Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

Felix Natter fnatter at gmx.net
Thu Mar 22 19:52:51 UTC 2018


Markus Koschany <apo at debian.org> writes:

> Package: freeplane
> X-Debbugs-CC: team at security.debian.org
> X-Debbugs-CC: fnatter at gmx.net
> Severity: important
> Tags: security
>
> Hi,

hello Markus,

> the following vulnerability was published for freeplane. Apparently only
> stretch/jessie/wheezy might be affected.

Thank you for paying attention to this, I completely overlooked this!

> @Felix
> Can you tell us more about this vulnerability? There only seems to be a
> reference in freeplane's wiki.

I think it is very well explained here:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

In short: External identities are "includes" for XML documents that can
be specified in DTDs.

Here is the commit that should fix it:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

> https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser
>
> CVE-2018-1000069[0]:
> | FreePlane version 1.5.9 and earlier contains a XML External Entity
> | (XXE) vulnerability in XML Parser in mindmap loader that can result in
> | stealing data from victim's machine. This attack appears to require
> | the victim to open a specially crafted mind map file. This
> | vulnerability appears to have been fixed in 1.6+.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1000069
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069
>
> Please adjust the affected versions in the BTS as needed.

I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
wheezy, jessie and stretch are affected.

Shall I add the patch in git branches from the debian/X tags here?
https://anonscm.debian.org/cgit/pkg-java/freeplane.git
Or did you want to do this, Markus?

I will read more about security updates on the weekend.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!
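To illustrate the class of fix discussed in this thread (an XML loader that refuses DTD-declared external entities), here is an added example; it is not Freeplane's code nor the content of the linked commit. It assumes a standard JAXP SAX setup; the map document and the file path it references are constructed sample input.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedMapParser {
    // Constructed sample: a minimal mind-map-like document whose internal DTD
    // declares an external entity. A parser that resolves it reads a local
    // file and places its contents into the node text.
    static final String UNTRUSTED_MAP =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE map [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<map version=\"1.0.1\"><node TEXT=\"&ext;\"/></map>";

    // Hardened factory: reject any DOCTYPE outright and, as a second layer,
    // leave external general/parameter entities unresolved and disable XInclude.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    // Returns true if the parser accepted the document, false if it rejected it.
    // Any other exception (e.g. an I/O error while expanding the entity with the
    // default parser) is propagated so the caller sees it.
    static boolean parse(SAXParser p, String xml) throws Exception {
        try {
            p.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the DTD is processed and the entity is expanded.
        boolean lenient = parse(SAXParserFactory.newInstance().newSAXParser(), UNTRUSTED_MAP);
        boolean strict = parse(hardenedParser(), UNTRUSTED_MAP);
        System.out.println("default parser accepted: " + lenient);   // true on a typical JDK
        System.out.println("hardened parser accepted: " + strict);   // false: DOCTYPE is disallowed
    }
}
```

A quick regression check for a package update is to feed a document like UNTRUSTED_MAP to the patched loader and confirm it is rejected before the entity is ever resolved.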
