Fix CVE-2020-11988

(cherry picked from commit 1a0e583e01f087e43298b7d9714fcaebd8da43a2)
This commit is contained in:
starlet-dx 2022-04-24 14:26:44 +08:00 committed by openeuler-sync-bot
parent 88d894b8ad
commit e0c4e9227b
2 changed files with 84 additions and 1 deletions

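--- a/CVE-2020-11988.patch
+++ b/CVE-2020-11988.patch
@@ -0,0 +1,77 @@
+From 57393912eb87b994c7fed39ddf30fb778a275183 Mon Sep 17 00:00:00 2001
+From: Simon Steiner <ssteiner@apache.org>
+Date: Tue, 2 Jun 2020 13:18:41 +0000
+Subject: [PATCH] XGC-122: Dont load DTDs in XMP
+git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/commons/trunk@1878394 13f79535-47bb-0310-9956-ffa450edef68
+---
+.../org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++
+.../xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
+2 files changed, 22 insertions(+)
+diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+index 5e7d8b6..e907e89 100644
+--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+@@ -21,6 +21,7 @@
+import java.net.URL;
++import javax.xml.XMLConstants;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerException;
+@@ -54,6 +55,8 @@ public static Metadata parseXMP(URL url) throws TransformerException {
+*/
+public static Metadata parseXMP(Source src) throws TransformerException {
+TransformerFactory tFactory = TransformerFactory.newInstance();
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+Transformer transformer = tFactory.newTransformer();
+XMPHandler handler = createXMPHandler();
+SAXResult res = new SAXResult(handler);
+diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+index 6519de6..3250d08 100644
+--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+@@ -19,16 +19,21 @@
+package org.apache.xmlgraphics.xmp;
++import java.io.StringReader;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.TimeZone;
++import javax.xml.transform.TransformerException;
++import javax.xml.transform.stream.StreamSource;
++
+import org.junit.Test;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
++import static org.junit.Assert.assertTrue;
+import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
+import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
+@@ -189,4 +194,18 @@ public void testParseEmptyValues() throws Exception {
+assertNull(title); //Empty value treated same as not existant
+}
++ @Test
++ public void testExternalDTD() {
++ String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
++ + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n"
++ + "<root></root>";
++ StreamSource streamSource = new StreamSource(new StringReader(payload));
++ String msg = "";
++ try {
++ XMPParser.parseXMP(streamSource);
++ } catch (TransformerException e) {
++ msg = e.getMessage();
++ }
++ assertTrue(msg, msg.contains("access is not allowed"));
++ }
+}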
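Review bot: The two `setAttribute` calls added to `parseXMP` in the XMPParser hunk block fetching of external DTDs and stylesheets, but they leave secure processing off, so with the JDK's built-in factory the entity declarations inside a DOCTYPE are still expanded without the limits that `FEATURE_SECURE_PROCESSING` brings; I would add `tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` beside them so the access restrictions and the expansion limits are both in force. `TransformerFactory.setAttribute` throws `IllegalArgumentException` for an attribute the implementation does not recognise, so if a non-JDK `TransformerFactory` can be selected through the service loader in this build, every parse would fail before any transform runs; a comment such as `// Requires a JAXP 1.5+ factory (the JDK default); other implementations may reject these attributes` would make that assumption explicit. The new test in XMPParserTestCase asserts on the substring `"access is not allowed"`, which is the JDK implementation's error text rather than a documented part of the API, so it deserves a comment noting that the assertion is implementation-specific. `parseXMP`'s body continues past the end of the hunk.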


@ -1,12 +1,15 @@
Name: xmlgraphics-commons Name: xmlgraphics-commons
Version: 2.2 Version: 2.2
Release: 3 Release: 4
Summary: A library that consists of several reusable components Summary: A library that consists of several reusable components
License: ASL 2.0 License: ASL 2.0
URL: http://xmlgraphics.apache.org/ URL: http://xmlgraphics.apache.org/
Source0: http://archive.apache.org/dist/xmlgraphics/commons/source/xmlgraphics-commons-%{version}-src.tar.gz Source0: http://archive.apache.org/dist/xmlgraphics/commons/source/xmlgraphics-commons-%{version}-src.tar.gz
BuildArch: noarch BuildArch: noarch
#https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
Patch0: CVE-2020-11988.patch
BuildRequires: maven-local, mvn(commons-io:commons-io), mvn(commons-logging:commons-logging), mvn(junit:junit) BuildRequires: maven-local, mvn(commons-io:commons-io), mvn(commons-logging:commons-logging), mvn(junit:junit)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin), mvn(org.mockito:mockito-core), mvn(xml-resolver:xml-resolver) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin), mvn(org.mockito:mockito-core), mvn(xml-resolver:xml-resolver)
Provides: %{name}-javadoc%{?_isa} %{name}-javadoc Provides: %{name}-javadoc%{?_isa} %{name}-javadoc
@ -56,5 +59,8 @@ find -name "*.jar" -delete
%{_javadocdir}/%{name}/* %{_javadocdir}/%{name}/*
%changelog %changelog
* Sun Apr 24 2022 yaoxin <yaoxin30@h-partners.com> - 2.2-4
- Fix CVE-2020-11988
* Fri Dec 6 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.2-3 * Fri Dec 6 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.2-3
- Package init - Package init