tags 726601 + pending
thanks

Dear maintainer,

I've prepared an NMU for libcommons-fileupload-java (versioned as 1.3-2.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore
diff -Nru libcommons-fileupload-java-1.3/debian/changelog libcommons-fileupload-java-1.3/debian/changelog --- libcommons-fileupload-java-1.3/debian/changelog 2013-05-24 06:15:59.000000000 +0200 +++ libcommons-fileupload-java-1.3/debian/changelog 2013-11-15 15:05:01.000000000 +0100 @@ -1,3 +1,14 @@ +libcommons-fileupload-java (1.3-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Add CVE-2013-2186.patch patch. + CVE-2013-2186: Arbitrary file upload via deserialization. Properly + validate repository in src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java. + Thanks to Marc Deslauriers <marc.deslauri...@ubuntu.com> for + providing the debdiff. (Closes: #726601) + + -- Salvatore Bonaccorso <car...@debian.org> Fri, 15 Nov 2013 15:04:17 +0100 + libcommons-fileupload-java (1.3-2) unstable; urgency=low * Team upload. diff -Nru libcommons-fileupload-java-1.3/debian/patches/CVE-2013-2186.patch libcommons-fileupload-java-1.3/debian/patches/CVE-2013-2186.patch --- libcommons-fileupload-java-1.3/debian/patches/CVE-2013-2186.patch 1970-01-01 01:00:00.000000000 +0100 +++ libcommons-fileupload-java-1.3/debian/patches/CVE-2013-2186.patch 2013-11-15 14:57:21.000000000 +0100 
@@ -0,0 +1,37 @@ +Description: fix arbitrary file overwrite via poison null byte +Origin: upstream, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601 +Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174 +Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814 + +Index: libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java +=================================================================== +--- libcommons-fileupload-java-1.3.orig/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-03-24 08:36:44.000000000 -0400 ++++ libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 09:32:20.042865874 -0500 +@@ -656,6 +656,26 @@ + // read values + in.defaultReadObject(); + ++ /* One expected use of serialization is to migrate HTTP sessions ++ * containing a DiskFileItem between JVMs. Particularly if the JVMs are ++ * on different machines It is possible that the repository location is ++ * not valid so validate it. 
++ */ ++ if (repository != null) { ++ if (repository.isDirectory()) { ++ // Check path for nulls ++ if (repository.getPath().contains("\0")) { ++ throw new IOException(format( ++ "The repository [%s] contains a null character", ++ repository.getPath())); ++ } ++ } else { ++ throw new IOException(format( ++ "The repository [%s] is not a directory", ++ repository.getAbsolutePath())); ++ } ++ } ++ + OutputStream output = getOutputStream(); + if (cachedContent != null) { + output.write(cachedContent); diff -Nru libcommons-fileupload-java-1.3/debian/patches/series libcommons-fileupload-java-1.3/debian/patches/series --- libcommons-fileupload-java-1.3/debian/patches/series 2013-04-28 05:28:22.000000000 +0200 +++ libcommons-fileupload-java-1.3/debian/patches/series 2013-11-15 14:57:21.000000000 +0100 @@ -1 +1,2 @@ 001_update-tests-for-servlet3-api.patch +CVE-2013-2186.patch
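Review bot: In the debian/changelog hunk, the entry summarises the issue as "Arbitrary file upload via deserialization", while the patch header added in the same upload describes it as "fix arbitrary file overwrite via poison null byte". The two descriptions should agree; since the code only rejects a repository path that contains a null character or is not a directory, the changelog wording should state that (a NUL byte in the deserialized repository path leading to file overwrite), so the security record matches what the patch actually does.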
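Review bot: In the DiskFileItem.java hunk inside CVE-2013-2186.patch, the null-character check is nested under `if (repository.isDirectory())`, so a path with an embedded NUL that the platform reports as a non-directory is rejected with the misleading "is not a directory" message instead of the "contains a null character" one; checking `repository.getPath().contains("\0")` first, before the directory test, would make the thrown reason accurate. The hunk also adds no import lines, so please confirm that `format` (a static import of `java.lang.String.format`) and `java.io.IOException` are already available in this file at 1.3, otherwise the patched file will not compile. Minor: the added comment reads "on different machines It is possible"; it should be "on different machines, it is possible".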
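Review bot: In the debian/patches/series hunk, the existing entry follows a numbered naming scheme (`001_update-tests-for-servlet3-api.patch`) while the new entry is appended as `CVE-2013-2186.patch` without a prefix. Appending it last is correct for ordering, but for consistency with the series convention consider naming it `002_CVE-2013-2186.patch` (and updating the changelog reference to match), or note in the changelog that CVE-named patches are intentionally unnumbered.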