fop: CVE-2017-5661: information disclosure vulnerability

Related Vulnerabilities: CVE-2017-5661  

Debian Bug report logs - #860567


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 18 Apr 2017 18:33:02 UTC

Severity: serious

Tags: patch, security, upstream

Found in version fop/1:1.0.dfsg-1

Fixed in versions fop/1:2.1-6, fop/1:1.1.dfsg2-1+deb8u1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.

Forwarded to https://issues.apache.org/jira/browse/FOP-2668



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860567; Package src:fop. (Tue, 18 Apr 2017 18:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 18 Apr 2017 18:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: fop: CVE-2017-5661: information disclosure vulnerability
Date: Tue, 18 Apr 2017 20:28:41 +0200
Source: fop
Version: 1:1.0.dfsg-1
Severity: important
Tags: upstream security

Hi,

the following vulnerability was published for fop.

CVE-2017-5661[0]:
| In Apache FOP before 2.2, files lying on the filesystem of the server
| which uses FOP can be revealed to arbitrary users who send maliciously
| formed SVG files. The file types that can be shown depend on the user
| context in which the exploitable application is running. If the user
| is root a full compromise of the server - including confidential or
| sensitive files - would be possible. XXE can also be used to attack
| the availability of the server via denial of service as the references
| within a xml document can trivially trigger an amplification attack.

I was not able to verify that myself, but it is claimed to affect all
fop versions from 1.0 up to 2.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-5661
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5661
[1] http://www.openwall.com/lists/oss-security/2017/04/18/2

Regards,
Salvatore
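
The CVE text quoted above describes an XXE (XML external entity) problem: an SVG is XML, and an XML parser that honours a DOCTYPE with external entities reads whatever file the entity names and splices it into the document the renderer then draws. The Java program below is an added example, not code from Apache FOP, from the fix for FOP-2668, or from anyone in this bug log. It constructs a malicious SVG pointing at a temporary file that stands in for a server-side secret, shows a default JAXP DocumentBuilder leaking it, shows a small entity-amplification payload of the kind the CVE text calls a denial-of-service vector, and shows the parser features (the usual OWASP XXE guidance for Java) that make a hardened builder reject both. The class and method names, the secret's contents and the 10-wide, 4-deep amplification figures are constructed for the illustration; whether FOP 2.2 applies exactly these features is not stated on this page.

```java
// Added example (not Apache FOP code and not from this bug report): an SVG with an
// external entity discloses a server-side file when parsed with a default JAXP
// DocumentBuilder; a hardened factory refuses it at the DOCTYPE.
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SvgXxeDemo {

    /** Constructed malicious SVG: the external entity names a file on the server. */
    static String maliciousSvg(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE svg [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<svg xmlns=\"http://www.w3.org/2000/svg\">\n"
             + "  <text x=\"0\" y=\"10\">&xxe;</text>\n"
             + "</svg>\n";
    }

    /** Constructed amplification payload: each level expands to ten copies of the previous one. */
    static String amplifiedSvg(int levels) {
        StringBuilder dtd = new StringBuilder("<!DOCTYPE svg [\n  <!ENTITY e0 \"" + "x".repeat(64) + "\">\n");
        for (int i = 1; i <= levels; i++) {
            dtd.append("  <!ENTITY e").append(i).append(" \"");
            for (int j = 0; j < 10; j++) dtd.append("&e").append(i - 1).append(';');
            dtd.append("\">\n");
        }
        dtd.append("]>\n");
        return "<?xml version=\"1.0\"?>\n" + dtd
             + "<svg xmlns=\"http://www.w3.org/2000/svg\"><text>&e" + levels + ";</text></svg>\n";
    }

    /** Default JAXP configuration: DOCTYPE is honoured and external entities are resolved. */
    static DocumentBuilder vulnerableBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened configuration: no DOCTYPE, no external entities, no external DTD, no XInclude. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses the SVG and returns the first <text> node's content, i.e. what a renderer would draw. */
    static String extractText(DocumentBuilder db, String svg) throws Exception {
        Document doc = db.parse(new InputSource(new StringReader(svg)));
        return doc.getElementsByTagName("text").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive file on the rendering host (constructed for the demo).
        Path secret = Files.createTempFile("server-secret", ".txt");
        Files.write(secret, "db_password=hunter2".getBytes(StandardCharsets.UTF_8));
        try {
            String disclosure = maliciousSvg(secret);
            String bomb = amplifiedSvg(4);

            // Vulnerable: the file content becomes the <text> node, and the bomb grows ~1000-fold.
            System.out.println("default parser leaked: " + extractText(vulnerableBuilder(), disclosure));
            System.out.println("default parser expanded bomb to "
                + extractText(vulnerableBuilder(), bomb).length() + " chars");

            // Hardened: both inputs are refused at the DOCTYPE, before any entity is looked at.
            for (String input : new String[] {disclosure, bomb}) {
                try {
                    extractText(hardenedBuilder(), input);
                    System.out.println("hardened parser: unexpectedly accepted input");
                } catch (SAXParseException e) {
                    System.out.println("hardened parser rejected input: " + e.getMessage());
                }
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac SvgXxeDemo.java && java SvgXxeDemo` on JDK 11 or later (for `String.repeat`). The default builder prints the secret and a 640,000-character expansion produced from a payload of a few hundred bytes; the hardened builder throws SAXParseException at the DOCTYPE, which is the check to apply to any XML (SVG, XSL-FO, XSLT) that a FOP-based service accepts from users. The JDK's own entity expansion limit (the `jdk.xml.entityExpansionLimit` property, 64000 expansions by default) bounds deeper amplification, but it does nothing against the file disclosure, so disabling DOCTYPE and external entities is the fix, not the limit.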



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860567; Package src:fop. (Wed, 26 Apr 2017 19:33:02 GMT)


Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Apr 2017 19:33:02 GMT)


Message #10 received at 860567@bugs.debian.org:

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: Mathieu Malaterre <malat@debian.org>, Ola Lundqvist <ola@inguza.com>
Cc: fop@packages.debian.org, debian-lts@lists.debian.org, 860567@bugs.debian.org
Subject: Re: Wheezy update of fop?
Date: Wed, 26 Apr 2017 15:30:41 -0400
Control: forwarded -1 https://issues.apache.org/jira/browse/FOP-2668

On 2017-04-26 08:07:33, Mathieu Malaterre wrote:
> Hi Ola,
>
> On Sun, Apr 23, 2017 at 9:46 PM, Ola Lundqvist <ola@inguza.com> wrote:
>> Dear maintainer(s),
>>
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Wheezy version of fop:
>> https://security-tracker.debian.org/tracker/CVE-2017-5661
>>
>> Would you like to take care of this yourself?
>
> The CVE is very unclear to me. It seems I need to upload fop 2.2 in
> place of fop 2.1. Since we are in the middle of the freeze it does not
> make much sense to make such upload in sid right now.

I have found the upstream issue, for what it's worth. That may be
helpful to backport a patch in jessie / sid.

A.

-- 
Advertising is the invisible dictatorship of our society.
                        - Jacques Ellul



Set Bug forwarded-to-address to 'https://issues.apache.org/jira/browse/FOP-2668'. Request was from Antoine Beaupré <anarcat@orangeseeds.org> to 860567-submit@bugs.debian.org. (Wed, 26 Apr 2017 19:33:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#860567; Package src:fop. (Wed, 26 Apr 2017 19:42:02 GMT)


Acknowledgement sent to Antoine Beaupré <anarcat@orangeseeds.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 26 Apr 2017 19:42:02 GMT)


Message #17 received at 860567@bugs.debian.org:

From: Antoine Beaupré <anarcat@orangeseeds.org>
To: debian-lts@lists.debian.org
Cc: Mathieu Malaterre <malat@debian.org>, Ola Lundqvist <ola@inguza.com>, fop@packages.debian.org, 860567@bugs.debian.org
Subject: fop LTS update package ready for testing
Date: Wed, 26 Apr 2017 15:38:42 -0400
Hi,

After much digging, I believe I have found the relevant issue and
commits to fix the CVE-2017-5661 issue in fop. I have backported the
patch to our 1.0 release in LTS and it seems to compile fine. However, I
haven't performed any tests because I lack experience with that peculiar
infrastructure.

Therefore, here is the fop package ready for testing, as usual:

https://people.debian.org/~anarcat/debian/wheezy-lts/

Thanks for any feedback!

A.

-- 
I come from a country where "committed" means you found yourself a job.
                        - Patrice Desbiens



Added tag(s) patch. Request was from Antoine Beaupré <anarcat@debian.org> to control@bugs.debian.org. (Wed, 26 Apr 2017 19:42:10 GMT)


Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 20 May 2017 08:15:05 GMT)


Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Wed, 24 May 2017 15:09:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 24 May 2017 15:09:08 GMT)


Message #26 received at 860567-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 860567-close@bugs.debian.org
Subject: Bug#860567: fixed in fop 1:2.1-6
Date: Wed, 24 May 2017 15:04:51 +0000
Source: fop
Source-Version: 1:2.1-6

We believe that the bug you reported is fixed in the latest version of
fop, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860567@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated fop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 24 May 2017 15:53:03 +0200
Source: fop
Binary: fop libfop-java fop-doc
Architecture: source
Version: 1:2.1-6
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 fop        - XML formatter driven by XSL Formatting Objects (XSL-FO.) - app
 fop-doc    - XML formatter driven by XSL Formatting Objects (doc) - doc
 libfop-java - XML formatter driven by XSL Formatting Objects (XSL-FO.) - libs
Closes: 860567
Changes:
 fop (1:2.1-6) unstable; urgency=high
 .
   * Team upload.
   * Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567)
Checksums-Sha1:
 03aefdca9334b932835a978357671dd1f56bdbcd 2492 fop_2.1-6.dsc
 65808a7ffce63a0fa006dda4458a430bcae2de32 870416 fop_2.1-6.debian.tar.xz
 61765c1f3d45e63c47744cb64c86da2e74ac12dc 5310 fop_2.1-6_source.buildinfo
Checksums-Sha256:
 8dc1a44f7f621127061993970e69bdf49f16067a6c9a276e27144ccc36ef4f2e 2492 fop_2.1-6.dsc
 a59f86deb333458326e0e62600066d4b741923f29f9cc18714034a68d059f73f 870416 fop_2.1-6.debian.tar.xz
 b25d50a885c426a1bf2ce3d9a662b518518212ddf6351d3f3bb1df9d1eefd1b0 5310 fop_2.1-6_source.buildinfo
Files:
 5d5632ee47527572eff4bbbd61391fa1 2492 text optional fop_2.1-6.dsc
 efa740348a632d77994b33f43c4e6bdf 870416 text optional fop_2.1-6.debian.tar.xz
 c081d15c17868d4f7f0a00e5ca7cfe83 5310 text optional fop_2.1-6_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAlklkWgSHGVib3VyZ0Bh
cGFjaGUub3JnAAoJEPUTxBnkudCsHRQQAMGpCn4Ctdxnhd6CKqCQngX0irXpPZBn
Ay0XGF60iCrGso5df10y2cu1/f8vvyublBXwKcMStn21UL1ydWM2ns4aaH4li+5i
xS8v+Lz7G6ekIlZlm0aFSHztoKhEwi/uIRF1JYS1yWv1IfBOK2rn3oh9W4hTrO9j
d8aIKxyXksmz9lOSf1RbbFrRFLcoWQEmHS08pbVMyNj6yWH5g2E1z3TGVCORKLKP
SZL8QWALq+2N8tF1CaAPLF/Rcvo2Xfqs/KF1JkpXhhFJj3yM4HNjZamc8li1a27l
4H3G+4XZYO2xdJ1lxK85kaNQlUtzXVM5OKcpFlWsTsRhaVREtGCGC1OQDMQBjGMY
nWv5bYBPV3a5v7o7KYNVDmsdwccKVX5++FwmJJbzb4qcE2FdnbG0NpocGKB17V4X
fxM0RIpYXEhvu1hFYmJSVL/5WuGI4hBt1adfsdVNp4JyBOpT0TrPmR62euqOyX62
ZxXNXDE3nAYTjA2TQ0Y278CtIT7BgvaILZ40dZZHFTIRn6Y/FdK44Oy2UT3snjB8
VeXw7YxjDfHbGS7xUNgFPSTgE+zzLz2ZrO2ZShemS9F2NjkENZ1I8J7fBLzPext1
9tMCzI9XBiBooqgZRmJTHsGXM7HEPWijoCU0YIv+KWKBwdnnh6/ZQWbKkyx5jRvx
pP+4h+BMzZOc
=H7Kp
-----END PGP SIGNATURE-----




Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Wed, 31 May 2017 01:06:02 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 31 May 2017 01:06:03 GMT)


Message #31 received at 860567-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 860567-close@bugs.debian.org
Subject: Bug#860567: fixed in fop 1:1.1.dfsg2-1+deb8u1
Date: Wed, 31 May 2017 01:02:08 +0000
Source: fop
Source-Version: 1:1.1.dfsg2-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
fop, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 860567@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated fop package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 24 May 2017 17:35:34 +0200
Source: fop
Binary: fop libfop-java fop-doc
Architecture: source all
Version: 1:1.1.dfsg2-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 fop        - XML formatter driven by XSL Formatting Objects (XSL-FO.)
 fop-doc    - XML formatter driven by XSL Formatting Objects (doc)
 libfop-java - XML formatter driven by XSL Formatting Objects (XSL-FO.)
Closes: 860567
Changes:
 fop (1:1.1.dfsg2-1+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fixed CVE-2017-5661: Information disclosure vulnerability (Closes: #860567)
Checksums-Sha1:
 c8a766eb23c24297298d957e90d4ca76e895d4a6 2507 fop_1.1.dfsg2-1+deb8u1.dsc
 21c1bd4397974bd5ffaa4fe6fa351bfecd5c93b5 8753464 fop_1.1.dfsg2.orig.tar.xz
 c248ce9e8af758614e5f490eaed29c4c518c487a 842956 fop_1.1.dfsg2-1+deb8u1.debian.tar.xz
 fd8806ffd24ccfbb3e8194269dcdc31d1b57a016 21838 fop_1.1.dfsg2-1+deb8u1_all.deb
 a4774802e317238f8dd2c5e00fdee3405c1e273f 3198758 libfop-java_1.1.dfsg2-1+deb8u1_all.deb
 cd67a0f8b23bc1d63c62628b3d700149120d674e 2494910 fop-doc_1.1.dfsg2-1+deb8u1_all.deb
Checksums-Sha256:
 9e70fd85ce71f944a25e4130632e4f3c63fdf8ec826ccd5e4fe2eb2fc3c45cd7 2507 fop_1.1.dfsg2-1+deb8u1.dsc
 8918d5de3079058ecb1714659c025927527d99f474fe8c1322a1d8ce73ec63b5 8753464 fop_1.1.dfsg2.orig.tar.xz
 0bc6ede8422056c758691ddfd2d269daec5492ec724fe8fce14de0d6a5d6a0af 842956 fop_1.1.dfsg2-1+deb8u1.debian.tar.xz
 d30281ef217dc39b7fc90f6273f3f4b7e2f8e8ab97def685a7a980c693752b4c 21838 fop_1.1.dfsg2-1+deb8u1_all.deb
 e111dcca87688a968e162d9b6d0131cd24f969216aa6ff91511b4bb310b88060 3198758 libfop-java_1.1.dfsg2-1+deb8u1_all.deb
 0ffce8a62e2295bbd83317a41f1da75fe0146904b81634ad6a3d3b8b55b5e3fc 2494910 fop-doc_1.1.dfsg2-1+deb8u1_all.deb
Files:
 b8edc07af02e76937903f48b29442041 2507 text optional fop_1.1.dfsg2-1+deb8u1.dsc
 5cf795e96e558260cbfa65dfe12aa0ed 8753464 text optional fop_1.1.dfsg2.orig.tar.xz
 b3e267b233985f7eca0c6964f98f5349 842956 text optional fop_1.1.dfsg2-1+deb8u1.debian.tar.xz
 2b6c07b48404d39cfab5811acc7b1260 21838 text optional fop_1.1.dfsg2-1+deb8u1_all.deb
 417d18d9d7b09d7e58fd5cfed0e47377 3198758 java optional libfop-java_1.1.dfsg2-1+deb8u1_all.deb
 3dd4e0640946d9bcc5b8287d2160ce2c 2494910 doc optional fop-doc_1.1.dfsg2-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 16 Jul 2017 07:48:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:00:00 2019; Machine Name: buxtehude
