57,6 +89,10 @@ public final class DOMWalker {
+     public DOMWalker(InputStream xml) throws IOException {
+         try {
+             DocumentBuilder builder = factory.newDocumentBuilder();
++            // defense in depth: entity resolver that will break any document 
on purpose
++            EntityResolver stopMe = (publicId, systemId) -> new InputSource(
++                    new StringReader("<preventing read of: " + publicId + " " 
+ systemId + ">"));
++            builder.setEntityResolver(stopMe);
+             document = builder.parse(xml);
+             current = document.getDocumentElement();
+         } catch (IOException e) {
+diff --git 
a/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java
 
b/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java
+index ffa24fe2001..bc241491296 100644
+--- 
a/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java
++++ 
b/jackrabbit-spi-commons/src/main/java/org/apache/jackrabbit/spi/commons/privilege/PrivilegeXmlHandler.java
+@@ -27,10 +27,12 @@
+ import org.w3c.dom.NamedNodeMap;
+ import org.w3c.dom.Node;
+ import org.w3c.dom.NodeList;
++import org.xml.sax.EntityResolver;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.SAXException;
+ import org.xml.sax.helpers.DefaultHandler;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.parsers.ParserConfigurationException;
+@@ -44,7 +46,9 @@
+ import java.io.InputStream;
+ import java.io.OutputStream;
+ import java.io.Reader;
++import java.io.StringReader;
+ import java.io.Writer;
++import java.rmi.server.ExportException;
+ import java.util.ArrayList;
+ import java.util.HashMap;
+ import java.util.HashSet;
+@@ -112,6 +116,28 @@ private static DocumentBuilderFactory createFactory() {
+         factory.setNamespaceAware(true);
+         factory.setIgnoringComments(false);
+         factory.setIgnoringElementContentWhitespace(true);
++        factory.setXIncludeAware(false);
++
++        // Prevent XXE attacks by disabling external entity processing
++        factory.setExpandEntityReferences(false);
++
++        String feature = null;
++
++        try {
++            feature = XMLConstants.FEATURE_SECURE_PROCESSING;
++            factory.setFeature(feature, true);
++            feature = "http://apache.org/xml/features/disallow-doctype-decl";;
++            factory.setFeature(feature, true);
++            feature = 
"http://apache.org/xml/features/nonvalidating/load-external-dtd";;
++            factory.setFeature(feature, false);
++            feature = "http://xml.org/sax/features/external-general-entities";;
++            factory.setFeature(feature, false);
++            feature = 
"http://xml.org/sax/features/external-parameter-entities";;
++            factory.setFeature(feature, false);
++        } catch (Exception ex) {
++            // abort if secure processing is not supported
++            throw new IllegalStateException("Secure processing feature '" + 
feature + "' not supported by the DocumentBuilderFactory: " + 
factory.getClass().getName(), ex);
++        }
+         return factory;
+     }
+ 
+@@ -279,6 +305,10 @@ private PrivilegeDefinition parseDefinition(Node n, 
Map<String, String> namespac
+      */
+     private static DocumentBuilder createDocumentBuilder() throws 
ParserConfigurationException {
+         DocumentBuilder builder = 
DOCUMENT_BUILDER_FACTORY.newDocumentBuilder();
++        // defense in depth: entity resolver that will break any document on 
purpose
++        EntityResolver stopMe = (publicId, systemId) -> new InputSource(
++                new StringReader("<preventing read of: " + publicId + " " + 
systemId + ">"));
++        builder.setEntityResolver(stopMe);
+         builder.setErrorHandler(new DefaultHandler());
+         return builder;
+     }
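Review bot: The new `import java.rmi.server.ExportException;` added to PrivilegeXmlHandler.java is referenced by nothing in this hunk and pulls an unrelated RMI type into an XML-parsing class; that line should be dropped (the DOMWalker half of the patch adds only the SAX/XMLConstants/StringReader imports it actually uses). In both `createFactory()` bodies the comment `// Prevent XXE attacks by disabling external entity processing` sits above `factory.setExpandEntityReferences(false)`, which only controls whether entity-reference nodes are expanded in the resulting DOM; the real XXE mitigation is the `disallow-doctype-decl` and `external-*-entities` features set in the try block that follows, so I would reword it to `// Leave entity references unexpanded in the DOM; XXE/DTD protection is the feature set below` so a later reader does not delete the feature block believing this call is sufficient. The added feature block is duplicated verbatim between the two classes and the debdiff ships no test ([Tests] says none), so a small fixture with an external-entity DOCTYPE asserting that both `DOMWalker` and `PrivilegeXmlHandler` reject it would guard the two copies against drifting apart. The enclosing `createFactory()` in PrivilegeXmlHandler begins outside the hunk, so the `factory` initialisation it hardens is not visible here.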
diff -Nru jackrabbit-2.20.11/debian/patches/series 
jackrabbit-2.20.11/debian/patches/series
--- jackrabbit-2.20.11/debian/patches/series    1970-01-01 01:00:00.000000000 
+0100
+++ jackrabbit-2.20.11/debian/patches/series    2025-07-23 10:05:30.000000000 
+0200
@@ -0,0 +1 @@
+CVE-2025-53689.patch
