Debian Bug report logs - #921772 CVE-2018-1000652
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#921772; Package jabref. (Fri, 08 Feb 2019 22:39:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 08 Feb 2019 22:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Package: jabref
Severity: grave
Tags: security
This was assigned CVE-2018-1000652:
https://github.com/JabRef/jabref/issues/4229
https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#921772; Package jabref. (Sat, 09 Feb 2019 00:15:03 GMT)
Acknowledgement sent to gregor herrmann <gregoa@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 09 Feb 2019 00:15:03 GMT)
Message #10 received at 921772@bugs.debian.org:
On Fri, 08 Feb 2019 23:37:20 +0100, Moritz Muehlenhoff wrote:
> This was assigned CVE-2018-1000652:
> https://github.com/JabRef/jabref/issues/4229
> https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e
Thanks Moritz.
I've added a slightly adjusted and trimmed-down version of the
upstream commit to git.
Which fails to build with
/build/jabref-3.8.2+ds/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java:16: error: package org.slf4j does not exist
import org.slf4j.Logger;
^
/build/jabref-3.8.2+ds/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java:17: error: package org.slf4j does not exist
import org.slf4j.LoggerFactory;
^
/build/jabref-3.8.2+ds/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java:29: error: cannot find symbol
private static final Logger LOGGER = LoggerFactory.getLogger(MsBibImporter.class);
^
symbol: class Logger
location: class MsBibImporter
Seems like we either need a new build dependency, or remove the
logging part, or rewrite it … I'd be grateful for help from Java
experts :)
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`- NP: Eagles
Message sent on to Moritz Muehlenhoff <jmm@debian.org>: Bug#921772. (Sat, 09 Feb 2019 00:15:05 GMT)
Message #13 received at 921772-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #921772 in jabref reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/java-team/jabref/commit/3252637a5d4ca4f93591ce9ac8d5a0d8458930e6
------------------------------------------------------------------------
Add patch from upstream commit to fix CVE-2018-1000652: XML External Entity attack.
Closes: #921772
Thanks: Moritz Muehlenhoff for the bug report.
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/921772
Added tag(s) pending. Request was from gregor herrmann <> to 921772-submitter@bugs.debian.org. (Sat, 09 Feb 2019 00:15:05 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 Feb 2019 04:09:02 GMT)
Marked as found in versions jabref/3.8.2+ds-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 Feb 2019 04:09:03 GMT)
Marked as found in versions jabref/3.8.1+ds-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 09 Feb 2019 04:09:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#921772; Package jabref. (Sat, 09 Feb 2019 17:51:09 GMT)
Acknowledgement sent to tony mancill <tmancill@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 09 Feb 2019 17:51:09 GMT)
Message #28 received at 921772@bugs.debian.org:
On Sat, Feb 09, 2019 at 01:11:52AM +0100, gregor herrmann wrote:
> On Fri, 08 Feb 2019 23:37:20 +0100, Moritz Muehlenhoff wrote:
>
> > This was assigned CVE-2018-1000652:
> > https://github.com/JabRef/jabref/issues/4229
> > https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e
<--snip-->
> private static final Logger LOGGER = LoggerFactory.getLogger(MsBibImporter.class);
> ^
> symbol: class Logger
> location: class MsBibImporter
>
>
> Seems like we either need a new build dependency, or remove the
> logging part, or rewrite it … I'd be grateful for help from Java
> experts :)
Hi Gregor,
Thank you for doing this. I guess upstream switched out the logging
implementation in their patch. I'll push an updated patch this weekend.
Cheers,
tony
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#921772; Package jabref. (Sat, 09 Feb 2019 18:30:02 GMT)
Acknowledgement sent to gregor herrmann <gregoa@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 09 Feb 2019 18:30:03 GMT)
Message #33 received at 921772@bugs.debian.org:
On Sat, 09 Feb 2019 09:47:08 -0800, tony mancill wrote:
> > Seems like we either need a new build dependency, or remove the
> > logging part, or rewrite it … I'd be grateful for help from Java
> > experts :)
> Thank you for doing this. I guess upstream switched out the logging
> implementation in their patch. I'll push an updated patch this weekend.
Great, thanks Tony!
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`- NP: Leonard Cohen: I Can't Forget
Reply sent to gregor herrmann <gregoa@debian.org>: You have taken responsibility. (Sat, 09 Feb 2019 20:45:14 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Sat, 09 Feb 2019 20:45:14 GMT)
Message #38 received at 921772-close@bugs.debian.org:
Source: jabref
Source-Version: 3.8.2+ds-12
We believe that the bug you reported is fixed in the latest version of
jabref, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 921772@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated jabref package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 09 Feb 2019 00:54:59 +0100
Source: jabref
Architecture: source
Version: 3.8.2+ds-12
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Closes: 921772
Changes:
jabref (3.8.2+ds-12) unstable; urgency=high
.
* Add patch from upstream commit to fix CVE-2018-1000652: XML External
Entity attack.
Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772)
Checksums-Sha1:
2f6ef783e4cba8ef54d395ec270071a62598b60d 2762 jabref_3.8.2+ds-12.dsc
f04e60130e303c21d419cb4639bc7d063a5a366e 50152 jabref_3.8.2+ds-12.debian.tar.xz
3f38bbb32d22cf84aeae2ae105fc5305b8eac0af 15816 jabref_3.8.2+ds-12_amd64.buildinfo
Checksums-Sha256:
cf4c81f5bf0034222833f555a9dedcb6cabca9eab51f55eb80192c6e39d8d762 2762 jabref_3.8.2+ds-12.dsc
0b69a1ed3f918554aa5147d6bb45c2dca8c19a0154967e041ca396bc17625eb0 50152 jabref_3.8.2+ds-12.debian.tar.xz
7020013fe6700dd6c3f4173003c9a83e5380917f24b080931ee454d55ec60c4b 15816 jabref_3.8.2+ds-12_amd64.buildinfo
Files:
253c5b6ee1d208c7f86a444bf9c4c980 2762 tex optional jabref_3.8.2+ds-12.dsc
91b365a3c979c16801e573f0e41e7862 50152 tex optional jabref_3.8.2+ds-12.debian.tar.xz
be34fe1ed3a5a5d9b3940087cdc329fc 15816 tex optional jabref_3.8.2+ds-12_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=V+op
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#921772; Package jabref. (Fri, 12 Apr 2019 05:21:12 GMT)
Acknowledgement sent to tony mancill <tmancill@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 12 Apr 2019 05:21:12 GMT)
Message #43 received at 921772@bugs.debian.org:
On Fri, Feb 08, 2019 at 11:37:20PM +0100, Moritz Muehlenhoff wrote:
> Package: jabref
> Severity: grave
> Tags: security
>
> This was assigned CVE-2018-1000652:
> https://github.com/JabRef/jabref/issues/4229
> https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e
Hello Moritz,
Attached is a debdiff to address this CVE in stretch. Please let me
know how/whether you'd like to proceed. (I could prepare an upload for
stretch-pu instead if that's preferable.)
I have built the binary and tested locally and everything appears to be
working as expected.
Thanks to Gregor for putting this together.
Cheers,
tony
[jabref_3.8.1+ds-3+deb9u1.dsc.debdiff (text/plain, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#921772; Package jabref. (Fri, 12 Apr 2019 06:45:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 12 Apr 2019 06:45:03 GMT)
Message #48 received at 921772@bugs.debian.org:
Hi Tony,
On Thu, Apr 11, 2019 at 10:20:32PM -0700, tony mancill wrote:
> On Fri, Feb 08, 2019 at 11:37:20PM +0100, Moritz Muehlenhoff wrote:
> > Package: jabref
> > Severity: grave
> > Tags: security
> >
> > This was assigned CVE-2018-1000652:
> > https://github.com/JabRef/jabref/issues/4229
> > https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e
>
> Hello Moritz,
>
> Attached is a debdiff to address this CVE in stretch. Please let me
> know how/whether you'd like to proceed. (I could prepare an upload for
> stretch-pu instead if that's preferable.)
>
>
> I have built the binary and tested locally and everything appears to be
> working as expected.
>
> Thanks to Gregor putting this together.
The issue does not warrant a DSA/an update via security[1]. Can you
fix it through the upcoming point release?
Regards,
Salvatore
[1] https://security-tracker.debian.org/tracker/CVE-2018-1000652
Reply sent to gregor herrmann <gregoa@debian.org>: You have taken responsibility. (Mon, 15 Apr 2019 10:51:11 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Mon, 15 Apr 2019 10:51:12 GMT)
Message #53 received at 921772-close@bugs.debian.org:
Source: jabref
Source-Version: 3.8.1+ds-3+deb9u1
We believe that the bug you reported is fixed in the latest version of
jabref, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 921772@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
gregor herrmann <gregoa@debian.org> (supplier of updated jabref package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 Feb 2019 20:25:26 +0100
Source: jabref
Binary: jabref
Architecture: source
Version: 3.8.1+ds-3+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: gregor herrmann <gregoa@debian.org>
Description:
jabref - graphical frontend to manage BibTeX and BibLaTeX databases
Closes: 921772
Changes:
jabref (3.8.1+ds-3+deb9u1) stretch; urgency=medium
.
[ gregor herrmann & tony mancill ]
* Add patch from upstream commit to fix CVE-2018-1000652: XML External
Entity attack.
Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772)
Checksums-Sha1:
0c99beafca298d3e33cbb2622bdd77a3288f3421 2687 jabref_3.8.1+ds-3+deb9u1.dsc
402c666fdac33f2010480f9b7fa50d0d4b7dae8b 46968 jabref_3.8.1+ds-3+deb9u1.debian.tar.xz
f33d5c897674baccf64937b7ba97c6b238409265 17056 jabref_3.8.1+ds-3+deb9u1_amd64.buildinfo
Checksums-Sha256:
0702d0818d255004c630b03e2ec8e5ae54a0567f450b6ffd12efa08b85c3a7fe 2687 jabref_3.8.1+ds-3+deb9u1.dsc
64fe6dc86b0a3fc935643984f7c7cc21185ab036ac4bdbb5e8023d5385d0230b 46968 jabref_3.8.1+ds-3+deb9u1.debian.tar.xz
4eb5fb999d302e3730f125482046e1ba6bd563acef3f15748f58d6e7608c35df 17056 jabref_3.8.1+ds-3+deb9u1_amd64.buildinfo
Files:
cb7a0f25172d6b787b7e1732532ee5ac 2687 tex optional jabref_3.8.1+ds-3+deb9u1.dsc
a1555d07ddd7a1eab2cadcf8b37d5bbc 46968 tex optional jabref_3.8.1+ds-3+deb9u1.debian.tar.xz
c5bf02ce3d4de71439f732f111cce1b1 17056 tex optional jabref_3.8.1+ds-3+deb9u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAlyziZsUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpa48Q/9GUWzL/AbCc65IyiydFMHLD9dgfjd
66KfAOBsDSgMwyJrylZUWnD9NViD51ggssvh7zaiN9BhKeVP8ESD8f+y2VKFk9+2
FasAAwWA4EcTnLN8LnwiuStbTYZUi4txT0nLFT7GOzJ9E0e7aC6+K/MEwfpk6qn0
7Bliu8zNOcJuNgkJR9ebzYLOdmOfR1Il/NfkfCaN4EMnJeI6YGLIppN0jWAPbpbO
LL3OVaJhnF9eH2YTn0GhRMZBnynz8lL9JkS6YUvF0nNoYg0CBgfyNJakXwyPpLCD
u+O8w+nxY3MyJVfhF50SfuOlyezxC/DbC5S7v3Tg3SHAmxYY8AjVRw3AAXMJGYjM
Zmy6FBvjiHFWy/tBJcEN9g/dbB9bqyHmCqvasYot92dANC6inAT1gmjLzQLM++S/
rNThdb44OQxSw0ZcVwSSqkUf9wjXG2/c6QBMcg4KteGg5jtr01N5iMpM+JKsM0FZ
UGsG6IC5sIgKqnHD/oJjkgNuB9dnZ5bQRs5NHdKLFB6Mj33bgN+6YMWKc+TfYz7H
Ahh8ExC7a2n+iaWMEUzj17GV5P4EcFkM3IXVDu/4pWt43Wc1HTi9V2en/VUNqGa+
idB79OFuy7aiNHuPfzJuupYpoMPY+/ZuzOPIm6hV9jAGEbNggwMvwcIaNnrcpGwU
RMXt9gI9y2KEgM0=
=2+xn
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 14 May 2019 07:28:50 GMT)
Last modified: Wed Jun 19 17:12:51 2019