Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-Cc: a...@debian.org
Low severity bugfix for freecol, which doesn't warrant a DSA. The (identical) patch has been in unstable for half a year, also doublechecked by playing for half an hour :-) Cheers, Moritz
diff -Nru freecol-0.11.6+dfsg2/debian/changelog freecol-0.11.6+dfsg2/debian/changelog
--- freecol-0.11.6+dfsg2/debian/changelog 2018-08-31 19:22:57.000000000 +0200
+++ freecol-0.11.6+dfsg2/debian/changelog 2020-10-07 22:20:46.000000000 +0200
@@ -1,3 +1,9 @@
+freecol (0.11.6+dfsg2-2+deb10u1) buster; urgency=medium
+
+ * CVE-2018-1000825 (Closes: #917023)
+
+ -- Moritz Mühlenhoff <j...@debian.org> Wed, 07 Oct 2020 22:20:46 +0200
+
 freecol (0.11.6+dfsg2-2) unstable; urgency=medium
 * Declare compliance with Debian Policy 4.2.1.
diff -Nru freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch
--- freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch 1970-01-01 01:00:00.000000000 +0100
+++ freecol-0.11.6+dfsg2/debian/patches/CVE-2018-1000825.patch 2020-10-07 22:20:40.000000000 +0200
@@ -0,0 +1,142 @@
+From: Markus Koschany <a...@debian.org>
+Date: Mon, 24 Feb 2020 12:33:58 +0100
+Subject: CVE-2018-1000825
+
+Bug-Debian: https://bugs.debian.org/917023
+Origin: https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3
+---
+ src/net/sf/freecol/common/io/FreeColXMLReader.java | 19 +++++++++++++++++--
+ src/net/sf/freecol/common/model/FreeColObject.java | 3 +++
+ src/net/sf/freecol/common/networking/Connection.java | 3 +++
+ src/net/sf/freecol/common/networking/DOMMessage.java | 3 +++
+ src/net/sf/freecol/tools/GenerateDocumentation.java | 3 +++
+ 5 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/src/net/sf/freecol/common/io/FreeColXMLReader.java b/src/net/sf/freecol/common/io/FreeColXMLReader.java
+index dd78a40..abbaba6 100644
+--- a/src/net/sf/freecol/common/io/FreeColXMLReader.java
++++ b/src/net/sf/freecol/common/io/FreeColXMLReader.java
+@@ -88,7 +88,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
+ super();
+
+ try {
+- XMLInputFactory xif = XMLInputFactory.newInstance();
++ XMLInputFactory xif = newXMLInputFactory();
+ setParent(xif.createXMLStreamReader(inputStream, "UTF-8"));
+ } catch (XMLStreamException e) {
+ throw new IOException(e);
+@@ -109,7 +109,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
+ super();
+
+ try {
+- XMLInputFactory xif = XMLInputFactory.newInstance();
++ XMLInputFactory xif = newXMLInputFactory();
+ setParent(xif.createXMLStreamReader(reader));
+ } catch (XMLStreamException e) {
+ throw new IOException(e);
+@@ -118,6 +118,21 @@ public class FreeColXMLReader extends StreamReaderDelegate
+ this.readScope = ReadScope.NORMAL;
+ }
+
++ /**
++ * Create a new XMLInputFactory.
++ *
++ * Respond to CVE 2018-1000825.
++ *
++ * @return A new <code>XMLInputFactory</code>.
++ */
++ private static XMLInputFactory newXMLInputFactory() {
++ XMLInputFactory xif = XMLInputFactory.newInstance();
++ // This disables DTDs entirely for that factory
++ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
++ // disable external entities
++ xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
++ return xif;
++ }
+
+ /**
+ * Should reads from this stream intern their objects into the
+diff --git a/src/net/sf/freecol/common/model/FreeColObject.java b/src/net/sf/freecol/common/model/FreeColObject.java
+index 01c9887..d8f3754 100644
+--- a/src/net/sf/freecol/common/model/FreeColObject.java
++++ b/src/net/sf/freecol/common/model/FreeColObject.java
+@@ -49,6 +49,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.ObjectWithId;
+ import net.sf.freecol.common.io.FreeColXMLReader;
+@@ -895,6 +896,8 @@ public abstract class FreeColObject
+ public void readFromXMLElement(Element element) {
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer xmlTransformer = factory.newTransformer();
+ StringWriter stringWriter = new StringWriter();
+ xmlTransformer.transform(new DOMSource(element),
+diff --git a/src/net/sf/freecol/common/networking/Connection.java b/src/net/sf/freecol/common/networking/Connection.java
+index f88d2ed..48954bd 100644
+--- a/src/net/sf/freecol/common/networking/Connection.java
++++ b/src/net/sf/freecol/common/networking/Connection.java
+@@ -40,6 +40,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import 
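Review bot: In `newXMLInputFactory()` (third FreeColXMLReader hunk) the external-entity property is spelled as a string literal while the line above it uses the `XMLInputFactory` constant; the same key is available as `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES`, so the call can read `xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);` and a misspelling becomes a compile error instead of a runtime `IllegalArgumentException`. The Javadoc says only "Respond to CVE 2018-1000825"; it would help the next maintainer to state the guarantee, e.g. `Create an XMLInputFactory with DTD processing and external entity resolution disabled (XXE hardening, CVE-2018-1000825).` Both constructors in the earlier hunks call the helper inside a `try` that catches only `XMLStreamException`, so a factory that rejects either property fails construction with an unchecked exception, which fails closed and is worth noting in that comment.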
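Review bot: The two `setAttribute` calls added to `readFromXMLElement` are repeated verbatim in the Connection, DOMMessage and GenerateDocumentation hunks, whereas the reader side received a single `newXMLInputFactory()` helper; one shared helper returning a hardened `TransformerFactory` would keep the four sites in step and give later callers an obvious entry point. `TransformerFactory.setAttribute` throws `IllegalArgumentException` when the implementation selected by `newInstance()` does not recognise the `ACCESS_EXTERNAL_*` attributes, and the `catch` clauses of these `try` blocks lie outside the hunks, so it cannot be told from here whether that case is handled. The helper is the natural place to record that the exception is meant to propagate rather than fall back to an unhardened factory.

```java
// shared helper; which class hosts it is the project's call
public static TransformerFactory newTransformerFactory() {
    TransformerFactory factory = TransformerFactory.newInstance();
    // An implementation that rejects these attributes throws
    // IllegalArgumentException; let it propagate rather than run unhardened.
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    return factory;
}

// … in readFromXMLElement and the three other sites …
TransformerFactory factory = newTransformerFactory();
```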
javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.FreeColException;
+ import net.sf.freecol.common.debug.FreeColDebugger;
+@@ -101,6 +102,8 @@ public class Connection implements Closeable {
+ Transformer myTransformer = null;
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ myTransformer = factory.newTransformer();
+ myTransformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION,
+ "yes");
+diff --git a/src/net/sf/freecol/common/networking/DOMMessage.java b/src/net/sf/freecol/common/networking/DOMMessage.java
+index 7181a7d..8fe7295 100644
+--- a/src/net/sf/freecol/common/networking/DOMMessage.java
++++ b/src/net/sf/freecol/common/networking/DOMMessage.java
+@@ -37,6 +37,7 @@ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.stream.StreamResult;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.io.FreeColXMLWriter;
+ import net.sf.freecol.common.debug.FreeColDebugger;
+@@ -448,6 +449,8 @@ public class DOMMessage {
+ public static String elementToString(Element element) {
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer xt = factory.newTransformer();
+ StringWriter sw = new StringWriter();
+ xt.transform(new DOMSource(element), new StreamResult(sw));
+diff --git a/src/net/sf/freecol/tools/GenerateDocumentation.java b/src/net/sf/freecol/tools/GenerateDocumentation.java
+index aac0f55..a52cf5b 100644
+--- a/src/net/sf/freecol/tools/GenerateDocumentation.java
++++ b/src/net/sf/freecol/tools/GenerateDocumentation.java
+@@ -35,6 +35,7 @@ import javax.xml.transform.Source;
+ import 
javax.xml.transform.Transformer;
+ import javax.xml.transform.TransformerException;
+ import javax.xml.transform.TransformerFactory;
++import javax.xml.XMLConstants;
+
+ import net.sf.freecol.common.i18n.Messages;
+ import net.sf.freecol.common.model.StringTemplate;
+@@ -192,6 +193,8 @@ public class GenerateDocumentation {
+ Messages.loadMessageBundle(Messages.getLocale(languageCode));
+ try {
+ TransformerFactory factory = TransformerFactory.newInstance();
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Source xsl = new StreamSource(new File("doc", XSL));
+ Transformer stylesheet;
+ try {
diff -Nru freecol-0.11.6+dfsg2/debian/patches/series freecol-0.11.6+dfsg2/debian/patches/series
--- freecol-0.11.6+dfsg2/debian/patches/series 2018-08-31 19:22:57.000000000 +0200
+++ freecol-0.11.6+dfsg2/debian/patches/series 2020-10-07 22:20:40.000000000 +0200
@@ -1,2 +1,3 @@
 commons-cli-1.3.patch
 valid-appdata.patch
+CVE-2018-1000825.patch
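Review bot: Unlike the other three sites, the factory in the GenerateDocumentation hunk goes on to compile a stylesheet from disk (`new StreamSource(new File("doc", XSL))`), so the empty `ACCESS_EXTERNAL_STYLESHEET` and `ACCESS_EXTERNAL_DTD` values also govern what that stylesheet may pull in. An empty string denies every protocol, `file` included, so an `xsl:import`, `xsl:include`, `document()` call or external DTD reference inside the stylesheet would now be refused; the stylesheet is not part of the hunk, so whether it uses any of these cannot be told from here. A comment above the two calls such as `// "" denies all protocols, file: included; the doc stylesheet must be self-contained` would record the constraint for whoever edits the stylesheet later. The enclosing method starts and ends outside the hunk.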