tags 962828 +patch thanks Hi,
Am Sonntag, den 14.06.2020, 22:28 +0200 schrieb Christoph Berg: > Re: Salvatore Bonaccorso > > CVE-2020-13692[0]: > > > PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. > > > > which older versions are affected by this, and what is the impact? > > > > > > > I would probably only worry about 42.2.x versions > > impact summary > > https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html > > > > > > > In Debian, we currently ship: > > > > > > libpgjava | 9.2-1002-1 | oldoldstable | source (ignore, it's EOL > > > really soon) > > > libpgjava | 9.4.1212-1 | oldstable | source > > > libpgjava | 42.2.5-2 | stable | source > > > libpgjava | 42.2.12-1 | testing | source > > > libpgjava | 42.2.12-1 | unstable | source > > > > > > Can you share the actual CVE diff, so we can fix it in the older > > > versions? > > > > Here is the diff > > https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65 > > (I haven't checked yet if that diff applies to the buster package.) I've backpatched that commit to the stable version (several edits were required but the general code structure is similar) and verified that it builds and that autopkgtest runs fine. I haven't tested it otherwise yet, nor tried to reproduce the CVE, I guess no exploits are available? Michael -- Michael Banck Projektleiter / Senior Berater Tel.: +49 2166 9901-171 Fax: +49 2166 9901-100 Email: [email protected] credativ GmbH, HRB Mönchengladbach 12080 USt-ID-Nummer: DE204566209 Trompeterallee 108, 41189 Mönchengladbach Geschäftsführung: Dr. Michael Meskes, Jörg Folz, Sascha Heuer Unser Umgang mit personenbezogenen Daten unterliegt folgenden Bestimmungen: https://www.credativ.de/datenschutz
diff -Nru libpgjava-42.2.5/debian/changelog libpgjava-42.2.5/debian/changelog --- libpgjava-42.2.5/debian/changelog 2019-02-07 10:54:50.000000000 +0100 +++ libpgjava-42.2.5/debian/changelog 2020-06-19 11:56:51.000000000 +0200 @@ -1,3 +1,12 @@ +libpgjava (42.2.5-3) stable-security; urgency=medium + + * Team upload. + * debian/patches/cve-2020-13692.patch: New patch, fixes XML External Entitiy + (XXE) injection (CVE-2020-13692). + https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65 + + -- Michael Banck <[email protected]> Fri, 19 Jun 2020 12:02:27 +0200 + libpgjava (42.2.5-2) unstable; urgency=medium * Update PostgreSQL Maintainers address. diff -Nru libpgjava-42.2.5/debian/patches/cve-2020-13692.patch libpgjava-42.2.5/debian/patches/cve-2020-13692.patch --- libpgjava-42.2.5/debian/patches/cve-2020-13692.patch 1970-01-01 01:00:00.000000000 +0100 +++ libpgjava-42.2.5/debian/patches/cve-2020-13692.patch 2020-06-19 11:25:04.000000000 +0200 @@ -0,0 +1,585 @@ +From 14b62aca4764d496813f55a43d050b017e01eb65 Mon Sep 17 00:00:00 2001 +From: Sehrope Sarkuni <[email protected]> +Date: Mon, 1 Jun 2020 08:54:32 -0400 +Subject: [PATCH] Merge pull request from GHSA-37xm-4h3m-5w3v + +* refactor: Clean up whitespace in existing PgSQLXMLTest + +* fix: Fix XXE vulnerability in PgSQLXML by disabling external access and doctypes + +Fixes XXE vulnerability by defaulting to disabling external access and doc types. The +legacy insecure behavior can be restored via the new connection property xmlFactoryFactory +with a value of LEGACY_INSECURE. Alternatively, a custom class name can be specified that +implements org.postgresql.xml.PGXmlFactoryFactory and takes a no argument constructor. + +* fix: Add missing getter and setter for XML_FACTORY_FACTORY to BasicDataSource +--- + .../main/java/org/postgresql/PGProperty.java | 11 ++ + .../org/postgresql/core/BaseConnection.java | 9 ++ + .../postgresql/ds/common/BaseDataSource.java | 8 + + .../org/postgresql/jdbc/PgConnection.java | 40 +++++ + .../java/org/postgresql/jdbc/PgSQLXML.java | 43 +++--- + .../xml/DefaultPGXmlFactoryFactory.java | 140 ++++++++++++++++++ + .../xml/EmptyStringEntityResolver.java | 23 +++ + .../LegacyInsecurePGXmlFactoryFactory.java | 57 +++++++ + .../org/postgresql/xml/NullErrorHandler.java | 25 ++++ + .../postgresql/xml/PGXmlFactoryFactory.java | 30 ++++ + .../org/postgresql/jdbc/PgSQLXMLTest.java | 96 +++++++++++- + 11 files changed, 453 insertions(+), 29 deletions(-) + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java + +Index: libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/PGProperty.java +=================================================================== +--- libpgjava-42.2.5.orig/pgjdbc/src/main/java/org/postgresql/PGProperty.java ++++ libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/PGProperty.java +@@ -426,7 +426,20 @@ public enum PGProperty { + + "to the database specified in the dbname parameter, " + + "which will allow the connection to be used for logical replication " + + "from that database. " +- + "(backend >= 9.4)"); ++ + "(backend >= 9.4)"), ++ ++ /** ++ * Factory class to instantiate factories for XML processing. ++ * The default factory disables external entity processing. ++ * Legacy behavior with external entity processing can be enabled by specifying a value of LEGACY_INSECURE. ++ * Or specify a custom class that implements {@code org.postgresql.xml.PGXmlFactoryFactory}. ++ */ ++ XML_FACTORY_FACTORY( ++ "xmlFactoryFactory", ++ "", ++ "Factory class to instantiate factories for XML processing"), ++ ++ ; + + private String _name; + private String _defaultValue; +Index: libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/core/BaseConnection.java +=================================================================== +--- libpgjava-42.2.5.orig/pgjdbc/src/main/java/org/postgresql/core/BaseConnection.java ++++ libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/core/BaseConnection.java +@@ -9,6 +9,7 @@ import org.postgresql.PGConnection; + import org.postgresql.jdbc.FieldMetadata; + import org.postgresql.jdbc.TimestampUtils; + import org.postgresql.util.LruCache; ++import org.postgresql.xml.PGXmlFactoryFactory; + + import java.sql.Connection; + import java.sql.ResultSet; +@@ -202,4 +203,12 @@ public interface BaseConnection extends + * @param flushCacheOnDeallocate true if statement cache should be reset when "deallocate/discard" message observed + */ + void setFlushCacheOnDeallocate(boolean flushCacheOnDeallocate); ++ ++ /** ++ * Retrieve the factory to instantiate XML processing factories. ++ * ++ * @return The factory to use to instantiate XML processing factories ++ * @throws SQLException if the class cannot be found or instantiated. ++ */ ++ PGXmlFactoryFactory getXmlFactoryFactory() throws SQLException; + } +Index: libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java +=================================================================== +--- libpgjava-42.2.5.orig/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java ++++ libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java +@@ -52,6 +52,14 @@ public abstract class BaseDataSource imp + // Map for all other properties + private Properties properties = new Properties(); + ++ public String getXmlFactoryFactory() { ++ return PGProperty.XML_FACTORY_FACTORY.get(properties); ++ } ++ ++ public void setXmlFactoryFactory(String xmlFactoryFactory) { ++ PGProperty.XML_FACTORY_FACTORY.set(properties, xmlFactoryFactory); ++ } ++ + /* + * Ensure the driver is loaded as JDBC Driver might be invisible to Java's ServiceLoader. + * Usually, {@code Class.forName(...)} is not required as {@link DriverManager} detects JDBC drivers +Index: libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java +=================================================================== +--- libpgjava-42.2.5.orig/pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java ++++ libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java +@@ -37,6 +37,9 @@ import org.postgresql.util.PGBinaryObjec + import org.postgresql.util.PGobject; + import org.postgresql.util.PSQLException; + import org.postgresql.util.PSQLState; ++import org.postgresql.xml.DefaultPGXmlFactoryFactory; ++import org.postgresql.xml.LegacyInsecurePGXmlFactoryFactory; ++import org.postgresql.xml.PGXmlFactoryFactory; + + import java.io.IOException; + import java.sql.Array; +@@ -142,6 +145,9 @@ public class PgConnection implements Bas + + private final LruCache<FieldMetadata.Key, FieldMetadata> fieldMetadataCache; + ++ private final String xmlFactoryFactoryClass; ++ private PGXmlFactoryFactory xmlFactoryFactory; ++ + final CachedQuery borrowQuery(String sql) throws SQLException { + return queryExecutor.borrowQuery(sql); + } +@@ -290,6 +296,8 @@ public class PgConnection implements Bas + false); + + replicationConnection = PGProperty.REPLICATION.get(info) != null; ++ ++ xmlFactoryFactoryClass = PGProperty.XML_FACTORY_FACTORY.get(info); + } + + private static Set<Integer> getBinaryOids(Properties info) throws PSQLException { +@@ -1729,4 +1737,36 @@ public class PgConnection implements Bas + } + return ps; + } ++ @Override ++ public PGXmlFactoryFactory getXmlFactoryFactory() throws SQLException { ++ if (xmlFactoryFactory == null) { ++ if (xmlFactoryFactoryClass == null || xmlFactoryFactoryClass.equals("")) { ++ xmlFactoryFactory = DefaultPGXmlFactoryFactory.INSTANCE; ++ } else if (xmlFactoryFactoryClass.equals("LEGACY_INSECURE")) { ++ xmlFactoryFactory = LegacyInsecurePGXmlFactoryFactory.INSTANCE; ++ } else { ++ Class<?> clazz; ++ try { ++ clazz = Class.forName(xmlFactoryFactoryClass); ++ } catch (ClassNotFoundException ex) { ++ throw new PSQLException( ++ GT.tr("Could not instantiate xmlFactoryFactory: {0}", xmlFactoryFactoryClass), ++ PSQLState.INVALID_PARAMETER_VALUE, ex); ++ } ++ if (!clazz.isAssignableFrom(PGXmlFactoryFactory.class)) { ++ throw new PSQLException( ++ GT.tr("Connection property xmlFactoryFactory must implement PGXmlFactoryFactory: {0}", xmlFactoryFactoryClass), ++ PSQLState.INVALID_PARAMETER_VALUE); ++ } ++ try { ++ xmlFactoryFactory = (PGXmlFactoryFactory) clazz.newInstance(); ++ } catch (Exception ex) { ++ throw new PSQLException( ++ GT.tr("Could not instantiate xmlFactoryFactory: {0}", xmlFactoryFactoryClass), ++ PSQLState.INVALID_PARAMETER_VALUE, ex); ++ } ++ } ++ } ++ return xmlFactoryFactory; ++ } + } +Index: libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java +=================================================================== +--- libpgjava-42.2.5.orig/pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java ++++ libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java +@@ -9,10 +9,11 @@ import org.postgresql.core.BaseConnectio + import org.postgresql.util.GT; + import org.postgresql.util.PSQLException; + import org.postgresql.util.PSQLState; ++import org.postgresql.xml.DefaultPGXmlFactoryFactory; ++import org.postgresql.xml.PGXmlFactoryFactory; + +-import org.xml.sax.ErrorHandler; + import org.xml.sax.InputSource; +-import org.xml.sax.SAXParseException; ++import org.xml.sax.XMLReader; + + import java.io.ByteArrayInputStream; + import java.io.ByteArrayOutputStream; +@@ -27,7 +28,6 @@ import java.sql.SQLException; + import java.sql.SQLXML; + + import javax.xml.parsers.DocumentBuilder; +-import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.stream.XMLInputFactory; + import javax.xml.stream.XMLOutputFactory; + import javax.xml.stream.XMLStreamException; +@@ -77,6 +77,13 @@ public class PgSQLXML implements SQLXML + _freed = false; + } + ++ private PGXmlFactoryFactory getXmlFactoryFactory() throws SQLException { ++ if (_conn != null) { ++ return _conn.getXmlFactoryFactory(); ++ } ++ return DefaultPGXmlFactoryFactory.INSTANCE; ++ } ++ + public synchronized void free() { + _freed = true; + _data = null; +@@ -128,18 +135,17 @@ public class PgSQLXML implements SQLXML + + try { + if (sourceClass == null || DOMSource.class.equals(sourceClass)) { +- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); +- DocumentBuilder builder = factory.newDocumentBuilder(); +- builder.setErrorHandler(new NonPrintingErrorHandler()); ++ DocumentBuilder builder = getXmlFactoryFactory().newDocumentBuilder(); + InputSource input = new InputSource(new StringReader(_data)); + return (T) new DOMSource(builder.parse(input)); + } else if (SAXSource.class.equals(sourceClass)) { ++ XMLReader reader = getXmlFactoryFactory().createXMLReader(); + InputSource is = new InputSource(new StringReader(_data)); +- return (T) new SAXSource(is); ++ return (T) new SAXSource(reader, is); + } else if (StreamSource.class.equals(sourceClass)) { + return (T) new StreamSource(new StringReader(_data)); + } else if (StAXSource.class.equals(sourceClass)) { +- XMLInputFactory xif = XMLInputFactory.newInstance(); ++ XMLInputFactory xif = getXmlFactoryFactory().newXMLInputFactory(); + XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(_data)); + return (T) new StAXSource(xsr); + } +@@ -182,8 +188,7 @@ public class PgSQLXML implements SQLXML + return (T) _domResult; + } else if (SAXResult.class.equals(resultClass)) { + try { +- SAXTransformerFactory transformerFactory = +- (SAXTransformerFactory) SAXTransformerFactory.newInstance(); ++ SAXTransformerFactory transformerFactory = getXmlFactoryFactory().newSAXTransformerFactory(); + TransformerHandler transformerHandler = transformerFactory.newTransformerHandler(); + _stringWriter = new StringWriter(); + transformerHandler.setResult(new StreamResult(_stringWriter)); +@@ -200,7 +205,7 @@ public class PgSQLXML implements SQLXML + } else if (StAXResult.class.equals(resultClass)) { + _stringWriter = new StringWriter(); + try { +- XMLOutputFactory xof = XMLOutputFactory.newInstance(); ++ XMLOutputFactory xof = getXmlFactoryFactory().newXMLOutputFactory(); + XMLStreamWriter xsw = xof.createXMLStreamWriter(_stringWriter); + _active = true; + return (T) new StAXResult(xsw); +@@ -262,7 +267,7 @@ public class PgSQLXML implements SQLXML + // and use the identify transform to get it into a + // friendlier result format. + try { +- TransformerFactory factory = TransformerFactory.newInstance(); ++ TransformerFactory factory = getXmlFactoryFactory().newTransformerFactory(); + Transformer transformer = factory.newTransformer(); + DOMSource domSource = new DOMSource(_domResult.getNode()); + StringWriter stringWriter = new StringWriter(); +@@ -289,19 +294,5 @@ public class PgSQLXML implements SQLXML + } + _initialized = true; + } +- +- // Don't clutter System.err with errors the user can't silence. +- // If something bad really happens an exception will be thrown. +- static class NonPrintingErrorHandler implements ErrorHandler { +- public void error(SAXParseException e) { +- } +- +- public void fatalError(SAXParseException e) { +- } +- +- public void warning(SAXParseException e) { +- } +- } +- + } + +Index: libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java +=================================================================== +--- /dev/null ++++ libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java +@@ -0,0 +1,140 @@ ++/* ++ * Copyright (c) 2020, PostgreSQL Global Development Group ++ * See the LICENSE file in the project root for more information. ++ */ ++ ++package org.postgresql.xml; ++ ++import org.xml.sax.SAXException; ++import org.xml.sax.XMLReader; ++import org.xml.sax.helpers.XMLReaderFactory; ++ ++import javax.xml.XMLConstants; ++import javax.xml.parsers.DocumentBuilder; ++import javax.xml.parsers.DocumentBuilderFactory; ++import javax.xml.parsers.ParserConfigurationException; ++import javax.xml.stream.XMLInputFactory; ++import javax.xml.stream.XMLOutputFactory; ++import javax.xml.transform.TransformerFactory; ++import javax.xml.transform.sax.SAXTransformerFactory; ++ ++/** ++ * Default implementation of PGXmlFactoryFactory that configures each factory per OWASP recommendations. ++ * ++ * @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html";>https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html</a> ++ */ ++public class DefaultPGXmlFactoryFactory implements PGXmlFactoryFactory { ++ public static final DefaultPGXmlFactoryFactory INSTANCE = new DefaultPGXmlFactoryFactory(); ++ ++ private DefaultPGXmlFactoryFactory() { ++ } ++ ++ private DocumentBuilderFactory getDocumentBuilderFactory() { ++ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ setFactoryProperties(factory); ++ factory.setXIncludeAware(false); ++ factory.setExpandEntityReferences(false); ++ return factory; ++ } ++ ++ @Override ++ public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException { ++ DocumentBuilder builder = getDocumentBuilderFactory().newDocumentBuilder(); ++ builder.setEntityResolver(EmptyStringEntityResolver.INSTANCE); ++ builder.setErrorHandler(NullErrorHandler.INSTANCE); ++ return builder; ++ } ++ ++ @Override ++ public TransformerFactory newTransformerFactory() { ++ TransformerFactory factory = TransformerFactory.newInstance(); ++ setFactoryProperties(factory); ++ return factory; ++ } ++ ++ @Override ++ public SAXTransformerFactory newSAXTransformerFactory() { ++ SAXTransformerFactory factory = (SAXTransformerFactory) SAXTransformerFactory.newInstance(); ++ setFactoryProperties(factory); ++ return factory; ++ } ++ ++ @Override ++ public XMLInputFactory newXMLInputFactory() { ++ XMLInputFactory factory = XMLInputFactory.newInstance(); ++ setPropertyQuietly(factory, XMLInputFactory.SUPPORT_DTD, false); ++ setPropertyQuietly(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); ++ return factory; ++ } ++ ++ @Override ++ public XMLOutputFactory newXMLOutputFactory() { ++ XMLOutputFactory factory = XMLOutputFactory.newInstance(); ++ return factory; ++ } ++ ++ @Override ++ public XMLReader createXMLReader() throws SAXException { ++ XMLReader factory = XMLReaderFactory.createXMLReader(); ++ setFeatureQuietly(factory, "http://apache.org/xml/features/disallow-doctype-decl";, true); ++ setFeatureQuietly(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd";, false); ++ setFeatureQuietly(factory, "http://xml.org/sax/features/external-general-entities";, false); ++ setFeatureQuietly(factory, "http://xml.org/sax/features/external-parameter-entities";, false); ++ factory.setErrorHandler(NullErrorHandler.INSTANCE); ++ return factory; ++ } ++ ++ private static void setFeatureQuietly(Object factory, String name, boolean value) { ++ try { ++ if (factory instanceof DocumentBuilderFactory) { ++ ((DocumentBuilderFactory) factory).setFeature(name, value); ++ } else if (factory instanceof TransformerFactory) { ++ ((TransformerFactory) factory).setFeature(name, value); ++ } else if (factory instanceof XMLReader) { ++ ((XMLReader) factory).setFeature(name, value); ++ } else { ++ throw new Error("Invalid factory class: " + factory.getClass()); ++ } ++ return; ++ } catch (Exception ignore) { ++ } ++ } ++ ++ private static void setAttributeQuietly(Object factory, String name, Object value) { ++ try { ++ if (factory instanceof DocumentBuilderFactory) { ++ ((DocumentBuilderFactory) factory).setAttribute(name, value); ++ } else if (factory instanceof TransformerFactory) { ++ ((TransformerFactory) factory).setAttribute(name, value); ++ } else { ++ throw new Error("Invalid factory class: " + factory.getClass()); ++ } ++ } catch (Exception ignore) { ++ } ++ } ++ ++ private static void setFactoryProperties(Object factory) { ++ setFeatureQuietly(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true); ++ setFeatureQuietly(factory, "http://apache.org/xml/features/disallow-doctype-decl";, true); ++ setFeatureQuietly(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd";, false); ++ setFeatureQuietly(factory, "http://xml.org/sax/features/external-general-entities";, false); ++ setFeatureQuietly(factory, "http://xml.org/sax/features/external-parameter-entities";, false); ++ // Values from XMLConstants inlined for JDK 1.6 compatibility ++ setAttributeQuietly(factory, "http://javax.xml.XMLConstants/property/accessExternalDTD";, ""); ++ setAttributeQuietly(factory, "http://javax.xml.XMLConstants/property/accessExternalSchema";, ""); ++ setAttributeQuietly(factory, "http://javax.xml.XMLConstants/property/accessExternalStylesheet";, ""); ++ } ++ ++ private static void setPropertyQuietly(Object factory, String name, Object value) { ++ try { ++ if (factory instanceof XMLReader) { ++ ((XMLReader) factory).setProperty(name, value); ++ } else if (factory instanceof XMLInputFactory) { ++ ((XMLInputFactory) factory).setProperty(name, value); ++ } else { ++ throw new Error("Invalid factory class: " + factory.getClass()); ++ } ++ } catch (Exception ignore) { ++ } ++ } ++} +Index: libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java +=================================================================== +--- /dev/null ++++ libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java +@@ -0,0 +1,23 @@ ++/* ++ * Copyright (c) 2020, PostgreSQL Global Development Group ++ * See the LICENSE file in the project root for more information. ++ */ ++ ++package org.postgresql.xml; ++ ++import org.xml.sax.EntityResolver; ++import org.xml.sax.InputSource; ++import org.xml.sax.SAXException; ++ ++import java.io.IOException; ++import java.io.StringReader; ++ ++public class EmptyStringEntityResolver implements EntityResolver { ++ public static final EmptyStringEntityResolver INSTANCE = new EmptyStringEntityResolver(); ++ ++ @Override ++ public InputSource resolveEntity(String publicId, String systemId) ++ throws SAXException, IOException { ++ return new InputSource(new StringReader("")); ++ } ++} +Index: libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java +=================================================================== +--- /dev/null ++++ libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java +@@ -0,0 +1,57 @@ ++/* ++ * Copyright (c) 2020, PostgreSQL Global Development Group ++ * See the LICENSE file in the project root for more information. ++ */ ++ ++package org.postgresql.xml; ++ ++import org.xml.sax.SAXException; ++import org.xml.sax.XMLReader; ++import org.xml.sax.helpers.XMLReaderFactory; ++ ++import javax.xml.parsers.DocumentBuilder; ++import javax.xml.parsers.DocumentBuilderFactory; ++import javax.xml.parsers.ParserConfigurationException; ++import javax.xml.stream.XMLInputFactory; ++import javax.xml.stream.XMLOutputFactory; ++import javax.xml.transform.TransformerFactory; ++import javax.xml.transform.sax.SAXTransformerFactory; ++ ++public class LegacyInsecurePGXmlFactoryFactory implements PGXmlFactoryFactory { ++ public static final LegacyInsecurePGXmlFactoryFactory INSTANCE = new LegacyInsecurePGXmlFactoryFactory(); ++ ++ private LegacyInsecurePGXmlFactoryFactory() { ++ } ++ ++ @Override ++ public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException { ++ DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); ++ builder.setErrorHandler(NullErrorHandler.INSTANCE); ++ return builder; ++ } ++ ++ @Override ++ public TransformerFactory newTransformerFactory() { ++ return TransformerFactory.newInstance(); ++ } ++ ++ @Override ++ public SAXTransformerFactory newSAXTransformerFactory() { ++ return (SAXTransformerFactory) SAXTransformerFactory.newInstance(); ++ } ++ ++ @Override ++ public XMLInputFactory newXMLInputFactory() { ++ return XMLInputFactory.newInstance(); ++ } ++ ++ @Override ++ public XMLOutputFactory newXMLOutputFactory() { ++ return XMLOutputFactory.newInstance(); ++ } ++ ++ @Override ++ public XMLReader createXMLReader() throws SAXException { ++ return XMLReaderFactory.createXMLReader(); ++ } ++} +Index: libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java +=================================================================== +--- /dev/null ++++ libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java +@@ -0,0 +1,25 @@ ++/* ++ * Copyright (c) 2020, PostgreSQL Global Development Group ++ * See the LICENSE file in the project root for more information. ++ */ ++ ++package org.postgresql.xml; ++ ++import org.xml.sax.ErrorHandler; ++import org.xml.sax.SAXParseException; ++ ++/** ++ * Error handler that silently suppresses all errors. ++ */ ++public class NullErrorHandler implements ErrorHandler { ++ public static final NullErrorHandler INSTANCE = new NullErrorHandler(); ++ ++ public void error(SAXParseException e) { ++ } ++ ++ public void fatalError(SAXParseException e) { ++ } ++ ++ public void warning(SAXParseException e) { ++ } ++} +Index: libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java +=================================================================== +--- /dev/null ++++ libpgjava-42.2.5/pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java +@@ -0,0 +1,30 @@ ++/* ++ * Copyright (c) 2020, PostgreSQL Global Development Group ++ * See the LICENSE file in the project root for more information. ++ */ ++ ++package org.postgresql.xml; ++ ++import org.xml.sax.SAXException; ++import org.xml.sax.XMLReader; ++ ++import javax.xml.parsers.DocumentBuilder; ++import javax.xml.parsers.ParserConfigurationException; ++import javax.xml.stream.XMLInputFactory; ++import javax.xml.stream.XMLOutputFactory; ++import javax.xml.transform.TransformerFactory; ++import javax.xml.transform.sax.SAXTransformerFactory; ++ ++public interface PGXmlFactoryFactory { ++ DocumentBuilder newDocumentBuilder() throws ParserConfigurationException; ++ ++ TransformerFactory newTransformerFactory(); ++ ++ SAXTransformerFactory newSAXTransformerFactory(); ++ ++ XMLInputFactory newXMLInputFactory(); ++ ++ XMLOutputFactory newXMLOutputFactory(); ++ ++ XMLReader createXMLReader() throws SAXException; ++} diff -Nru libpgjava-42.2.5/debian/patches/series libpgjava-42.2.5/debian/patches/series --- libpgjava-42.2.5/debian/patches/series 2018-08-27 16:55:54.000000000 +0200 +++ libpgjava-42.2.5/debian/patches/series 2020-06-18 21:57:31.000000000 +0200 @@ -1,3 +1,4 @@ 01-missing-pom-configuration.patch 02-scram-optional.patch 03-javadoc.patch +cve-2020-13692.patch
