This is an automated email from the git hooks/post-receive script. gregoa pushed a commit to branch wheezy in repository libpdfbox-java.
commit 75e02365f84c0a19c4f4cddf313d8576021517c2
Author: Markus Koschany <[email protected]>
Date: Mon Jun 6 13:28:50 2016 +0200
Imported Debian patch 1:1.7.0+dfsg-4+deb7u1
---
 debian/changelog | 13 +++++++
 debian/patches/CVE-2016-2175.patch | 70 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 84 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ba62e97..b9ef280 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+libpdfbox-java (1:1.7.0+dfsg-4+deb7u1) wheezy-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2016-2175:
+ Apache PDFBox parses different XML data within PDF files such as XMP and
+ the initialization of the XML parsers did not protect against XML External
+ Entity (XXE) vulnerabilities. According to www.owasp.org: "This attack
+ may lead to the disclosure of confidential data, denial of service, server
+ side request forgery, port scanning from the perspective of the machine
+ where the parser is located, and other system impacts."
+
+ -- Markus Koschany <[email protected]> Mon, 06 Jun 2016 13:28:50 +0200
+
 libpdfbox-java (1:1.7.0+dfsg-4) unstable; urgency=low

 * Fix installation of CMap tables during build:
diff --git a/debian/patches/CVE-2016-2175.patch b/debian/patches/CVE-2016-2175.patch
new file mode 100644
index 0000000..bbee857
--- /dev/null
+++ b/debian/patches/CVE-2016-2175.patch
@@ -0,0 +1,70 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 6 Jun 2016 13:20:19 +0200
+Subject: CVE-2016-2175
+
+In addition to the original fix for the 1.8 branch,
+xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java has been fixed
+similar to the other affected classes.
+
+xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java did not exist.
+pdfbox/src/main/java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java was
+not affected.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1739564
+---
+ jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java | 6 ++++++
+ pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java | 6 ++++++
+ xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java | 6 ++++++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java b/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
+index 07db2b7..8759902 100644
+--- a/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
++++ b/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
+@@ -71,6 +71,12 @@ public class XMLUtil
+ try
+ {
+ DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
++ builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ builderFactory.setXIncludeAware(false);
++ builderFactory.setExpandEntityReferences(false);
+ DocumentBuilder builder = builderFactory.newDocumentBuilder();
+ return builder.parse( is );
+ }
+diff --git a/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java b/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
+index ae6c6df..49a207b 100644
+--- a/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
++++ b/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
+@@ -56,6 +56,12 @@ public class XMLUtil
+ try
+ {
+ DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
++ builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ builderFactory.setXIncludeAware(false);
++ builderFactory.setExpandEntityReferences(false);
+ DocumentBuilder builder = builderFactory.newDocumentBuilder();
+ return builder.parse( is );
+ }
+diff --git a/xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java b/xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java
+index bbba959..3c9d145 100644
+--- a/xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java
++++ b/xmpbox/src/main/java/org/apache/padaf/xmpbox/parser/XMLUtil.java
+@@ -75,6 +75,12 @@ public final class XMLUtil {
+ try {
+ DocumentBuilderFactory builderFactory = DocumentBuilderFactory
+ .newInstance();
++ builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ builderFactory.setXIncludeAware(false);
++ builderFactory.setExpandEntityReferences(false);
+ DocumentBuilder builder = builderFactory.newDocumentBuilder();
+ return builder.parse(is);
+ } catch (Exception e) {
diff --git a/debian/patches/series b/debian/patches/series
index bfb7354..9deae95 100644
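Review bot: The six `setFeature` calls added in each of the three copies can themselves throw `ParserConfigurationException` when the JAXP implementation on the classpath does not recognise a Xerces feature URI, and because they sit inside the existing `try`, that failure goes to whatever the catch does — only the xmpbox copy shows it (`} catch (Exception e) {`, body outside the hunk), so whether a parser lacking a feature fails loudly or is silently skipped cannot be confirmed here. Failing closed is the right outcome for a hardening change; the risk is a later maintainer reading the exception as a regression and deleting the line that raised it. I would add a comment above the first `setFeature` in each copy: `// CVE-2016-2175: rejecting DOCTYPE is the primary XXE guard (no DTD, no entity declarations); the remaining features are defence in depth. setFeature throws if the parser does not support a URI — keep that failure visible rather than falling back to an unhardened parser.` The pdfbox and jempbox copies are identical to the xmpbox one apart from indentation, and all three enclosing parse methods start and end outside their hunks.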
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 build.xml.patch
 build-subproject-docs.patch
+CVE-2016-2175.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libpdfbox-java.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

