Bug 719318 (CVE-2020-10683) - <dev-java/dom4j-2.1.3: XML External Entity (XEE) vulnerability in default SAX parser (CVE-2020-10683)
Status: IN_PROGRESS
Alias: CVE-2020-10683
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [stable cve]
Keywords: CC-ARCHES, PullRequest, STABLEREQ
Duplicates: 720728 790521
Depends on: 802609 790692
Blocks: 790554
Reported: 2020-04-24 22:35 UTC by Sam James
Modified: 2021-08-08 19:29 UTC (History)
CC: 6 users

See Also:
Package list:
dev-java/dom4j-2.1.3 dev-java/jaxb-api-2.3.3 dev-java/jakarta-activation-api-2.0.1-r1 dev-java/jakarta-activation-api-1.2.2
Runtime testing required: ---
nattka: sanity-check+
Description Sam James archtester gentoo-dev Security 2020-04-24 22:35:05 UTC
Description:
"XML External Entity vulnerability in default SAX parser"

Patches:
* https://github.com/dom4j/dom4j/commit/1707bf3d898a8ada3b213acb0e3b38f16eaae73d
* https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
Comment 1 Sam James archtester gentoo-dev Security 2020-07-27 16:56:59 UTC
*** Bug 720728 has been marked as a duplicate of this bug. ***
Comment 2 Sam James archtester gentoo-dev Security 2020-07-27 16:57:39 UTC
CVE-2020-10683 (https://nvd.nist.gov/vuln/detail/CVE-2020-10683):
  dom4j before 2.1.3 allows external DTDs and External Entities by default,
  which might enable XXE attacks. However, there is popular external
  documentation from OWASP showing how to enable the safe, non-default
  behavior in any application that uses dom4j.
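The CVE text above points to the OWASP guidance for turning on dom4j's safe, non-default parser behaviour. The following Java class is an added example and is not code from this bug, from Gentoo, or from the dom4j project; it applies that hardening explicitly to a `SAXReader`, so an application gets the same safe behaviour whether it runs against the unpatched 1.6.1 still in the tree or against 2.1.3. The class name `HardenedDom4j`, the method names and the sample XML strings are all constructed for the example; the four SAX/Xerces feature URIs are the standard ones OWASP documents.

```java
import java.io.StringReader;

import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/**
 * Added example (not part of the bug report or of dom4j itself): a SAXReader
 * configured with the OWASP-recommended features so that DOCTYPE declarations
 * and external entities are refused regardless of the installed dom4j version.
 */
public final class HardenedDom4j {

    private HardenedDom4j() {}

    /** Returns a SAXReader that refuses DOCTYPE declarations and external entities. */
    public static SAXReader newHardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Refusing any DOCTYPE is the primary defence: without a DTD there is
        // nothing that can declare an external entity in the first place.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE ever has to be tolerated: do not
        // resolve external general or parameter entities and do not fetch DTDs.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    /** Parses untrusted XML text with the hardened reader. */
    public static Document parseUntrusted(String xml) throws SAXException, DocumentException {
        return newHardenedReader().read(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a plain document and one carrying a DOCTYPE
        // (here only an internal entity, which is still rejected outright).
        String plain = "<config><name>example</name></config>";
        String withDoctype =
            "<!DOCTYPE config [<!ENTITY greeting \"hi\">]><config>&greeting;</config>";

        System.out.println("plain root: " + parseUntrusted(plain).getRootElement().getName());
        try {
            parseUntrusted(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE document was accepted");
        } catch (DocumentException e) {
            // Expected: the parser stops at the DOCTYPE before any entity is resolved.
            System.out.println("rejected DOCTYPE document: " + e.getMessage());
        }
    }
}
```

Compile and run it with dom4j (any 1.6.x or 2.x release) on the classpath; the first parse succeeds and the second is rejected with a `DocumentException` wrapping the parser's DOCTYPE error. Setting these features in every place an application constructs a `SAXReader` is the mitigation OWASP describes, and it remains good practice even after upgrading to a version whose defaults are safe.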
Comment 3 Volkmar W. Pogatzki 2021-05-16 18:29:52 UTC
*** Bug 790521 has been marked as a duplicate of this bug. ***
Comment 4 John Helmert III gentoo-dev Security 2021-05-18 23:48:19 UTC
Ping, blocker fixed
Comment 5 Miroslav Šulc gentoo-dev 2021-05-19 07:03:32 UTC
We still only have the unpatched version 1.6.1. Work on a bump to the latest dom4j is in progress...
Comment 6 Volkmar W. Pogatzki 2021-06-19 17:20:11 UTC
(In reply to Miroslav Šulc from comment #5)
> we still only have unpatched version 1.6.1. work on bump to the latest dom4j
> is in progress...

dom4j-2.1.3 (https://github.com/dom4j/dom4j/tree/version-2.1.3) depends 
on jaxb-api (https://github.com/gentoo/gentoo/pull/21319).

This, however, cannot be used until there is a solution for using Java modules.
See https://github.com/gentoo/gentoo/pull/21326#pullrequestreview-687829925
Comment 7 Larry the Git Cow gentoo-dev 2021-07-17 12:09:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdefd7b25414d9e57612fb8b43c28e7e6e65ce4d

commit fdefd7b25414d9e57612fb8b43c28e7e6e65ce4d
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-05-17 13:24:31 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-07-17 12:09:03 +0000

    dev-java/dom4j: bump to 2.1.3 (CVE-2020-10683)
    
    Bug: https://bugs.gentoo.org/719318
    rewritten with java-pkg-simple.eclass
    introducing "jaxen" USE flag
    
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/21319
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/dom4j/Manifest                            |  2 +
 dev-java/dom4j/dom4j-2.1.3.ebuild                  | 75 ++++++++++++++++++++++
 .../dom4j-2.1.3-xpp3-add-removeAttribute.patch     | 47 ++++++++++++++
 dev-java/dom4j/metadata.xml                        |  3 +
 4 files changed, 127 insertions(+)
Comment 8 Miroslav Šulc gentoo-dev 2021-07-17 12:13:32 UTC
This can go stable. All tests pass, and packages depending on dom4j-2.1.3 emerge fine, so it should be safe to stabilize. Thanks to vaukai for the great work!