freeplane: CVE-2018-1000069 XXE vulnerability


Debian Bug report logs - #893663
freeplane: CVE-2018-1000069 XXE vulnerability


Reported by: Markus Koschany <apo@debian.org>

Date: Tue, 20 Mar 2018 23:24:02 UTC

Severity: important

Tags: security

Found in versions freeplane/1.3.12-1, freeplane/1.5.18-1

Fixed in versions freeplane/1.6.6-1, freeplane/1.5.18-1+deb9u1, freeplane/1.3.12-1+deb8u1

Done: Felix Natter <fnatter@gmx.net>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, fnatter@gmx.net, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Tue, 20 Mar 2018 23:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to fnatter@gmx.net, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 20 Mar 2018 23:24:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: submit@bugs.debian.org
Subject: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Wed, 21 Mar 2018 00:20:15 +0100
[Message part 1 (text/plain, inline)]
Package: freeplane
X-Debbugs-CC: team@security.debian.org
X-Debbugs-CC: fnatter@gmx.net
Severity: important
Tags: security

Hi,

the following vulnerability was published for freeplane. Apparently only
stretch/jessie/wheezy might be affected.

@Felix
Can you tell us more about this vulnerability? There only seems to be a
reference in freeplane's wiki.

https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser

CVE-2018-1000069[0]:
| FreePlane version 1.5.9 and earlier contains a XML External Entity
| (XXE) vulnerability in XML Parser in mindmap loader that can result in
| stealing data from victim's machine. This attack appears to require
| the victim to open a specially crafted mind map file. This
| vulnerability appears to have been fixed in 1.6+.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1000069
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069

Please adjust the affected versions in the BTS as needed.

[signature.asc (application/pgp-signature, attachment)]

Marked as fixed in versions freeplane/1.6.6-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 21 Mar 2018 06:06:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Wed, 21 Mar 2018 06:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 21 Mar 2018 06:12:03 GMT) (full text, mbox, link).


Message #12 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>, 893663@bugs.debian.org
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Wed, 21 Mar 2018 07:09:53 +0100
For reference: the issue is linked from the security advisory page at
https://www.freeplane.org/wiki/index.php/Fixed_security_vulnerabilities
Although there is unfortunately no reference to the fixing commit
(which would have been good for downstreams to help), we know the
versions fixed are 1.5.20 and 1.6.1_17.

That might help identifying the required fix.

HTH,

Regards,
Salvatore



Marked as found in versions freeplane/1.5.18-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 21 Mar 2018 06:15:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Wed, 21 Mar 2018 10:48:16 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 21 Mar 2018 10:48:16 GMT) (full text, mbox, link).


Message #19 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 893663@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Wed, 21 Mar 2018 11:33:43 +0100
Looking at the release-1.5.20 tag:

Security fix related to scripts and formulas
Security fix related to loading of mind map files
Change short cuts for MacOS to avoid collisions

The fix might be:

https://github.com/freeplane/freeplane/commit/a5dce7f9f4d29675fb256053aee3858bf8d76001

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Thu, 22 Mar 2018 19:57:03 GMT) (full text, mbox, link).


Acknowledgement sent to Felix Natter <fnatter@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Mar 2018 19:57:03 GMT) (full text, mbox, link).


Message #24 received at submit@bugs.debian.org (full text, mbox, reply):

From: Felix Natter <fnatter@gmx.net>
To: Markus Koschany <apo@debian.org>
Cc: submit@bugs.debian.org, 893663@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Thu, 22 Mar 2018 20:52:51 +0100
Markus Koschany <apo@debian.org> writes:

> Package: freeplane
> X-Debbugs-CC: team@security.debian.org
> X-Debbugs-CC: fnatter@gmx.net
> Severity: important
> Tags: security
>
> Hi,

hello Markus,

> the following vulnerability was published for freeplane. Apparently only
> stretch/jessie/wheezy might be affected.

Thank you for paying attention to this, I completely overlooked this!

> @Felix
> Can you tell us more about this vulnerability? There only seems to be a
> reference in freeplane's wiki.

I think it is very well explained here:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

In short: External identities are "includes" for XML documents that can
be specified in DTDs.

Here is the commit that should fix it:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

> https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser
>
> CVE-2018-1000069[0]:
> | FreePlane version 1.5.9 and earlier contains a XML External Entity
> | (XXE) vulnerability in XML Parser in mindmap loader that can result in
> | stealing data from victim's machine. This attack appears to require
> | the victim to open a specially crafted mind map file. This
> | vulnerability appears to have been fixed in 1.6+.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-1000069
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000069
>
> Please adjust the affected versions in the BTS as needed.

I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
wheezy, jessie and stretch are affected.

Shall I add the patch in git branches from the debian/X tags here?
https://anonscm.debian.org/cgit/pkg-java/freeplane.git
Or did you want to do this, Markus?

I will read more about security updates on the weekend.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!
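Felix's pointer to the OWASP page and his one-line summary cover the concept; as an added illustration that is not part of this bug report and not Freeplane's own code, here is how a Java DOM loader for a map file is configured so that DTDs and external entities are refused outright. The class name, the two sample documents and the placeholder file path in the entity declaration are constructed for this example; the upstream fix commit referenced in the thread is not reproduced here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedMapLoader {

    // Constructed sample: a harmless mind-map-like document.
    static final String BENIGN_MAP =
        "<map version=\"1.0\"><node TEXT=\"root\"/></map>";

    // Constructed sample: same shape, but carrying a DOCTYPE that declares an
    // external entity. The path is a placeholder; the hardened parser must
    // reject the document before any resolution is attempted.
    static final String MAP_WITH_DOCTYPE =
        "<!DOCTYPE map [<!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">]>"
        + "<map version=\"1.0\"><node TEXT=\"&ext;\"/></map>";

    // A DocumentBuilder that refuses DOCTYPE declarations and, as a second
    // line of defence, disables external entity and DTD loading.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // A mind map never legitimately needs an inline or external DTD.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case an implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse an in-memory document with the given builder.
    static Document load(DocumentBuilder b, String xml) throws Exception {
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = hardenedBuilder();

        Document ok = load(b, BENIGN_MAP);
        System.out.println("benign map root element: " + ok.getDocumentElement().getTagName());

        try {
            load(b, MAP_WITH_DOCTYPE);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // Raised at the DOCTYPE, before the entity's SYSTEM identifier is touched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Compile with `javac HardenedMapLoader.java` and run the class: the benign map loads, while the document carrying a DOCTYPE is rejected with a SAXParseException before the parser looks at the entity's target. Refusing the DOCTYPE outright is the simplest posture for a format that never needs one; the remaining feature flags only matter if a parser implementation does not honour the first.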



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Thu, 22 Mar 2018 19:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Felix Natter <fnatter@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Mar 2018 19:57:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Thu, 22 Mar 2018 22:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 22 Mar 2018 22:42:03 GMT) (full text, mbox, link).


Message #34 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Felix Natter <fnatter@gmx.net>
Cc: 893663@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Thu, 22 Mar 2018 23:39:06 +0100
[Message part 1 (text/plain, inline)]
Am 22.03.2018 um 20:52 schrieb Felix Natter:
> Markus Koschany <apo@debian.org> writes:
> 
>> Package: freeplane
>> X-Debbugs-CC: team@security.debian.org
>> X-Debbugs-CC: fnatter@gmx.net
>> Severity: important
>> Tags: security
>>
>> Hi,
> 
> hello Markus,
> 
>> the following vulnerability was published for freeplane. Apparently only
>> stretch/jessie/wheezy might be affected.
> 
> Thank you for paying attention to this, I completely overlooked this!


Thanks for your reply!

> 
>> @Felix
>> Can you tell us more about this vulnerability? There only seems to be a
>> reference in freeplane's wiki.
> 
> I think it is very well explained here:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
> 
> In short: External identities are "includes" for XML documents that can
> be specified in DTDs.
> 
> Here is the commit that should fix it:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f

That's what we were looking for.

[...]


> I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
> wheezy, jessie and stretch are affected.
> 
> Shall I add the patch in git branches from the debian/X tags here?
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git
> Or did you want to do this, Markus?

Please prepare updates for Jessie and Stretch if time permits and I will
upload the fix either as a security update, provided the security team
agrees, or as a point-update. I will take care of Wheezy myself.

> 
> I will read more about security updates on the weekend.
> 
> Cheers and Best Regards,

Cheers,

Markus

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Sat, 24 Mar 2018 10:36:02 GMT) (full text, mbox, link).


Acknowledgement sent to Felix Natter <fnatter@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 24 Mar 2018 10:36:02 GMT) (full text, mbox, link).


Message #39 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Felix Natter <fnatter@gmx.net>
To: Markus Koschany <apo@debian.org>
Cc: 893663@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Sat, 24 Mar 2018 11:32:12 +0100
Markus Koschany <apo@debian.org> writes:

> Am 22.03.2018 um 20:52 schrieb Felix Natter:
>> Markus Koschany <apo@debian.org> writes:
>> 
>>> Package: freeplane
>>> X-Debbugs-CC: team@security.debian.org
>>> X-Debbugs-CC: fnatter@gmx.net
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>> 
>> hello Markus,
>> 
>>> the following vulnerability was published for freeplane. Apparently only
>>> stretch/jessie/wheezy might be affected.
>> 
>> Thank you for paying attention to this, I completely overlooked this!
>

Hi Markus,

> Thanks for your reply!
>
>> 
>>> @Felix
>>> Can you tell us more about this vulnerability? There only seems to be a
>>> reference in freeplane's wiki.
>> 
>> I think it is very well explained here:
>> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
>> 
>> In short: External identities are "includes" for XML documents that can
>> be specified in DTDs.
>> 
>> Here is the commit that should fix it:
>> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>
> That's what we were looking for.
>
> [...]
>
>
>> I can confirm that the fix is in 1.5.20 and 1.6.1, so it's true that
>> wheezy, jessie and stretch are affected.
>> 
>> Shall I add the patch in git branches from the debian/X tags here?
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git
>> Or did you want to do this, Markus?
>
> Please prepare updates for Jessie and Stretch if time permits and I will
> upload the fix either as a security update, provided the security team
> agrees, or as a point-update. I will take care of Wheezy myself.

Since I am hiking this weekend, would it be possible to do this as the
first thing on the Easter weekend (next Friday)? I also need to fix the
knopflerfish RC bug (#893221), I will look into that this morning.

BTW: I *think* the patch should apply without major problems (the XML
persistence hasn't changed much). But on the ant build systems (< 1.5)
the sources are in <bundle>/src/** instead of <bundle>/src/main/java/**,
so you can apply there with -p4 or something (and ignore the unmatched part
for freeplane_plugin_script [1]). That part ([1]) can be applied
manually.
I will checkout the respective tag (debian/1.3.12-1, debian/1.5.18-1),
create a branch from there ("jessie-security1", "stretch-security1"),
import the patch, create a new changelog entry (will read about that)
and test, ok?

[1] freeplane_plugin_script/src/main/java/org/freeplane/plugin/script/ScriptingRegistration.java

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Sat, 24 Mar 2018 13:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 24 Mar 2018 13:15:03 GMT) (full text, mbox, link).


Message #44 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Felix Natter <fnatter@gmx.net>
Cc: 893663@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Sat, 24 Mar 2018 14:12:15 +0100
[Message part 1 (text/plain, inline)]
Am 24.03.2018 um 11:32 schrieb Felix Natter:
[...]

> Since I am hiking this weekend, would it be possible to do this as the
> first thing on the Easter weekend (next Friday)? I also need to fix the
> knopflerfish RC bug (#893221), I will look into that this morning.
> 
> BTW: I *think* the patch should apply without major problems (the XML
> persistence hasn't changed much). But on the ant build systems (< 1.5)
> the sources are in <bundle>/src/** instead of <bundle>/src/main/java/**,
> so you can apply there with -p4 or something (and ignore the unmatched part
> for freeplane_plugin_script [1]). That part ([1]) can be applied
> manually.
> I will checkout the respective tag (debian/1.3.12-1, debian/1.5.18-1),
> create a branch from there ("jessie-security1", "stretch-security1"),
> import the patch, create a new changelog entry (will read about that)
> and test, ok?
> 
> [1] freeplane_plugin_script/src/main/java/org/freeplane/plugin/script/ScriptingRegistration.java
> 
> Cheers and Best Regards,

That's absolutely fine with me. Have a nice weekend!

Cheers,

Markus

[signature.asc (application/pgp-signature, attachment)]

Marked as found in versions freeplane/1.3.12-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 24 Mar 2018 19:33:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Sun, 01 Apr 2018 14:27:02 GMT) (full text, mbox, link).


Acknowledgement sent to Felix Natter <fnatter@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Apr 2018 14:27:02 GMT) (full text, mbox, link).


Message #51 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Felix Natter <fnatter@gmx.net>
To: Markus Koschany <apo@debian.org>
Cc: 893663@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Sun, 01 Apr 2018 16:23:14 +0200
hello Markus,

I have prepared the patched 1.5.18-1+deb9u1 for stretch.
I hope I got the version number right? The changelog entry is probably
not correct either. Can you advise what to read?

I briefly tested saving+loading mindmaps.

Here it is:
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
(branch stretch-CVE-2018-1000069 in the freeplane alioth repo).

I am in the process of setting up a vbox instance for jessie to address
the other update.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Sun, 01 Apr 2018 15:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Apr 2018 15:21:02 GMT) (full text, mbox, link).


Message #56 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Felix Natter <fnatter@gmx.net>
Cc: 893663@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Sun, 1 Apr 2018 17:17:48 +0200
[Message part 1 (text/plain, inline)]
Hi Felix,

Am 01.04.2018 um 16:23 schrieb Felix Natter:
> hello Markus,
> 
> I have prepared the patched 1.5.18-1+deb9u1 for stretch
> I hope I got the version number right? The changelog entry is probably
> not correct either. Can you advise what to read?
> 
> I briefly tested saving+loading mindmaps.
> 
> Here it is:
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
> (branch stretch-CVE-2018-1000069 in the freeplane alioth repo).
> 
> I am in the process of setting up a vbox instance for jessie to address
> the other update.
> 
> Cheers and Best Regards,

The version is correct. I would write in your changelog:

Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
affected by an XML External Entity (XXE) vulnerability in its mindmap
loader that could compromise a user's machine by opening a specially
crafted mind map file. (Closes: #893663)

Distribution should be stretch-security though and the urgency is high.
Similar for Jessie: jessie-security, and the version is 1.3.12-1+deb8u1.


Cheers,

Markus

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Sun, 01 Apr 2018 16:00:03 GMT) (full text, mbox, link).


Acknowledgement sent to Felix Natter <fnatter@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Apr 2018 16:00:03 GMT) (full text, mbox, link).


Message #61 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Felix Natter <fnatter@gmx.net>
To: Markus Koschany <apo@debian.org>
Cc: 893663@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Sun, 01 Apr 2018 17:57:55 +0200
Markus Koschany <apo@debian.org> writes:

> Hi Felix,

hello Markus,

> Am 01.04.2018 um 16:23 schrieb Felix Natter:
>> hello Markus,
>> 
>> I have prepared the patched 1.5.18-1+deb9u1 for stretch
>> I hope I got the version number right? The changelog entry is probably
>> not correct either. Can you advise what to read?
>> 
>> I briefly tested saving+loading mindmaps.
>> 
>> Here it is:
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
>> (branch stretch-CVE-2018-1000069 in the freeplane alioth repo).
>> 
>> I am in the process of setting up a vbox instance for jessie to address
>> the other update.
>> 
>> Cheers and Best Regards,
>
> The version is correct. I would write in your changelog:
>
> Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
> affected by an XML External Entity (XXE) vulnerability in its mindmap
> loader that could compromise a user's machine by opening a specially
> crafted mind map file. (Closes: #893663)

Thanks, done.
BTW: Is it ok to close the bug with the stretch-security upload even if
the jessie-security upload is still pending?

What is there to do next?

> Distribution should be stretch-security though and the urgency is high.
> Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1

I will do this soon, hopefully tomorrow.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Sun, 01 Apr 2018 16:06:02 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sun, 01 Apr 2018 16:06:02 GMT) (full text, mbox, link).


Message #66 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Felix Natter <fnatter@gmx.net>
Cc: 893663@bugs.debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Sun, 1 Apr 2018 18:04:27 +0200
[Message part 1 (text/plain, inline)]
Am 01.04.2018 um 17:57 schrieb Felix Natter:
[...]
> Thanks, done.
> BTW: Is it ok to close the bug with the stretch-security upload even if
> the jessie-security upload is still pending?

Yes, that's ok. You can close the bug with both uploads.

> What is there to do next?

As soon as the security team has approved the changes, I can upload your
packages to security-master.

>> Distribution should be stretch-security though and the urgency is high.
>> Similar for Jessie, jessie-security and the version is 1.3.12-1+deb8u1
> 
> I will do this soon, hopefully tomorrow.
> 
> Cheers and Best Regards,

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Tue, 03 Apr 2018 08:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 03 Apr 2018 08:39:05 GMT) (full text, mbox, link).


Message #71 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Felix Natter <fnatter@gmx.net>
Cc: Markus Koschany <apo@debian.org>, 893663@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Tue, 3 Apr 2018 10:36:26 +0200
[Message part 1 (text/plain, inline)]
Hi Felix,

On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote:
> 
> 
> Am 01.04.2018 um 17:57 schrieb Felix Natter:
> [...]
> > Thanks, done.
> > BTW: Is it ok to close the bug with the stretch-security upload even if
> > the jessie-security upload is still pending?
> 
> Yes, that's ok. You can close the bug with both uploads.
> 
> > What is there to do next?
> 
> As soon as the security team has approved the changes, I can upload your
> packages to security-master.

Thanks for working on it, the issue is severe enough that it warrants
a DSA. Could you send the security team alias
(team@security.debian.org) debdiffs resulting from the build and
tested packages for a short review + ack?

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Tue, 03 Apr 2018 19:27:02 GMT) (full text, mbox, link).


Acknowledgement sent to Felix Natter <fnatter@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 03 Apr 2018 19:27:02 GMT) (full text, mbox, link).


Message #76 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Felix Natter <fnatter@gmx.net>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: Markus Koschany <apo@debian.org>, 893663@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Tue, 03 Apr 2018 21:24:53 +0200
[Message part 1 (text/plain, inline)]
Salvatore Bonaccorso <carnil@debian.org> writes:

> Hi Felix,

hello Salvatore,

> On Sun, Apr 01, 2018 at 06:04:27PM +0200, Markus Koschany wrote:
>> 
>> 
>> Am 01.04.2018 um 17:57 schrieb Felix Natter:
>> [...]
>> > Thanks, done.
>> > BTW: Is it ok to close the bug with the stretch-security upload even if
>> > the jessie-security upload is still pending?
>> 
>> Yes, that's ok. You can close the bug with both uploads.
>> 
>> > What is there to do next?
>> 
>> As soon as the security team has approved the changes, I can upload your
>> packages to security-master.
>
> Thanks for working on it, the issue is severe enough that it warrants
> a DSA. Could you send the security team alias
> (team@security.debian.org) debdiffs resulting from the build and
> tested packages for a short review + ack?

The stretch update is here (branch stretch-CVE-2018-1000069):
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069&showmsg=1

This is tested:
- activation log message is seen
- Save and Load XML works

In what format would you like the "tested packages"? *.deb?

Here is the upstream commit:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

The debdiff (for stretch-security) is attached.

I am still working on the jessie update, this could take until Saturday
(sorry for the delay).

Best Regards,
-- 
Felix Natter
debian/rules!
[stretch-CVE-2018-100006.debdiff (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Fri, 06 Apr 2018 19:45:03 GMT) (full text, mbox, link).


Acknowledgement sent to Felix Natter <fnatter@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 06 Apr 2018 19:45:03 GMT) (full text, mbox, link).


Message #81 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Felix Natter <fnatter@gmx.net>
To: 893663@bugs.debian.org, team@security.debian.org
Cc: Markus Koschany <apo@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
Subject: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Fri, 06 Apr 2018 21:40:40 +0200
[Message part 1 (text/plain, inline)]
hello Security Team,

here are the CVE-2018-1000069 security updates for jessie and stretch:

[jessie]
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-1000069
(jessie-CVE-2018-1000069 branch)

[stretch]
https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
(stretch-CVE-2018-1000069 branch)

Both are tested:
- builds
- activation log message is seen
- Save and Load XML works

In what format would you like the "tested packages"? *.deb?

Here is the corresponding upstream commit:
https://github.com/freeplane/freeplane/commit/a5dce7f9f

The debdiffs are attached.

@Markus: Did you already submit the update for wheezy?

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!
[jessie-CVE-2018-1000069.debdiff (application/octet-stream, attachment)]
[stretch-CVE-2018-100006.debdiff (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Sat, 07 Apr 2018 05:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 07 Apr 2018 05:06:03 GMT) (full text, mbox, link).


Message #86 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Felix Natter <fnatter@gmx.net>, 893663@bugs.debian.org
Cc: team@security.debian.org, Markus Koschany <apo@debian.org>
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Sat, 7 Apr 2018 07:03:48 +0200
Hi Felix,

On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
> 
> here are the CVE-2018-1000069 security updates for jessie and stretch:
> 
> [jessie]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-1000069
> (jessie-CVE-2018-1000069 branch)
> 
> [stretch]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
> (stretch-CVE-2018-1000069 branch)
> 
> Both are tested:
> - builds
> - activation log message is seen
> - Save and Load XML works
> 
> In what format would you like the "tested packages"? *.deb?
> 
> Here is the corresponding upstream commit:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f
> 
> The debdiffs are attached.

Thanks, I will try to review and ack those over this weekend. Thanks a
lot to you both for your work.

Regarding the question:

> In what format would you like the "tested packages"? *.deb?

That's not needed. We just have the requirement that the debdiff
should be the resulting one from the packages in the archive against
the built and tested packages, the latter for the obvious reason that we
want some assurance the packages have been tested to work.

The debdiff requirement (rather than only VCS commits) is to avoid
surprises on the actual result which will be uploaded to the archive
rather than just a series of commit in the packaging repos to be
reviewed.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Mon, 09 Apr 2018 08:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 09 Apr 2018 08:03:03 GMT) (full text, mbox, link).


Message #91 received at 893663@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Felix Natter <fnatter@gmx.net>
Cc: 893663@bugs.debian.org, team@security.debian.org, Markus Koschany <apo@debian.org>
Subject: Re: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Mon, 9 Apr 2018 09:58:40 +0200
Hi Felix,

Sorry for the delay in getting back to you.

On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
> hello Security Team,
> 
> here are the CVE-2018-1000069 security updates for jessie and stretch:
> 
> [jessie]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-1000069
> (jessie-CVE-2018-1000069 branch)
> 
> [stretch]
> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
> (stretch-CVE-2018-1000069 branch)
> 
> Both are tested:
> - builds
> - activation log message is seen
> - Save and Load XML works
> 
> In what format would you like the "tested packages"? *.deb?
> 
> Here is the corresponding upstream commit:
> https://github.com/freeplane/freeplane/commit/a5dce7f9f
> 
> The debdiffs are attached.

Debdiffs look good to me. I just have a question, for the
jessie-debdiff: In ScriptingRegistration.java, was the removal of
the import of org.freeplane.n3.nanoxml.XMLParserFactory not done on
purpose?

Other than that, once the above question is commented on, feel free to upload
to security-master (AFAICS you will need a sponsor, but I guess Markus
will chime in here as well). Remember that both need to be built with
-sa.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Tue, 10 Apr 2018 18:36:03 GMT)


Acknowledgement sent to Felix Natter <fnatter@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 10 Apr 2018 18:36:03 GMT)


Message #96 received at 893663@bugs.debian.org:

From: Felix Natter <fnatter@gmx.net>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 893663@bugs.debian.org, team@security.debian.org, Markus Koschany <apo@debian.org>
Subject: Re: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Tue, 10 Apr 2018 20:33:22 +0200
Salvatore Bonaccorso <carnil@debian.org> writes:

> Hi Felix,

hello Salvatore,

> Sorry for the delay in getting back to you.
>
> On Fri, Apr 06, 2018 at 09:40:40PM +0200, Felix Natter wrote:
>> hello Security Team,
>> 
>> here are the CVE-2018-1000069 security updates for jessie and stretch:
>> 
>> [jessie]
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=jessie-CVE-2018-1000069
>> (jessie-CVE-2018-1000069 branch)
>> 
>> [stretch]
>> https://anonscm.debian.org/cgit/pkg-java/freeplane.git/log/?h=stretch-CVE-2018-1000069
>> (stretch-CVE-2018-1000069 branch)
>> 
>> Both are tested:
>> - builds
>> - activation log message is seen
>> - Save and Load XML works
>> 
>> In what format would you like the "tested packages"? *.deb?
>> 
>> Here is the corresponding upstream commit:
>> https://github.com/freeplane/freeplane/commit/a5dce7f9f
>> 
>> The debdiffs are attached.
>
> Debdiffs look good to me. I just have a question, for the
> jessie-debdiff: In ScriptingRegistration.java, was the removal of
> the import of org.freeplane.n3.nanoxml.XMLParserFactory not done on
> purpose?

Yes and no. On jessie the patch did not cleanly apply, so I would have
had to apply that change manually. Since removing the import has no
effect on the semantics of the program (as long as it still compiles), I
was too lazy. It should be ok.

> Other than that, once the above question is commented on, feel free to upload
> to security-master (AFAICS you will need a sponsor, but I guess Markus
> will chime in here as well). Remember that both need to be built with
> -sa.

May I ask why the full source must be included?

@Markus: Would you be so kind to take care of uploading?

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Wed, 11 Apr 2018 09:51:06 GMT)


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 11 Apr 2018 09:51:06 GMT)


Message #101 received at 893663@bugs.debian.org:

From: Sébastien Delafond <seb@debian.org>
To: Felix Natter <fnatter@gmx.net>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 893663@bugs.debian.org, team@security.debian.org, Markus Koschany <apo@debian.org>
Subject: Re: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Wed, 11 Apr 2018 11:47:15 +0200
On Apr/10, Felix Natter wrote:
> Yes and no. On jessie the patch did not cleanly apply, so I would have
> had to apply that change manually. Since removing the import has no
> effect on the semantics of the program (as long as it still compiles),
> I was too lazy. It should be ok.

Let's leave it then.

For further contributions, however, please make sure you cleanly
retrofit any patch that doesn't apply as-is: this will reduce the
overhead and questions when reviewing on our side.

> May I ask why the full source must be included?

Because they will be new on security-master.

Cheers,

--Seb



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Wed, 11 Apr 2018 10:33:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 11 Apr 2018 10:33:03 GMT)


Message #106 received at 893663@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Felix Natter <fnatter@gmx.net>
Cc: 893663@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#893663: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Wed, 11 Apr 2018 12:29:49 +0200
[Message part 1 (text/plain, inline)]
Hello,

I am currently in the process to upload freeplane to security master.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#893663; Package freeplane. (Sat, 14 Apr 2018 07:51:03 GMT)


Acknowledgement sent to Felix Natter <fnatter@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 14 Apr 2018 07:51:03 GMT)


Message #111 received at 893663@bugs.debian.org:

From: Felix Natter <fnatter@gmx.net>
To: Sébastien Delafond <seb@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 893663@bugs.debian.org, team@security.debian.org, Markus Koschany <apo@debian.org>
Subject: Re: freeplane: CVE-2018-1000069 XXE vulnerability
Date: Sat, 14 Apr 2018 09:46:49 +0200
Sébastien Delafond <seb@debian.org> writes:

> On Apr/10, Felix Natter wrote:
>> Yes and no. On jessie the patch did not cleanly apply, so I would have
>> had to apply that change manually. Since removing the import has no
>> effect on the semantics of the program (as long as it still compiles),
>> I was too lazy. It should be ok.
>
> Let's leave it then.
>
> For further contributions, however, please make sure you cleanly
> retrofit any patch that doesn't apply as-is: this will reduce the
> overhead and questions when reviewing on our side.

Ok, sure, I will do!

>> May I ask why the full source must be included?
>
> Because they will be new on security-master.

Ah, thanks for the explanation.

Cheers and Best Regards,
-- 
Felix Natter
debian/rules!



Reply sent to Felix Natter <fnatter@gmx.net>:
You have taken responsibility. (Sun, 22 Apr 2018 14:54:03 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Sun, 22 Apr 2018 14:54:03 GMT)


Message #116 received at 893663-close@bugs.debian.org:

From: Felix Natter <fnatter@gmx.net>
To: 893663-close@bugs.debian.org
Subject: Bug#893663: fixed in freeplane 1.5.18-1+deb9u1
Date: Sun, 22 Apr 2018 14:50:35 +0000
Source: freeplane
Source-Version: 1.5.18-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
freeplane, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Natter <fnatter@gmx.net> (supplier of updated freeplane package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 01 Apr 2018 17:55:27 +0200
Source: freeplane
Binary: freeplane freeplane-scripting-api
Architecture: source all
Version: 1.5.18-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Felix Natter <fnatter@gmx.net>
Description:
 freeplane  - Java program for working with Mind Maps
 freeplane-scripting-api - Java program for working with Mind Maps (groovy scripting API)
Closes: 893663
Changes:
 freeplane (1.5.18-1+deb9u1) stretch-security; urgency=high
 .
   * Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
     affected by an XML External Entity (XXE) vulnerability in its mindmap
     loader that could compromise a user's machine by opening a specially
     crafted mind map file. (Closes: #893663)
Checksums-Sha1:
 7fc64bd1219fef8773144310d03ac031617fb7cc 2763 freeplane_1.5.18-1+deb9u1.dsc
 8ae540e4fa09b7323c219a24cee23d531f24c90a 8976826 freeplane_1.5.18.orig.tar.gz
 0c912622bbd38083ecad9346aceba76ed69c10b7 25664 freeplane_1.5.18-1+deb9u1.debian.tar.xz
 315f7916ebb42f6e23b93cf02fedb3762e1ecf47 83382 freeplane-scripting-api_1.5.18-1+deb9u1_all.deb
 76a19eb8f93a1737c1ab7244c2aebe3fc18dd3c8 10611804 freeplane_1.5.18-1+deb9u1_all.deb
 371538da2d0f4a43a58d2dde3def93cb7508ca4c 16651 freeplane_1.5.18-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 8eb42ed893d6ac804508c7c0bd46b7b059c85b432dfae7e52b5b332971f601c9 2763 freeplane_1.5.18-1+deb9u1.dsc
 d0eef445f228c798271a10e6c7ae7f64d04cebf90738445e0b5d955b0b2b391a 8976826 freeplane_1.5.18.orig.tar.gz
 f5dc1c5301b9aeca3868128bbcb7a91228480488f013266e4ba59acabc512c05 25664 freeplane_1.5.18-1+deb9u1.debian.tar.xz
 789e08ddfca64e9c7bfee36f19c6732f0ee22d3dc84d0450c3129ff814396d08 83382 freeplane-scripting-api_1.5.18-1+deb9u1_all.deb
 431a1f5600a20106ad5932aec71f1fbf567a37838259c763c019bfc198768f5a 10611804 freeplane_1.5.18-1+deb9u1_all.deb
 299a5f067eda7fb74c9cf08b551f4e21af60b880f985b410a41d80ffd1905d4b 16651 freeplane_1.5.18-1+deb9u1_amd64.buildinfo
Files:
 5b25f52cf1a08404fd9f5869634e7363 2763 editors extra freeplane_1.5.18-1+deb9u1.dsc
 26fe3c209a1c22e2a67990f066679edf 8976826 editors extra freeplane_1.5.18.orig.tar.gz
 594ba9b02ecc3debe35bc09e55eacd3c 25664 editors extra freeplane_1.5.18-1+deb9u1.debian.tar.xz
 29e1796804cb3414d81aad8acf44742e 83382 doc extra freeplane-scripting-api_1.5.18-1+deb9u1_all.deb
 a7736317fafb3344e7f9761e925e5927 10611804 editors extra freeplane_1.5.18-1+deb9u1_all.deb
 573a979036e65e38507c4f8619161539 16651 editors extra freeplane_1.5.18-1+deb9u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
[signature data omitted]
-----END PGP SIGNATURE-----
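The changelog entry above describes the bug class only in one sentence: an XML External Entity (XXE) vulnerability in the mind map loader, exploitable by opening a crafted .mm file. The following is an added example, not freeplane's own code (the thread mentions that freeplane's parser sits behind org.freeplane.n3.nanoxml.XMLParserFactory, whose API is not shown on this page), written against the JDK's JAXP DocumentBuilder as a stand-in. It builds a toy loader twice: once with the factory defaults, which honour a DOCTYPE and resolve SYSTEM entities, and once with DOCTYPE processing disabled. The secret file, the crafted map and the class name XxeMindmapDemo are constructed for the illustration; it assumes Java 11 or later.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/*
 * Added example, not freeplane code: a minimal "mind map loader" built on
 * the JDK's JAXP parser (freeplane uses its own nanoxml-based parser, so
 * the real API differs). loadUnsafe() parses with factory defaults, which
 * honour a DOCTYPE and resolve SYSTEM entities; loadHardened() refuses any
 * DOCTYPE. The secret file and the crafted map are constructed here so the
 * program runs offline. Assumes Java 11 or later.
 */
public class XxeMindmapDemo {

    /* Constructed stand-in for a sensitive file on the victim's machine. */
    static Path writeSecret() throws Exception {
        Path p = Files.createTempFile("xxe-secret", ".txt");
        Files.writeString(p, "s3cr3t-only-the-victim-should-see");
        return p;
    }

    /*
     * Constructed malicious map. The DOCTYPE declares an external entity
     * pointing at a local file; the reference &xxe; sits in element content
     * (XML forbids external entity references inside attribute values, so
     * TEXT="&xxe;" would be rejected, but a richcontent node works).
     */
    static String maliciousMap(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE map [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<map version=\"freeplane 1.5.9\">\n"
             + "  <node TEXT=\"root\">\n"
             + "    <richcontent TYPE=\"NOTE\">&xxe;</richcontent>\n"
             + "  </node>\n"
             + "</map>\n";
    }

    /* Vulnerable pattern: default settings expand the external entity. */
    static String loadUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("richcontent").item(0).getTextContent();
    }

    /*
     * Hardened loader: a mind map never needs a DTD, so reject DOCTYPE
     * outright. The two entity features are a fallback for parsers that
     * do not support disallow-doctype-decl.
     */
    static String loadHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("richcontent").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        Path secret = writeSecret();
        String map = maliciousMap(secret);
        System.out.println("unsafe loader leaked: " + loadUnsafe(map));
        try {
            loadHardened(map);
            System.out.println("hardened loader accepted the map (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened loader rejected the map: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac XxeMindmapDemo.java && java XxeMindmapDemo`. The unsafe path prints the contents of the temporary secret file inside the note text, which is exactly what a crafted map sent to a victim would achieve against a loader that resolves entities; the hardened path throws a SAXParseException on the DOCTYPE before any entity is declared. Rejecting DOCTYPE entirely is the right setting for a document format that never uses a DTD, because it also closes off internal-entity expansion attacks (billion laughs) that the two external-entity features alone do not.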




Reply sent to Felix Natter <fnatter@gmx.net>:
You have taken responsibility. (Sun, 22 Apr 2018 14:57:04 GMT)


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Sun, 22 Apr 2018 14:57:04 GMT)


Message #121 received at 893663-close@bugs.debian.org:

From: Felix Natter <fnatter@gmx.net>
To: 893663-close@bugs.debian.org
Subject: Bug#893663: fixed in freeplane 1.3.12-1+deb8u1
Date: Sun, 22 Apr 2018 14:53:16 +0000
Source: freeplane
Source-Version: 1.3.12-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
freeplane, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Natter <fnatter@gmx.net> (supplier of updated freeplane package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 06 Apr 2018 14:20:40 -0400
Source: freeplane
Binary: freeplane libjortho-freeplane-java
Architecture: source all
Version: 1.3.12-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Felix Natter <fnatter@gmx.net>
Description:
 freeplane  - Java program for working with Mind Maps
 libjortho-freeplane-java - Java spell-checking library
Closes: 893663
Changes:
 freeplane (1.3.12-1+deb8u1) jessie-security; urgency=high
 .
   * Fix CVE-2018-1000069: Wojciech Reguła discovered that FreePlane was
     affected by an XML External Entity (XXE) vulnerability in its mindmap
     loader that could compromise a user's machine by opening a specially
     crafted mind map file. (Closes: #893663)
Checksums-Sha1:
 c91f85f633f072865c7610864b7ede4de34dc037 2698 freeplane_1.3.12-1+deb8u1.dsc
 1f6ff61206efa607e8bcafcaf0e2e54599ad3de2 8491797 freeplane_1.3.12.orig.tar.gz
 a6fe53ea8869b55a5713a497c29cdc21b3532bd4 26552 freeplane_1.3.12-1+deb8u1.debian.tar.xz
 ce2448e373f9460caa3a0a1527877caacbf65d1a 8838852 freeplane_1.3.12-1+deb8u1_all.deb
 ab6e30336b31bc66c1a7c38086ca600446bc52a5 69162 libjortho-freeplane-java_1.3.12-1+deb8u1_all.deb
Checksums-Sha256:
 05051f5643049cbd0f4aca3bf17e8cf2d0843e0ab0bc575aeb8b72e21176c952 2698 freeplane_1.3.12-1+deb8u1.dsc
 cc69438c128248d2a0a4cad5dbb6629b8deee01ade5da7e1b5d8b194a9ba13e8 8491797 freeplane_1.3.12.orig.tar.gz
 e947a6d4df80d0fc1b372faf87b9b5c3bec3d672d39cfac4994e5a3e8bea0a9a 26552 freeplane_1.3.12-1+deb8u1.debian.tar.xz
 0bd802875e1c128a17ae0a4108789969c3b031b29c0376740fc1ebe6151aec3e 8838852 freeplane_1.3.12-1+deb8u1_all.deb
 f0a2f85a588ca945243d0809a54a3ba42f1dec4b53c34eecc3f9b375ddd2b518 69162 libjortho-freeplane-java_1.3.12-1+deb8u1_all.deb
Files:
 13f0d59593e2dca38bafa383608056c3 2698 editors extra freeplane_1.3.12-1+deb8u1.dsc
 56bd70a124fb42e333d28d029d7dd349 8491797 editors extra freeplane_1.3.12.orig.tar.gz
 4883e3f0cd155c76e69dd802ed0c36dd 26552 editors extra freeplane_1.3.12-1+deb8u1.debian.tar.xz
 cfdf25bc3bdf8ba71672175bfba89ea7 8838852 editors extra freeplane_1.3.12-1+deb8u1_all.deb
 2f3abd353401e199d991015f4be414c9 69162 java extra libjortho-freeplane-java_1.3.12-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
[signature data omitted]
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 21 May 2018 07:29:21 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:41:01 2019; Machine Name: beach
