diff --git a/SOURCES/0001-SOLR-11477-Disallow-resolving-of-external-entities-i.patch b/SOURCES/0001-SOLR-11477-Disallow-resolving-of-external-entities-i.patch new file mode 100644 index 0000000..8ed8ff0 --- /dev/null +++ b/SOURCES/0001-SOLR-11477-Disallow-resolving-of-external-entities-i.patch @@ -0,0 +1,119 @@ +From 76061859fd810a448992516a5ed66508de7bc152 Mon Sep 17 00:00:00 2001 +From: Christine Poerschke +Date: Fri, 13 Oct 2017 12:46:58 +0100 +Subject: [PATCH] SOLR-11477: Disallow resolving of external entities in Lucene + +--- + .../apache/lucene/queryparser/xml/CoreParser.java | 65 +++++++++++++++++++--- + 1 file changed, 56 insertions(+), 9 deletions(-) + +diff --git a/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java b/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java +index 81c6b36..4e70aef 100644 +--- a/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java ++++ b/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java +@@ -6,10 +6,18 @@ import org.apache.lucene.queryparser.xml.builders.*; + import org.apache.lucene.search.Query; + import org.w3c.dom.Document; + import org.w3c.dom.Element; ++import org.xml.sax.EntityResolver; ++import org.xml.sax.ErrorHandler; ++import org.xml.sax.InputSource; ++import org.xml.sax.SAXException; + ++ ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; ++import javax.xml.parsers.ParserConfigurationException; + import java.io.InputStream; ++import java.util.Locale; + + /* + * Licensed to the Apache Software Foundation (ASF) under one or more +@@ -117,6 +125,10 @@ public class CoreParser implements QueryBuilder { + queryFactory.addBuilder("SpanNot", snot); + } + ++ /** ++ * Parses the given stream as XML file and returns a {@link Query}. ++ * By default this disallows external entities for security reasons. ++ */ + public Query parse(InputStream xmlStream) throws ParserException { + return getQuery(parseXML(xmlStream).getDocumentElement()); + } +@@ -129,23 +141,48 @@ public class CoreParser implements QueryBuilder { + filterFactory.addBuilder(nodeName, builder); + } + +- private static Document parseXML(InputStream pXmlFile) throws ParserException { +- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); +- DocumentBuilder db = null; ++ /** ++ * Returns a SAX {@link EntityResolver} to be used by {@link DocumentBuilder}. ++ * By default this returns {@link #DISALLOW_EXTERNAL_ENTITY_RESOLVER}, which disallows the ++ * expansion of external entities (for security reasons). To restore legacy behavior, ++ * override this method to return {@code null}. ++ */ ++ protected EntityResolver getEntityResolver() { ++ return DISALLOW_EXTERNAL_ENTITY_RESOLVER; ++ } ++ ++ /** ++ * Subclass and override to return a SAX {@link ErrorHandler} to be used by {@link DocumentBuilder}. ++ * By default this returns {@code null} so no error handler is used. ++ * This method can be used to redirect XML parse errors/warnings to a custom logger. ++ */ ++ protected ErrorHandler getErrorHandler() { ++ return null; ++ } ++ ++ private Document parseXML(InputStream pXmlFile) throws ParserException { ++ final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); ++ dbf.setValidating(false); + try { +- db = dbf.newDocumentBuilder(); ++ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); ++ } catch (ParserConfigurationException e) { ++ // ignore since all implementations are required to support the ++ // {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} feature + } +- catch (Exception se) { +- throw new ParserException("XML Parser configuration error", se); ++ final DocumentBuilder db; ++ try { ++ db = dbf.newDocumentBuilder(); ++ } catch (Exception se) { ++ throw new ParserException("XML Parser configuration error.", se); + } +- org.w3c.dom.Document doc = null; + try { +- doc = db.parse(pXmlFile); ++ db.setEntityResolver(getEntityResolver()); ++ db.setErrorHandler(getErrorHandler()); ++ return db.parse(pXmlFile); + } + catch (Exception se) { + throw new ParserException("Error parsing XML stream:" + se, se); + } +- return doc; + } + + +@@ -153,4 +190,14 @@ public class CoreParser implements QueryBuilder { + public Query getQuery(Element e) throws ParserException { + return queryFactory.getQuery(e); + } ++ ++ public static final EntityResolver DISALLOW_EXTERNAL_ENTITY_RESOLVER = new EntityResolver() { ++ @Override ++ public InputSource resolveEntity(String publicId, String systemId) throws SAXException { ++ throw new SAXException(String.format(Locale.ENGLISH, ++ "External Entity resolving unsupported: publicId=\"%s\" systemId=\"%s\"", ++ publicId, systemId)); ++ } ++ }; ++ + } +-- +2.13.6 + diff --git a/SPECS/lucene.spec b/SPECS/lucene.spec index e163edc..f0246e3 100644 --- a/SPECS/lucene.spec +++ b/SPECS/lucene.spec @@ -35,7 +35,7 @@ Summary: High-performance, full-featured text search engine Name: %{?scl_prefix}%{pkg_name} Version: 4.8.0 -Release: 6.8%{?dist} +Release: 6.9%{?dist} Epoch: 0 License: ASL 2.0 URL: http://lucene.apache.org/ @@ -50,6 +50,7 @@ Source5: ivy-conf.xml Patch0: 0001-disable-ivy-settings.patch Patch1: 0001-dependency-generation.patch +Patch2: 0001-SOLR-11477-Disallow-resolving-of-external-entities-i.patch BuildRequires: git BuildRequires: %{?scl_prefix}ant @@ -216,6 +217,7 @@ set -e -x %setup -q -n %{pkg_name}-%{version} %patch0 -p1 %patch1 -p1 +%patch2 -p1 %else %autosetup -n %{pkg_name}-%{version} -S git %endif @@ -367,6 +369,9 @@ set -e -x %doc LICENSE.txt %changelog +* Fri Oct 27 2017 Michael Simacek - 0:4.8.0-6.9 +- Backport fix for CVE-2017-12629 + * Wed Nov 16 2016 Mat Booth - 0:4.8.0-6.8 - Be more strict with versions in require-bundle directives - Resolves: rhbz#1395709