Your message dated Sat, 16 May 2026 11:07:42 +0000
with message-id <[email protected]>
and subject line Released with 12.14
has caused the Debian Bug report #1135664,
regarding bookworm-pu: package c3p0/0.9.1.2-10.1~deb12u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1135664: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135664
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:c3p0
User: [email protected]
Usertags: pu
* Backport fix for CVE-2019-5427. (Closes: #927936)
This has already been in trixie for a year.
diffstat for c3p0-0.9.1.2 c3p0-0.9.1.2
changelog | 14 ++++++++
patches/CVE-2019-5427.patch | 76 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 91 insertions(+)
diff -Nru c3p0-0.9.1.2/debian/changelog c3p0-0.9.1.2/debian/changelog
--- c3p0-0.9.1.2/debian/changelog 2018-12-25 16:16:25.000000000 +0200
+++ c3p0-0.9.1.2/debian/changelog 2026-05-04 14:56:32.000000000 +0300
@@ -1,3 +1,17 @@
+c3p0 (0.9.1.2-10.1~deb12u1) bookworm; urgency=medium
+
+ * Non-maintainer upload.
+ * Rebuild for bookworm
+
+ -- Adrian Bunk <[email protected]> Mon, 04 May 2026 14:56:32 +0300
+
+c3p0 (0.9.1.2-10.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Backport fix for CVE-2019-5427. (Closes: #927936)
+
+ -- Bastian Germann <[email protected]> Fri, 04 Apr 2025 13:01:52 +0200
+
c3p0 (0.9.1.2-10) unstable; urgency=medium
* Team upload.
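Review bot: version ordering is right (0.9.1.2-10.1~deb12u1 sorts before 0.9.1.2-10.1, so a bookworm-to-trixie upgrade still pulls the unstable package), but the new bookworm entry gives no reason for the upload beyond "Rebuild for bookworm"; stable-update entries are expected to be self-explanatory, so consider naming the fix being shipped, e.g. " * Rebuild for bookworm to ship the fix for CVE-2019-5427 (see #927936)", and keep the 0.9.1.2-10.1 entry below it as it is, since bookworm never had that version.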
diff -Nru c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch
c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch
--- c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch 1970-01-01
02:00:00.000000000 +0200
+++ c3p0-0.9.1.2/debian/patches/CVE-2019-5427.patch 2025-04-04
14:01:52.000000000 +0300
@@ -0,0 +1,76 @@
+Origin: upstream, f38f27635c384806c2a9d6500d80183d9f09d78b
+From: Steve Waldman <[email protected]>
+Date: Fri, 15 Mar 2019 22:29:39 -0700
+Subject: Address more potential security concerns associated with the
+ possibility of adversarially constructed XML files, many thanks to Aaron
+ Massey at HackerOne.
+---
+--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
++++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+@@ -147,10 +141,65 @@ public static C3P0Config
extractXmlConfigFromDefaultResource( boolean expandEnti
+ }
+ }
+
++ private static void attemptSetFeature( DocumentBuilderFactory dbf, String
featureUri, boolean setting )
++ {
++ try { dbf.setFeature( featureUri, setting ); }
++ catch (ParserConfigurationException e)
++ {
++ if ( logger.isLoggable( MLevel.FINE ) )
++ logger.log(MLevel.FINE, "Attempted but failed to set presumably
unsupported feature '" + featureUri + "' to " + setting + ".");
++ }
++ }
++
++ // thanks to zhutougg on GitHub
https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
++ // let's address hazards associated with overliberal parsing of XML,
CVE-2018-20433
++ //
++ // by default entity references will not be expanded, but callers can
specify expansion if they wish (important
++ // to retain backwards compatibility with existing config files where
users understand the risks)
++ //
++ // -=-=-=-
++ //
++ // disabling entity expansions turns out not to be sufficient to prevent
attacks (if an attacker can control the
++ // XML config file that will be parsed). we now enable a wide variety of
restrictions by default, but allow users
++ // to revert to the old behavior by setting usePermissiveParser to 'true'
++ //
++ // Many thanks to Aaron Massey (amassey) at HackerOne for calling
attention to the continued vulnerability,
++ // and to Dominique Righetto (righettod on GitHub) for
++ //
++ //
https://github.com/OWASP/CheatSheetSeries/blob/31c94f233c40af4237432008106f42a9c4bff05e/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
++ // (via Aaron Massey)
++ //
++ // for instructions on how to overkill the fix
++
++ private static void cautionDocumentBuilderFactory( DocumentBuilderFactory
dbf )
++ {
++ // the big one, if possible disable doctype declarations entirely
++ attemptSetFeature(dbf,
"http://apache.org/xml/features/disallow-doctype-decl", true);
++
++ // for a varety of libraries, disable external general entities
++ attemptSetFeature(dbf,
"http://xerces.apache.org/xerces-j/features.html#external-general-entities",
false);
++ attemptSetFeature(dbf,
"http://xerces.apache.org/xerces2-j/features.html#external-general-entities",
false);
++ attemptSetFeature(dbf,
"http://xml.org/sax/features/external-general-entities", false);
++
++ // for a variety of libraries, disable external parameter entities
++ attemptSetFeature(dbf,
"http://xerces.apache.org/xerces-j/features.html#external-parameter-entities",
false);
++ attemptSetFeature(dbf,
"http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities",
false);
++ attemptSetFeature(dbf,
"http://xml.org/sax/features/external-parameter-entities", false);
++
++ // if possible, disable external DTDs
++ attemptSetFeature(dbf,
"http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++
++ // disallow xinclude resolution
++ dbf.setXIncludeAware(false);
++
++ // disallow entity reference expansion in general
++ dbf.setExpandEntityReferences( false );
++ }
++
+ public static C3P0Config extractXmlConfigFromInputStream(InputStream is)
throws Exception
+ {
+ DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
+- fact.setExpandEntityReferences(false);
++ cautionDocumentBuilderFactory( fact );
+ DocumentBuilder db = fact.newDocumentBuilder();
+ Document doc = db.parse( is );
+
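Review bot: the comment block in cautionDocumentBuilderFactory promises that users can "revert to the old behavior by setting usePermissiveParser to 'true'", but nothing in this hunk adds such an option, so on bookworm any existing c3p0-config.xml that relies on a DOCTYPE or entity expansion will now fail to parse with no escape hatch; either state that behaviour change in the changelog or trim the misleading comment lines. Two smaller points: the hunk references ParserConfigurationException, logger and MLevel without adding imports, so confirm C3P0ConfigXmlUtils.java in 0.9.1.2 already has them (the shifted inner header "@@ -147,10 +141,65 @@" suggests the hunk was refreshed against a different file, so a clean `quilt push -a` and build are worth checking); and the DEP-3 header could carry "Bug-Debian: https://bugs.debian.org/927936" next to the Origin line.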
diff -Nru c3p0-0.9.1.2/debian/patches/series c3p0-0.9.1.2/debian/patches/series
--- c3p0-0.9.1.2/debian/patches/series 2018-12-25 16:16:25.000000000 +0200
+++ c3p0-0.9.1.2/debian/patches/series 2025-04-04 14:01:52.000000000 +0300
@@ -2,3 +2,4 @@
testing.patch
java-7-compat.patch
CVE-2018-20433.patch
+CVE-2019-5427.patch
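Review bot: placing the new entry after CVE-2018-20433.patch is the required order, since the new patch removes the `fact.setExpandEntityReferences(false);` line that the earlier patch introduced; keep it last in series.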
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 12.14
This update has been released as part of Debian 12.14.
--- End Message ---