Bug 719318 (CVE-2020-10683)

Summary: <dev-java/dom4j-2.1.3: XML External Entity (XXE) vulnerability in default SAX parser (CVE-2020-10683)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Sam James <sam>
Assignee: Gentoo Security <security>
Status: IN_PROGRESS ---
Severity: minor
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
CC: fordfrog, gentoo, glsamaker, java
See Also:
  https://bugs.gentoo.org/show_bug.cgi?id=722256
  https://bugs.gentoo.org/show_bug.cgi?id=790521
  https://github.com/gentoo/gentoo/pull/21319
Whiteboard: B4 [glsa? cleanup cve]
Package list:
Runtime testing required: ---
Bug Depends on: 790692, 796995, 802609, 822918, 822921, 827967
Bug Blocks: 790554

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-24 22:35:05 UTC
Description:
"XML External Entity vulnerability in default SAX parser"

Patches:
* https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d
* https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 16:56:59 UTC
*** Bug 720728 has been marked as a duplicate of this bug. ***
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-27 16:57:39 UTC
CVE-2020-10683 (https://nvd.nist.gov/vuln/detail/CVE-2020-10683):
  dom4j before 2.1.3 allows external DTDs and External Entities by default,
  which might enable XXE attacks. However, there is popular external
  documentation from OWASP showing how to enable the safe, non-default
  behavior in any application that uses dom4j.
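The safe, non-default configuration the CVE text refers to (the settings the OWASP XXE prevention cheat sheet gives for dom4j), as an added example that is not part of this bug report or of the dom4j project; the class name `HardenedDom4jReader` and both sample documents are constructed here. The 2.1.3 fix changes the default; setting the features explicitly makes the behaviour independent of which version is installed.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

public class HardenedDom4jReader {

    // Builds a SAXReader that never resolves external DTDs or entities.
    // The feature URIs are the standard SAX/Xerces ones understood by the
    // JDK's built-in parser, which dom4j uses unless told otherwise.
    public static SAXReader newHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Reject any DOCTYPE outright: without a DTD there are no entity declarations.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that still accept a DOCTYPE.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    public static void main(String[] args) throws Exception {
        SAXReader reader = newHardenedReader();

        // Constructed sample: a plain document with no DOCTYPE parses normally.
        Document ok = reader.read(new StringReader("<note><to>ops</to></note>"));
        System.out.println("parsed root element: " + ok.getRootElement().getName());

        // Constructed sample: any DOCTYPE, even one declaring only a harmless
        // internal entity, is rejected before entity expansion can take place.
        String withDoctype = "<!DOCTYPE note [<!ENTITY who \"ops\">]><note>&who;</note>";
        try {
            reader.read(new StringReader(withDoctype));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (DocumentException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

A quick audit of a code base for this issue is to grep for `new SAXReader()` and check that every instance is followed by these `setFeature` calls or goes through a shared factory like the one above.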
Comment 3 Volkmar W. Pogatzki 2021-05-16 18:29:52 UTC
*** Bug 790521 has been marked as a duplicate of this bug. ***
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-05-18 23:48:19 UTC
Ping, blocker fixed
Comment 5 Miroslav Šulc gentoo-dev 2021-05-19 07:03:32 UTC
We still only have the unpatched version 1.6.1. Work on a bump to the latest dom4j is in progress...
Comment 6 Volkmar W. Pogatzki 2021-06-19 17:20:11 UTC
(In reply to Miroslav Šulc from comment #5)
> we still only have unpatched version 1.6.1. work on bump to the latest dom4j
> is in progress...

dom4j-2.1.3 (https://github.com/dom4j/dom4j/tree/version-2.1.3) depends
on jaxb-api (https://github.com/gentoo/gentoo/pull/21319).

This, however, cannot be used until there is a solution for using Java modules.
See https://github.com/gentoo/gentoo/pull/21326#pullrequestreview-687829925
Comment 7 Larry the Git Cow gentoo-dev 2021-07-17 12:09:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdefd7b25414d9e57612fb8b43c28e7e6e65ce4d

commit fdefd7b25414d9e57612fb8b43c28e7e6e65ce4d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-05-17 13:24:31 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-07-17 12:09:03 +0000

    dev-java/dom4j: bump to 2.1.3 (CVE-2020-10683)
    
    Bug: https://bugs.gentoo.org/719318
    rewritten with java-pkg-simple.eclass
    introducing "jaxen" USE flag
    
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/21319
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/dom4j/Manifest                            |  2 +
 dev-java/dom4j/dom4j-2.1.3.ebuild                  | 75 ++++++++++++++++++++++
 .../dom4j-2.1.3-xpp3-add-removeAttribute.patch     | 47 ++++++++++++++
 dev-java/dom4j/metadata.xml                        |  3 +
 4 files changed, 127 insertions(+)
Comment 8 Miroslav Šulc gentoo-dev 2021-07-17 12:13:32 UTC
This can go stable. All tests pass, and packages depending on dom4j-2.1.3 emerge fine, so it should be safe to stabilize. Thanks to vaukai for the great work!
Comment 13 Miroslav Šulc gentoo-dev 2021-10-20 15:23:19 UTC
Do we need to create a separate stabilization bug, or is it fine to use this one for stabilization?
Comment 14 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-20 18:37:31 UTC
We're already rolling here, so it's fine to let it finish.
Comment 15 Jakov Smolić archtester gentoo-dev 2021-11-07 16:56:03 UTC
amd64 done
Comment 16 Agostino Sarubbo gentoo-dev 2021-11-10 07:05:46 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 31 NATTkA bot gentoo-dev 2021-11-21 17:28:59 UTC
Resetting sanity check; package list is empty or all packages are done.
Comment 32 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-12-01 23:19:47 UTC
Hm, seems we still need to stabilize for arm64 and ppc64