Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tuxguitar for openSUSE:Factory checked in at 2023-10-12 23:41:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tuxguitar (Old) and /work/SRC/openSUSE:Factory/.tuxguitar.new.1807 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tuxguitar" Thu Oct 12 23:41:46 2023 rev:12 rq:1117171 version:1.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/tuxguitar/tuxguitar.changes 2023-10-12 11:59:28.998649600 +0200 +++ /work/SRC/openSUSE:Factory/.tuxguitar.new.1807/tuxguitar.changes 2023-10-12 23:43:08.691147007 +0200 @@ -1,0 +2,18 @@ +Thu Oct 12 06:49:30 UTC 2023 - Fridrich Å trba <fst...@suse.com> + +- Added patch: + * tuxguitar-CVE-2020-13940.patch + + fix bsc#1173633 (CVE-2020-14940): improper configuration of + XML parsers might lead to XXE while loading GP6 (.gpx) and + GP7 (.gp) tablature files + +------------------------------------------------------------------- +Thu Oct 12 05:21:31 UTC 2023 - Fridrich Strba <fst...@suse.com> + +- Package also a sample tuxguitar.tg file +- Modified patch: + * 0013-startscript.patch + + compose the CLASSPATH jar by jar, since wildcards are not + working for CLASSPATH variable + +------------------------------------------------------------------- New: ---- tuxguitar-CVE-2020-13940.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tuxguitar.spec ++++++ --- /var/tmp/diff_new_pack.bnqQmB/_old 2023-10-12 23:43:10.471211442 +0200 +++ /var/tmp/diff_new_pack.bnqQmB/_new 2023-10-12 23:43:10.475211587 +0200 @@ -65,6 +65,7 @@ Patch20: 0012-default-soundfont.patch Patch21: 0013-startscript.patch Patch22: 0014-desktop.patch +Patch30: tuxguitar-CVE-2020-13940.patch BuildRequires: alsa-devel BuildRequires: fdupes BuildRequires: gcc-c++ @@ -133,6 +134,8 @@ %patch21 -p1 %patch22 -p1 +%patch30 -p1 + %pom_xpath_remove "pom:profile[pom:id[text()='platform-windows-swt-all']]" %pom_xpath_remove "pom:profile[pom:id[text()='platform-macos-swt-cocoa-64']]" %pom_xpath_remove "pom:profile[pom:id[text()='platform-freebsd-swt-x86_64']]" 
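Review bot: The file added as `Patch30` is named `tuxguitar-CVE-2020-13940.patch`, but the changelog entry beside it, the patch's own subject line and bsc#1173633 all refer to CVE-2020-14940, so the identifier in the file name looks like a typo. Renaming it to `tuxguitar-CVE-2020-14940.patch` (in the `Patch30:` line, in the `New:` list and on disk) keeps the fix traceable for anyone grepping the package for security patches by CVE number. `Patch30` also jumps from 22 to 30; if the gap is meant to separate distro patches from upstream backports, a one-line comment above it saying so would document the convention.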
@@ -158,7 +161,7 @@ # Launch script mkdir -p %{buildroot}/%{_bindir} -cp -a build-scripts/common-resources/common-linux/tuxguitar.sh %{buildroot}/%{_bindir}/%{name} +cat build-scripts/common-resources/common-linux/tuxguitar.sh | sed 's#@LIBDIR@#%{_libdir}#g' > %{buildroot}/%{_bindir}/%{name} # Fix permissions chmod 755 %{buildroot}/%{_bindir}/%{name} @@ -171,6 +174,7 @@ # data files mkdir -p %{buildroot}/%{_datadir}/%{name} cp -a TuxGuitar/share/* %{buildroot}/%{_datadir}/%{name} +cp -a misc/tuxguitar.tg %{buildroot}/%{_datadir}/%{name} cp -a build-scripts/%{name}-linux-swt-%{bit}/target/%{name}-%{version}-linux-swt-%{bit}/dist/* %{buildroot}/%{_datadir}/%{name} # desktop files ++++++ 0013-startscript.patch ++++++ --- /var/tmp/diff_new_pack.bnqQmB/_old 2023-10-12 23:43:10.527213470 +0200 +++ /var/tmp/diff_new_pack.bnqQmB/_new 2023-10-12 23:43:10.527213470 +0200 @@ -1,17 +1,17 @@ -From b135bbd92d7753b2ac94634c6248efe1cfd376e1 Mon Sep 17 00:00:00 2001 +From 4fb1777834e863a14cfb8ca1ab08c8d4a8a1651c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fridrich=20=C5=A0trba?= <fridrich.st...@bluewin.ch> Date: Tue, 10 Oct 2023 13:06:25 +0200 Subject: [PATCH 13/14] startscript --- - .../common-linux/tuxguitar.sh | 61 ++++++++++++++++--- - 1 file changed, 54 insertions(+), 7 deletions(-) + .../common-linux/tuxguitar.sh | 148 +++++++++++++++++- + 1 file changed, 141 insertions(+), 7 deletions(-) diff --git a/build-scripts/common-resources/common-linux/tuxguitar.sh b/build-scripts/common-resources/common-linux/tuxguitar.sh -index a213786a..348848bb 100755 +index a213786a..62a895d1 100755 --- a/build-scripts/common-resources/common-linux/tuxguitar.sh +++ b/build-scripts/common-resources/common-linux/tuxguitar.sh -@@ -1,20 +1,67 @@ +@@ -1,20 +1,154 @@ #!/bin/sh -##SCRIPT DIR -TG_DIR=`dirname $(realpath "$0")` 
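Review bot: `cat … | sed … > …` in the launcher-install line hides a missing source file: the pipeline reports sed's status, so if the path of `tuxguitar.sh` ever moves, `cat` fails but `sed` succeeds on empty input and an empty, mode-755 `%{_bindir}/tuxguitar` gets packaged instead of the build aborting. Let sed read the file itself: `sed 's#@LIBDIR@#%{_libdir}#g' build-scripts/common-resources/common-linux/tuxguitar.sh > %{buildroot}/%{_bindir}/%{name}`. Since the reworked 0013-startscript.patch now depends on this substitution, a short spec comment above the line, `# expand @LIBDIR@ placeholder used by 0013-startscript.patch`, would tell the next maintainer why the plain `cp` went away.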
@@ -61,12 +61,99 @@ JAVA=`which java` ##LIBRARY_PATH -LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:${TG_DIR}/lib/ -+LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/lib64/tuxguitar ++LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:@LIBDIR@/tuxguitar ##CLASSPATH -CLASSPATH=${CLASSPATH}:${TG_DIR}/lib/* -CLASSPATH=${CLASSPATH}:${TG_DIR}/share/ -CLASSPATH=${CLASSPATH}:${TG_DIR}/dist/ -+CLASSPATH=/usr/share/java/tuxguitar/tuxguitar.jar:/usr/share/java/tuxguitar/*: ++PACKAGE=${PACKAGE:=tuxguitar} ++PACKAGE_HOME=${PACKAGE_HOME:=/usr/share/java/${PACKAGE}/} ++t="${PACKAGE_HOME}/${PACKAGE}.jar" ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-alsa.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-ascii.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-awt-graphics.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-browser-ftp.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-community.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-compat.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-converter.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-debug-helper.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-editor-utils.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-fluidsynth.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-gervill.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-gm-settings.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-gm-utils.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-gpx.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-gtp.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t ++t=${PACKAGE_HOME}/${PACKAGE}-gtp-ui.jar ++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t 
++t=${PACKAGE_HOME}/${PACKAGE}-image.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-jack.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-jack-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-jsa.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-lib.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-lilypond.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-lilypond-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-midi.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-midi-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-musicxml.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-pdf.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-pdf-ui.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ptb.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-svg.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-export.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-gervill.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-lv2.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-synth-vst.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-tef.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-tray.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-tuner.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ui-toolkit.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-ui-toolkit-swt.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/${PACKAGE}-viewer.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
++t=${PACKAGE_HOME}/gervill.jar
++[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
 +t=$(itext_pdf_guess_)
 +[ -r "$t" ] && CLASSPATH=${CLASSPATH}:$t
 +t=$(itext_xmlworker_guess_)
++++++ tuxguitar-CVE-2020-13940.patch ++++++
>From bcaa280e93b0d67dc6f903b6e23a051a7894ba0c Mon Sep 17 00:00:00 2001
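Review bot: Every `CLASSPATH=${CLASSPATH}:$t` line, and `LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:@LIBDIR@/tuxguitar` above them, appends to a variable that is normally unset when the launcher starts, so the result begins with an empty element; the JVM treats an empty classpath entry as the current directory, and glibc's dynamic loader is commonly described as doing the same for an empty `LD_LIBRARY_PATH` entry, so a `.class` or `.so` planted in the directory tuxguitar is started from (a Downloads folder next to the `.gp` file, say) would be found ahead of the packaged jars. The removed one-liner had the same hole through its trailing `:`, so this is inherited rather than new, but the rewrite is the moment to close it: `LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}@LIBDIR@/tuxguitar"` plus a helper `add_jar() { [ -r "$1" ] && CLASSPATH="${CLASSPATH:+$CLASSPATH:}$1"; }` called as `add_jar "${PACKAGE_HOME}/${PACKAGE}-alsa.jar"` would also collapse the forty-odd repeated pairs. `PACKAGE` and `PACKAGE_HOME` are honoured from the environment when already set, which follows the usual jpackage launcher convention but deserves a comment, since an inherited variable silently redirects where every jar is loaded from. The `itext_*_guess_` lines at the end are trailing context from a part of the patch outside this hunk.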
From: guiv42 <129443524+gui...@users.noreply.github.com> Date: Tue, 10 Oct 2023 23:02:29 +0200 Subject: [PATCH] fix CVE-2020-14940 see: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14940 https://sourceforge.net/p/tuxguitar/bugs/126/ https://bugzilla.opensuse.org/show_bug.cgi?id=1173633 https://logicaltrust.net/blog/2020/06/tuxguitar.html https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html The issue could be reproduced on Linux before the fix, as described on the SourceForge page listed above (note: the firewall had to be disabled to reproduce it). Not all TuxGuitar files mentioned on that page have been modified, as some of them do not parse input XML files, so they should not be affected by the vulnerability: - TuxGuitar-musicxml/src/org/herac/tuxguitar/io/musicxml/MusicXMLWriter.java - TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingWriter.java - TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserWriter.java note: the protection does not seem to be supported on Android, so it is only attempted and failures are ignored (or else the Android version can no longer open .gp and .gpx files); in short, this patch does not provide full coverage. Also (independent of the CVE): GPXDocumentReader: removed warnings from deprecated Integer constructors --- .../community/browser/TGBrowserResponse.java | 6 +++ .../community/io/TGShareSongResponse.java | 6 +++ .../editor/template/TGTemplateReader.java | 6 +++ .../tuxguitar/io/gpx/GPXDocumentReader.java | 38 +++++++++++-------- .../keybindings/xml/KeyBindingReader.java | 12 ++++++ .../tools/browser/xml/TGBrowserReader.java | 7 +++- .../app/tools/scale/xml/ScaleReader.java | 7 +++- .../dialog/chord/xml/TGChordXMLReader.java | 6 +++ 8 files changed, 71 insertions(+), 17 deletions(-)
diff --git a/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java b/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java index f82415584..d515446eb 100644 --- a/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java +++ b/TuxGuitar-community/src/org/herac/tuxguitar/community/browser/TGBrowserResponse.java @@ -35,6 +35,12 @@ public TGBrowserResponse( InputStream stream ) throws Throwable { private void initialize(InputStream stream) throws Throwable { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + // CVE-2020-14940 + try { + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setXIncludeAware(false); + } catch (Throwable throwable) { + } DocumentBuilder builder = factory.newDocumentBuilder(); this.document = builder.parse(stream); } diff --git a/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java b/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java index 67dbabb03..39c33bcaf 100644 --- a/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java +++ b/TuxGuitar-community/src/org/herac/tuxguitar/community/io/TGShareSongResponse.java @@ -28,6 +28,12 @@ public TGShareSongResponse( InputStream stream ) throws Throwable { private void initialize(InputStream stream) throws Throwable { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + // CVE-2020-14940 + try { + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setXIncludeAware(false); + } catch (Throwable throwable) { + } DocumentBuilder builder = factory.newDocumentBuilder(); this.document = builder.parse(stream); } 
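Review bot: In both hunks on this line a single `try` wraps the two hardening calls, so on a factory that rejects `disallow-doctype-decl` (the Android case the commit message describes) the `ParserConfigurationException` also skips `factory.setXIncludeAware(false)`, and the response is then parsed with neither protection and nothing logged. Give each call its own guard, e.g. `} catch (ParserConfigurationException ignored) { /* feature unknown to this parser; see Android note in commit */ }` followed by `try { factory.setXIncludeAware(false); } catch (UnsupportedOperationException ignored) { }`, which also stops the `catch (Throwable)` from swallowing `Error`s. Judging by the class names these streams come from the community web service rather than a local file, so this parser sees remotely supplied XML more directly than the file loaders do. The same eight-line block is now pasted into eight classes; a shared `newSecureDocumentBuilderFactory()` helper in a module all of them can reach would keep the fallback logic in one place, though the module graph is not visible here to say where it belongs. Each `initialize` method is shown whole, but the class bodies continue outside the hunks.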
diff --git a/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java b/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java index 439eef348..24688b16d 100644 --- a/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java +++ b/TuxGuitar-editor-utils/src/org/herac/tuxguitar/editor/template/TGTemplateReader.java @@ -51,6 +51,12 @@ private void loadTemplates(List<TGTemplate> templates,Node node) throws Throwabl private Document createDocument(InputStream stream) throws Throwable { Document document = null; DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + // CVE-2020-14940 + try { + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setXIncludeAware(false); + } catch (Throwable throwable) { + } DocumentBuilder builder = factory.newDocumentBuilder(); document = builder.parse(stream); diff --git a/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java b/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java index a8b869f28..5232fa6a2 100644 --- a/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java +++ b/TuxGuitar-gpx/src/org/herac/tuxguitar/io/gpx/GPXDocumentReader.java @@ -35,8 +35,16 @@ public GPXDocumentReader(InputStream stream, Integer version) throws GPXFormatEx } private Document getDocument(InputStream stream) { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + // CVE-2020-14940 try { - return DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setXIncludeAware(false); + } catch (Throwable throwable) { + } + + try { + return factory.newDocumentBuilder().parse(stream); } catch (Throwable throwable) { throw new GPXFormatException("Invalid file format", throwable); } 
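Review bot: `getDocument` in GPXDocumentReader is the entry point for the .gpx/.gp files named in the CVE, yet when `setFeature("…disallow-doctype-decl", true)` throws, the empty `catch (Throwable)` leaves the factory in its default state and the untrusted file is parsed with DTD processing and external entities enabled, which is the pre-patch behaviour with nothing logged. The OWASP cheat sheet the commit cites gives the fallback for that case: disable `external-general-entities`, `external-parameter-entities` and `load-external-dtd`, and call `setExpandEntityReferences(false)`; the rewrite below does that while keeping the best-effort semantics the Android build needs. `ParserConfigurationException` needs a `javax.xml.parsers` import if the file lacks one, and if the Android factory signals an unsupported feature with a runtime exception instead, widen that catch accordingly. The method's closing brace sits just past the hunk.
```java
private Document getDocument(InputStream stream) {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    // CVE-2020-14940: .gpx/.gp content is untrusted. Prefer refusing any DOCTYPE;
    // where that Xerces feature is unknown (Android), fall back to switching off
    // external entities and DTD loading one by one. Every step is best effort.
    boolean doctypeRefused = false;
    try {
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        doctypeRefused = true;
    } catch (ParserConfigurationException ignored) {
        // feature not implemented by this parser; use the fallback below
    }
    if (!doctypeRefused) {
        String[] fallbackFeatures = {
            "http://xml.org/sax/features/external-general-entities",
            "http://xml.org/sax/features/external-parameter-entities",
            "http://apache.org/xml/features/nonvalidating/load-external-dtd"
        };
        for (String feature : fallbackFeatures) {
            try {
                factory.setFeature(feature, false);
            } catch (ParserConfigurationException ignored) {
                // unknown here as well; nothing more we can do on this parser
            }
        }
    }
    try {
        factory.setXIncludeAware(false);
    } catch (UnsupportedOperationException ignored) {
        // not every DocumentBuilderFactory implements the XInclude switch
    }
    factory.setExpandEntityReferences(false);
    // … unchanged: newDocumentBuilder().parse(stream) wrapped in GPXFormatException …
```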
@@ -309,25 +317,25 @@ public void readBeats(){ beat.setWhammyBarEnabled( getChildNode(propertyNode, "Enable") != null ); } if( propertyName.equals("WhammyBarOriginValue") ){ - beat.setWhammyBarOriginValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + beat.setWhammyBarOriginValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("WhammyBarMiddleValue") ){ - beat.setWhammyBarMiddleValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + beat.setWhammyBarMiddleValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("WhammyBarDestinationValue") ){ - beat.setWhammyBarDestinationValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + beat.setWhammyBarDestinationValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("WhammyBarOriginOffset") ){ - beat.setWhammyBarOriginOffset( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + beat.setWhammyBarOriginOffset( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("WhammyBarMiddleOffset1") ){ - beat.setWhammyBarMiddleOffset1( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + beat.setWhammyBarMiddleOffset1( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("WhammyBarMiddleOffset2") ){ - beat.setWhammyBarMiddleOffset2( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + beat.setWhammyBarMiddleOffset2( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("WhammyBarDestinationOffset") ){ - beat.setWhammyBarDestinationOffset( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + beat.setWhammyBarDestinationOffset( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("Brush") ){ beat.setBrush( 
getChildNodeContent(propertyNode, "Direction") ); @@ -408,25 +416,25 @@ public void readNotes(){ note.setBendEnabled( getChildNode(propertyNode, "Enable") != null ); } if( propertyName.equals("BendOriginValue") ){ - note.setBendOriginValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + note.setBendOriginValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("BendMiddleValue") ){ - note.setBendMiddleValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + note.setBendMiddleValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("BendDestinationValue") ){ - note.setBendDestinationValue( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + note.setBendDestinationValue( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("BendOriginOffset") ){ - note.setBendOriginOffset( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + note.setBendOriginOffset( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("BendMiddleOffset1") ){ - note.setBendMiddleOffset1( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + note.setBendMiddleOffset1( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("BendMiddleOffset2") ){ - note.setBendMiddleOffset2( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + note.setBendMiddleOffset2( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("BendDestinationOffset") ){ - note.setBendDestinationOffset( new Integer(getChildNodeIntegerContent(propertyNode, "Float")) ); + note.setBendDestinationOffset( Integer.valueOf(getChildNodeIntegerContent(propertyNode, "Float")) ); } if( propertyName.equals("HopoOrigin") ){ note.setHammer(true); 
diff --git a/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java b/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java index 55beeefb0..ed87fd535 100644 --- a/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java +++ b/TuxGuitar/src/org/herac/tuxguitar/app/system/keybindings/xml/KeyBindingReader.java @@ -52,6 +52,12 @@ public static List<KeyBindingAction> getKeyBindings(InputStream is) { private static Document getDocument(InputStream is) { Document document = null; DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + // CVE-2020-14940 + try { + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setXIncludeAware(false); + } catch (Throwable throwable) { + } try { DocumentBuilder builder = factory.newDocumentBuilder(); document = builder.parse(is); @@ -69,6 +75,12 @@ private static Document getDocument(InputStream is) { private static Document getDocument(File file) { Document document = null; DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + // CVE-2020-14940 + try { + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setXIncludeAware(false); + } catch (Throwable throwable) { + } try { DocumentBuilder builder = factory.newDocumentBuilder(); document = builder.parse(file); diff --git a/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java b/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java index 7c4c0e2ab..1303bc16a 100644 --- a/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java +++ b/TuxGuitar/src/org/herac/tuxguitar/app/tools/browser/xml/TGBrowserReader.java 
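Review bot: The hardening block is pasted verbatim into both `getDocument(InputStream)` and `getDocument(File)` of KeyBindingReader, and since both already construct the factory the same way, a `private static DocumentBuilderFactory newSecureFactory()` returning the configured factory would leave each method with a one-line call and give the Android caveat a single place to live. The empty `catch (Throwable throwable) {}` should at least rename the variable to `ignored` and carry `// unsupported by Android's parser; best effort, see CVE-2020-14940` so the silent swallow reads as intentional rather than unfinished. Both methods continue past their hunks.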
@@ -59,7 +59,12 @@ private static void loadCollections(TGBrowserManager manager,Node node){ private static Document getDocument(File file) throws ParserConfigurationException, SAXException, IOException { Document document = null; DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - + // CVE-2020-14940 + try { + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setXIncludeAware(false); + } catch (Throwable throwable) { + } DocumentBuilder builder = factory.newDocumentBuilder(); document = builder.parse(file); diff --git a/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java b/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java index 44a263fb2..26f0a6d16 100644 --- a/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java +++ b/TuxGuitar/src/org/herac/tuxguitar/app/tools/scale/xml/ScaleReader.java @@ -34,7 +34,12 @@ public void loadScales(List<ScaleInfo> scales,InputStream stream){ private static Document getDocument(InputStream stream) throws ParserConfigurationException, SAXException, IOException { Document document = null; DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - + // CVE-2020-14940 + try { + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setXIncludeAware(false); + } catch (Throwable throwable) { + } DocumentBuilder builder = factory.newDocumentBuilder(); document = builder.parse(stream); diff --git a/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java b/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java index abf94e056..c06c04dae 100644 --- a/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java +++ b/TuxGuitar/src/org/herac/tuxguitar/app/view/dialog/chord/xml/TGChordXMLReader.java 
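Review bot: `catch (Throwable throwable) {}` in the inserted block catches `Error`s such as `OutOfMemoryError` and `StackOverflowError` along with the configuration failures it is meant to tolerate; `setFeature` declares `ParserConfigurationException` and `setXIncludeAware` can throw `UnsupportedOperationException`, so `catch (ParserConfigurationException | UnsupportedOperationException ignored) { /* best effort; unsupported on Android */ }` is as lenient as the workaround needs and no more. Both `getDocument` methods on this line already declare `throws ParserConfigurationException`, so on the desktop build the failure could simply propagate and make a misconfigured parser visible — whether the Android build shares these two classes is not visible from here. The remainder of each method lies past the hunk.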
@@ -36,6 +36,12 @@ public static List<TGChord> getChords(String fileName) { private static Document getDocument(File file) { Document document = null; DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + // CVE-2020-14940 + try { + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + factory.setXIncludeAware(false); + } catch (Throwable throwable) { + } try { DocumentBuilder builder = factory.newDocumentBuilder(); document = builder.parse(file);
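Review bot: With `disallow-doctype-decl` enabled, `builder.parse(file)` will now throw on any chord definition file that carries a `<!DOCTYPE …>` line, and this hunk gives the reader no fallback, so the XML the spec installs from `TuxGuitar/share` (and any user-edited copies of it) should be checked for DOCTYPE declarations before this lands; a well-formed file without a DTD is unaffected. The empty catch also deserves the standard marker, `} catch (Throwable ignored) { // not supported by every parser (Android); best effort }`, so it is not mistaken for an unfinished block. The `try` that parses the file continues beyond the hunk.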