Add patch to fix remote code execution vulnerability
- Resolves: CVE-2014-0107
This commit is contained in:
parent
17c578d667
commit
a4caac49eb
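--- /dev/null
+++ b/xalan-j2-CVE-2014-0107.patch
@@ -0,0 +1,148 @@
+diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+index 1298943..96a5e58 100644
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory
+reader = XMLReaderFactory.createXMLReader();
+}
+
++ if(m_isSecureProcessing)
++ {
++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++ }
+// Need to set options!
+reader.setContentHandler(handler);
+reader.parse(isource);
+diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+index b946743..17b7395 100644
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement
+}
+else
+{
+- // Can we switch the order here:
+-
+- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+- attributes.getQName(i), attributes.getValue(i),
+- target);
+-
+- // Now we only add the element if it passed a validation check
+- if (success)
+- processedDefs.add(attrDef);
+- else
+- errorDefs.add(attrDef);
++ //handle secure processing
++ if(handler.getStylesheetProcessor()==null)
++ System.out.println("stylesheet processor null");
++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++ {
++ //foreign attributes are not allowed in secure processing mode
++ // Then barf, because this element does not allow this attribute.
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++ //+ " attribute is not allowed on the " + rawName
++ // + " element!", null);
++ }
++ else
++ {
++
++
++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++ attributes.getQName(i), attributes.getValue(i),
++ target);
++
++ // Now we only add the element if it passed a validation check
++ if (success)
++ processedDefs.add(attrDef);
++ else
++ errorDefs.add(attrDef);
++ }
+}
+}
+
+diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java
+index dd0d4d9..0906d24 100644
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer
+try
+{
+if (sroot.getExtensions() != null)
+- m_extensionsTable = new ExtensionsTable(sroot);
++ //only load extensions if secureProcessing is disabled
++ if(!sroot.isSecureProcessing())
++ m_extensionsTable = new ExtensionsTable(sroot);
+}
+catch (javax.xml.transform.TransformerException te)
+{te.printStackTrace();}
+diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java
+index 4bea356..78ac980 100644
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg
+
+String fullName = m_arg0.execute(xctxt).str();
+int indexOfNSSep = fullName.indexOf(':');
+- String result;
++ String result = null;
+String propName = "";
+
+// List of properties where the name of the
+@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg
+
+try
+{
+- result = System.getProperty(propName);
+-
+- if (null == result)
+- {
+-
+- // result = System.getenv(propName);
+- return XString.EMPTYSTRING;
+- }
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(propName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ }
++ if (null == result)
++ {
++ return XString.EMPTYSTRING;
++ }
+}
+catch (SecurityException se)
+{
+@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg
+{
+try
+{
+- result = System.getProperty(fullName);
+-
+- if (null == result)
+- {
+-
+- // result = System.getenv(fullName);
+- return XString.EMPTYSTRING;
+- }
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(fullName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ }
++ if (null == result)
++ {
++ return XString.EMPTYSTRING;
++ }
+}
+catch (SecurityException se)
+{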
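Review bot: In the XSLTElementProcessor hunk, the added `if(handler.getStylesheetProcessor()==null) System.out.println("stylesheet processor null");` is a leftover debug print to stdout from library code, and the null check it is attached to does not protect the very next line, which dereferences `handler.getStylesheetProcessor()` unconditionally and would throw a NullPointerException in exactly the case the print reports. Since the patch is carried downstream as-is, either drop the println so the behaviour is an undisguised NPE, or fold an explicit guard into the condition, e.g. `if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor() != null && handler.getStylesheetProcessor().isSecureProcessing())`, and document which state is intended when the processor is absent. The enclosing method starts and ends outside the hunk. Separately, the TransformerFactoryImpl hunk disables only the SAX `external-general-entities` feature under secure processing; a note in the spec or patch header stating whether `http://xml.org/sax/features/external-parameter-entities` was deliberately left enabled would help future reviewers judge the XXE surface that remains.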
@ -32,7 +32,7 @@
|
|||||||
|
|
||||||
Name: xalan-j2
|
Name: xalan-j2
|
||||||
Version: 2.7.1
|
Version: 2.7.1
|
||||||
Release: 21%{?dist}
|
Release: 22%{?dist}
|
||||||
Epoch: 0
|
Epoch: 0
|
||||||
Summary: Java XSLT processor
|
Summary: Java XSLT processor
|
||||||
# src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C
|
# src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C
|
||||||
@ -47,6 +47,10 @@ Patch0: %{name}-noxsltcdeps.patch
|
|||||||
# Fix the serializer JAR filename in xalan-j2's MANIFEST.MF
|
# Fix the serializer JAR filename in xalan-j2's MANIFEST.MF
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=718738
|
# https://bugzilla.redhat.com/show_bug.cgi?id=718738
|
||||||
Patch1: %{name}-serializerJARname.patch
|
Patch1: %{name}-serializerJARname.patch
|
||||||
|
# Fix CVE-2014-0107: insufficient constraints in secure processing
|
||||||
|
# feature (oCERT-2014-002). Generated form upstream revisions 1581058
|
||||||
|
# and 1581426.
|
||||||
|
Patch2: %{name}-CVE-2014-0107.patch
|
||||||
URL: http://xalan.apache.org/
|
URL: http://xalan.apache.org/
|
||||||
Group: Development/Libraries
|
Group: Development/Libraries
|
||||||
|
|
||||||
@ -116,6 +120,7 @@ Demonstrations and samples for %{name}.
|
|||||||
%setup -q -n xalan-j_%{cvs_version}
|
%setup -q -n xalan-j_%{cvs_version}
|
||||||
%patch0 -p0
|
%patch0 -p0
|
||||||
%patch1 -p0
|
%patch1 -p0
|
||||||
|
%patch2 -p1
|
||||||
# Remove all binary libs, except ones needed to build docs and N/A elsewhere.
|
# Remove all binary libs, except ones needed to build docs and N/A elsewhere.
|
||||||
for j in $(find . -name "*.jar"); do
|
for j in $(find . -name "*.jar"); do
|
||||||
mv $j $j.no
|
mv $j $j.no
|
||||||
@ -244,6 +249,10 @@ update-alternatives --install %{_javadir}/jaxp_transform_impl.jar \
|
|||||||
%{_datadir}/%{name}
|
%{_datadir}/%{name}
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Mar 27 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 0:2.7.1-22
|
||||||
|
- Add patch to fix remote code execution vulnerability
|
||||||
|
- Resolves: CVE-2014-0107
|
||||||
|
|
||||||
* Mon Aug 19 2013 Mikolaj Izdebski <mizdebsk@redhat.com> - 0:2.7.1-21
|
* Mon Aug 19 2013 Mikolaj Izdebski <mizdebsk@redhat.com> - 0:2.7.1-21
|
||||||
- Move depmaps to appropriate packages
|
- Move depmaps to appropriate packages
|
||||||
- Resolves: rhbz#998594
|
- Resolves: rhbz#998594
|
||||||
|