Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: a...@debian.org
Low severity bugfix for freecol, which doesn't warrant a DSA.
The (identical) patch has been in unstable for half a year, also
doublechecked by playing for half an hour :-)
Cheers,
Moritz
diff -Nru freecol-0.11.6+dfsg2/debian/changelog
freecol-0.11.6+dfsg2/debian/changelog
--- freecol-0.11.6+dfsg2/debian/changelog 2018-08-31 19:22:57.000000000
+0200
+++ freecol-0.11.6+dfsg2/debian/changelog 2020-10-07 22:20:46.000000000
+0200
@@ -1,3 +1,9 @@
+freecol (0.11.6+dfsg2-2+deb10u1) buster; urgency=medium
+
+ * CVE-2018-1000825 (Closes: #917023)
+
+ -- Moritz Mühlenhoff <j...@debian.org> Wed, 07 Oct 2020 22:20:46 +0200
+
freecol (0.11.6+dfsg2-2) unstable; urgency=medium
* Declare compliance with Debian Policy 4.2.1.
diff -Nru freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch
freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch
--- freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch 1970-01-01
01:00:00.000000000 +0100
+++ freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch 2020-10-07
22:20:40.000000000 +0200
@@ -0,0 +1,142 @@
+From: Markus Koschany <a...@debian.org>
+Date: Mon, 24 Feb 2020 12:33:58 +0100
+Subject: CVE-2018-1000825
+
+Bug-Debian: https://bugs.debian.org/917023
+Origin:
https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3
+---
+ src/net/sf/freecol/common/io/FreeColXMLReader.java | 19 +++++++++++++++++--
+ src/net/sf/freecol/common/model/FreeColObject.java | 3 +++
+ src/net/sf/freecol/common/networking/Connection.java | 3 +++
+ src/net/sf/freecol/common/networking/DOMMessage.java | 3 +++
+ src/net/sf/freecol/tools/GenerateDocumentation.java | 3 +++
+ 5 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/src/net/sf/freecol/common/io/FreeColXMLReader.java
b/src/net/sf/freecol/common/io/FreeColXMLReader.java
+index dd78a40..abbaba6 100644
+--- a/src/net/sf/freecol/common/io/FreeColXMLReader.java
++++ b/src/net/sf/freecol/common/io/FreeColXMLReader.java
+@@ -88,7 +88,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
+ super();
+
+ try {
+- XMLInputFactory xif = XMLInputFactory.newInstance();
++ XMLInputFactory xif = newXMLInputFactory();
+ setParent(xif.createXMLStreamReader(inputStream, "UTF-8"));
+ } catch (XMLStreamException e) {
+ throw new IOException(e);
+@@ -109,7 +109,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
+ super();
+
+ try {
+- XMLInputFactory xif = XMLInputFactory.newInstance();
++ XMLInputFactory xif = newXMLInputFactory();
+ setParent(xif.createXMLStreamReader(reader));
+ } catch (XMLStreamException e) {
+ throw new IOException(e);
+@@ -118,6 +118,21 @@ public class FreeColXMLReader extends StreamReaderDelegate
+ this.readScope = ReadScope.NORMAL;
+ }
+
++ /**
++ * Create a new XMLInputFactory.
++ *
++ * Respond to CVE 2018-1000825.
++ *
++ * @return A new <code>XMLInputFactory</code>.
++ */
++ private static XMLInputFactory newXMLInputFactory() {
++ XMLInputFactory xif = XMLInputFactory.newInstance();
++ // This disables DTDs entirely for that factory
++ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
++ // disable external entities
++ xif.setProperty("javax.xml.stream.isSupportingExternalEntities",
false);
++ return xif;
++ }
+
+ /**
+ * Should reads from this stream intern their objects into the
+diff --git a/src/net/sf/freecol/common/model/FreeColObject.java
b/src/net/sf/freecol/common/model/FreeColObject.java
+index 01c9887..d8f3754 100644
+--- a/src/net/sf/freecol/common/model/FreeColObject.java
++++ b/src/net/sf/freecol/common/model/FreeColObject.java
+@@ -49,6 +49,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.ObjectWithId;
+ import net.sf.freecol.common.io.FreeColXMLReader;
+@@ -895,6 +896,8 @@ public abstract class FreeColObject
+ public void readFromXMLElement(Element element) {
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer xmlTransformer = factory.newTransformer();
+ StringWriter stringWriter = new StringWriter();
+ xmlTransformer.transform(new DOMSource(element),
+diff --git a/src/net/sf/freecol/common/networking/Connection.java
b/src/net/sf/freecol/common/networking/Connection.java
+index f88d2ed..48954bd 100644
+--- a/src/net/sf/freecol/common/networking/Connection.java
++++ b/src/net/sf/freecol/common/networking/Connection.java
+@@ -40,6 +40,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.FreeColException;
+ import net.sf.freecol.common.debug.FreeColDebugger;
+@@ -101,6 +102,8 @@ public class Connection implements Closeable {
+ Transformer myTransformer = null;
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ myTransformer = factory.newTransformer();
+ myTransformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION,
+ "yes");
+diff --git a/src/net/sf/freecol/common/networking/DOMMessage.java
b/src/net/sf/freecol/common/networking/DOMMessage.java
+index 7181a7d..8fe7295 100644
+--- a/src/net/sf/freecol/common/networking/DOMMessage.java
++++ b/src/net/sf/freecol/common/networking/DOMMessage.java
+@@ -37,6 +37,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.io.FreeColXMLWriter;
+ import net.sf.freecol.common.debug.FreeColDebugger;
+@@ -448,6 +449,8 @@ public class DOMMessage {
+ public static String elementToString(Element element) {
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer xt = factory.newTransformer();
+ StringWriter sw = new StringWriter();
+ xt.transform(new DOMSource(element), new StreamResult(sw));
+diff --git a/src/net/sf/freecol/tools/GenerateDocumentation.java
b/src/net/sf/freecol/tools/GenerateDocumentation.java
+index aac0f55..a52cf5b 100644
+--- a/src/net/sf/freecol/tools/GenerateDocumentation.java
++++ b/src/net/sf/freecol/tools/GenerateDocumentation.java
+@@ -35,6 +35,7 @@ import javax.xml.transform.Source;
+ import javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.i18n.Messages;
+ import net.sf.freecol.common.model.StringTemplate;
+@@ -192,6 +193,8 @@ public class GenerateDocumentation {
+ Messages.loadMessageBundle(Messages.getLocale(languageCode));
+ try {
+ TransformerFactory factory =
TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD,
"");
++
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Source xsl = new StreamSource(new File("doc", XSL));
+ Transformer stylesheet;
+ try {
diff -Nru freecol-0.11.6+dfsg2/debian/patches/series
freecol-0.11.6+dfsg2/debian/patches/series
--- freecol-0.11.6+dfsg2/debian/patches/series 2018-08-31 19:22:57.000000000
+0200
+++ freecol-0.11.6+dfsg2/debian/patches/series 2020-10-07 22:20:40.000000000
+0200
@@ -1,2 +1,3 @@
commons-cli-1.3.patch
valid-appdata.patch
+CVE-2018-1000825.patch
