jabref (3.8.2+ds-12) UNRELEASED; urgency=medium
TODO: FTBFS with
/build/jabref-3.8.2+ds/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java:16: error: package org.slf4j does not exist
import org.slf4j.Logger;
^
etc.
* Add patch from upstream commit to fix CVE-2018-1000652: XML External
Entity attack.
Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772)
-- gregor herrmann <gregoa@debian.org> Sat, 09 Feb 2019 00:54:59 +0100
jabref (3.8.2+ds-11) unstable; urgency=medium
* Add build dependency on libicu4j-java.
From 89f855d76713b4cd25ac0830c719cd61c511851e Mon Sep 17 00:00:00 2001
From: Nick <nick.s.weatherley@protonmail.com>
Date: Mon, 30 Jul 2018 16:06:07 +0000
Subject: [PATCH] Fix importer vulnerability (#4240)
* Fix importer vulnerability
Fixed issue #4229 where importer was vulnerable to XXE attacks by
disabling DTDs along with adding warning to logger if features are
unavailable. fixes #4229
Bugs-Debian: https://bugs.debian.org/921772
Bug: https://github.com/JabRef/jabref/issues/4229
--- a/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
+++ b/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
@@ -6,12 +6,15 @@
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
import net.sf.jabref.logic.importer.Importer;
import net.sf.jabref.logic.importer.ParserResult;
import net.sf.jabref.logic.msbib.MSBibDatabase;
import net.sf.jabref.logic.util.FileExtensions;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
@@ -23,6 +26,10 @@
*/
public class MsBibImporter extends Importer {
+ private static final Logger LOGGER = LoggerFactory.getLogger(MsBibImporter.class);
+ private static final String DISABLEDTD = "http://apache.org/xml/features/disallow-doctype-decl";
+ private static final String DISABLEEXTERNALDTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
@Override
public boolean isRecognizedFormat(BufferedReader reader) throws IOException {
Objects.requireNonNull(reader);
@@ -34,7 +41,7 @@
*/
Document docin;
try {
- DocumentBuilder dbuild = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ DocumentBuilder dbuild = makeSafeDocBuilderFactory(DocumentBuilderFactory.newInstance()).newDocumentBuilder();
docin = dbuild.parse(new InputSource(reader));
} catch (Exception e) {
return false;
@@ -65,4 +72,29 @@
return "Importer for the MS Office 2007 XML bibliography format.";
}
+ /**
+ * DocumentBuilderFactory makes a XXE safe Builder factory from dBuild. If not supported by current
+ * XML then returns original builder given and logs error.
+ * @param dBuild | DocumentBuilderFactory to be made XXE safe.
+ * @return If supported, XXE safe DocumentBuilderFactory. Else, returns original builder given
+ */
+ private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
+ String feature = null;
+
+ try {
+ feature = DISABLEDTD;
+ dBuild.setFeature(feature, true);
+
+ feature = DISABLEEXTERNALDTD;
+ dBuild.setFeature(feature, false);
+
+ dBuild.setXIncludeAware(false);
+ dBuild.setExpandEntityReferences(false);
+
+ } catch (ParserConfigurationException e) {
+ LOGGER.warn("Builder not fully configured. Feature:'{}' is probably not supported by current XML processor. {}", feature, e);
+ }
+
+ return dBuild;
+ }
}
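Review bot: The `catch (ParserConfigurationException e)` block in makeSafeDocBuilderFactory fails open: when `disallow-doctype-decl` is rejected the method logs a warning and returns the unhardened factory, the remaining `setFeature`/`setXIncludeAware`/`setExpandEntityReferences` calls are skipped because the exception leaves the try on the first failing line, and isRecognizedFormat then parses the input with DTD processing still enabled. Since the only caller visible in this patch already wraps the call in `catch (Exception e) { return false; }`, the safer shape is to declare `private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) throws ParserConfigurationException` and drop the try/catch, so a parser that cannot be hardened is never used (any callers outside these hunks would need the same treatment). A smaller point: SLF4J treats a trailing Throwable argument as the exception to log rather than as a placeholder value, so the second `{}` in the warn message is most likely printed literally; `LOGGER.warn("Builder not fully configured. Feature:'{}' is probably not supported by current XML processor.", feature, e)` gives the feature name plus the stack trace. The `import org.slf4j.Logger;` and `import org.slf4j.LoggerFactory;` lines in the first hunk are what the changelog's FTBFS note points at; the Debian patch could log through whatever facade the rest of the 3.8.2 tree already uses, or omit the logging, rather than introducing a build dependency the package does not declare.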
......@@ -7,3 +7,4 @@
070_jdk9_swing.patch
080_jdk11_jaxb.patch
090_mariadb.patch
100_CVE-2018-1000652_XXE-vulnerability.patch