Markus Koschany · Markus Koschany · Markus Koschany · Markus Koschany · Markus Koschany · f0eed5c6
--- a/debian/changelog
+++ b/debian/changelog
+lucene-solr (3.6.2+dfsg-12) unstable; urgency=high
+
+  * Team upload.
+  * Fix FTBFS with Ant 1.10. (Closes: #895797)
+  * Fix CVE-2018-1308. (Closes: #896604)
+  * Declare compliance with Debian Policy 4.1.4.
+
+ -- Markus Koschany <apo@debian.org>  Tue, 01 May 2018 23:35:41 +0200
+
 lucene-solr (3.6.2+dfsg-11) unstable; urgency=medium

  * Team upload.

--- a/debian/control
+++ b/debian/control
@@ -46,7 +46,7 @@ Build-Depends:
 libxml-commons-resolver1.1-java,
 maven-repo-helper (>= 1.5~),
 po-debconf
-Standards-Version: 4.1.3
+Standards-Version: 4.1.4
 Vcs-Git: https://anonscm.debian.org/git/pkg-java/lucene-solr.git
 Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/lucene-solr.git
 Homepage: http://lucene.apache.org

--- a/debian/patches/CVE-2018-1308.patch
+++ b/debian/patches/CVE-2018-1308.patch
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 1 May 2018 23:11:09 +0200
+Subject: CVE-2018-1308
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896604
+Origin: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/02c693f3
+---
+ .../apache/solr/handler/dataimport/DataImporter.java | 13 +++++++++++--
+ .../solr/handler/dataimport/TestErrorHandling.java   | 20 ++++++++++++++++++++
+ 2 files changed, 31 insertions(+), 2 deletions(-)
+
+diff --git a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java
+index 4a69220..02912f0 100644
+--- a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java
+++ b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java
+@@ -17,6 +17,7 @@
+ 
+ package org.apache.solr.handler.dataimport;
+ 
+import org.apache.solr.util.EmptyEntityResolver;
+ import org.apache.solr.common.SolrException;
+ import org.apache.solr.common.SolrInputDocument;
+ import org.apache.solr.core.SolrConfig;
+@@ -196,8 +197,10 @@ public class DataImporter {
+ 
+     try {
+       DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+      dbf.setValidating(false);
+       
+-      // only enable xinclude, if a a SolrCore and SystemId is present (makes no sense otherwise)
+      // only enable xinclude, if XML is coming from safe source (local file)
+      // and a a SolrCore and SystemId is present (makes no sense otherwise):
+       if (core != null && configFile.getSystemId() != null) {
+         try {
+           dbf.setXIncludeAware(true);
+@@ -208,8 +211,14 @@ public class DataImporter {
+       }
+       
+       DocumentBuilder builder = dbf.newDocumentBuilder();
+-      if (core != null)
+      // only enable xinclude / external entities, if XML is coming from
+      // safe source (local file) and a a SolrCore and SystemId is present:
+      if (core != null && configFile.getSystemId() != null) {
+         builder.setEntityResolver(new SystemIdResolver(core.getResourceLoader()));
+      } else {
+        // Don't allow external entities without having a system ID:
+        builder.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+      }
+       builder.setErrorHandler(XMLLOG);
+       Document document;
+       try {
+diff --git a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java
+index 64f58df..c75e07c 100644
+--- a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java
+++ b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java
+@@ -76,6 +76,13 @@ public class TestErrorHandling extends AbstractDataImportHandlerTestCase {
+     assertQ(req("*:*"), "//*[@numFound='3']");
+   }
+ 
+  public void testExternalEntity() throws Exception {
+    StringDataSource.xml = wellformedXml;
+    // This should not fail as external entities are replaced by an empty string during parsing:
+    runFullImport(dataConfigWithEntity);
+    assertQ(req("*:*"), "//*[@numFound='3']");
+  }
+
+   public static class StringDataSource extends DataSource<Reader> {
+     public static String xml = "";
+ 
+@@ -144,6 +151,19 @@ public class TestErrorHandling extends AbstractDataImportHandlerTestCase {
+           "    </document>\n" +
+           "</dataConfig>";
+ 
+  private String dataConfigWithEntity = "<!DOCTYPE dataConfig [\n" + 
+          "  <!ENTITY internalTerm \"node\">\n" + 
+          "  <!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" + 
+          "]><dataConfig>\n" +
+          "    <dataSource name=\"str\" type=\"TestErrorHandling$StringDataSource\" />" +
+          "    <document>\n" +
+          "        <entity name=\"&internalTerm;\" dataSource=\"str\" processor=\"XPathEntityProcessor\" url=\"test\" forEach=\"/root/node\" onError=\"skip\">\n" +
+          "            <field column=\"id\" xpath=\"/root/node/id\">&externalTerm;</field>\n" +
+          "            <field column=\"desc\" xpath=\"/root/node/desc\" />\n" +
+          "        </entity>\n" +
+          "    </document>\n" +
+          "</dataConfig>";
+
+   private String malformedXml = "<root>\n" +
+           "    <node>\n" +
+           "        <id>1</id>\n" +
--- a/debian/patches/ant-1.10.patch
+++ b/debian/patches/ant-1.10.patch
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 1 May 2018 22:12:27 +0200
+Subject: ant 1.10
+
+---
+ .../java/org/apache/lucene/util/LuceneJUnitDividingSelector.java    | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java b/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java
+index 5a9509c..beecebe 100644
+--- a/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java
+++ b/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java
+@@ -21,6 +21,7 @@ import java.io.File;
+ import org.apache.tools.ant.BuildException;
+ import org.apache.tools.ant.types.Parameter;
+ import org.apache.tools.ant.types.selectors.BaseExtendSelector;
+import org.apache.tools.ant.types.Resource;
+ 
+ /** Divides filesets into equal groups */
+ public class LuceneJUnitDividingSelector extends BaseExtendSelector {
+@@ -30,6 +31,11 @@ public class LuceneJUnitDividingSelector extends BaseExtendSelector {
+   /** Current part to accept. */
+   private int part;
+ 
+  @Override
+  public boolean isSelected(Resource r) {
+      return false;
+  }
+
+   @Override
+   public void setParameters(Parameter[] pParameters) {
+     super.setParameters(pParameters);
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,3 +14,5 @@ java8-compatibility.patch
 CVE-2017-12629.patch
 remove-RunExecutableListener.patch
 CVE-2017-3163.patch
+ant-1.10.patch
+CVE-2018-1308.patch