[resteasy] 01/03: Fix CVE-2014-7839: External entities expanded by DocumentProvider (Closes: #770544)

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Mon Nov 24 22:37:54 GMT 2014


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch master
in repository resteasy.

commit b8d00cbeb708b62b733afdd45fa4cfa52e10d6b3
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Mon Nov 24 23:35:13 2014 +0100

    Fix CVE-2014-7839: External entities expanded by DocumentProvider (Closes: #770544)
---
 debian/changelog                  |  8 ++++++++
 debian/patches/CVE-2014-7839.diff | 18 ++++++++++++++++++
 debian/patches/series             |  1 +
 3 files changed, 27 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index db71c2b..cb9c7b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+resteasy (3.0.6-2) UNRELEASED; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2014-7839: External entities expanded by DocumentProvider
+    (Closes: #770544)
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Mon, 24 Nov 2014 23:10:47 +0100
+
 resteasy (3.0.6-1) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/patches/CVE-2014-7839.diff b/debian/patches/CVE-2014-7839.diff
new file mode 100644
index 0000000..9642634
--- /dev/null
+++ b/debian/patches/CVE-2014-7839.diff
@@ -0,0 +1,18 @@
+Description: Fix CVE-2014-7839: External entities expanded by DocumentProvider
+Origin: backport, https://github.com/ronsigal/Resteasy/commit/8b5d8cf
+                  https://github.com/ronsigal/Resteasy/commit/dfd2264
+Bug: https://issues.jboss.org/browse/RESTEASY-1130
+Bug-Debian: https://bugs.debian.org/770544
+--- a/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java
++++ b/jaxrs/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java
+@@ -71,6 +71,10 @@
+       try
+       {
+          documentBuilder.setExpandEntityReferences(expandEntityReferences);
++         documentBuilder.setFeature("http://xml.org/sax/features/external-general-entities", expandEntityReferences);
++         documentBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", expandEntityReferences);
++         documentBuilder.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
++         documentBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+          return documentBuilder.newDocumentBuilder().parse(input);
+       }
+       catch (Exception e)
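Review bot: the unconditional `disallow-doctype-decl` line makes the two `setFeature` calls tied to `expandEntityReferences` redundant, because a document that may not carry a DOCTYPE cannot declare external general or parameter entities in the first place; the net effect is that `DocumentProvider` now rejects any input with a DOCTYPE even when a caller asked for entity expansion, which is the right default against XXE but is a behaviour change that the patch Description or the changelog entry should state explicitly. Second point: `DocumentBuilderFactory.setFeature` throws `ParserConfigurationException` when the underlying parser does not recognise a feature name, and these four calls sit inside the same `try` block as the `parse` call, whose `catch (Exception e)` handler is outside the hunk; confirm that the handler fails closed rather than falling back to parsing with default settings, otherwise a parser that lacks one of these features would silently skip the hardening.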
diff --git a/debian/patches/series b/debian/patches/series
index 194197c..6e15de3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 revert-to-jsr250-api.diff
+CVE-2014-7839.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/resteasy.git