Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org
[ Reason ] Fixing CVE-2023-41886 and CVE-2023-41887. OpenRefine is a powerful free, open source tool for working with messy data. Prior to this version, a remote code execution vulnerability allowed any unauthenticated user to execute code on the server. [ Tests ] I have verified that the new test case works as expected. [ Risks ] Low, leaf package, all tests work as expected. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable [ Other info ] Please note that I have previously uploaded another bookworm-pu, #1051429, to fix CVE-2023-37476. This update addresses the new CVEs mentioned in this bug report. CVE-2023-37476 has been fixed with 3.6.2-2+deb12u1 already.
diff --git a/debian/changelog b/debian/changelog
index 16033d8..37acbbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+openrefine (3.6.2-2+deb12u2) bookworm; urgency=medium
+
+ * Fix CVE-2023-41887 and CVE-2023-41886:
+ OpenRefine is a powerful free, open source tool for working with messy
+ data. Prior to this version, a remote code execution vulnerability allows
+ any unauthenticated user to execute code on the server.
+
+ -- Markus Koschany <a...@debian.org> Wed, 04 Oct 2023 15:02:45 +0200
+
 openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium

 * Fix CVE-2023-37476:
diff --git a/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
new file mode 100644
index 0000000..274b758
--- /dev/null
+++ b/debian/patches/CVE-2023-41887-and-CVE-2023-41886.patch
@@ -0,0 +1,183 @@ +From: Markus Koschany <a...@debian.org> +Date: Wed, 4 Oct 2023 14:39:55 +0200 +Subject: CVE-2023-41887 and CVE-2023-41886 + +Origin: https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511 +--- + .../extension/database/DatabaseConfiguration.java | 16 ++++++++++++++++ + .../database/mariadb/MariaDBConnectionManager.java | 12 +----------- + .../database/mysql/MySQLConnectionManager.java | 11 +---------- + .../database/pgsql/PgSQLConnectionManager.java | 11 +---------- + .../database/sqlite/SQLiteConnectionManager.java | 9 ++++++++- + .../database/DatabaseConfigurationTest.java | 21 +++++++++++++++++++++ + 6 files changed, 48 insertions(+), 32 deletions(-) + create mode 100644 extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java + +diff --git a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java +index 47dad7f..3f0dd57 100644 +--- a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java ++++ b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java +@@ -29,6 +29,9 @@ + package com.google.refine.extension.database; + + ++import java.net.URI; ++import java.net.URISyntaxException; ++ + public class DatabaseConfiguration { + + private String connectionName; +@@ -128,4 +131,17 @@ public class DatabaseConfiguration { + + + ++ public URI toURI() { ++ try { ++ return new URI( ++ "jdbc:" + databaseType.toLowerCase(), ++ databaseHost + ((databasePort == 0) ? "" : (":" + databasePort)), ++ "/" + databaseName, ++ useSSL ? 
"useSSL=true" : null, ++ null ++ ); ++ } catch (URISyntaxException e) { ++ throw new IllegalArgumentException(e); ++ } ++ } + } +diff --git a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java +index 4af014a..04c7dc8 100644 +--- a/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java ++++ b/extensions/database/src/com/google/refine/extension/database/mariadb/MariaDBConnectionManager.java +@@ -139,7 +139,7 @@ public class MariaDBConnectionManager { + + Class.forName(type.getClassPath()); + DriverManager.setLoginTimeout(10); +- String dbURL = getDatabaseUrl(databaseConfiguration); ++ String dbURL = databaseConfiguration.toURI().toString(); + connection = DriverManager.getConnection(dbURL, databaseConfiguration.getDatabaseUser(), + databaseConfiguration.getDatabasePassword()); + +@@ -173,14 +173,4 @@ public class MariaDBConnectionManager { + } + + } +- +- +- +- private static String getDatabaseUrl(DatabaseConfiguration dbConfig) { +- +- int port = dbConfig.getDatabasePort(); +- return "jdbc:" + dbConfig.getDatabaseType().toLowerCase() + "://" + dbConfig.getDatabaseHost() +- + ((port == 0) ? 
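Review bot: `databaseHost` is concatenated into the authority argument of `new URI(...)` in `toURI()` without any validation, so the escaping added here protects the database name in the path but leaves the host constrained only by URI syntax. Going by the `java.net.URI` documentation, the multi-argument constructors leave `@`, `:`, `,` and similar punctuation in an authority untouched. Host and name presumably come from the same user-supplied connection settings, so I would reject a host that is not a plain hostname or IP literal before building the URI, throwing `IllegalArgumentException` as the `catch` branch already does. Separately, `databaseType.toLowerCase()` is locale-sensitive; `databaseType.toLowerCase(Locale.ROOT)` (with a `java.util.Locale` import) keeps the scheme stable under every default locale. The class body continues outside this hunk, so an existing check elsewhere in `DatabaseConfiguration` cannot be ruled out.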
"" : (":" + port)) + "/" + dbConfig.getDatabaseName(); +- +- } + } +diff --git a/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java +index 9e81fd2..ac11dfe 100644 +--- a/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java ++++ b/extensions/database/src/com/google/refine/extension/database/mysql/MySQLConnectionManager.java +@@ -131,7 +131,7 @@ public class MySQLConnectionManager { + return connection; + } + } +- String dbURL = getDatabaseUrl(databaseConfiguration); ++ String dbURL = databaseConfiguration.toURI().toString(); + Class.forName(type.getClassPath()); + + //logger.info("*** type.getClassPath() ::{}, {}**** ", type.getClassPath()); +@@ -171,13 +171,4 @@ public class MySQLConnectionManager { + } + + } +- +- +- private String getDatabaseUrl(DatabaseConfiguration dbConfig) { +- +- int port = dbConfig.getDatabasePort(); +- return "jdbc:" + dbConfig.getDatabaseType() + "://" + dbConfig.getDatabaseHost() +- + ((port == 0) ? 
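Review bot: Switching `MySQLConnectionManager` to `databaseConfiguration.toURI().toString()` changes the URL when `useSSL` is false. The removed `getDatabaseUrl` always appended `?useSSL=` plus the flag, while `toURI()` adds a query only when the flag is true, so an unset flag now falls back to the driver's default TLS behaviour. The database type is also lower-cased now, which the old MySQL helper did not do. Neither looks wrong, but both are behaviour changes in a stable update and deserve a line in the patch description, or a comment above the call such as `// useSSL=false is no longer sent explicitly; the driver default applies`. The enclosing method starts and ends outside the hunk.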
"" : (":" + port)) + "/" + dbConfig.getDatabaseName() + "?useSSL=" + dbConfig.isUseSSL(); +- +- } + } +diff --git a/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java +index bef6c9a..156997f 100644 +--- a/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java ++++ b/extensions/database/src/com/google/refine/extension/database/pgsql/PgSQLConnectionManager.java +@@ -142,7 +142,7 @@ public class PgSQLConnectionManager { + + Class.forName(type.getClassPath()); + DriverManager.setLoginTimeout(10); +- String dbURL = getDatabaseUrl(databaseConfiguration); ++ String dbURL = databaseConfiguration.toURI().toString(); + connection = DriverManager.getConnection(dbURL, databaseConfiguration.getDatabaseUser(), + databaseConfiguration.getDatabasePassword()); + +@@ -173,13 +173,4 @@ public class PgSQLConnectionManager { + } + + } +- +- +- private static String getDatabaseUrl(DatabaseConfiguration dbConfig) { +- +- int port = dbConfig.getDatabasePort(); +- return "jdbc:" + dbConfig.getDatabaseType().toLowerCase() + "://" + dbConfig.getDatabaseHost() +- + ((port == 0) ? 
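Review bot: With this call, PostgreSQL connections now receive `?useSSL=true` from `toURI()` when the flag is set, whereas the removed PgSQL helper never added a query. `useSSL` is the MySQL spelling and the PostgreSQL JDBC driver documents `ssl` and `sslmode` instead, so the flag probably has no effect here and a user may believe the link is encrypted when it is not. The MariaDB manager gets the same new query parameter; whether its driver honours `useSSL` should be checked. Mapping the flag per driver, or omitting the query for drivers that do not know it, would make the setting mean what it says. At minimum, a comment at the call site such as `// useSSL is passed through as-is; confirm the driver recognises it` would record the gap. The enclosing method is only partly visible in this hunk.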
"" : (":" + port)) + "/" + dbConfig.getDatabaseName(); +- +- } + } +diff --git a/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java b/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java +index 5b9b4cf..7d42e00 100644 +--- a/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java ++++ b/extensions/database/src/com/google/refine/extension/database/sqlite/SQLiteConnectionManager.java +@@ -35,6 +35,8 @@ import com.google.refine.extension.database.SQLType; + import org.slf4j.Logger; + import org.slf4j.LoggerFactory; + ++import java.net.URI; ++import java.net.URISyntaxException; + import java.sql.Connection; + import java.sql.DriverManager; + import java.sql.SQLException; +@@ -66,7 +68,12 @@ public class SQLiteConnectionManager { + } + + public static String getDatabaseUrl(DatabaseConfiguration dbConfig) { +- return "jdbc:" + dbConfig.getDatabaseType().toLowerCase() + ":" + dbConfig.getDatabaseName(); ++ try { ++ URI uri = new URI("jdbc:" + dbConfig.getDatabaseType().toLowerCase(), dbConfig.getDatabaseName(), null); ++ return uri.toASCIIString(); ++ } catch (URISyntaxException e) { ++ throw new IllegalArgumentException(e); ++ } + } + + /** +diff --git a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java +new file mode 100644 +index 0000000..5a571e8 +--- /dev/null ++++ b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java +@@ -0,0 +1,21 @@ ++package com.google.refine.extension.database; ++ ++import org.testng.annotations.Test; ++ ++import static org.testng.Assert.assertEquals; ++ ++public class DatabaseConfigurationTest { ++ ++ @Test ++ public void testToURI() { ++ DatabaseConfiguration config = new DatabaseConfiguration(); ++ 
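Review bot: In `getDatabaseUrl` the database name is passed as the scheme-specific part of the three-argument `URI` constructor, which per the `java.net.URI` documentation quotes only characters that are illegal in a URI. Reserved characters such as `?` and `&` are legal and stay as they are, so this branch does not give the name the escaping that `DatabaseConfiguration.toURI()` gives it in the path component. If the SQLite driver treats a `?` suffix as connection options, the name should be rejected before the URI is built, e.g. `if (dbConfig.getDatabaseName().indexOf('?') >= 0) throw new IllegalArgumentException("invalid database name");`. `toASCIIString()` also percent-encodes spaces and non-ASCII characters, which may change how a file path containing them is opened; that should be checked against the driver.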
config.setDatabaseType("mysql"); ++ config.setDatabaseHost("my.host"); ++ // maliciously crafted database name which attempts to enable local file reads for an exploit ++ config.setDatabaseName("test?allowLoadLocalInfile=true#"); ++ ++ String url = config.toURI().toString(); ++ // the database name is escaped, preventing the exploit ++ assertEquals(url, "jdbc:mysql://my.host/test%3FallowLoadLocalInfile=true%23"); ++ } ++} diff --git a/debian/patches/series b/debian/patches/series index 2657037..ff5e387 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ log4j-api.patch no-java-files.patch gdata-extension.patch CVE-2023-37476.patch +CVE-2023-41887-and-CVE-2023-41886.patch
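Review bot: `testToURI` asserts only the database-name escaping for the `mysql` type. The non-zero port branch, the `useSSL` query and the host component of `toURI()` have no assertion, and `SQLiteConnectionManager.getDatabaseUrl`, which builds its URL separately, is not covered at all. Three connection managers now depend on `toURI()`, so one case per branch (a non-zero port, the SSL flag set, a host containing reserved characters, and a SQLite name containing `?`) with the expected string spelled out would pin the behaviour this security fix relies on.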