[xalan-j2] Add patch to fix remote code execution vulnerability
Mikolaj Izdebski
mizdebsk at fedoraproject.org
Thu Mar 27 09:11:47 UTC 2014
commit a4caac49eb2bd8a769a28b4e03e476641acaea9d
Author: Mikolaj Izdebski <mizdebsk at redhat.com>
Date: Thu Mar 27 10:02:28 2014 +0100
Add patch to fix remote code execution vulnerability
- Resolves: CVE-2014-0107
xalan-j2-CVE-2014-0107.patch | 148 ++++++++++++++++++++++++++++++++++++++++++
xalan-j2.spec | 11 +++-
2 files changed, 158 insertions(+), 1 deletions(-)
---
diff --git a/xalan-j2-CVE-2014-0107.patch b/xalan-j2-CVE-2014-0107.patch
new file mode 100644
index 0000000..3358f60
--- /dev/null
+++ b/xalan-j2-CVE-2014-0107.patch
@@ -0,0 +1,148 @@
+diff --git a/src/org/apache/xalan/processor/TransformerFactoryImpl.java b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+index 1298943..96a5e58 100644
+--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
++++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+@@ -335,6 +335,10 @@ public class TransformerFactoryImpl extends SAXTransformerFactory
+ reader = XMLReaderFactory.createXMLReader();
+ }
+
++ if(m_isSecureProcessing)
++ {
++ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
++ }
+ // Need to set options!
+ reader.setContentHandler(handler);
+ reader.parse(isource);
+diff --git a/src/org/apache/xalan/processor/XSLTElementProcessor.java b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+index b946743..17b7395 100644
+--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
++++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
+@@ -338,17 +338,31 @@ public class XSLTElementProcessor extends ElemTemplateElement
+ }
+ else
+ {
+- // Can we switch the order here:
+-
+- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+- attributes.getQName(i), attributes.getValue(i),
+- target);
+-
+- // Now we only add the element if it passed a validation check
+- if (success)
+- processedDefs.add(attrDef);
+- else
+- errorDefs.add(attrDef);
++ //handle secure processing
++ if(handler.getStylesheetProcessor()==null)
++ System.out.println("stylesheet processor null");
++ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
++ {
++ //foreign attributes are not allowed in secure processing mode
++ // Then barf, because this element does not allow this attribute.
++ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
++ //+ " attribute is not allowed on the " + rawName
++ // + " element!", null);
++ }
++ else
++ {
++
++
++ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
++ attributes.getQName(i), attributes.getValue(i),
++ target);
++
++ // Now we only add the element if it passed a validation check
++ if (success)
++ processedDefs.add(attrDef);
++ else
++ errorDefs.add(attrDef);
++ }
+ }
+ }
+
+diff --git a/src/org/apache/xalan/transformer/TransformerImpl.java b/src/org/apache/xalan/transformer/TransformerImpl.java
+index dd0d4d9..0906d24 100644
+--- a/src/org/apache/xalan/transformer/TransformerImpl.java
++++ b/src/org/apache/xalan/transformer/TransformerImpl.java
+@@ -438,7 +438,9 @@ public class TransformerImpl extends Transformer
+ try
+ {
+ if (sroot.getExtensions() != null)
+- m_extensionsTable = new ExtensionsTable(sroot);
++ //only load extensions if secureProcessing is disabled
++ if(!sroot.isSecureProcessing())
++ m_extensionsTable = new ExtensionsTable(sroot);
+ }
+ catch (javax.xml.transform.TransformerException te)
+ {te.printStackTrace();}
+diff --git a/src/org/apache/xpath/functions/FuncSystemProperty.java b/src/org/apache/xpath/functions/FuncSystemProperty.java
+index 4bea356..78ac980 100644
+--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
++++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
+@@ -58,7 +58,7 @@ public class FuncSystemProperty extends FunctionOneArg
+
+ String fullName = m_arg0.execute(xctxt).str();
+ int indexOfNSSep = fullName.indexOf(':');
+- String result;
++ String result = null;
+ String propName = "";
+
+ // List of properties where the name of the
+@@ -98,14 +98,20 @@ public class FuncSystemProperty extends FunctionOneArg
+
+ try
+ {
+- result = System.getProperty(propName);
+-
+- if (null == result)
+- {
+-
+- // result = System.getenv(propName);
+- return XString.EMPTYSTRING;
+- }
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(propName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ }
++ if (null == result)
++ {
++ return XString.EMPTYSTRING;
++ }
+ }
+ catch (SecurityException se)
+ {
+@@ -120,14 +126,20 @@ public class FuncSystemProperty extends FunctionOneArg
+ {
+ try
+ {
+- result = System.getProperty(fullName);
+-
+- if (null == result)
+- {
+-
+- // result = System.getenv(fullName);
+- return XString.EMPTYSTRING;
+- }
++ //if secure procession is enabled only handle required properties do not not map any valid system property
++ if(!xctxt.isSecureProcessing())
++ {
++ result = System.getProperty(fullName);
++ }
++ else
++ {
++ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
++ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
++ }
++ if (null == result)
++ {
++ return XString.EMPTYSTRING;
++ }
+ }
+ catch (SecurityException se)
+ {
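Review bot: The `System.out.println("stylesheet processor null")` added under `if(handler.getStylesheetProcessor()==null)` in the XSLTElementProcessor hunk is a leftover debug print, and the very next line dereferences `handler.getStylesheetProcessor()` unconditionally, so a null processor writes to stdout and then throws NullPointerException. Drop the print and make the null case explicit and fail-closed: `boolean secure = handler.getStylesheetProcessor() == null || handler.getStylesheetProcessor().isSecureProcessing();` followed by `if (attrDef.getName().compareTo("*") == 0 && secure)`. In the TransformerFactoryImpl hunk only `external-general-entities` is switched off; whether parameter entities also need disabling in secure mode, and whether `reader.setFeature(...)` can throw a SAXNotRecognizedException that the enclosing method (which begins outside the hunk) does not handle, should be confirmed. The two FuncSystemProperty hunks repeat the same comment and branch body verbatim, and the comment reads "secure procession … do not not map"; it should say `// in secure processing mode only the required properties are answered; no system property is read`, and the duplicated branch could be a single private helper. The new nested brace-less `if` around `m_extensionsTable = new ExtensionsTable(sroot);` in TransformerImpl should be braced so the comment between the two `if` lines cannot be misread as the body.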
diff --git a/xalan-j2.spec b/xalan-j2.spec
index 6e0122e..97e1097 100644
--- a/xalan-j2.spec
+++ b/xalan-j2.spec
@@ -32,7 +32,7 @@
Name: xalan-j2
Version: 2.7.1
-Release: 21%{?dist}
+Release: 22%{?dist}
Epoch: 0
Summary: Java XSLT processor
# src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C
@@ -47,6 +47,10 @@ Patch0: %{name}-noxsltcdeps.patch
# Fix the serializer JAR filename in xalan-j2's MANIFEST.MF
# https://bugzilla.redhat.com/show_bug.cgi?id=718738
Patch1: %{name}-serializerJARname.patch
+# Fix CVE-2014-0107: insufficient constraints in secure processing
+# feature (oCERT-2014-002). Generated form upstream revisions 1581058
+# and 1581426.
+Patch2: %{name}-CVE-2014-0107.patch
URL: http://xalan.apache.org/
Group: Development/Libraries
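Review bot: The comment above the new `Patch2:` line reads "Generated form upstream revisions"; it should be `# feature (oCERT-2014-002). Generated from upstream revisions 1581058`. The `-p1` used for `%patch2` in the %prep hunk matches the `a/src/...` and `b/src/...` prefixes in the added patch file, while Patch0 and Patch1 remain at `-p0`, so the differing strip level is intentional and worth a short comment next to `%patch2 -p1`.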
@@ -116,6 +120,7 @@ Demonstrations and samples for %{name}.
%setup -q -n xalan-j_%{cvs_version}
%patch0 -p0
%patch1 -p0
+%patch2 -p1
# Remove all binary libs, except ones needed to build docs and N/A elsewhere.
for j in $(find . -name "*.jar"); do
mv $j $j.no
@@ -244,6 +249,10 @@ update-alternatives --install %{_javadir}/jaxp_transform_impl.jar \
%{_datadir}/%{name}
%changelog
+* Thu Mar 27 2014 Mikolaj Izdebski <mizdebsk at redhat.com> - 0:2.7.1-22
+- Add patch to fix remote code execution vulnerability
+- Resolves: CVE-2014-0107
+
* Mon Aug 19 2013 Mikolaj Izdebski <mizdebsk at redhat.com> - 0:2.7.1-21
- Move depmaps to appropriate packages
- Resolves: rhbz#998594