Package: release.debian.org Severity: normal Tags: buster User: release.debian....@packages.debian.org Usertags: pu
Fixes a minor security issue, debdiff below. Cheers, Moritz
diff -Nru commons-configuration2-2.2/debian/changelog commons-configuration2-2.2/debian/changelog
--- commons-configuration2-2.2/debian/changelog 2017-12-29 23:12:51.000000000 +0100
+++ commons-configuration2-2.2/debian/changelog 2020-07-13 18:19:38.000000000 +0200
@@ -1,3 +1,9 @@
+commons-configuration2 (2.2-1+deb10u1) buster; urgency=medium
+
+ * CVE-2020-1953 (Closes: #954713)
+
+ -- Moritz Mühlenhoff <j...@debian.org> Mon, 13 Jul 2020 19:18:37 +0200
+
commons-configuration2 (2.2-1) unstable; urgency=medium
* New upstream release
diff -Nru commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch
--- commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch 1970-01-01 01:00:00.000000000 +0100
+++ commons-configuration2-2.2/debian/patches/CVE-2020-1953.patch 2020-07-13 18:06:19.000000000 +0200
@@ -0,0 +1,179 @@
+Backport to 2.2 of the following upstream commit:
+
+From add7375cf37fd316d4838c6c56b054fc293b4641 Mon Sep 17 00:00:00 2001
+From: oheger <oliver.he...@oliver-heger.de>
+Date: Wed, 4 Mar 2020 21:33:22 +0100
+Subject: [PATCH] Prevent object creation when loading YAML files.
+
+When creating a new Yaml instance from SnakeYaml to read in a
+configuration file the instance is now configured that no objects are
+created automatically.
+
+--- commons-configuration2-2.2.orig/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java
++++ commons-configuration2-2.2/src/main/java/org/apache/commons/configuration2/YAMLConfiguration.java
+@@ -18,11 +18,14 @@
+ package org.apache.commons.configuration2;
+
+ import org.apache.commons.configuration2.ex.ConfigurationException;
++import org.apache.commons.configuration2.ex.ConfigurationRuntimeException;
+ import org.apache.commons.configuration2.io.InputStreamSupport;
+ import org.apache.commons.configuration2.tree.ImmutableNode;
+ import org.yaml.snakeyaml.DumperOptions;
+ import org.yaml.snakeyaml.LoaderOptions;
+ import org.yaml.snakeyaml.Yaml;
++import org.yaml.snakeyaml.constructor.Constructor;
++import org.yaml.snakeyaml.representer.Representer;
+
+ import java.io.IOException;
+ import java.io.InputStream;
+@@ -65,7 +68,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml();
++ Yaml yaml = createYamlForReading(new LoaderOptions());
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -80,7 +83,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml(options);
++ Yaml yaml = createYamlForReading(options);
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -117,7 +120,7 @@ public class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml();
++ Yaml yaml = createYamlForReading(new LoaderOptions());
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -132,7 +135,7 @@ public
class YAMLConfiguration extends A
+ {
+ try
+ {
+- Yaml yaml = new Yaml(options);
++ Yaml yaml = createYamlForReading(options);
+ Map<String, Object> map = (Map) yaml.load(in);
+ load(map);
+ }
+@@ -142,4 +145,34 @@ public class YAMLConfiguration extends A
+ }
+ }
+
++ /**
++ * Creates a {@code Yaml} object for reading a Yaml file. The object is
++ * configured with some default settings.
++ *
++ * @param options options for loading the file
++ * @return the {@code Yaml} instance for loading a file
++ */
++ private static Yaml createYamlForReading(LoaderOptions options)
++ {
++ return new Yaml(createClassLoadingDisablingConstructor(), new Representer(), new DumperOptions(), options);
++ }
++
++ /**
++ * Returns a {@code Constructor} object for the YAML parser that prevents
++ * all classes from being loaded. This effectively disables the dynamic
++ * creation of Java objects that are declared in YAML files to be loaded.
++ *
++ * @return the {@code Constructor} preventing object creation
++ */
++ private static Constructor createClassLoadingDisablingConstructor()
++ {
++ return new Constructor()
++ {
++ @Override
++ protected Class<?> getClassForName(String name)
++ {
++ throw new ConfigurationRuntimeException("Class loading is disabled.");
++ }
++ };
++ }
+ }
+--- commons-configuration2-2.2.orig/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java
++++ commons-configuration2-2.2/src/test/java/org/apache/commons/configuration2/TestYAMLConfiguration.java
+@@ -20,26 +20,36 @@ package org.apache.commons.configuration
+ import org.apache.commons.configuration2.ex.ConfigurationException;
+ import org.junit.Before;
+ import org.junit.Rule;
++import org.junit.Rule;
+ import org.junit.Test;
+ import org.junit.rules.TemporaryFolder;
+ import org.yaml.snakeyaml.Yaml;
+
+ import java.io.File;
+ import java.io.FileReader;
++import java.io.ByteArrayInputStream;
++import java.io.File;
+ import java.io.IOException;
++import java.io.StringReader;
+ import
java.io.StringWriter;
++import java.nio.charset.StandardCharsets;
+ import java.util.Arrays;
+ import java.util.List;
+ import java.util.Map;
+
+ import static org.junit.Assert.assertEquals;
++import static org.junit.Assert.assertFalse;
+ import static org.junit.Assert.assertTrue;
++import static org.junit.Assert.fail;
+
+ /**
+ * Unit test for {@link YAMLConfiguration}
+ */
+ public class TestYAMLConfiguration
+ {
++ @Rule
++ public TemporaryFolder temporaryFolder = new TemporaryFolder();
++
+ /** The files that we test with. */
+ private String testYaml =
+ ConfigurationAssert.getTestFile("test.yaml").getAbsolutePath();
+@@ -137,4 +147,40 @@ public class TestYAMLConfiguration
+ yamlConfiguration = new YAMLConfiguration(c);
+ assertEquals("bar", yamlConfiguration.getString("foo"));
+ }
++
++ @Test
++ public void testObjectCreationFromReader()
++ {
++ final File createdFile = new File(temporaryFolder.getRoot(), "data.txt");
++ final String yaml = "!!java.io.FileOutputStream [" + createdFile.getAbsolutePath() + "]";
++
++ try
++ {
++ yamlConfiguration.read(new StringReader(yaml));
++ fail("Loading configuration did not cause an exception!");
++ }
++ catch (ConfigurationException e)
++ {
++ //expected
++ }
++ assertFalse("Java object was created", createdFile.exists());
++ }
++
++ @Test
++ public void testObjectCreationFromStream()
++ {
++ final File createdFile = new File(temporaryFolder.getRoot(), "data.txt");
++ final String yaml = "!!java.io.FileOutputStream [" + createdFile.getAbsolutePath() + "]";
++
++ try
++ {
++ yamlConfiguration.read(new ByteArrayInputStream(yaml.getBytes(StandardCharsets.UTF_8)));
++ fail("Loading configuration did not cause an exception!");
++ }
++ catch (ConfigurationException e)
++ {
++ //expected
++ }
++ assertFalse("Java object was created", createdFile.exists());
++ }
+ }
diff -Nru commons-configuration2-2.2/debian/patches/series commons-configuration2-2.2/debian/patches/series
--- commons-configuration2-2.2/debian/patches/series
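Review bot: The TestYAMLConfiguration.java part of the backported patch adds `+import org.junit.Rule;` and `+import java.io.File;` even though the context lines directly above already import both, so the patched test file ends up with two identical single-type imports each; javac ignores an identical duplicate, but the two added lines should simply be dropped from the patch. The two new tests catch only ConfigurationException while the overridden getClassForName throws the unchecked ConfigurationRuntimeException, so they rely on the read() methods wrapping runtime exceptions into ConfigurationException; the catch blocks of those methods lie outside the hunk, so that cannot be confirmed from here and is worth checking before upload. The four-argument Yaml constructor taking a LoaderOptions must also exist in the SnakeYAML version buster ships, since the hunk shows only the call and not the dependency version.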
1970-01-01 01:00:00.000000000 +0100
+++ commons-configuration2-2.2/debian/patches/series 2020-07-13 18:05:49.000000000 +0200
@@ -0,0 +1 @@
+CVE-2020-1953.patch