Chris Lamb pushed to branch debian/buster at Debian Java Maintainers / velocity
Commits: 285e6809 by Chris Lamb at 2021-05-13T11:04:52+01:00 CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability that can be exploited by applications that allow untrusted users to upload/modify Velocity templates. (Closes: #985220) - - - - - 6e13b05b by Chris Lamb at 2021-05-13T11:14:13+01:00 releasing package velocity version 1.7-5+deb10u1 - - - - - 3 changed files: - debian/changelog - + debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch - debian/patches/series Changes: ===================================== debian/changelog ===================================== @@ -1,3 +1,11 @@ +velocity (1.7-5+deb10u1) buster; urgency=medium + + * CVE-2020-13936: Prevent a potential arbitrary code execution vulnerability + that can be exploited by applications that allow untrusted users to + upload/modify Velocity templates. (Closes: #985220) + + -- Chris Lamb <[email protected]> Thu, 13 May 2021 11:11:57 +0100 + velocity (1.7-5) unstable; urgency=medium * Team upload. ===================================== debian/patches/0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch ===================================== 
@@ -0,0 +1,58 @@ +From: Chris Lamb <[email protected]> +Date: Thu, 13 May 2021 11:03:13 +0100 +Subject: CVE-2020-13936: Prevent a potential arbitrary code execution + vulnerability that can be exploited by applications that allow untrusted + users to upload/modify Velocity templates. (Closes: #985220) + +--- + .../org/apache/velocity/runtime/defaults/velocity.properties | 7 +------ + .../velocity/util/introspection/SecureIntrospectorImpl.java | 9 +++++++++ + 2 files changed, 10 insertions(+), 6 deletions(-) + +diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties +index 750a59a..9415ca5 100644 +--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties ++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties +@@ -247,13 +247,9 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec + + introspector.restrict.packages = java.lang.reflect + +-# The two most dangerous classes ++## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl + + introspector.restrict.classes = java.lang.Class +-introspector.restrict.classes = java.lang.ClassLoader +- +-# Restrict these for extra safety +- + introspector.restrict.classes = java.lang.Compiler + introspector.restrict.classes = java.lang.InheritableThreadLocal + introspector.restrict.classes = java.lang.Package +@@ -262,7 +258,6 @@ introspector.restrict.classes = java.lang.Runtime + introspector.restrict.classes = java.lang.RuntimePermission + introspector.restrict.classes = java.lang.SecurityManager + introspector.restrict.classes = java.lang.System +-introspector.restrict.classes = java.lang.Thread + introspector.restrict.classes = java.lang.ThreadGroup + introspector.restrict.classes = java.lang.ThreadLocal + +diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java 
b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java +index f317b1c..35ea9e9 100644 +--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java ++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java +@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros + return true; + } + ++ /** ++ * Always disallow ClassLoader, Thread and subclasses ++ */ ++ if (ClassLoader.class.isAssignableFrom(clazz) || ++ Thread.class.isAssignableFrom(clazz)) ++ { ++ return false; ++ } ++ + /** + * check the classname (minus any array info) + * whether it matches disallowed classes or packages ===================================== debian/patches/series ===================================== @@ -1 +1,2 @@ 0001-fix-example-scripts.patch +0002-CVE-2020-13936-Prevent-a-potential-arbitrary-code-ex.patch View it on GitLab: https://salsa.debian.org/java-team/velocity/-/compare/ff71af50914361e226ad21103ca24c9b3dc6bc18...6e13b05b1b32765d2731a09ade14f2118530aa13 -- View it on GitLab: https://salsa.debian.org/java-team/velocity/-/compare/ff71af50914361e226ad21103ca24c9b3dc6bc18...6e13b05b1b32765d2731a09ade14f2118530aa13 You're receiving this email because of your account on salsa.debian.org.
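Review bot: The new comment in velocity.properties, `## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl`, overstates the coverage, because SecureIntrospectorImpl is only consulted when `runtime.introspector.uberspect` is set to the SecureUberspector, and the hunk header shows the shipped default still beginning with `org.apache.velocity.util.introspection.Uberspec` (truncated), presumably the non-secure UberspectImpl. Suggest `## ClassLoader, Thread and their subclasses are always rejected by SecureIntrospectorImpl (only in effect when runtime.introspector.uberspect is the SecureUberspector)`, and a matching sentence in the patch header so the CVE entry does not read as an unconditional fix. In SecureIntrospectorImpl.java the added `isAssignableFrom` guard is the right shape for ClassLoader and Thread, but the entries that remain in `introspector.restrict.classes` (ThreadGroup, ThreadLocal, etc.) are still handled by the following name-based check, which from its comment appears to compare class names exactly, so subclasses of those are not covered by this patch; worth confirming against the code below the hunk. The enclosing method (presumably `checkObjectExecutePermission`) starts and ends outside the hunk.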

