Tony Mancill pushed to branch master at Debian Java Maintainers / libquartz-java
Commits: d043139b by tony mancill at 2023-01-31T19:31:37-08:00 Add patch for XXE vulnerability CVE-2019-13990 (Closes: #933169) - - - - - ff09a36a by tony mancill at 2023-01-31T19:31:37-08:00 Prepare changelog for upload - - - - - 3 changed files: - debian/changelog - + debian/patches/CVE-2019-13990.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,9 @@ +libquartz-java (1:1.8.6-8) unstable; urgency=medium + + * Add patch for XXE vulnerability CVE-2019-13990 (Closes: #933169) + + -- tony mancill <[email protected]> Mon, 30 Jan 2023 22:23:39 -0800 + libquartz-java (1:1.8.6-7) unstable; urgency=medium * Add build-dep on liblog4j1.2-java (Closes: #1028678) ===================================== debian/patches/CVE-2019-13990.patch ===================================== 
@@ -0,0 +1,91 @@
+Description: patch for CVE-2019-13990
+ The method initDocumentParser() in the XMLSchedulingDataProcessor.java
+ does not forbid DTDs, which allows a context-dependend attacker to
+ perform an XXE.
+ .
+ The testcase in the patch is slightly adapted for quartz 1.8.6
+Origin: https://github.com/quartz-scheduler/quartz/commit/a1395ba118df306c7fe67c24fb0c9a95a4473140
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933169
+Forwarded: not-needed
+Last-Update: 2023-01-29
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/quartz/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
++++ b/quartz/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+@@ -181,6 +181,13 @@
+ docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", "http://www.w3.org/2001/XMLSchema");
+ 
+ docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaSource());
++
++ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ docBuilderFactory.setXIncludeAware(false);
++ docBuilderFactory.setExpandEntityReferences(false);
+ 
+ docBuilder = docBuilderFactory.newDocumentBuilder();
+ 
+--- a/quartz/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
++++ b/quartz/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+@@ -16,6 +16,7 @@
+ import org.quartz.jobs.NoOpJob;
+ import org.quartz.simpl.CascadingClassLoadHelper;
+ import org.quartz.spi.ClassLoadHelper;
++import org.xml.sax.SAXParseException;
+ 
+ /**
+ * Unit test for XMLSchedulingDataProcessor.
+@@ -98,7 +99,29 @@
+ inStream.close();
+ }
+ }
+-
++
++ public void testXmlParserConfiguration() throws Exception {
++ Scheduler scheduler = null;
++ try {
++ StdSchedulerFactory factory = new StdSchedulerFactory("org/quartz/xml/quartz-test.properties");
++ scheduler = factory.getDefaultScheduler();
++ ClassLoadHelper clhelper = new CascadingClassLoadHelper();
++ clhelper.initialize();
++ XMLSchedulingDataProcessor processor = new XMLSchedulingDataProcessor(clhelper);
++ processor.processFileAndScheduleJobs("org/quartz/xml/bad-job-config.xml", scheduler);
++
++ final JobDetail jobDetail = scheduler.getJobDetail("xxe", "native");
++ final String description = jobDetail.getDescription();
++
++ fail("Expected parser configuration to block DOCTYPE. The following was injected into the job description field: " + description);
++ } catch (SAXParseException e) {
++ assertTrue(e.getMessage().contains("DOCTYPE is disallowed"));
++ } finally {
++ if (scheduler != null)
++ scheduler.shutdown();
++ }
++ }
++
+ /** QTZ-187 */
+ public void testDirectivesNoOverwriteWithIgnoreDups() throws Exception {
+ Scheduler scheduler = null;
+--- /dev/null
++++ b/quartz/src/test/resources/org/quartz/xml/bad-job-config.xml
+@@ -0,0 +1,19 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE foo [<!ELEMENT foo ANY >
++ <!ENTITY xxe SYSTEM "/" >]>
++<job-scheduling-data xmlns="http://www.quartz-scheduler.org/xml/JobSchedulingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.quartz-scheduler.org/xml/JobSchedulingData http://www.quartz-scheduler.org/xml/job_scheduling_data_2_0.xsd" version="2.0">
++ <schedule>
++ <job>
++ <name>xxe</name>
++ <group>native</group>
++ <description>&xxe;</description>
++ <job-class>org.quartz.jobs.NoOpJob</job-class>
++ <volatility>false</volatility>
++ <durability>true</durability>
++ <recover>false</recover>
++ <job-data-map>
++ <entry><key>foo</key><value>bar</value></entry>
++ </job-data-map>
++ </job>
++ </schedule>
++</job-scheduling-data>
===================================== debian/patches/series =====================================
@@ -1,2 +1,3 @@
 disable_update_check_864769.patch
 j2ee-dependencies.patch
+CVE-2019-13990.patch
View it on GitLab: https://salsa.debian.org/java-team/libquartz-java/-/compare/aa2f7b5ac1c49e2a86bfc595262eb920d1216ca8...ff09a36af32bd686174d97615f9fb48bd31598d7 -- View it on GitLab: https://salsa.debian.org/java-team/libquartz-java/-/compare/aa2f7b5ac1c49e2a86bfc595262eb920d1216ca8...ff09a36af32bd686174d97615f9fb48bd31598d7 You're receiving this email because of your account on salsa.debian.org.
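Review bot: The run of `setFeature`/`setXIncludeAware`/`setExpandEntityReferences` calls added to initDocumentParser() right after the schemaSource attribute carries no comment saying why it is there or how it fails, and the method's signature is outside the hunk so I cannot confirm it declares `ParserConfigurationException`; `DocumentBuilderFactory.setFeature` throws that exception for a feature URI the underlying parser does not recognise (the two `http://apache.org/xml/features/...` URIs are Xerces-specific), so on a different JAXP implementation the processor refuses to initialise rather than silently running unhardened, which is fail-closed and desirable but should be written down. Suggest placing `// XXE hardening (CVE-2019-13990): reject any DOCTYPE and never fetch external DTDs or entities; setFeature throws ParserConfigurationException on parsers that lack these URIs, which fails closed by design.` above the first `setFeature` line. Note that `disallow-doctype-decl` also rejects otherwise-valid job files that merely carry a DOCTYPE declaration, so this is a behaviour change for existing deployments that deserves a sentence in the changelog entry or the DEP-3 Description. In the test, `assertTrue(e.getMessage().contains("DOCTYPE is disallowed"))` pins the exact Xerces message text, which is fine for the bundled JDK parser but will need adjusting if the parser implementation ever changes.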

