Fix CVE-2020-11988
(cherry picked from commit 1a0e583e01f087e43298b7d9714fcaebd8da43a2)
parent
88d894b8ad
commit
e0c4e9227b
77
CVE-2020-11988.patch
Normal file
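--- /dev/null
+++ b/CVE-2020-11988.patch
@@ -0,0 +1,77 @@
+From 57393912eb87b994c7fed39ddf30fb778a275183 Mon Sep 17 00:00:00 2001
+From: Simon Steiner <ssteiner@apache.org>
+Date: Tue, 2 Jun 2020 13:18:41 +0000
+Subject: [PATCH] XGC-122: Dont load DTDs in XMP
+
+git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/commons/trunk@1878394 13f79535-47bb-0310-9956-ffa450edef68
+---
+.../org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++
+.../xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
+2 files changed, 22 insertions(+)
+
+diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+index 5e7d8b6..e907e89 100644
+--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
++++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+@@ -21,6 +21,7 @@
+
+import java.net.URL;
+
++import javax.xml.XMLConstants;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerException;
+@@ -54,6 +55,8 @@ public static Metadata parseXMP(URL url) throws TransformerException {
+*/
+public static Metadata parseXMP(Source src) throws TransformerException {
+TransformerFactory tFactory = TransformerFactory.newInstance();
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+Transformer transformer = tFactory.newTransformer();
+XMPHandler handler = createXMPHandler();
+SAXResult res = new SAXResult(handler);
+diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+index 6519de6..3250d08 100644
+--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
++++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+@@ -19,16 +19,21 @@
+
+package org.apache.xmlgraphics.xmp;
+
++import java.io.StringReader;
+import java.net.URL;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.TimeZone;
+
++import javax.xml.transform.TransformerException;
++import javax.xml.transform.stream.StreamSource;
++
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
++import static org.junit.Assert.assertTrue;
+
+import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
+import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
+@@ -189,4 +194,18 @@ public void testParseEmptyValues() throws Exception {
+assertNull(title); //Empty value treated same as not existant
+}
+
++ @Test
++ public void testExternalDTD() {
++ String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
++ + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n"
++ + "<root></root>";
++ StreamSource streamSource = new StreamSource(new StringReader(payload));
++ String msg = "";
++ try {
++ XMPParser.parseXMP(streamSource);
++ } catch (TransformerException e) {
++ msg = e.getMessage();
++ }
++ assertTrue(msg, msg.contains("access is not allowed"));
++ }
+}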
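Review bot: The two `tFactory.setAttribute(...)` calls the backported patch adds to `parseXMP` in XMPParser.java assume the `TransformerFactory` resolved at runtime understands the JAXP 1.5 `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_STYLESHEET` attributes; a factory that does not (for example a standalone Xalan picked up through the service loader on the packaged classpath) throws `IllegalArgumentException`, which is unchecked and not the `TransformerException` that callers of `parseXMP` handle, so every parse would fail rather than just external access. That is a reasonable fail-closed outcome, but it is worth stating deliberately, e.g. `// JAXP 1.5 access restrictions: a factory that rejects these throws IllegalArgumentException and must not be caught and bypassed`, and optionally pairing them with `tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, which on the JDK factory also restricts external access. The added `testExternalDTD` asserts on the message fragment "access is not allowed", which is JDK-implementation wording and would not detect the unsupported-attribute case above. The body of `parseXMP` continues beyond the hunk.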
@ -1,12 +1,15 @@
|
||||
Name: xmlgraphics-commons
|
||||
Version: 2.2
|
||||
Release: 3
|
||||
Release: 4
|
||||
Summary: A library that consists of several reusable components
|
||||
License: ASL 2.0
|
||||
URL: http://xmlgraphics.apache.org/
|
||||
Source0: http://archive.apache.org/dist/xmlgraphics/commons/source/xmlgraphics-commons-%{version}-src.tar.gz
|
||||
BuildArch: noarch
|
||||
|
||||
#https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
|
||||
Patch0: CVE-2020-11988.patch
|
||||
|
||||
BuildRequires: maven-local, mvn(commons-io:commons-io), mvn(commons-logging:commons-logging), mvn(junit:junit)
|
||||
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin), mvn(org.mockito:mockito-core), mvn(xml-resolver:xml-resolver)
|
||||
Provides: %{name}-javadoc%{?_isa} %{name}-javadoc
|
||||
@ -56,5 +59,8 @@ find -name "*.jar" -delete
|
||||
%{_javadocdir}/%{name}/*
|
||||
|
||||
%changelog
|
||||
* Sun Apr 24 2022 yaoxin <yaoxin30@h-partners.com> - 2.2-4
|
||||
- Fix CVE-2020-11988
|
||||
|
||||
* Fri Dec 6 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.2-3
|
||||
- Package init
|
||||
|
||||
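Review bot: `Patch0: CVE-2020-11988.patch` is declared in the first hunk, but the diff shows no change to `%prep`; if `%prep` uses plain `%setup` rather than `%autosetup`, the patch is listed but never applied and the rebuilt package still ships the vulnerable `XMPParser`. The `%prep` section is outside this diff, so this may already be covered; it is worth confirming that it carries `%autosetup -p1` or an explicit `%patch0 -p1`. The `Release: 4` bump and the `2.2-4` changelog entry are consistent with each other.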