Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-CC: Andreas Beckmann <a...@debian.org>
Dear stable release managers, Please consider velocity (1.7-5+deb10u1) for buster: velocity (1.7-5+deb10u1) buster; urgency=medium . * CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability that can be exploited by applications that allow untrusted users to upload/modify Velocity templates. (Closes: #985220) This fixes the lack of clean updates from stretch to buster. The full debdiff is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
diff --git a/debian/changelog b/debian/changelog
index 811e75f..f4df0ff 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+velocity (1.7-5+deb10u1) buster; urgency=medium
+
+ * CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability
+ that can be exploited by applications that allow untrusted users to
+ upload/modify Velocity templates. (Closes: #985220)
+
+ -- Chris Lamb <la...@debian.org> Thu, 13 May 2021 11:11:57 +0100
+
 velocity (1.7-5) unstable; urgency=medium
 * Team upload.
diff --git a/debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch b/debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
new file mode 100644
index 0000000..cfc81e2
--- /dev/null
+++ b/debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
@@ -0,0 +1,58 @@
+From: Chris Lamb <la...@debian.org>
+Date: Thu, 13 May 2021 11:03:13 +0100
+Subject: CVE-2020-13936: Prevent a potential arbitrary code execution
+ vulnerability that can be exploited by applications that allow untrusted
+ users to upload/modify Velocity templates. (Closes: #985220)
+
+---
+ .../org/apache/velocity/runtime/defaults/velocity.properties | 7 +------
+ .../velocity/util/introspection/SecureIntrospectorImpl.java | 9 +++++++++
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+index 750a59a..9415ca5 100644
+--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+@@ -247,13 +247,9 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
+
+ introspector.restrict.packages = java.lang.reflect
+
+-# The two most dangerous classes
++## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+
+ introspector.restrict.classes = java.lang.Class
+-introspector.restrict.classes = java.lang.ClassLoader
+-
+-# Restrict these for extra safety
+-
+ introspector.restrict.classes = java.lang.Compiler
+ introspector.restrict.classes = java.lang.InheritableThreadLocal
+ introspector.restrict.classes = java.lang.Package
+@@ -262,7 +258,6 @@ introspector.restrict.classes = java.lang.Runtime
+ introspector.restrict.classes = java.lang.RuntimePermission
+ introspector.restrict.classes = java.lang.SecurityManager
+ introspector.restrict.classes = java.lang.System
+-introspector.restrict.classes = java.lang.Thread
+ introspector.restrict.classes = java.lang.ThreadGroup
+ introspector.restrict.classes = java.lang.ThreadLocal
+
+diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java 
b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+index f317b1c..35ea9e9 100644
+--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
+ return true;
+ }
+
++ /**
++ * Always disallow ClassLoader, Thread and subclasses
++ */
++ if (ClassLoader.class.isAssignableFrom(clazz) ||
++ Thread.class.isAssignableFrom(clazz))
++ {
++ return false;
++ }
++
+ /**
+ * check the classname (minus any array info)
+ * whether it matches disallowed classes or packages
diff --git a/debian/patches/series b/debian/patches/series
index 1bd3c45..a609f6a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 0001-fix-example-scripts.patch
+0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch
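Review bot: The new ClassLoader/Thread guard added to SecureIntrospectorImpl only takes effect for applications that have configured the secure uberspector; the `runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec` line visible in the velocity.properties hunk header (truncated, presumably the non-secure default implementation) suggests the shipped default does not route through this check, so deployments on default settings remain unaffected by this change as far as the hunk shows — worth stating in the patch description so users of this update know the mitigation is conditional on that setting. The `isAssignableFrom` check is a genuine improvement over the removed exact-name `introspector.restrict.classes` entries for `java.lang.ClassLoader` and `java.lang.Thread`, since a name list cannot cover subclasses. The patch header is missing DEP-3 provenance; I would add `Origin: backport, <UPSTREAM-COMMIT-URL>` and `Bug-Debian: https://bugs.debian.org/985220` below the Subject. The enclosing method in SecureIntrospectorImpl.java starts and ends outside the hunk.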