Package: release.debian.org Severity: normal Tags: bookworm User: [email protected] Usertags: pu X-Debbugs-Cc: [email protected], [email protected] Control: affects -1 + src:openrefine
[ Reason ] Fixing no-dsa CVE in bookworm. I have backported patches to fix six CVE in bookworm. The patch for CVE-2024-47879 introduced a regression which is the reason why it is currently not included. I may follow up later but the issue is not that severe IMO. [ Impact ] OpenRefine in bookworm would continue to be vulnerable. [ Tests ] I have tested the update manually and run the maven test suite. I didn't spot any regressions. [ Risks ] Nothing I would be aware of. OpenRefine is a standalone application and CVE fixes should not affect other software on the user's system. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Changes ] Applied six patches to fix open CVE in bookworm. See also the openrefine.debdiff. Thank you
diff -Nru openrefine-3.6.2/debian/changelog openrefine-3.6.2/debian/changelog --- openrefine-3.6.2/debian/changelog 2023-10-04 15:02:45.000000000 +0200 +++ openrefine-3.6.2/debian/changelog 2025-09-28 00:52:50.000000000 +0200 @@ -1,3 +1,13 @@ +openrefine (3.6.2-2+deb12u3) bookworm; urgency=medium + + * Fix CVE-2024-23833, CVE-2024-47878, CVE-2024-47880, CVE-2024-47881, + CVE-2024-47882 and CVE-2024-49760. + OpenRefine is a free, open source tool for data processing. Users could be + tricked into opening malicious websites which then enabled attackers to run + arbitrary code on the server due to improper escaping or code restrictions. + + -- Markus Koschany <[email protected]> Sun, 28 Sep 2025 00:52:50 +0200 + openrefine (3.6.2-2+deb12u2) bookworm; urgency=medium * Fix CVE-2023-41887 and CVE-2023-41886: diff -Nru openrefine-3.6.2/debian/patches/build.patch openrefine-3.6.2/debian/patches/build.patch --- openrefine-3.6.2/debian/patches/build.patch 2023-10-04 15:02:45.000000000 +0200 +++ openrefine-3.6.2/debian/patches/build.patch 2025-09-28 00:52:50.000000000 +0200 @@ -7,7 +7,7 @@ 1 file changed, 4 insertions(+) diff --git a/main/pom.xml b/main/pom.xml -index c0b409c..27f789d 100644 +index 17b8ddc..4b61428 100644 --- a/main/pom.xml +++ b/main/pom.xml @@ -337,6 +337,10 @@ diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-23833.patch openrefine-3.6.2/debian/patches/CVE-2024-23833.patch --- openrefine-3.6.2/debian/patches/CVE-2024-23833.patch 1970-01-01 01:00:00.000000000 +0100 +++ openrefine-3.6.2/debian/patches/CVE-2024-23833.patch 2025-09-28 00:52:50.000000000 +0200 @@ -0,0 +1,56 @@ +From: Markus Koschany <[email protected]> +Date: Sat, 27 Sep 2025 15:13:00 +0200 +Subject: CVE-2024-23833 + +Origin: https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a +Debian-Bug: https://bugs.debian.org/1064192 +--- + .../refine/extension/database/DatabaseConfiguration.java | 7 +++++++ + .../refine/extension/database/DatabaseConfigurationTest.java | 12 ++++++++++++ + 2 files changed, 19 insertions(+) + +diff --git a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java +index 3f0dd57..579ee00 100644 +--- a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java ++++ b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java +@@ -68,6 +68,13 @@ public class DatabaseConfiguration { + } + + public void setDatabaseHost(String databaseServer) { ++ // forbid setting settings inside the host parameter: ++ // https://dev.mysql.com/doc/connector-j/en/connector-j-reference-jdbc-url-format.html ++ if (databaseServer == null || ++ databaseServer.contains("(") || ++ databaseServer.contains("=")) { ++ throw new IllegalArgumentException("Invalid host supplied"); ++ } + this.databaseHost = databaseServer; + } + +diff --git a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java +index 5a571e8..928aeac 100644 +--- a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java ++++ b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java +@@ -1,5 +1,8 @@ + package com.google.refine.extension.database; + ++import static org.testng.Assert.assertEquals; ++import static org.testng.Assert.assertThrows; ++ + import org.testng.annotations.Test; + + import static org.testng.Assert.assertEquals; +@@ -18,4 +21,13 @@ public class DatabaseConfigurationTest { + // the database name is escaped, preventing the exploit + assertEquals(url, "jdbc:mysql://my.host/test%3FallowLoadLocalInfile=true%23"); + } ++ ++ @Test ++ public void testSetMaliciousHost() { ++ DatabaseConfiguration config = new DatabaseConfiguration(); ++ config.setDatabaseType("mysql"); ++ ++ assertThrows(IllegalArgumentException.class, ++ () -> config.setDatabaseHost("127.0.0.1:3306,(allowLoadLocalInfile=true,allowUrlInLocalInfile=true),127.0.0.1")); ++ } + } diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-47878.patch openrefine-3.6.2/debian/patches/CVE-2024-47878.patch --- openrefine-3.6.2/debian/patches/CVE-2024-47878.patch 1970-01-01 01:00:00.000000000 +0100 +++ openrefine-3.6.2/debian/patches/CVE-2024-47878.patch 2025-09-28 00:52:50.000000000 +0200 @@ -0,0 +1,156 @@ +From: Markus Koschany <[email protected]> +Date: Sat, 27 Sep 2025 15:15:58 +0200 +Subject: CVE-2024-47878 + +Origin: https://github.com/OpenRefine/OpenRefine/commit/37b375478eca41b8948b104bf6790ebf659a88cb +Bug-Debian: https://bugs.debian.org/1086041 +--- + extensions/gdata/module/MOD-INF/controller.js | 21 +----- + extensions/gdata/module/authorized.vt | 6 +- + .../refine/extension/gdata/AuthorizedCommand.java | 88 ++++++++++++++++++++++ + 3 files changed, 94 insertions(+), 21 deletions(-) + create mode 100644 extensions/gdata/src/com/google/refine/extension/gdata/AuthorizedCommand.java + +diff --git a/extensions/gdata/module/MOD-INF/controller.js b/extensions/gdata/module/MOD-INF/controller.js +index fc6ff96..549c6be 100644 +--- a/extensions/gdata/module/MOD-INF/controller.js ++++ b/extensions/gdata/module/MOD-INF/controller.js +@@ -101,23 +101,10 @@ function process(path, request, response) { + + send(request, response, "authorize.vt", context); + } else if (path == "authorized") { +- var context = {}; +- context.state = request.getParameter("state"); +- +- (function() { +- if (Packages.com.google.refine.extension.gdata.TokenCookie.getToken(request) !== null) { +- return; +- } +- var tokenAndExpiresInSeconds = Packages.com.google.refine.extension.gdata.GoogleAPIExtension.getTokenFromCode(module,request); +- if (tokenAndExpiresInSeconds) { +- var tokenInfo = tokenAndExpiresInSeconds.split(","); +- Packages.com.google.refine.extension.gdata.TokenCookie.setToken(request, response, tokenInfo[0], tokenInfo[1]); +- return; +- } +- Packages.com.google.refine.extension.gdata.TokenCookie.deleteToken(request, response); +- })(); +- +- send(request, response, "authorized.vt", context); ++ // it's a command but we handle it manually here, so as to preserve the URL ++ var command = new Packages.com.google.refine.extension.gdata.AuthorizedCommand(module); ++ command.doGet(request, response); ++ butterfly.responded(); + } else if (path == "/" || path == "") { + var context = {}; + context.version = version; +diff --git a/extensions/gdata/module/authorized.vt b/extensions/gdata/module/authorized.vt +index 67ed3f5..3c16371 100644 +--- a/extensions/gdata/module/authorized.vt ++++ b/extensions/gdata/module/authorized.vt +@@ -40,10 +40,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + <span id="gdata-authorized"></span> + + <script> +- var state = JSON.parse(window.atob("$state")); +- +- var windowName = state.winname; +- var callbackName = state.cb; ++ var windowName = "$winname"; ++ var callbackName = "$cb"; + + var w = window.open("", windowName); + var callback = w[callbackName]; +diff --git a/extensions/gdata/src/com/google/refine/extension/gdata/AuthorizedCommand.java b/extensions/gdata/src/com/google/refine/extension/gdata/AuthorizedCommand.java +new file mode 100644 +index 0000000..b3dbb4b +--- /dev/null ++++ b/extensions/gdata/src/com/google/refine/extension/gdata/AuthorizedCommand.java +@@ -0,0 +1,88 @@ ++ ++package com.google.refine.extension.gdata; ++ ++import java.io.IOException; ++import java.util.Base64; ++import java.util.regex.Pattern; ++ ++import javax.servlet.ServletException; ++import javax.servlet.http.HttpServletRequest; ++import javax.servlet.http.HttpServletResponse; ++ ++import com.fasterxml.jackson.databind.JsonNode; ++import com.fasterxml.jackson.databind.node.ObjectNode; ++import edu.mit.simile.butterfly.ButterflyModule; ++import org.apache.velocity.VelocityContext; ++ ++import com.google.refine.commands.Command; ++import com.google.refine.util.ParsingUtilities; ++ ++public class AuthorizedCommand extends Command { ++ ++ Pattern callbackPattern = Pattern.compile("^cb[0-9]+$"); ++ Pattern winnamePattern = Pattern.compile("^openrefine[0-9]+$"); ++ ++ ButterflyModule module; ++ ++ public AuthorizedCommand(ButterflyModule module) { ++ this.module = module; ++ } ++ ++ @Override ++ public void doGet(HttpServletRequest request, HttpServletResponse response) ++ throws ServletException, IOException { ++ VelocityContext velocityContext = new VelocityContext(); ++ String state = request.getParameter("state"); ++ if (state == null) { ++ respond(response, "error", "No 'state' parameter provided"); ++ return; ++ } ++ try { ++ byte[] decoded = Base64.getDecoder().decode(state); ++ JsonNode parsed = ParsingUtilities.mapper.readTree(decoded); ++ if (parsed instanceof ObjectNode && parsed.has("winname") && parsed.has("cb")) { ++ ObjectNode object = (ObjectNode) parsed; ++ String cb = object.get("cb").asText(); ++ String winname = object.get("winname").asText(); ++ if (!winnamePattern.matcher(winname).find()) { ++ respond(response, "error", "Invalid winname provided"); ++ return; ++ } ++ if (!callbackPattern.matcher(cb).find()) { ++ respond(response, "error", "Invalid callback provided"); ++ return; ++ } ++ velocityContext.internalPut("winname", winname); ++ velocityContext.internalPut("cb", cb); ++ ++ } else { ++ throw new IllegalArgumentException("expected a JSON object"); ++ } ++ } catch (IllegalArgumentException | IOException e) { ++ respond(response, "error", "Invalid 'state' parameter provided"); ++ return; ++ } ++ ++ updateToken(request, response); ++ ++ try { ++ module.sendTextFromTemplate(request, response, velocityContext, "authorized.vt", "UTF-8", "text/html", false); ++ } catch (Exception e) { ++ respondException(response, e); ++ } ++ } ++ ++ private void updateToken(HttpServletRequest request, HttpServletResponse response) throws IOException { ++ if (TokenCookie.getToken(request) != null) { ++ return; ++ } ++ var tokenAndExpiresInSeconds = GoogleAPIExtension.getTokenFromCode(module, request); ++ if (tokenAndExpiresInSeconds != null) { ++ var tokenInfo = tokenAndExpiresInSeconds.split(","); ++ TokenCookie.setToken(request, response, tokenInfo[0], tokenInfo[1]); ++ return; ++ } ++ TokenCookie.deleteToken(request, response); ++ } ++ ++} diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-47880.patch openrefine-3.6.2/debian/patches/CVE-2024-47880.patch --- openrefine-3.6.2/debian/patches/CVE-2024-47880.patch 1970-01-01 01:00:00.000000000 +0100 +++ openrefine-3.6.2/debian/patches/CVE-2024-47880.patch 2025-09-28 00:52:50.000000000 +0200 @@ -0,0 +1,40 @@ +From: Markus Koschany <[email protected]> +Date: Sat, 27 Sep 2025 15:27:12 +0200 +Subject: CVE-2024-47880 + +Origin: https://github.com/OpenRefine/OpenRefine/commit/fbf94fe3f001d6e2aa02e890930cf1affb0847b0 +Bug-Debian: https://bugs.debian.org/1086041 +--- + .../google/refine/commands/project/ExportRowsCommand.java | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/main/src/com/google/refine/commands/project/ExportRowsCommand.java b/main/src/com/google/refine/commands/project/ExportRowsCommand.java +index 1912078..78d1f13 100644 +--- a/main/src/com/google/refine/commands/project/ExportRowsCommand.java ++++ b/main/src/com/google/refine/commands/project/ExportRowsCommand.java +@@ -64,7 +64,8 @@ public class ExportRowsCommand extends Command { + private static final Logger logger = LoggerFactory.getLogger("ExportRowsCommand"); + + /** +- * This command uses POST but is left CSRF-unprotected as it does not incur a state change. ++ * This command uses POST but is left CSRF-unprotected as it does not incur a state change. TODO: add CSRF ++ * protection anyway, as it does not cost much and could still have prevented an XSS vulnerability + */ + + @SuppressWarnings("unchecked") +@@ -96,11 +97,10 @@ public class ExportRowsCommand extends Command { + exporter = new CsvExporter('\t'); + } + +- String contentType = params.getProperty("contentType"); +- if (contentType == null) { +- contentType = exporter.getContentType(); +- } +- response.setHeader("Content-Type", contentType); ++ ++ response.setHeader("Content-Type", exporter.getContentType()); ++ // in case the content-type is text/html, to avoid XSS attacks ++ response.setHeader("Content-Security-Policy", "script-src 'none'; connect-src 'none'"); + + String preview = params.getProperty("preview"); + if (!"true".equals(preview)) { diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-47881.patch openrefine-3.6.2/debian/patches/CVE-2024-47881.patch --- openrefine-3.6.2/debian/patches/CVE-2024-47881.patch 1970-01-01 01:00:00.000000000 +0100 +++ openrefine-3.6.2/debian/patches/CVE-2024-47881.patch 2025-09-28 00:52:50.000000000 +0200 @@ -0,0 +1,181 @@ +From: Markus Koschany <[email protected]> +Date: Sat, 27 Sep 2025 15:59:27 +0200 +Subject: CVE-2024-47881 + +Origin: https://github.com/OpenRefine/OpenRefine/commit/8a5cced755f9d4544cfc9fd1b9dc9274807b5020 +Bug-Debian: https://bugs.debian.org/1086041 +--- + .../database/sqlite/SQLiteConnectionManager.java | 16 ++++++++- + extensions/database/tests/conf/tests.xml | 2 +- + .../extension/database/DBExtensionTests.java | 2 +- + .../sqlite/SQLiteConnectionManagerTest.java | 10 ------ + .../database/sqlite/SQLiteDatabaseServiceTest.java | 42 +++++++++++++++------- + 5 files changed, 47 insertions(+), 25 deletions(-) + +diff --git a/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java +index 7d42e00..0def4d2 100644 +--- a/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java ++++ b/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java +@@ -35,6 +35,7 @@ import com.google.refine.extension.database.SQLType; + import org.slf4j.Logger; + import org.slf4j.LoggerFactory; + ++import java.io.File; + import java.net.URI; + import java.net.URISyntaxException; + import java.sql.Connection; +@@ -68,8 +69,21 @@ public class SQLiteConnectionManager { + } + + public static String getDatabaseUrl(DatabaseConfiguration dbConfig) { ++ String dbPath = dbConfig.getDatabaseName(); ++ if (dbPath.contains("?")) { ++ throw new IllegalArgumentException("Paths to SQLite databases are not allowed to contain '?'"); ++ } ++ if (dbPath.startsWith("//") || dbPath.startsWith("\\\\") || dbPath.startsWith("\\/") || dbPath.startsWith("/\\")) { ++ throw new IllegalArgumentException("File path starts with illegal prefix; only local files are accepted."); ++ } ++ if (!new File(dbPath).isFile()) { ++ throw new IllegalArgumentException("File could not be read: " + dbPath); ++ } + try { +- URI uri = new URI("jdbc:" + dbConfig.getDatabaseType().toLowerCase(), dbConfig.getDatabaseName(), null); ++ URI uri = new URI( ++ "jdbc:" + dbConfig.getDatabaseType().toLowerCase(), ++ dbPath + "?open_mode=1&limit_attached=0", // open_mode=1 means read-only ++ null); + return uri.toASCIIString(); + } catch (URISyntaxException e) { + throw new IllegalArgumentException(e); +diff --git a/extensions/database/tests/conf/tests.xml b/extensions/database/tests/conf/tests.xml +index 7885174..a0910c9 100644 +--- a/extensions/database/tests/conf/tests.xml ++++ b/extensions/database/tests/conf/tests.xml +@@ -29,7 +29,7 @@ + <parameter name = "mariadbDbPassword" value=""/> + <parameter name = "mariadbTestTable" value="test_table"/> + +- <parameter name = "sqliteDbName" value="extension_test_db.sqlite"/> ++ <parameter name = "sqliteDbName" value="tests/resources/test_db.sqlite"/> + <parameter name = "sqliteDbHost" value=""/> + <parameter name = "sqliteDbPort" value=""/> + <parameter name = "sqliteDbUser" value=""/> +diff --git a/extensions/database/tests/src/com/google/refine/extension/database/DBExtensionTests.java b/extensions/database/tests/src/com/google/refine/extension/database/DBExtensionTests.java +index bd1d0bc..a98f55a 100644 +--- a/extensions/database/tests/src/com/google/refine/extension/database/DBExtensionTests.java ++++ b/extensions/database/tests/src/com/google/refine/extension/database/DBExtensionTests.java +@@ -61,7 +61,7 @@ public class DBExtensionTests { + protected final String DEFAULT_MARIADB_NAME = "testdb"; + + protected final String SQLITE_DB_NAME = "sqlite"; +- protected final String DEFAULT_SQLITE_DB_NAME = "extension_test_db.sqlite"; ++ protected final String DEFAULT_SQLITE_DB_NAME = "tests/resources/test_db.sqlite"; + + protected final String DEFAULT_TEST_TABLE = "test_data"; + +diff --git a/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManagerTest.java b/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManagerTest.java +index 2daf059..5afcdcb 100644 +--- a/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManagerTest.java ++++ b/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManagerTest.java +@@ -37,7 +37,6 @@ import org.mockito.MockitoAnnotations; + import org.testng.Assert; + import org.testng.annotations.*; + +-import java.io.File; + import java.sql.Connection; + import java.sql.SQLException; + +@@ -61,15 +60,6 @@ public class SQLiteConnectionManagerTest extends DBExtensionTests { + DatabaseService.DBType.registerDatabase(SQLiteDatabaseService.DB_NAME, SQLiteDatabaseService.getInstance()); + } + +- @AfterTest +- @Parameters({ "sqliteDbName" }) +- public void afterTest(@Optional(DEFAULT_SQLITE_DB_NAME) String sqliteDbName) { +- File f = new File(sqliteDbName); +- if (f.exists()) { +- f.delete(); +- } +- } +- + @Test + public void testTestConnection() throws DatabaseServiceException { + boolean isConnected = SQLiteConnectionManager.getInstance().testConnection(testDbConfig); +diff --git a/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java b/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java +index c29cc82..cd6f244 100644 +--- a/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java ++++ b/extensions/database/tests/src/com/google/refine/extension/database/sqlite/SQLiteDatabaseServiceTest.java +@@ -37,7 +37,6 @@ import org.mockito.MockitoAnnotations; + import org.testng.Assert; + import org.testng.annotations.*; + +-import java.io.File; + import java.sql.Connection; + import java.sql.SQLException; + import java.util.List; +@@ -60,20 +59,10 @@ public class SQLiteDatabaseServiceTest extends DBExtensionTests { + testDbConfig.setDatabaseType(SQLiteDatabaseService.DB_NAME); + + testTable = sqliteTestTable; +- DBExtensionTestUtils.initTestData(testDbConfig, sqliteTestTable); + + DatabaseService.DBType.registerDatabase(SQLiteDatabaseService.DB_NAME, SQLiteDatabaseService.getInstance()); + } + +- @AfterTest +- @Parameters({ "sqliteDbName" }) +- public void afterTest(@Optional(DEFAULT_SQLITE_DB_NAME) String sqliteDbName) { +- File f = new File(sqliteDbName); +- if (f.exists()) { +- f.delete(); +- } +- } +- + @Test + public void testGetDatabaseUrl() { + SQLiteDatabaseService sqLiteDatabaseService = (SQLiteDatabaseService) DatabaseService +@@ -81,7 +70,7 @@ public class SQLiteDatabaseServiceTest extends DBExtensionTests { + String dbUrl = sqLiteDatabaseService.getDatabaseUrl(testDbConfig); + + Assert.assertNotNull(dbUrl); +- Assert.assertEquals(dbUrl, "jdbc:sqlite:extension_test_db.sqlite"); ++ Assert.assertEquals(dbUrl, "jdbc:sqlite:tests/resources/test_db.sqlite?open_mode=1&limit_attached=0"); + } + + @Test +@@ -94,6 +83,35 @@ public class SQLiteDatabaseServiceTest extends DBExtensionTests { + Assert.assertNotNull(conn); + } + ++ /* ++ * We don't allow loading extensions because that executes arbitrary code ++ */ ++ @Test(expectedExceptions = IllegalArgumentException.class) ++ public void testGetConnectionWithExtensions() throws DatabaseServiceException { ++ DatabaseConfiguration testDbConfigWithExtensions = new DatabaseConfiguration(); ++ testDbConfigWithExtensions.setDatabaseName("test_db.sqlite?enable_load_extension=true"); ++ testDbConfigWithExtensions.setDatabaseType(SQLiteDatabaseService.DB_NAME); ++ ++ SQLiteDatabaseService sqLiteDatabaseService = (SQLiteDatabaseService) DatabaseService ++ .get(SQLiteDatabaseService.DB_NAME); ++ sqLiteDatabaseService.getConnection(testDbConfigWithExtensions); ++ } ++ ++ /* ++ * We don't allow loading a remote SQLite file to make remote code execution harder ++ */ ++ @Test(expectedExceptions = IllegalArgumentException.class) ++ public void testGetConnectionWithRemoteFile() throws DatabaseServiceException { ++ DatabaseConfiguration testDbConfigWithExtensions = new DatabaseConfiguration(); ++ testDbConfigWithExtensions ++ .setDatabaseName("https://github.com/xerial/sqlite-jdbc/raw/master/src/test/resources/org/sqlite/sample.db";); ++ testDbConfigWithExtensions.setDatabaseType(SQLiteDatabaseService.DB_NAME); ++ ++ SQLiteDatabaseService sqLiteDatabaseService = (SQLiteDatabaseService) DatabaseService ++ .get(SQLiteDatabaseService.DB_NAME); ++ sqLiteDatabaseService.getConnection(testDbConfigWithExtensions); ++ } ++ + @Test + public void testTestConnection() throws DatabaseServiceException { + SQLiteDatabaseService sqLiteDatabaseService = (SQLiteDatabaseService) DatabaseService diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-47882.patch openrefine-3.6.2/debian/patches/CVE-2024-47882.patch --- openrefine-3.6.2/debian/patches/CVE-2024-47882.patch 1970-01-01 01:00:00.000000000 +0100 +++ openrefine-3.6.2/debian/patches/CVE-2024-47882.patch 2025-09-28 00:52:50.000000000 +0200 @@ -0,0 +1,33 @@ +From: Markus Koschany <[email protected]> +Date: Sat, 27 Sep 2025 16:40:21 +0200 +Subject: CVE-2024-47882 + +Bug-Debian: https://bugs.debian.org/1086041 +Origin: https://github.com/OpenRefine/OpenRefine/commit/b0d5dd0a6a40369593f4a6b593e3e0ffa213339e +--- + main/src/com/google/refine/commands/HttpUtilities.java | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/main/src/com/google/refine/commands/HttpUtilities.java b/main/src/com/google/refine/commands/HttpUtilities.java +index defea78..faa64cc 100644 +--- a/main/src/com/google/refine/commands/HttpUtilities.java ++++ b/main/src/com/google/refine/commands/HttpUtilities.java +@@ -41,6 +41,8 @@ import org.slf4j.Logger; + import org.slf4j.LoggerFactory; + + import com.fasterxml.jackson.core.JsonGenerator; ++import com.google.common.escape.Escaper; ++import com.google.common.html.HtmlEscapers; + import com.google.refine.RefineServlet; + import com.google.refine.util.ParsingUtilities; + +@@ -171,7 +173,8 @@ abstract public class HttpUtilities { + + e.printStackTrace(new PrintWriter(writer)); + +- context.put("stack", writer.toString()); ++ Escaper escaper = HtmlEscapers.htmlEscaper(); ++ context.put("stack", escaper.escape(writer.toString())); + } else { + context.put("stack", ""); + } diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-49760.patch openrefine-3.6.2/debian/patches/CVE-2024-49760.patch --- openrefine-3.6.2/debian/patches/CVE-2024-49760.patch 1970-01-01 01:00:00.000000000 +0100 +++ openrefine-3.6.2/debian/patches/CVE-2024-49760.patch 2025-09-28 00:52:50.000000000 +0200 @@ -0,0 +1,54 @@ +From: Markus Koschany <[email protected]> +Date: Sat, 27 Sep 2025 17:51:56 +0200 +Subject: CVE-2024-49760 + +Bug-Debian: https://bugs.debian.org/1086041 +Origin: https://github.com/OpenRefine/OpenRefine/commit/478285afffea59c893ac472faa74898ab9e5e95a +--- + .../com/google/refine/commands/lang/LoadLanguageCommand.java | 9 ++++++++- + .../refine/commands/lang/LoadLanguageCommandTests.java | 12 ++++++++++++ + 2 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/main/src/com/google/refine/commands/lang/LoadLanguageCommand.java b/main/src/com/google/refine/commands/lang/LoadLanguageCommand.java +index 002b908..85bf2e0 100644 +--- a/main/src/com/google/refine/commands/lang/LoadLanguageCommand.java ++++ b/main/src/com/google/refine/commands/lang/LoadLanguageCommand.java +@@ -126,7 +126,14 @@ public class LoadLanguageCommand extends Command { + static ObjectNode loadLanguage(RefineServlet servlet, String modname, String lang) throws UnsupportedEncodingException { + + ButterflyModule module = servlet.getModule(modname); +- File langFile = new File(module.getPath(), "langs" + File.separator + "translation-" + lang + ".json"); ++ String strLangFile = "translation-" + lang + ".json"; ++ File langsDir = new File(module.getPath(), "langs"); ++ File langFile = new File(langsDir, strLangFile); ++ if (!langFile.toPath().normalize().toAbsolutePath().startsWith(langsDir.toPath().normalize().toAbsolutePath())) { ++ logger.error("Security: Attempt to escape the langs directory to read another file"); ++ return null; ++ } ++ + try { + Reader reader = new BufferedReader(new InputStreamReader(new FileInputStream(langFile), "UTF-8")); + return ParsingUtilities.mapper.readValue(reader, ObjectNode.class); +diff --git a/main/tests/server/src/com/google/refine/commands/lang/LoadLanguageCommandTests.java b/main/tests/server/src/com/google/refine/commands/lang/LoadLanguageCommandTests.java +index ce569b5..0e073d3 100644 +--- a/main/tests/server/src/com/google/refine/commands/lang/LoadLanguageCommandTests.java ++++ b/main/tests/server/src/com/google/refine/commands/lang/LoadLanguageCommandTests.java +@@ -77,6 +77,18 @@ public class LoadLanguageCommandTests extends CommandTestBase { + assertEquals(response.get("lang").asText(), "en"); + } + ++ @Test ++ public void testLoadLanguageWithDirectorySlip() throws JsonParseException, JsonMappingException, IOException, ServletException { ++ when(request.getParameter("module")).thenReturn("core"); ++ when(request.getParameterValues("lang")).thenReturn(new String[] { "../../../secrets" }); ++ ++ command.doPost(request, response); ++ ++ JsonNode response = ParsingUtilities.mapper.readValue(writer.toString(), JsonNode.class); ++ assertTrue(response.has("dictionary")); ++ assertEquals(response.get("lang").asText(), "en"); ++ } ++ + @Test + public void testLanguageFallback() throws JsonParseException, JsonMappingException, IOException { + String fallbackJson = "{" diff -Nru openrefine-3.6.2/debian/patches/gdata-extension.patch openrefine-3.6.2/debian/patches/gdata-extension.patch --- openrefine-3.6.2/debian/patches/gdata-extension.patch 2023-10-04 15:02:45.000000000 +0200 +++ openrefine-3.6.2/debian/patches/gdata-extension.patch 2025-09-28 00:52:50.000000000 +0200 @@ -7,7 +7,7 @@ 1 file changed, 5 insertions(+) diff --git a/extensions/gdata/pom.xml b/extensions/gdata/pom.xml -index 4fc64e5..ce9b906 100644 +index ed8b740..e310e8c 100644 --- a/extensions/gdata/pom.xml +++ b/extensions/gdata/pom.xml @@ -97,6 +97,11 @@ diff -Nru openrefine-3.6.2/debian/patches/log4j-api.patch openrefine-3.6.2/debian/patches/log4j-api.patch --- openrefine-3.6.2/debian/patches/log4j-api.patch 2023-10-04 15:02:45.000000000 +0200 +++ openrefine-3.6.2/debian/patches/log4j-api.patch 2025-09-28 00:52:50.000000000 +0200 @@ -7,7 +7,7 @@ 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/pom.xml b/server/pom.xml -index 8bb528a..89dd5ab 100644 +index 2408c76..e168085 100644 --- a/server/pom.xml +++ b/server/pom.xml @@ -180,7 +180,7 @@ diff -Nru openrefine-3.6.2/debian/patches/no-java-files.patch openrefine-3.6.2/debian/patches/no-java-files.patch --- openrefine-3.6.2/debian/patches/no-java-files.patch 2023-10-04 15:02:45.000000000 +0200 +++ openrefine-3.6.2/debian/patches/no-java-files.patch 2025-09-28 00:52:50.000000000 +0200 @@ -8,7 +8,7 @@ 2 files changed, 10 deletions(-) diff --git a/main/pom.xml b/main/pom.xml -index 27f789d..0ef3eab 100644 +index 4b61428..8ea4ef6 100644 --- a/main/pom.xml +++ b/main/pom.xml @@ -27,11 +27,6 @@ @@ -24,7 +24,7 @@ <testResources> <testResource> diff --git a/server/pom.xml b/server/pom.xml -index 89dd5ab..94fda4c 100644 +index e168085..f2955e4 100644 --- a/server/pom.xml +++ b/server/pom.xml @@ -28,11 +28,6 @@ diff -Nru openrefine-3.6.2/debian/patches/series openrefine-3.6.2/debian/patches/series --- openrefine-3.6.2/debian/patches/series 2023-10-04 15:02:45.000000000 +0200 +++ openrefine-3.6.2/debian/patches/series 2025-09-28 00:52:50.000000000 +0200 @@ -6,3 +6,9 @@ gdata-extension.patch CVE-2023-37476.patch CVE-2023-41887-and-CVE-2023-41886.patch +CVE-2024-23833.patch +CVE-2024-47878.patch +CVE-2024-47880.patch +CVE-2024-47881.patch +CVE-2024-47882.patch +CVE-2024-49760.patch
__ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
