Skip to content
Commits on Source (5)
lucene-solr (3.6.2+dfsg-12) unstable; urgency=high
* Team upload.
* Fix FTBFS with Ant 1.10. (Closes: #895797)
* Fix CVE-2018-1308. (Closes: #896604)
* Declare compliance with Debian Policy 4.1.4.
-- Markus Koschany <apo@debian.org> Tue, 01 May 2018 23:35:41 +0200
lucene-solr (3.6.2+dfsg-11) unstable; urgency=medium
* Team upload.
......
......@@ -46,7 +46,7 @@ Build-Depends:
libxml-commons-resolver1.1-java,
maven-repo-helper (>= 1.5~),
po-debconf
Standards-Version: 4.1.3
Standards-Version: 4.1.4
Vcs-Git: https://anonscm.debian.org/git/pkg-java/lucene-solr.git
Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/lucene-solr.git
Homepage: http://lucene.apache.org
......
From: Markus Koschany <apo@debian.org>
Date: Tue, 1 May 2018 23:11:09 +0200
Subject: CVE-2018-1308
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896604
Origin: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/02c693f3
---
.../apache/solr/handler/dataimport/DataImporter.java | 13 +++++++++++--
.../solr/handler/dataimport/TestErrorHandling.java | 20 ++++++++++++++++++++
2 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java
index 4a69220..02912f0 100644
--- a/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java
+++ b/solr/contrib/dataimporthandler/src/java/org/apache/solr/handler/dataimport/DataImporter.java
@@ -17,6 +17,7 @@
package org.apache.solr.handler.dataimport;
+import org.apache.solr.util.EmptyEntityResolver;
import org.apache.solr.common.SolrException;
import org.apache.solr.common.SolrInputDocument;
import org.apache.solr.core.SolrConfig;
@@ -196,8 +197,10 @@ public class DataImporter {
try {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setValidating(false);
- // only enable xinclude, if a a SolrCore and SystemId is present (makes no sense otherwise)
+ // only enable xinclude, if XML is coming from safe source (local file)
+ // and a a SolrCore and SystemId is present (makes no sense otherwise):
if (core != null && configFile.getSystemId() != null) {
try {
dbf.setXIncludeAware(true);
@@ -208,8 +211,14 @@ public class DataImporter {
}
DocumentBuilder builder = dbf.newDocumentBuilder();
- if (core != null)
+ // only enable xinclude / external entities, if XML is coming from
+ // safe source (local file) and a a SolrCore and SystemId is present:
+ if (core != null && configFile.getSystemId() != null) {
builder.setEntityResolver(new SystemIdResolver(core.getResourceLoader()));
+ } else {
+ // Don't allow external entities without having a system ID:
+ builder.setEntityResolver(EmptyEntityResolver.SAX_INSTANCE);
+ }
builder.setErrorHandler(XMLLOG);
Document document;
try {
diff --git a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java
index 64f58df..c75e07c 100644
--- a/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java
+++ b/solr/contrib/dataimporthandler/src/test/org/apache/solr/handler/dataimport/TestErrorHandling.java
@@ -76,6 +76,13 @@ public class TestErrorHandling extends AbstractDataImportHandlerTestCase {
assertQ(req("*:*"), "//*[@numFound='3']");
}
+ public void testExternalEntity() throws Exception {
+ StringDataSource.xml = wellformedXml;
+ // This should not fail as external entities are replaced by an empty string during parsing:
+ runFullImport(dataConfigWithEntity);
+ assertQ(req("*:*"), "//*[@numFound='3']");
+ }
+
public static class StringDataSource extends DataSource<Reader> {
public static String xml = "";
@@ -144,6 +151,19 @@ public class TestErrorHandling extends AbstractDataImportHandlerTestCase {
" </document>\n" +
"</dataConfig>";
+ private String dataConfigWithEntity = "<!DOCTYPE dataConfig [\n" +
+ " <!ENTITY internalTerm \"node\">\n" +
+ " <!ENTITY externalTerm SYSTEM \"foo://bar.xyz/external\">\n" +
+ "]><dataConfig>\n" +
+ " <dataSource name=\"str\" type=\"TestErrorHandling$StringDataSource\" />" +
+ " <document>\n" +
+ " <entity name=\"&internalTerm;\" dataSource=\"str\" processor=\"XPathEntityProcessor\" url=\"test\" forEach=\"/root/node\" onError=\"skip\">\n" +
+ " <field column=\"id\" xpath=\"/root/node/id\">&externalTerm;</field>\n" +
+ " <field column=\"desc\" xpath=\"/root/node/desc\" />\n" +
+ " </entity>\n" +
+ " </document>\n" +
+ "</dataConfig>";
+
private String malformedXml = "<root>\n" +
" <node>\n" +
" <id>1</id>\n" +
From: Markus Koschany <apo@debian.org>
Date: Tue, 1 May 2018 22:12:27 +0200
Subject: ant 1.10
---
.../java/org/apache/lucene/util/LuceneJUnitDividingSelector.java | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java b/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java
index 5a9509c..beecebe 100644
--- a/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java
+++ b/lucene/test-framework/src/java/org/apache/lucene/util/LuceneJUnitDividingSelector.java
@@ -21,6 +21,7 @@ import java.io.File;
import org.apache.tools.ant.BuildException;
import org.apache.tools.ant.types.Parameter;
import org.apache.tools.ant.types.selectors.BaseExtendSelector;
+import org.apache.tools.ant.types.Resource;
/** Divides filesets into equal groups */
public class LuceneJUnitDividingSelector extends BaseExtendSelector {
@@ -30,6 +31,11 @@ public class LuceneJUnitDividingSelector extends BaseExtendSelector {
/** Current part to accept. */
private int part;
+ @Override
+ public boolean isSelected(Resource r) {
+ return false;
+ }
+
@Override
public void setParameters(Parameter[] pParameters) {
super.setParameters(pParameters);
......@@ -14,3 +14,5 @@ java8-compatibility.patch
CVE-2017-12629.patch
remove-RunExecutableListener.patch
CVE-2017-3163.patch
ant-1.10.patch
CVE-2018-1308.patch