Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

Fixes a minor security issue, debdiff below.

Cheers,
        Moritz

diff -Nru commons-configuration2-2.2/debian/changelog 
commons-configuration2-2.2/debian/changelog
--- commons-configuration2-2.2/debian/changelog 2017-12-29 23:12:51.000000000 
+0100
+++ commons-configuration2-2.2/debian/changelog 2020-07-13 18:19:38.000000000 
+0200
@@ -1,3 +1,9 @@
+commons-configuration2 (2.2-1+deb10u1) buster; urgency=medium
+
+  * CVE-2020-1953 (Closes: #954713)
+
+ -- Moritz Mühlenhoff <j...@debian.org>  Mon, 13 Jul 2020 19:18:37 +0200
+
 commons-configuration2 (2.2-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch 
commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch
--- commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch       
1970-01-01 01:00:00.000000000 +0100
+++ commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch       
2020-07-13 18:06:19.000000000 +0200
@@ -0,0 +1,179 @@
+Backport to 2.2 of the following upstream commit:
+
+From add7375cf37fd316d4838c6c56b054fc293b4641 Mon Sep 17 00:00:00 2001
+From: oheger <oliver.he...@oliver-heger.de>
+Date: Wed, 4 Mar 2020 21:33:22 +0100
+Subject: [PATCH] Prevent object creation when loading YAML files.
+
+When creating a new Yaml instance from SnakeYaml to read in a
+configuration file the instance is now configured that no objects are
+created automatically.
+
+--- 
commons-configuration2-2.2.orig/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java
++++ 
commons-configuration2-2.2/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java
+@@ -18,11 +18,14 @@
+ package org.apache.commons.configuration2;
+ 
+ import org.apache.commons.configuration2.ex.ConfigurationException;
++import org.apache.commons.configuration2.ex.ConfigurationRuntimeException;
+ import org.apache.commons.configuration2.io.InputStreamSupport;
+ import org.apache.commons.configuration2.tree.ImmutableNode;
+ import org.yaml.snakeyaml.DumperOptions;
+ import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.Yaml;
++import org.yaml.snakeyaml.constructor.Constructor;
++import org.yaml.snakeyaml.representer.Representer;
+ 
+ import java.io.IOException;
+ import java.io.InputStream;
+@@ -65,7 +68,7 @@ public class YAMLConfiguration extends A
+     {
+         try
+         {
+-            Yaml yaml = new Yaml();
++            Yaml yaml = createYamlForReading(new LoaderOptions());
+             Map<String, Object> map = (Map) yaml.load(in);
+             load(map);
+         }
+@@ -80,7 +83,7 @@ public class YAMLConfiguration extends A
+     {
+         try
+         {
+-            Yaml yaml = new Yaml(options);
++            Yaml yaml = createYamlForReading(options);
+             Map<String, Object> map = (Map) yaml.load(in);
+             load(map);
+         }
+@@ -117,7 +120,7 @@ public class YAMLConfiguration extends A
+     {
+         try
+         {
+-            Yaml yaml = new Yaml();
++            Yaml yaml = createYamlForReading(new LoaderOptions());
+             Map<String, Object> map = (Map) yaml.load(in);
+             load(map);
+         }
+@@ -132,7 +135,7 @@ public class YAMLConfiguration extends A
+     {
+         try
+         {
+-            Yaml yaml = new Yaml(options);
++            Yaml yaml = createYamlForReading(options);
+             Map<String, Object> map = (Map) yaml.load(in);
+             load(map);
+         }
+@@ -142,4 +145,34 @@ public class YAMLConfiguration extends A
+         }
+     }
+ 
++    /**
++     * Creates a {@code Yaml} object for reading a Yaml file. The object is
++     * configured with some default settings.
++     *
++     * @param options options for loading the file
++     * @return the {@code Yaml} instance for loading a file
++     */
++    private static Yaml createYamlForReading(LoaderOptions options)
++    {
++        return new Yaml(createClassLoadingDisablingConstructor(), new 
Representer(), new DumperOptions(), options);
++    }
++
++    /**
++     * Returns a {@code Constructor} object for the YAML parser that prevents
++     * all classes from being loaded. This effectively disables the dynamic
++     * creation of Java objects that are declared in YAML files to be loaded.
++     *
++     * @return the {@code Constructor} preventing object creation
++     */
++    private static Constructor createClassLoadingDisablingConstructor()
++    {
++        return new Constructor()
++        {
++            @Override
++            protected Class<?> getClassForName(String name)
++            {
++                throw new ConfigurationRuntimeException("Class loading is 
disabled.");
++            }
++        };
++    }
+ }
+--- 
commons-configuration2-2.2.orig/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java
++++ 
commons-configuration2-2.2/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java
+@@ -20,26 +20,36 @@ package org.apache.commons.configuration
+ import org.apache.commons.configuration2.ex.ConfigurationException;
+ import org.junit.Before;
+ import org.junit.Rule;
++import org.junit.Rule;
+ import org.junit.Test;
+ import org.junit.rules.TemporaryFolder;
+ import org.yaml.snakeyaml.Yaml;
+ 
+ import java.io.File;
+ import java.io.FileReader;
++import java.io.ByteArrayInputStream;
++import java.io.File;
+ import java.io.IOException;
++import java.io.StringReader;
+ import java.io.StringWriter;
++import java.nio.charset.StandardCharsets;
+ import java.util.Arrays;
+ import java.util.List;
+ import java.util.Map;
+ 
+ import static org.junit.Assert.assertEquals;
++import static org.junit.Assert.assertFalse;
+ import static org.junit.Assert.assertTrue;
++import static org.junit.Assert.fail;
+ 
+ /**
+  * Unit test for {@link YAMLConfiguration}
+  */
+ public class TestYAMLConfiguration
+ {
++    @Rule
++    public TemporaryFolder temporaryFolder = new TemporaryFolder();
++    
+     /** The files that we test with. */
+     private String testYaml =
+             ConfigurationAssert.getTestFile("test.yaml").getAbsolutePath();
+@@ -137,4 +147,40 @@ public class TestYAMLConfiguration
+         yamlConfiguration = new YAMLConfiguration(c);
+         assertEquals("bar", yamlConfiguration.getString("foo"));
+     }
++
++    @Test
++    public void testObjectCreationFromReader()
++    {
++        final File createdFile = new File(temporaryFolder.getRoot(), 
"data.txt");
++        final String yaml = "!!java.io.FileOutputStream [" + 
createdFile.getAbsolutePath() + "]";
++
++        try
++        {
++            yamlConfiguration.read(new StringReader(yaml));
++            fail("Loading configuration did not cause an exception!");
++        }
++        catch (ConfigurationException e)
++        {
++            //expected
++        }
++        assertFalse("Java object was created", createdFile.exists());
++    }
++
++    @Test
++    public void testObjectCreationFromStream()
++    {
++        final File createdFile = new File(temporaryFolder.getRoot(), 
"data.txt");
++        final String yaml = "!!java.io.FileOutputStream [" + 
createdFile.getAbsolutePath() + "]";
++
++        try
++        {
++            yamlConfiguration.read(new 
ByteArrayInputStream(yaml.getBytes(StandardCharsets.UTF_8)));
++            fail("Loading configuration did not cause an exception!");
++        }
++        catch (ConfigurationException e)
++        {
++            //expected
++        }
++        assertFalse("Java object was created", createdFile.exists());
++    }
+ }
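Review bot: The new `createClassLoadingDisablingConstructor` rejects every `!!fully.qualified.Class` tag by throwing from `getClassForName`, but nothing in the Javadoc of `createYamlForReading` or the class tells a caller that YAML files which legitimately relied on such tags are now rejected; add a sentence to that Javadoc such as `Instantiation of Java objects via global tags is disabled (CVE-2020-1953); files using them fail to load.` The two added tests expect that failure to surface as a `ConfigurationException`, yet the `catch` clauses of the `read` overloads lie outside the visible hunk lines, so it should be confirmed that they wrap a `RuntimeException` and not only `IOException`, otherwise `testObjectCreationFromReader` would error out instead of reaching `fail(...)`. Two of the added test imports are redundant, `import org.junit.Rule;` and `import java.io.File;` are each already present two lines above; javac tolerates identical duplicate single-type imports, but they are a backport artifact worth dropping.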
diff -Nru commons-configuration2-2.2/debian/patches/series 
commons-configuration2-2.2/debian/patches/series
--- commons-configuration2-2.2/debian/patches/series    1970-01-01 
01:00:00.000000000 +0100
+++ commons-configuration2-2.2/debian/patches/series    2020-07-13 
18:05:49.000000000 +0200
@@ -0,0 +1 @@
+CVE-2020-1953.patch
