Package: libcommons-fileupload-java
Version: 1.3-2
Followup-For: Bug #726601
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu trusty ubuntu-patch

*** /tmp/tmpA8shKI/bug_body
In Ubuntu, the attached patch was applied to achieve the following:

  * SECURITY UPDATE: arbitrary file overwrite via poison null byte
    - debian/patches/CVE-2013-2186.patch: properly validate repository in
      src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java.
    - CVE-2013-2186

Thanks for considering the patch.

-- System Information:
Debian Release: wheezy/sid
  APT prefers saucy-updates
  APT policy: (500, 'saucy-updates'), (500, 'saucy-security'), (500, 'saucy-proposed'), (500, 'saucy'), (100, 'saucy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.11.0-13-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libcommons-fileupload-java-1.3/debian/changelog libcommons-fileupload-java-1.3/debian/changelog diff -Nru libcommons-fileupload-java-1.3/debian/patches/CVE-2013-2186.patch libcommons-fileupload-java-1.3/debian/patches/CVE-2013-2186.patch --- libcommons-fileupload-java-1.3/debian/patches/CVE-2013-2186.patch 1969-12-31 19:00:00.000000000 -0500 +++ libcommons-fileupload-java-1.3/debian/patches/CVE-2013-2186.patch 2013-11-07 09:35:41.000000000 -0500 
@@ -0,0 +1,37 @@ +Description: fix arbitrary file overwrite via poison null byte +Origin: upstream, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601 +Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814 + +Index: libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java +=================================================================== +--- libcommons-fileupload-java-1.3.orig/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-03-24 08:36:44.000000000 -0400 ++++ libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 09:32:20.042865874 -0500 +@@ -656,6 +656,26 @@ + // read values + in.defaultReadObject(); + ++ /* One expected use of serialization is to migrate HTTP sessions ++ * containing a DiskFileItem between JVMs. Particularly if the JVMs are ++ * on different machines It is possible that the repository location is ++ * not valid so validate it. 
++ */ ++ if (repository != null) { ++ if (repository.isDirectory()) { ++ // Check path for nulls ++ if (repository.getPath().contains("\0")) { ++ throw new IOException(format( ++ "The repository [%s] contains a null character", ++ repository.getPath())); ++ } ++ } else { ++ throw new IOException(format( ++ "The repository [%s] is not a directory", ++ repository.getAbsolutePath())); ++ } ++ } ++ + OutputStream output = getOutputStream(); + if (cachedContent != null) { + output.write(cachedContent); diff -Nru libcommons-fileupload-java-1.3/debian/patches/series libcommons-fileupload-java-1.3/debian/patches/series --- libcommons-fileupload-java-1.3/debian/patches/series 2013-04-27 23:28:22.000000000 -0400 +++ libcommons-fileupload-java-1.3/debian/patches/series 2013-11-07 09:32:01.000000000 -0500 @@ -1 +1,2 @@ 001_update-tests-for-servlet3-api.patch +CVE-2013-2186.patch
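Review bot: In the DiskFileItem.java hunk of CVE-2013-2186.patch (the `@@ -656,6 +656,26 @@` region), the `repository.getPath().contains("\0")` check sits inside the `if (repository.isDirectory())` branch, so which exception a NUL-containing path triggers depends on what `File.isDirectory()` returns for a path with an embedded NUL, and that varies by JVM version (older runtimes pass the truncated native path, newer ones treat the path as invalid). The outcome is still an IOException either way, but the "contains a null character" diagnostic is only reached on some JVMs; consider hoisting the `contains("\0")` test ahead of the `isDirectory()` call so the check is deterministic and the message names the actual problem. Also worth noting in the patch Description: the validation is added in `readObject()` only, after `in.defaultReadObject()`, so a repository supplied through the constructor is not covered by this hunk; that matches the stated purpose (session migration between JVMs) but should be explicit. Minor: the added comment reads "on different machines It is possible", missing a full stop before "It".

Review bot: The `diff -Nru .../debian/changelog .../debian/changelog` header at the top of the attachment is immediately followed by the next `diff -Nru` line for debian/patches/CVE-2013-2186.patch with no hunk body, so the changelog entry for this security update is absent from the attached debdiff. Please include the changelog hunk (version, the CVE-2013-2186 reference and the patch name) so the upload is traceable from the package history.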