From a4caac49eb2bd8a769a28b4e03e476641acaea9d Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski
Date: Thu, 27 Mar 2014 10:02:28 +0100
Subject: [PATCH] Add patch to fix remote code execution vulnerability

- Resolves: CVE-2014-0107
---
xalan-j2-CVE-2014-0107.patch | 148 +++++++++++++++++++++++++++++++++++
xalan-j2.spec | 11 ++-
2 files changed, 158 insertions(+), 1 deletion(-)
create mode 100644 xalan-j2-CVE-2014-0107.patch
diff --git a/xalan-j2-CVE-2014-0107.patch b/xalan-j2-CVE-2014-0107.patch
new file mode 100644
index 0000000..3358f60
--- /dev/null
+++ b/xalan-j2-CVE-2014-0107.patch
@@ -0,0 +1,148 @@
+diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+index 1298943..96a5e58 100644
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory
+ reader = XMLReaderFactory.createXMLReader();
+ }
+
++ if(m_isSecureProcessing)
++ {
++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++ }
+ // Need to set options!
+ reader.setContentHandler(handler);
+ reader.parse(isource);
+diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+index b946743..17b7395 100644
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement
+ }
+ else
+ {
+- // Can we switch the order here:
+-
+- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+- attributes.getQName(i), attributes.getValue(i),
+- target);
+-
+- // Now we only add the element if it passed a validation check
+- if (success)
+- processedDefs.add(attrDef);
+- else
+- errorDefs.add(attrDef);
++ //handle secure processing
++ if(handler.getStylesheetProcessor()==null)
++ System.out.println("stylesheet processor null");
++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++ {
++ //foreign attributes are not allowed in secure processing mode
++ // Then barf, because this element does not allow this attribute.
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++ //+ " attribute is not allowed on the " + rawName
++ // + " element!", null);
++ }
++ else
++ {
++
++
++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++ attributes.getQName(i), attributes.getValue(i),
++ target);
++
++ // Now we only add the element if it passed a validation check
++ if (success)
++ processedDefs.add(attrDef);
++ else
++ errorDefs.add(attrDef);
++ }
+ }
+ }
+
+diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java
+index dd0d4d9..0906d24 100644
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer
+ try
+ {
+ if (sroot.getExtensions() != null)
+- m_extensionsTable = new ExtensionsTable(sroot);
++ //only load extensions if secureProcessing is disabled
++ if(!sroot.isSecureProcessing())
++ m_extensionsTable = new ExtensionsTable(sroot);
+ }
+ catch (javax.xml.transform.TransformerException te)
+ {te.printStackTrace();}
+diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java
+index 4bea356..78ac980 100644
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg
+
+ String fullName = m_arg0.execute(xctxt).str();
+ int indexOfNSSep = fullName.indexOf(':');
+- String result;
++ String result = null;
+ String propName = "";
+
+ // List of properties where the name of the
+@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg
+
+ try
+ {
+- result = System.getProperty(propName);
+-
+- if (null == result)
+- {
+-
+- // result = System.getenv(propName);
+- return XString.EMPTYSTRING;
+- }
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(propName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ }
++ if (null == result)
++ {
++ return XString.EMPTYSTRING;
++ }
+ }
+ catch (SecurityException se)
+ {
+@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg
+ {
+ try
+ {
+- result = System.getProperty(fullName);
+-
+- if (null == result)
+- {
+-
+- // result = System.getenv(fullName);
+- return XString.EMPTYSTRING;
+- }
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(fullName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ }
++ if (null == result)
++ {
++ return XString.EMPTYSTRING;
++ }
+ }
+ catch (SecurityException se)
+ {
diff --git a/xalan-j2.spec b/xalan-j2.spec
index 6e0122e..97e1097 100644
--- a/xalan-j2.spec
+++ b/xalan-j2.spec
@@ -32,7 +32,7 @@ Name: xalan-j2 Version: 2.7.1 -Release: 21%{?dist} +Release: 22%{?dist} Epoch: 0 Summary: Java XSLT processor # src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C
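Review bot: In the TransformerFactoryImpl.java hunk of the added patch, secure processing switches off only `http://xml.org/sax/features/external-general-entities`, so a stylesheet's DOCTYPE can still make the reader fetch external parameter entities, which in SAX terms includes the external DTD subset. I would add `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` inside the same `if(m_isSecureProcessing)` block. `setFeature` can throw `SAXNotRecognizedException` or `SAXNotSupportedException`, and the enclosing method starts and ends outside the hunk, so its handling is not visible here. It is worth confirming that such a failure aborts the parse in secure mode rather than letting the reader continue without the restriction.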
@@ -47,6 +47,10 @@ Patch0: %{name}-noxsltcdeps.patch # Fix the serializer JAR filename in xalan-j2's MANIFEST.MF # https://bugzilla.redhat.com/show_bug.cgi?id=718738 Patch1: %{name}-serializerJARname.patch +# Fix CVE-2014-0107: insufficient constraints in secure processing +# feature (oCERT-2014-002). Generated form upstream revisions 1581058 +# and 1581426. +Patch2: %{name}-CVE-2014-0107.patch URL: http://xalan.apache.org/ Group: Development/Libraries @@ -116,6 +120,7 @@ Demonstrations and samples for %{name}. %setup -q -n xalan-j_%{cvs_version} %patch0 -p0 %patch1 -p0 +%patch2 -p1 # Remove all binary libs, except ones needed to build docs and N/A elsewhere. for j in $(find . -name "*.jar"); do mv $j $j.no @@ -244,6 +249,10 @@ update-alternatives --install %{_javadir}/jaxp_transform_impl.jar \ %{_datadir}/%{name} %changelog +* Thu Mar 27 2014 Mikolaj Izdebski - 0:2.7.1-22 +- Add patch to fix remote code execution vulnerability +- Resolves: CVE-2014-0107 + * Mon Aug 19 2013 Mikolaj Izdebski - 0:2.7.1-21 - Move depmaps to appropriate packages - Resolves: rhbz#998594