Sync libcommons-fileupload-java 1.3-2.1 (universe) from Debian unstable (main)

Bug #1253847 reported by Artur Rona on 2013-11-22
Affects: libcommons-fileupload-java (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Please sync libcommons-fileupload-java 1.3-2.1 (universe) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: arbitrary file overwrite via poison null byte
    - debian/patches/CVE-2013-2186.patch: properly validate repository in
      src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java.
    - CVE-2013-2186

Debian has merged Ubuntu changes.

Changelog entries since current trusty version 1.3-2ubuntu1:

libcommons-fileupload-java (1.3-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Add CVE-2013-2186.patch patch.
    CVE-2013-2186: Arbitrary file upload via deserialization. Properly
    validate repository in src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java.
    Thanks to Marc Deslauriers <email address hidden> for
    providing the debdiff. (Closes: #726601)

 -- Salvatore Bonaccorso <email address hidden> Fri, 15 Nov 2013 15:04:17 +0100
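The check that the Ubuntu delta and the 1.3-2.1 changelog describe as "properly validate repository", shown here as an added illustration rather than the project's own patch: a minimal Serializable class whose readObject hook rejects a deserialized repository path that contains a NUL byte or is not a directory. The class, field and method names are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
// Illustrative stand-in for the deserialization path of DiskFileItem; the class,
// field and method names are assumptions, not the project's own code.
public class RepositoryValidationExample implements Serializable {
    // Directory in which the temporary upload file is created. When the object
    // arrives from an untrusted serialized stream, this value is attacker-chosen.
    private File repository;

    // Reject a repository that is not an existing directory or whose path holds a
    // NUL byte, which native file APIs may treat as end-of-string ("poison null byte").
    static void validateRepository(File repository) throws IOException {
        if (repository == null) {
            return; // caller falls back to the default temporary directory
        }
        if (repository.getPath().indexOf('\0') >= 0) {
            throw new IOException("The repository path contains a null character");
        }
        if (!repository.isDirectory()) {
            throw new IOException("The repository [" + repository.getAbsolutePath()
                    + "] is not a directory");
        }
    }

    // Deserialization hook: validate the untrusted field before anything opens a file with it.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        validateRepository(repository);
    }

    public static void main(String[] args) {
        // Constructed sample paths: a real directory, a non-directory, a NUL-containing path.
        File[] samples = {
            new File(System.getProperty("java.io.tmpdir")),
            new File("/nonexistent/not-a-directory.txt"),
            new File("/tmp/uploads\0ignored"),
        };
        for (File f : samples) {
            try {
                validateRepository(f);
                System.out.println("accepted: " + f.getPath());
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```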

CVE References

Daniel Holbach (dholbach) wrote :

This fails to build for me on amd64 trusty:

Running org.apache.commons.fileupload.MultipartStreamTest
Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0 sec

Results :

Failed tests: decodeUtf8Base64Encoded(org.apache.commons.fileupload.util.mime.MimeUtilityTestCase): expected:< h[?! ???]u !!!> but was:< h[?! ???]u !!!>
  decodeUtf8QuotedPrintableEncoded(org.apache.commons.fileupload.util.mime.MimeUtilityTestCase): expected:< h[?! ???]u !!!> but was:< h[?! ???]u !!!>

Tests run: 67, Failures: 2, Errors: 0, Skipped: 0

[INFO] ------------------------------------------------------------------------
[ERROR] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] There are test failures.

Please refer to /tmp/buildd/libcommons-fileupload-java-1.3/target/surefire-reports for the individual test results.
[INFO] ------------------------------------------------------------------------
[INFO] For more information, run Maven with the -e switch
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 5 seconds
[INFO] Finished at: Fri Nov 22 06:56:26 UTC 2013
[INFO] Final Memory: 17M/210M
[INFO] ------------------------------------------------------------------------
make: *** [mvn-build] Error 1

Changed in libcommons-fileupload-java (Ubuntu):
status: New → Incomplete
Artur Rona (ari-tczew) wrote :

Yeah, that's right. I was trying to build another .dsc file. However, there is not so much benefit in Debian, so I'm not going to investigate where the problem is. I'm unsubscribing ubuntu-sponsors for now.

Feel free, anyone, to fix it.

Marc Deslauriers (mdeslaur) wrote :

Looks like 1.3-3 builds fine. Synced.

Changed in libcommons-fileupload-java (Ubuntu):
status: Incomplete → Fix Released
Marc Deslauriers (mdeslaur) wrote :

This bug was fixed in the package libcommons-fileupload-java - 1.3-3
Sponsored for Artur Rona (ari-tczew)

---------------
libcommons-fileupload-java (1.3-3) unstable; urgency=low

  * Set the project.build.sourceEncoding property to fix a test failure
    (Closes: #730970)
  * Removed the Servlet and the Portlet APIs from the runtime dependencies
    since they are provided by the Servlet container.
  * Install the upstream changelog
  * debian/control:
    - Standards-Version updated to 3.9.5 (no changes)
    - Use canonical URLs for the Vcs-* fields
  * Switch to debhelper level 9

 -- Emmanuel Bourg <email address hidden> Tue, 03 Dec 2013 08:35:15 +0100

libcommons-fileupload-java (1.3-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Add CVE-2013-2186.patch patch.
    CVE-2013-2186: Arbitrary file upload via deserialization. Properly validate
    repository in org.apache.commons.fileupload.disk.DiskFileItem.
    Thanks to Marc Deslauriers <email address hidden> for
    providing the debdiff. (Closes: #726601)

 -- Salvatore Bonaccorso <email address hidden> Fri, 15 Nov 2013 15:04:17 +0100
