[xmlrpc3/f14] Resolve RH744364, CVE-2011-3600 - XML-RPC SAX parser information disclosure
Jeff Johnston
jjohnstn at fedoraproject.org
Tue Oct 11 22:30:26 UTC 2011
commit 0aeb403c3b4066082c3c5a0b3a3fbbf85bbc07aa
Author: Jeff Johnston <jjohnstn at redhat.com>
Date: Tue Oct 11 18:29:16 2011 -0400
Resolve RH744364, CVE-2011-3600 - XML-RPC SAX parser information disclosure
xmlrpc3-CVE-2011-3600.patch | 55 +++++++++++++++++++++++++++++++++++++++++++
xmlrpc3.spec | 9 ++++++-
2 files changed, 63 insertions(+), 1 deletions(-)
---
diff --git a/xmlrpc3-CVE-2011-3600.patch b/xmlrpc3-CVE-2011-3600.patch
new file mode 100644
index 0000000..bfd2d08
--- /dev/null
+++ b/xmlrpc3-CVE-2011-3600.patch
@@ -0,0 +1,55 @@
+diff -up ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java.fix ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
+--- ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java.fix 2011-10-07 18:26:38.000000000 -0400
++++ ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java 2011-10-07 18:26:21.000000000 -0400
+@@ -16,6 +16,20 @@ public class SAXParsers {
+ spf = SAXParserFactory.newInstance();
+ spf.setNamespaceAware(true);
+ spf.setValidating(false);
++ try {
++ spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ } catch (javax.xml.parsers.ParserConfigurationException e) {
++ // Ignore it
++ } catch (org.xml.sax.SAXException e) {
++ // Ignore it
++ }
++ try {
++ spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ } catch (javax.xml.parsers.ParserConfigurationException e) {
++ // Ignore it
++ } catch (org.xml.sax.SAXException e) {
++ // Ignore it
++ }
+ }
+
+ /** Creates a new instance of {@link XMLReader}.
+diff -up ./pom.xml.fix ./pom.xml
+--- ./pom.xml.fix 2011-10-07 18:17:04.000000000 -0400
++++ ./pom.xml 2011-10-07 18:18:52.000000000 -0400
+@@ -173,6 +173,10 @@
+ <name>Ken Weiner</name>
+ <email>kweiner at gmail.com</email>
+ </contributor>
++ <contributor>
++ <name>Johan Hôgre</name>
++ <email>johan.hagre at home.se</email>
++ </contributor>
+ </contributors>
+ <scm>
+ <connection>scm:svn:scm:svn:https://svn.apache.org/repos/asf/webservices/xmlrpc/tags/XMLRPC_3_0</connection>
+diff -up ./src/changes/changes.xml.fix ./src/changes/changes.xml
+--- ./src/changes/changes.xml.fix 2011-10-07 18:22:58.000000000 -0400
++++ ./src/changes/changes.xml 2011-10-07 18:22:40.000000000 -0400
+@@ -65,6 +65,13 @@
+ due-to-email="Catalin.Hritcu at gmail.com" issue="XMLRPC-109">
+ Fixed an invalid FAQ example.
+ </action>
++ </action>
++ <action dev="jochen" type="fix" due-to="Johan Hôgre"
++ due-to-email="johan.hagre at home.se">
++ Fixed a potential security hole: The client has been able to
++ include server side resources
++ into the request by using external entities.
++ </action>
+ </release>
+ <release version="3.0rc1" date="27-Jul-2006">
+ <action dev="jochen" type="fix" due-to="Alan Burlison"
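Review bot: Setting external-general-entities and external-parameter-entities to false in SAXParsers (inner hunk at `@@ -16,6 +16,20 @@`) still leaves the parser free to fetch an external DTD named in a DOCTYPE, and the two empty catch blocks mean a factory that rejects either feature silently keeps entity expansion enabled; the initializer these lines sit in starts outside the hunk. Since `setValidating(false)` does not stop DTD loading, consider also setting `http://apache.org/xml/features/nonvalidating/load-external-dtd` to false (Xerces-specific, so keep it under the same guard) or `http://apache.org/xml/features/disallow-doctype-decl` to true if XML-RPC payloads never carry a DOCTYPE, and replace `// Ignore it` with a comment that states the consequence, e.g. `// Feature not supported by this parser: external entity expansion may remain enabled`. In the changes.xml hunk the first added line is a second `</action>` directly after the existing closing tag, which looks like a stray line that would leave the file unbalanced — confirm against the upstream 3.1.3 change this backports. The pom.xml contributor entry and the changes.xml note do not affect the runtime fix, so that stray tag only matters for site/changes generation.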
diff --git a/xmlrpc3.spec b/xmlrpc3.spec
index ecc8a21..f6d05d2 100644
--- a/xmlrpc3.spec
+++ b/xmlrpc3.spec
@@ -33,7 +33,7 @@
Name: xmlrpc3
Version: 3.0
-Release: 5%{?dist}
+Release: 6%{?dist}
Summary: Java XML-RPC implementation
License: ASL 2.0
Group: Development/Libraries
@@ -56,6 +56,7 @@ Patch2: %{name}-common-addosgimanifest.patch
%else
Patch3: %{name}-ant-osgimanifests.patch
%endif
+Patch4: %{name}-CVE-2011-3600.patch
BuildRequires: dos2unix
%if %{with_maven}
@@ -173,6 +174,8 @@ tar jxf %{SOURCE3}
%patch3
%endif
+%patch4
+
export MAVEN_REPO_LOCAL=$(pwd)/.m2/repository
rm -rf $MAVEN_REPO_LOCAL
mkdir -p $MAVEN_REPO_LOCAL
@@ -358,6 +361,10 @@ rm -rf $RPM_BUILD_ROOT
%{_javadir}/%{name}-server-%{version}-sources.jar
%changelog
+* Tue Oct 11 2011 Jeff Johnston <jjohnstn at redhat.com> - 3.0-6
+- Backport security fix from 3.1.3
+- Resolves RH744364, CVE-2011-3600 - XML-RPC SAX parser information disclosure
+
* Wed Jul 21 2010 Stanislav Ochotnicky <sochotnicky at redhat.com> - 3.0-5
- Install maven depmaps and pom.xml files