Commit 557e74d9 authored by Miguel Landaeta's avatar Miguel Landaeta

Fix CVE-2014-0054 and CVE-2014-1904 in stable

parent 839adf8d
libspring-java (3.0.6.RELEASE-6+deb7u3) UNRELEASED; urgency=high
* Team upload.
* Fix CVE-2013-6429 and CVE-2013-6430. (Closes: #741604).
-- Miguel Landaeta <nomadium@debian.org> Mon, 24 Mar 2014 18:12:13 -0300
libspring-java (3.0.6.RELEASE-6+deb7u2) wheezy-security; urgency=high
* Team upload.
From: Miguel Landaeta <nomadium@debian.org>
Date: Mon, 24 Mar 2014 16:57:19 -0300
Subject: CVE-2014-0054
Bug: http://bugs.debian.org/741604
diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
index 871075f..fea0519 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
@@ -120,6 +120,11 @@ public class CastorMarshaller extends AbstractMarshaller implements Initializing
this.encoding = encoding;
}
+ @Override
+ protected String getDefaultEncoding() {
+ return this.encoding;
+ }
+
/**
* Set the locations of the Castor XML Mapping files.
*/
diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
index 1b3412d..37d7937 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
@@ -317,6 +317,13 @@ public class Jaxb2Marshaller
this.processExternalEntities = processExternalEntities;
}
+ /**
+ * @return the configured value for whether XML external entities are allowed.
+ */
+ public boolean isProcessExternalEntities() {
+ return this.processExternalEntities;
+ }
+
public void setBeanClassLoader(ClassLoader classLoader) {
this.beanClassLoader = classLoader;
}
diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
index 5d6a053..0de00b2 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2010 the original author or authors.
+ * Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -28,6 +28,7 @@ import javax.xml.stream.XMLEventWriter;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;
+import javax.xml.transform.OutputKeys;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
@@ -133,6 +134,11 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
this.encoding = encoding;
}
+ @Override
+ protected String getDefaultEncoding() {
+ return this.encoding;
+ }
+
/**
* Set the document standalone flag for marshalling. By default, this flag is not present.
*/
@@ -301,7 +307,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
}
catch (TransformerException ex) {
throw new MarshallingFailureException(
- "Could not transform to [" + ClassUtils.getShortName(result.getClass()) + "]");
+ "Could not transform to [" + ClassUtils.getShortName(result.getClass()) + "]", ex);
}
}
@@ -367,7 +373,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
@Override
protected Object unmarshalDomNode(Node node) throws XmlMappingException {
try {
- return transformAndUnmarshal(new DOMSource(node));
+ return transformAndUnmarshal(new DOMSource(node), null);
}
catch (IOException ex) {
throw new UnmarshallingFailureException("JiBX unmarshalling exception", ex);
@@ -377,12 +383,15 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
@Override
protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource)
throws XmlMappingException, IOException {
- return transformAndUnmarshal(new SAXSource(xmlReader, inputSource));
+ return transformAndUnmarshal(new SAXSource(xmlReader, inputSource), inputSource.getEncoding());
}
- private Object transformAndUnmarshal(Source source) throws IOException {
+ private Object transformAndUnmarshal(Source source, String encoding) throws IOException {
try {
Transformer transformer = transformerFactory.newTransformer();
+ if (encoding != null) {
+ transformer.setOutputProperty(OutputKeys.ENCODING, encoding);
+ }
ByteArrayOutputStream os = new ByteArrayOutputStream();
transformer.transform(source, new StreamResult(os));
ByteArrayInputStream is = new ByteArrayInputStream(os.toByteArray());
@@ -390,7 +399,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
}
catch (TransformerException ex) {
throw new MarshallingFailureException(
- "Could not transform from [" + ClassUtils.getShortName(source.getClass()) + "]");
+ "Could not transform from [" + ClassUtils.getShortName(source.getClass()) + "]", ex);
}
}
diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
index cee37bb..09bc006 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2010 the original author or authors.
+ * Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -73,6 +73,34 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
private final Object documentBuilderFactoryMonitor = new Object();
+ private boolean processExternalEntities = false;
+
+
+ /**
+ * Indicates whether external XML entities are processed when unmarshalling.
+ * <p>Default is {@code false}, meaning that external entities are not resolved.
+ * Note that processing of external entities will only be enabled/disabled when the
+ * {@code Source} passed to {@link #unmarshal(Source)} is a {@link SAXSource} or
+ * {@link StreamSource}. It has no effect for {@link DOMSource} or {@link StAXSource}
+ * instances.
+ */
+ public void setProcessExternalEntities(boolean processExternalEntities) {
+ this.processExternalEntities = processExternalEntities;
+ }
+
+ /**
+ * @return the configured value for whether XML external entities are allowed.
+ */
+ public boolean isProcessExternalEntities() {
+ return this.processExternalEntities;
+ }
+
+ /**
+ * @return the default encoding to use for marshalling or unmarshalling from
+ * a byte stream, or {@code null}.
+ */
+ abstract protected String getDefaultEncoding();
+
/**
* Marshals the object graph with the given root into the provided <code>javax.xml.transform.Result</code>.
@@ -131,7 +159,7 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
return unmarshalSaxSource((SAXSource) source);
}
else if (source instanceof StreamSource) {
- return unmarshalStreamSource((StreamSource) source);
+ return unmarshalStreamSourceNoExternalEntitities((StreamSource) source);
}
else {
throw new IllegalArgumentException("Unknown Source type: " + source.getClass());
@@ -173,7 +201,9 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
* @throws SAXException if thrown by JAXP methods
*/
protected XMLReader createXmlReader() throws SAXException {
- return XMLReaderFactory.createXMLReader();
+ XMLReader xmlReader = XMLReaderFactory.createXMLReader();
+ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities());
+ return xmlReader;
}
@@ -356,8 +386,42 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
}
/**
+ * Template method for handling {@code StreamSource}s with protection against
+ * the XML External Entity (XXE) processing vulnerability taking into account
+ * the value of the {@link #setProcessExternalEntities(boolean)} property.
+ * <p>
+ * The default implementation wraps the StreamSource as a SAXSource and delegates
+ * to {@link #unmarshalSaxSource(javax.xml.transform.sax.SAXSource)}.
+ *
+ * @param streamSource the {@code StreamSource}
+ * @return the object graph
+ * @throws IOException if an I/O exception occurs
+ * @throws XmlMappingException if the given source cannot be mapped to an object
+ *
+ * @see <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML_External_Entity_(XXE)_Processing</a>
+ */
+ protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource) throws XmlMappingException, IOException {
+ InputSource inputSource;
+ if (streamSource.getInputStream() != null) {
+ inputSource = new InputSource(streamSource.getInputStream());
+ inputSource.setEncoding(getDefaultEncoding());
+ }
+ else if (streamSource.getReader() != null) {
+ inputSource = new InputSource(streamSource.getReader());
+ }
+ else {
+ inputSource = new InputSource(streamSource.getSystemId());
+ }
+ return unmarshalSaxSource(new SAXSource(inputSource));
+ }
+
+ /**
* Template method for handling <code>StreamSource</code>s.
* <p>This implementation defers to <code>unmarshalInputStream</code> or <code>unmarshalReader</code>.
+ * <p>As of 3.2.8 and 4.0.2 this method is no longer invoked from
+ * {@link #unmarshal(javax.xml.transform.Source)}. The method invoked instead is
+ * {@link #unmarshalStreamSourceNoExternalEntitities(javax.xml.transform.stream.StreamSource)}.
+ *
* @param streamSource the <code>StreamSource</code>
* @return the object graph
* @throws IOException if an I/O exception occurs
diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
index eb5a6e6..9f06b35 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2009 the original author or authors.
+ * Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -116,6 +116,10 @@ public class XmlBeansMarshaller extends AbstractMarshaller {
return this.validating;
}
+ @Override
+ protected String getDefaultEncoding() {
+ return null;
+ }
/**
* This implementation returns true if the given class is an implementation of {@link XmlObject}.
diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
index d6521ff..efa9403 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
@@ -26,11 +26,9 @@ import java.io.Writer;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
-import javax.xml.stream.XMLEventReader;
-import javax.xml.stream.XMLEventWriter;
-import javax.xml.stream.XMLStreamException;
-import javax.xml.stream.XMLStreamReader;
-import javax.xml.stream.XMLStreamWriter;
+import javax.xml.stream.*;
+import javax.xml.transform.stax.StAXSource;
+import javax.xml.transform.stream.StreamSource;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
@@ -349,6 +347,11 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
this.encoding = encoding;
}
+ @Override
+ protected String getDefaultEncoding() {
+ return this.encoding;
+ }
+
/**
* Set the classes supported by this marshaller.
* <p>If this property is empty (the default), all classes are supported.
@@ -470,6 +473,13 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
// Unmarshalling
@Override
+ protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource)
+ throws XmlMappingException, IOException {
+
+ return super.unmarshalStreamSource(streamSource);
+ }
+
+ @Override
protected Object unmarshalDomNode(Node node) throws XmlMappingException {
HierarchicalStreamReader streamReader;
if (node instanceof Document) {
diff --git a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
index 15b7d8e..3126ca4 100644
--- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
@@ -85,6 +85,13 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
this.processExternalEntities = processExternalEntities;
}
+ /**
+ * @return the configured value for whether XML external entities are allowed.
+ */
+ public boolean isProcessExternalEntities() {
+ return this.processExternalEntities;
+ }
+
@Override
public boolean supports(Class<?> clazz) {
return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz)
@@ -146,7 +153,7 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
private Source readStAXSource(InputStream body) {
try {
XMLInputFactory inputFactory = XMLInputFactory.newFactory();
- inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", processExternalEntities);
+ inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, this.processExternalEntities);
XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body);
return StaxUtils.createStaxSource(streamReader);
}
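Review bot: createXmlReader() in the AbstractMarshaller hunk at `@@ -173,7 +201,9` toggles only `http://xml.org/sax/features/external-general-entities`, so the new processExternalEntities=false default still leaves external parameter entities and DTD loading at the parser's defaults; adding `xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", isProcessExternalEntities());` beside it closes that gap for the SAX path. The DOMSource/StAXSource limitation is documented on setProcessExternalEntities, but the XStreamMarshaller override at the end of the patch routes StreamSource straight back to `super.unmarshalStreamSource(streamSource)`, so for XStream the protection depends on parser configuration that is not visible here — worth confirming that its StAX factory sets `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` the way SourceHttpMessageConverter now does. The protected method name `unmarshalStreamSourceNoExternalEntitities` carries a typo ("Entitities"); it is overridden in XStreamMarshaller, so a rename would touch both sites, and since the name appears to mirror upstream, keeping it is defensible. Several of the enclosing method bodies in this patch start or end outside their hunks.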
From: Miguel Landaeta <nomadium@debian.org>
Date: Mon, 24 Mar 2014 17:07:58 -0300
Subject: CVE-2014-1904
Bug: http://bugs.debian.org/741604
diff --git a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
index 2e9cc84..b416084 100644
--- a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
+++ b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2010 the original author or authors.
+ * Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -21,11 +21,14 @@ import javax.servlet.http.HttpServletResponse;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.PageContext;
+import java.io.UnsupportedEncodingException;
+
import org.springframework.beans.PropertyAccessor;
import org.springframework.core.Conventions;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.util.HtmlUtils;
+import org.springframework.web.util.UriUtils;
/**
* Databinding-aware JSP tag for rendering an HTML '<code>form</code>' whose
@@ -397,6 +400,13 @@ public class FormTag extends AbstractHtmlElementTag {
}
else {
String requestUri = getRequestContext().getRequestUri();
+ String encoding = pageContext.getResponse().getCharacterEncoding();
+ try {
+ requestUri = UriUtils.encodePath(requestUri, encoding);
+ }
+ catch (UnsupportedEncodingException e) {
+ throw new JspException(e);
+ }
ServletResponse response = this.pageContext.getResponse();
if (response instanceof HttpServletResponse) {
requestUri = ((HttpServletResponse) response).encodeURL(requestUri);
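Review bot: The new encodePath() call in the FormTag hunk at `@@ -397,6 +400,13` treats requestUri as an unencoded path; if `getRequestContext().getRequestUri()` returns the raw, already percent-encoded request URI, `UriUtils.encodePath` will also escape the `%` of existing escapes and the rendered action ends up double-encoded — confirm which form RequestContext returns before relying on this. `pageContext.getResponse()` is now fetched twice in the same branch (once for the encoding and again for `response` two lines later); hoisting `ServletResponse response = this.pageContext.getResponse();` above the try block and reading `response.getCharacterEncoding()` avoids the repeat. Throwing `new JspException(e)` on UnsupportedEncodingException fails closed, which is reasonable, but a one-line comment such as `// response charset unknown to the JVM: refuse to render an unencoded action` would record why the tag aborts instead of falling back to the raw URI. The enclosing method starts and ends outside the hunk.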
......@@ -10,3 +10,5 @@
Add-processExternalEntities-to-JAXB2Marshaller.patch
CVE-2013-6429.patch
CVE-2013-6430.patch
CVE-2014-0054.patch
CVE-2014-1904.patch