Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hello, I would like to fix CVE-2019-9658 and CVE-2019-10782 in checkstyle. The security team marked this issue as no-dsa. Please find attached the debdiff for Stretch. Regards, Markus
diff -Nru checkstyle-6.15/debian/changelog checkstyle-6.15/debian/changelog
--- checkstyle-6.15/debian/changelog 2016-02-04 21:52:02.000000000 +0100
+++ checkstyle-6.15/debian/changelog 2020-03-24 13:18:16.000000000 +0100
@@ -1,3 +1,14 @@
+checkstyle (6.15-1+deb9u1) stretch; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2019-9658 and CVE-2019-10782:
+ Security researchers from Snyk discovered that the fix for CVE-2019-9658
+ was incomplete. Checkstyle, a development tool to help programmers write
+ Java code that adheres to a coding standard, was still vulnerable to XML
+ External Entity (XXE) injection. (Closes: #924598)
+
+ -- Markus Koschany <a...@debian.org> Tue, 24 Mar 2020 13:18:16 +0100
+
 checkstyle (6.15-1) unstable; urgency=medium
 * Team upload.
diff -Nru checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch
--- checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch 1970-01-01 01:00:00.000000000 +0100
+++ checkstyle-6.15/debian/patches/CVE-2019-9658-and-CVE-2019-10782.patch 2020-03-24 13:18:16.000000000 +0100
@@ -0,0 +1,95 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 12 Mar 2020 13:06:45 +0100
+Subject: CVE-2019-9658 and CVE-2019-10782
+
+Bug-Debian: https://bugs.debian.org/924598
+
+Origin: https://github.com/checkstyle/checkstyle/commit/180b4fe37a2249d4489d584505f2b7b3ab162ec6
+Origin: https://github.com/checkstyle/checkstyle/pull/7495/commits/3af187f81ab33c9a8e471cc629ff10fe722a7a56
+---
+ .../tools/checkstyle/api/AbstractLoader.java | 45 ++++++++++++++++++++++
+ src/xdocs/config_reporting.xml | 11 ++++++
+ 2 files changed, 56 insertions(+)
+
+diff --git a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+index 2e60e6d..6ea678b 100644
+--- a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
++++ b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+@@ -80,6 +80,7 @@ public abstract class AbstractLoader
+ this.publicIdToResourceNameMap =
+ Maps.newHashMap(publicIdToResourceNameMap);
+ final SAXParserFactory factory = SAXParserFactory.newInstance();
++ LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory);
+ factory.setValidating(true);
+ factory.setNamespaceAware(true);
+ parser = factory.newSAXParser().getXMLReader();
+@@ -124,4 +125,48 @@ public abstract class AbstractLoader
+ public void fatalError(SAXParseException exception) throws SAXException {
+ throw exception;
+ }
++
++ /**
++ * Used for setting specific for secure java installations features to SAXParserFactory.
++ * Pulled out as a separate class in order to suppress Pitest mutations.
++ */
++ public static final class LoadExternalDtdFeatureProvider {
++
++ /** System property name to enable external DTD load. */
++ public static final String ENABLE_EXTERNAL_DTD_LOAD = "checkstyle.enableExternalDtdLoad";
++
++ /** Feature that enables loading external DTD when loading XML files. */
++ public static final String LOAD_EXTERNAL_DTD =
++ "http://apache.org/xml/features/nonvalidating/load-external-dtd";
++ /** Feature that enables including external general entities in XML files. */
++ public static final String EXTERNAL_GENERAL_ENTITIES =
++ "http://xml.org/sax/features/external-general-entities";
++ /** Feature that enables including external parameter entities in XML files. */
++ public static final String EXTERNAL_PARAMETER_ENTITIES =
++ "http://xml.org/sax/features/external-parameter-entities";
++
++ /** Stop instances being created. **/
++ private LoadExternalDtdFeatureProvider() {
++ }
++
++ /**
++ * Configures SAXParserFactory with features required
++ * to use external DTD file loading, this is not activated by default to not allow
++ * usage of schema files that checkstyle do not know
++ * it is even security problem to allow files from outside.
++ * @param factory factory to be configured with special features
++ * @throws SAXException if an error occurs
++ * @throws ParserConfigurationException if an error occurs
++ */
++ public static void setFeaturesBySystemProperty(SAXParserFactory factory)
++ throws SAXException, ParserConfigurationException {
++
++ final boolean enableExternalDtdLoad = Boolean.valueOf(
++ System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"));
++
++ factory.setFeature(LOAD_EXTERNAL_DTD, enableExternalDtdLoad);
++ factory.setFeature(EXTERNAL_GENERAL_ENTITIES, enableExternalDtdLoad);
++ factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, enableExternalDtdLoad);
++ }
++ }
+ }
+diff --git a/src/xdocs/config_reporting.xml b/src/xdocs/config_reporting.xml
+index 410d7eb..acf99a7 100644
+--- a/src/xdocs/config_reporting.xml
++++ b/src/xdocs/config_reporting.xml
+@@ -68,5 +68,16 @@
+ to an empty string.
+ </p>
+ </section>
++
++ <section name="Enable External DTD load">
++ <p>
++ The property <code>checkstyle.enableExternalDtdLoad</code>
++ defines ability use custom DTD files inconfig and load them from some location.
++ The property type
++ is <a href="property_types.html#boolean">boolean</a> and defaults
++ to <code>false</code>.
++ </p>
++ </section>
++
+ </body>
+ </document>
diff -Nru checkstyle-6.15/debian/patches/series checkstyle-6.15/debian/patches/series
--- checkstyle-6.15/debian/patches/series 2016-02-04 21:37:44.000000000 +0100
+++ checkstyle-6.15/debian/patches/series 2020-03-24 13:18:16.000000000 +0100
@@ -2,3 +2,4 @@
 02_ignore_tests_requiring_internet_connectivity.diff
 03_remove_maven3_prereq.diff
 04_adjust_application_name.diff
+CVE-2019-9658-and-CVE-2019-10782.patch
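Review bot: The new `LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory)` call is inserted right before the existing `factory.setValidating(true)`, and with the JDK's built-in Xerces parser the `nonvalidating/load-external-dtd` feature is documented as always on while validation is enabled, so the first `setFeature` in the new class is presumably a no-op here and the DTD named by a DOCTYPE is still resolved (through the loader's entity resolver); the two SAX entity features are what actually blocks external general and parameter entity expansion, which the Javadoc should say instead of "features required to use external DTD file loading". I would add above the three `setFeature` calls: `// AbstractLoader keeps validation on, so Xerces ignores load-external-dtd; the two entity features below are the effective XXE guard.` The method Javadoc itself is hard to parse; a clearer summary would be "Disables external DTD loading and inclusion of external general/parameter entities unless the {@code checkstyle.enableExternalDtdLoad} system property is {@code true}, so an untrusted configuration file cannot make the parser read local files or reach remote hosts." As a style nit, `Boolean.parseBoolean(System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"))` yields the `boolean` directly instead of the boxed `Boolean` that `Boolean.valueOf` returns and the assignment then unboxes.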