Sync libcommons-fileupload-java 1.3-2.1 (universe) from Debian unstable (main)

Bug #1253847 reported by Artur Rona
Affects: libcommons-fileupload-java (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Please sync libcommons-fileupload-java 1.3-2.1 (universe) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * SECURITY UPDATE: arbitrary file overwrite via poison null byte
    - debian/patches/CVE-2013-2186.patch: properly validate repository in
      src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java.
    - CVE-2013-2186
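The repository check the patch description refers to, as an added illustration of the defensive validation (this is neither the Debian patch nor upstream commons-fileupload source): a DiskFileItem restored by Java deserialization must not trust its `repository` field, so the restored value is rejected if its path carries an embedded null byte or does not point at an existing directory. The `validateRepository` helper and the `PoisonedRepositoryDemo` class are assumptions made for this example.

```java
import java.io.File;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

/** Illustrative hardening check for a deserialized temp-file repository. */
public class PoisonedRepositoryDemo implements Serializable {

    // Reject a repository path restored from untrusted serialized data.
    // This is what "properly validate repository" amounts to: no embedded
    // null byte (a C-level open() would silently truncate the path there)
    // and the target must already be a directory.
    static void validateRepository(File repository) throws IOException {
        if (repository == null) {
            return; // null means "use java.io.tmpdir"; nothing to validate
        }
        String path = repository.getPath();
        if (path.indexOf('\0') >= 0) {
            throw new IOException("repository path contains a null byte");
        }
        if (!repository.isDirectory()) {
            throw new IOException("repository is not a directory: "
                    + repository.getAbsolutePath());
        }
    }

    // Where such a check belongs: right after the default field restore in
    // readObject, before any temporary file is derived from the field.
    // (Sketch only; the real DiskFileItem has more fields and logic.)
    private File repository;

    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        validateRepository(repository);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate temp dir and a poisoned path.
        File good = new File(System.getProperty("java.io.tmpdir"));
        File poisoned = new File("/tmp/uploads\0ignored");
        for (File f : new File[] {good, poisoned}) {
            try {
                validateRepository(f);
                System.out.println("accepted: " + f.getPath());
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```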

Debian has merged Ubuntu changes.

Changelog entries since current trusty version 1.3-2ubuntu1:

libcommons-fileupload-java (1.3-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Add CVE-2013-2186.patch patch.
    CVE-2013-2186: Arbitrary file upload via deserialization. Properly
    validate repository in src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java.
    Thanks to Marc Deslauriers <email address hidden> for
    providing the debdiff. (Closes: #726601)

 -- Salvatore Bonaccorso <email address hidden> Fri, 15 Nov 2013 15:04:17 +0100


Daniel Holbach (dholbach) wrote :

This fails to build for me on amd64 trusty:

Running org.apache.commons.fileupload.MultipartStreamTest
Tests run: 2, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0 sec

Results :

Failed tests: decodeUtf8Base64Encoded(org.apache.commons.fileupload.util.mime.MimeUtilityTestCase): expected:< h[?! ???]u !!!> but was:< h[?! ???]u !!!>
  decodeUtf8QuotedPrintableEncoded(org.apache.commons.fileupload.util.mime.MimeUtilityTestCase): expected:< h[?! ???]u !!!> but was:< h[?! ???]u !!!>

Tests run: 67, Failures: 2, Errors: 0, Skipped: 0

[INFO] ------------------------------------------------------------------------
[ERROR] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] There are test failures.

Please refer to /tmp/buildd/libcommons-fileupload-java-1.3/target/surefire-reports for the individual test results.
[INFO] ------------------------------------------------------------------------
[INFO] For more information, run Maven with the -e switch
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 5 seconds
[INFO] Finished at: Fri Nov 22 06:56:26 UTC 2013
[INFO] Final Memory: 17M/210M
[INFO] ------------------------------------------------------------------------
make: *** [mvn-build] Error 1

Changed in libcommons-fileupload-java (Ubuntu):
status: New → Incomplete
Artur Rona (ari-tczew) wrote :

Yeah, that's right. I was trying to build another .dsc file. However, there is not so much benefit in Debian, so I'm not going to investigate where's the problem. I'm unsubscribing ubuntu-sponsors for now.

Someone, feel free to fix it.

Marc Deslauriers (mdeslaur) wrote :

Looks like 1.3-3 builds fine. Synced.

Changed in libcommons-fileupload-java (Ubuntu):
status: Incomplete → Fix Released
Marc Deslauriers (mdeslaur) wrote :

This bug was fixed in the package libcommons-fileupload-java - 1.3-3
Sponsored for Artur Rona (ari-tczew)

---------------
libcommons-fileupload-java (1.3-3) unstable; urgency=low

  * Set the project.build.sourceEncoding property to fix a test failure
    (Closes: #730970)
  * Removed the Servlet and the Portlet APIs from the runtime dependencies
    since they are provided by the Servlet container.
  * Install the upstream changelog
  * debian/control:
    - Standards-Version updated to 3.9.5 (no changes)
    - Use canonical URLs for the Vcs-* fields
  * Switch to debhelper level 9

 -- Emmanuel Bourg <email address hidden> Tue, 03 Dec 2013 08:35:15 +0100

libcommons-fileupload-java (1.3-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Add CVE-2013-2186.patch patch.
    CVE-2013-2186: Arbitrary file upload via deserialization. Properly validate
    repository in org.apache.commons.fileupload.disk.DiskFileItem.
    Thanks to Marc Deslauriers <email address hidden> for
    providing the debdiff. (Closes: #726601)

 -- Salvatore Bonaccorso <email address hidden> Fri, 15 Nov 2013 15:04:17 +0100
