Backported the fix for CVE-2016-3674 Emmanuel Bourg 8 years ago
3 changed file(s) with 360 addition(s) and 0 deletion(s).
0 libxstream-java (1.4.7-2+deb8u1) jessie-security; urgency=high
1
2 * Security update:
3 - CVE-2016-3674: XML external entity injection vulnerability
4 (Closes: #819455)
5
6 -- Emmanuel Bourg <ebourg@apache.org> Tue, 29 Mar 2016 13:54:56 +0200
7
08 libxstream-java (1.4.7-2) unstable; urgency=medium
19
210 * Depend on libcglib3-java instead of libcglib-java
0 Description: CVE-2016-3674: XML external entity injection vulnerability
1 Origin: backport, https://github.com/x-stream/xstream/commit/c9b121a
2 https://github.com/x-stream/xstream/commit/25c6704
3 https://github.com/x-stream/xstream/commit/87172cf
4 https://github.com/x-stream/xstream/commit/7c77ac0
5 https://github.com/x-stream/xstream/commit/7183131
6 https://github.com/x-stream/xstream/commit/812a0fa
7 https://github.com/x-stream/xstream/commit/6438b65
8 Bug: https://github.com/x-stream/xstream/issues/25
9 Bug-Debian: https://bugs.debian.org/819455
10 --- a/xstream/src/java/com/thoughtworks/xstream/io/xml/BEAStaxDriver.java
11 +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/BEAStaxDriver.java
12 @@ -62,7 +62,9 @@
13 }
14
15 protected XMLInputFactory createInputFactory() {
16 - return new MXParserFactory();
17 + XMLInputFactory instance = new MXParserFactory();
18 + instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
19 + return instance;
20 }
21
22 protected XMLOutputFactory createOutputFactory() {
23 --- a/xstream/src/java/com/thoughtworks/xstream/io/xml/Dom4JDriver.java
24 +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/Dom4JDriver.java
25 @@ -26,6 +26,7 @@
26 import org.dom4j.io.OutputFormat;
27 import org.dom4j.io.SAXReader;
28 import org.dom4j.io.XMLWriter;
29 +import org.xml.sax.SAXException;
30
31 import com.thoughtworks.xstream.io.HierarchicalStreamReader;
32 import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
33 @@ -89,8 +90,7 @@
34
35 public HierarchicalStreamReader createReader(Reader text) {
36 try {
37 - SAXReader reader = new SAXReader();
38 - Document document = reader.read(text);
39 + Document document = createReader().read(text);
40 return new Dom4JReader(document, getNameCoder());
41 } catch (DocumentException e) {
42 throw new StreamException(e);
43 @@ -99,8 +99,7 @@
44
45 public HierarchicalStreamReader createReader(InputStream in) {
46 try {
47 - SAXReader reader = new SAXReader();
48 - Document document = reader.read(in);
49 + Document document = createReader().read(in);
50 return new Dom4JReader(document, getNameCoder());
51 } catch (DocumentException e) {
52 throw new StreamException(e);
53 @@ -112,8 +111,7 @@
54 */
55 public HierarchicalStreamReader createReader(URL in) {
56 try {
57 - SAXReader reader = new SAXReader();
58 - Document document = reader.read(in);
59 + Document document = createReader().read(in);
60 return new Dom4JReader(document, getNameCoder());
61 } catch (DocumentException e) {
62 throw new StreamException(e);
63 @@ -125,8 +123,7 @@
64 */
65 public HierarchicalStreamReader createReader(File in) {
66 try {
67 - SAXReader reader = new SAXReader();
68 - Document document = reader.read(in);
69 + Document document = createReader().read(in);
70 return new Dom4JReader(document, getNameCoder());
71 } catch (DocumentException e) {
72 throw new StreamException(e);
73 @@ -148,4 +145,21 @@
74 final Writer writer = new OutputStreamWriter(out);
75 return createWriter(writer);
76 }
77 +
78 + /**
79 + * Create and initialize the SAX reader.
80 + *
81 + * @return the SAX reader instance.
82 + * @throws DocumentException if DOCTYPE processing cannot be disabled
83 + * @since upcoming
84 + */
85 + protected SAXReader createReader() throws DocumentException {
86 + SAXReader reader = new SAXReader();
87 + try {
88 + reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
89 + } catch (SAXException e) {
90 + throw new DocumentException("Cannot disable DOCTYPE processing", e);
91 + }
92 + return reader;
93 + }
94 }
95 --- a/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java
96 +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java
97 @@ -39,7 +39,7 @@
98 public class DomDriver extends AbstractXmlDriver {
99
100 private final String encoding;
101 - private final DocumentBuilderFactory documentBuilderFactory;
102 + private DocumentBuilderFactory documentBuilderFactory;
103
104 /**
105 * Construct a DomDriver.
106 @@ -61,7 +61,6 @@
107 */
108 public DomDriver(String encoding, NameCoder nameCoder) {
109 super(nameCoder);
110 - documentBuilderFactory = DocumentBuilderFactory.newInstance();
111 this.encoding = encoding;
112 }
113
114 @@ -91,6 +90,13 @@
115
116 private HierarchicalStreamReader createReader(InputSource source) {
117 try {
118 + if (documentBuilderFactory == null) {
119 + synchronized (this) {
120 + if (documentBuilderFactory == null) {
121 + documentBuilderFactory = createDocumentBuilderFactory();
122 + }
123 + }
124 + }
125 DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
126 if (encoding != null) {
127 source.setEncoding(encoding);
128 @@ -121,4 +127,20 @@
129 throw new StreamException(e);
130 }
131 }
132 +
133 + /**
134 + * Create the DocumentBuilderFactory instance.
135 + *
136 + * @return the new instance
137 + * @since upcoming
138 + */
139 + protected DocumentBuilderFactory createDocumentBuilderFactory() {
140 + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
141 + try {
142 + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
143 + } catch (ParserConfigurationException e) {
144 + throw new StreamException(e);
145 + }
146 + return factory;
147 + }
148 }
149 --- a/xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Driver.java
150 +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Driver.java
151 @@ -47,7 +47,7 @@
152
153 public HierarchicalStreamReader createReader(Reader reader) {
154 try {
155 - SAXBuilder builder = new SAXBuilder();
156 + SAXBuilder builder = createBuilder();
157 Document document = builder.build(reader);
158 return new JDom2Reader(document, getNameCoder());
159 } catch (IOException e) {
160 @@ -59,7 +59,7 @@
161
162 public HierarchicalStreamReader createReader(InputStream in) {
163 try {
164 - SAXBuilder builder = new SAXBuilder();
165 + SAXBuilder builder = createBuilder();
166 Document document = builder.build(in);
167 return new JDom2Reader(document, getNameCoder());
168 } catch (IOException e) {
169 @@ -71,7 +71,7 @@
170
171 public HierarchicalStreamReader createReader(URL in) {
172 try {
173 - SAXBuilder builder = new SAXBuilder();
174 + SAXBuilder builder = createBuilder();
175 Document document = builder.build(in);
176 return new JDom2Reader(document, getNameCoder());
177 } catch (IOException e) {
178 @@ -83,7 +83,7 @@
179
180 public HierarchicalStreamReader createReader(File in) {
181 try {
182 - SAXBuilder builder = new SAXBuilder();
183 + SAXBuilder builder = createBuilder();
184 Document document = builder.build(in);
185 return new JDom2Reader(document, getNameCoder());
186 } catch (IOException e) {
187 @@ -100,5 +100,17 @@
188 public HierarchicalStreamWriter createWriter(OutputStream out) {
189 return new PrettyPrintWriter(new OutputStreamWriter(out));
190 }
191 +
192 + /**
193 + * Create and initialize the SAX builder.
194 + *
195 + * @return the SAX builder instance.
196 + * @since upcoming
197 + */
198 + protected SAXBuilder createBuilder() {
199 + SAXBuilder builder = new SAXBuilder();
200 + builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
201 + return builder;
202 + }
203 }
204
205 --- a/xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java
206 +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java
207 @@ -55,7 +55,7 @@
208
209 public HierarchicalStreamReader createReader(Reader reader) {
210 try {
211 - SAXBuilder builder = new SAXBuilder();
212 + SAXBuilder builder = createBuilder();
213 Document document = builder.build(reader);
214 return new JDomReader(document, getNameCoder());
215 } catch (IOException e) {
216 @@ -67,7 +67,7 @@
217
218 public HierarchicalStreamReader createReader(InputStream in) {
219 try {
220 - SAXBuilder builder = new SAXBuilder();
221 + SAXBuilder builder = createBuilder();
222 Document document = builder.build(in);
223 return new JDomReader(document, getNameCoder());
224 } catch (IOException e) {
225 @@ -79,7 +79,7 @@
226
227 public HierarchicalStreamReader createReader(URL in) {
228 try {
229 - SAXBuilder builder = new SAXBuilder();
230 + SAXBuilder builder = createBuilder();
231 Document document = builder.build(in);
232 return new JDomReader(document, getNameCoder());
233 } catch (IOException e) {
234 @@ -91,7 +91,7 @@
235
236 public HierarchicalStreamReader createReader(File in) {
237 try {
238 - SAXBuilder builder = new SAXBuilder();
239 + SAXBuilder builder = createBuilder();
240 Document document = builder.build(in);
241 return new JDomReader(document, getNameCoder());
242 } catch (IOException e) {
243 @@ -109,5 +109,17 @@
244 return new PrettyPrintWriter(new OutputStreamWriter(out));
245 }
246
247 + /**
248 + * Create and initialize the SAX builder.
249 + *
250 + * @return the SAX builder instance.
251 + * @since upcoming
252 + */
253 + protected SAXBuilder createBuilder() {
254 + SAXBuilder builder = new SAXBuilder();
255 + builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
256 + return builder;
257 + }
258 +
259 }
260
261 --- a/xstream/src/java/com/thoughtworks/xstream/io/xml/SjsxpDriver.java
262 +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/SjsxpDriver.java
263 @@ -58,7 +58,9 @@
264 protected XMLInputFactory createInputFactory() {
265 Exception exception = null;
266 try {
267 - return (XMLInputFactory)Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance();
268 + XMLInputFactory instance = (XMLInputFactory)Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance();
269 + instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
270 + return instance;
271 } catch (InstantiationException e) {
272 exception = e;
273 } catch (IllegalAccessException e) {
274 --- a/xstream/src/java/com/thoughtworks/xstream/io/xml/StandardStaxDriver.java
275 +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/StandardStaxDriver.java
276 @@ -75,7 +75,9 @@
277 try {
278 Class staxInputFactory = JVM.getStaxInputFactory();
279 if (staxInputFactory != null) {
280 - return (XMLInputFactory)staxInputFactory.newInstance();
281 + XMLInputFactory instance = (XMLInputFactory)staxInputFactory.newInstance();
282 + instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
283 + return instance;
284 } else {
285 throw new StreamException("Java runtime has no standard XMLInputFactory implementation.", exception);
286 }
287 --- a/xstream/src/java/com/thoughtworks/xstream/io/xml/StaxDriver.java
288 +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/StaxDriver.java
289 @@ -238,7 +238,9 @@
290 * @since 1.4
291 */
292 protected XMLInputFactory createInputFactory() {
293 - return XMLInputFactory.newInstance();
294 + XMLInputFactory instance = XMLInputFactory.newInstance();
295 + instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
296 + return instance;
297 }
298
299 /**
300 --- a/xstream/src/java/com/thoughtworks/xstream/io/xml/WstxDriver.java
301 +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/WstxDriver.java
302 @@ -62,7 +62,9 @@
303 }
304
305 protected XMLInputFactory createInputFactory() {
306 - return new WstxInputFactory();
307 + XMLInputFactory instance = new WstxInputFactory();
308 + instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
309 + return instance;
310 }
311
312 protected XMLOutputFactory createOutputFactory() {
313 --- a/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java
314 +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/XomDriver.java
315 @@ -79,7 +79,7 @@
316
317 public HierarchicalStreamReader createReader(Reader text) {
318 try {
319 - Document document = builder.build(text);
320 + Document document = getBuilder().build(text);
321 return new XomReader(document, getNameCoder());
322 } catch (ValidityException e) {
323 throw new StreamException(e);
324 @@ -92,7 +92,7 @@
325
326 public HierarchicalStreamReader createReader(InputStream in) {
327 try {
328 - Document document = builder.build(in);
329 + Document document = getBuilder().build(in);
330 return new XomReader(document, getNameCoder());
331 } catch (ValidityException e) {
332 throw new StreamException(e);
333 @@ -105,7 +105,7 @@
334
335 public HierarchicalStreamReader createReader(URL in) {
336 try {
337 - Document document = builder.build(in.toExternalForm());
338 + Document document = getBuilder().build(in.toExternalForm());
339 return new XomReader(document, getNameCoder());
340 } catch (ValidityException e) {
341 throw new StreamException(e);
342 @@ -118,7 +118,7 @@
343
344 public HierarchicalStreamReader createReader(File in) {
345 try {
346 - Document document = builder.build(in);
347 + Document document = getBuilder().build(in);
348 return new XomReader(document, getNameCoder());
349 } catch (ValidityException e) {
350 throw new StreamException(e);
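Review bot: The lazily created `documentBuilderFactory` in DomDriver's `createReader(InputSource)` hunk is read outside the `synchronized` block without being declared `volatile`, so this double-checked locking is not safe under the Java memory model and a second thread may observe a partially constructed factory; the field declaration in the first DomDriver hunk should become `private volatile DocumentBuilderFactory documentBuilderFactory;`. In the StAX driver hunks (BEAStaxDriver, SjsxpDriver, StandardStaxDriver, StaxDriver, WstxDriver), clearing `IS_SUPPORTING_EXTERNAL_ENTITIES` stops external entity resolution but still lets the parser process the DTD, so internal entity expansion (entity-expansion DoS) remains reachable; adding `instance.setProperty(XMLInputFactory.SUPPORT_DTD, false);` next to it is the usual hardening, provided no consumer depends on DTDs. The XomDriver hunks only redirect the call sites to `getBuilder()`, whose definition is not part of this patch, so it cannot be seen here whether the XOM path disables DOCTYPE processing or external entities at all; confirm that before treating the XOM driver as covered by this backport.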
0 CVE-2016-3674.patch