Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability

Felix Natter fnatter at gmx.net
Sat Mar 24 10:32:12 UTC 2018


Markus Koschany <apo at debian.org> writes:

> On 22.03.2018 at 20:52, Felix Natter wrote:
>> Markus Koschany <apo at debian.org> writes:
>> 
>>> Package: freeplane
>>> X-Debbugs-CC: team at security.debian.org
>>> X-Debbugs-CC: fnatter at gmx.net
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>> 
>> hello Markus,
>> 
>>> the following vulnerability was published for freeplane. Apparently only
>>> stretch/jessie/wheezy might be affected.
>> 
>> Thank you for paying attention to this, I completely overlooked this!
>

Hi Markus,

> Thanks for your reply!
>
>> 
>>> @Felix
>>> Can you tell us more about this vulnerability? There only seems to be a
>>> reference in freeplane's wiki.
>> 
>> I think it is very well explained here:
>> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>> 
>> In short: External identities are "includes" for XML documents that can
>> be specified in DTDs.
>> 
>> Here is the commit that should fix it:
>> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>
> That's what we were looking for.
>
> [...]
>
>
>> I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
>> wheezy, jessie and stretch are affected.
>> 
>> Shall I add the patch in git branches from the debian/X tags here?
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git
>> Or did you want to do this, Markus?
>
> Please prepare updates for Jessie and Stretch if time permits and I will
> upload the fix either as a security update, provided the security team
> agrees, or as a point-update. I will take care of Wheezy myself.

Since I am hiking this weekend, would it be possible to do this as the
first thing on the Easter weekend (next Friday)? I also need to fix the
knopflerfish RC bug (#893221), I will look into that this morning.

BTW: I *think* the patch should apply without major problems (the XML
persistence hasn't changed much). But on the ant build systems (< 1.5)
the sources are in <bundle>/src/** instead of <bundle>/src/main/java/**,
so you can apply there with -p4 or something (and ignore the unmatched part
for freeplane_plugin_script [1]). That part ([1]) can be applied
manually.
I will check out the respective tag (debian/1.3.12-1, debian/1.5.18-1),
create a branch from there ("jessie-security1", "stretch-security1"),
import the patch, create a new changelog entry (will read about that)
and test, ok?

[1] freeplane_plugin_script/src/main/java/org/freeplane/plugin/script/ScriptingRegistration.java

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!
