Accepting request 1001681 from GNOME:Apps

OBS-URL: https://build.opensuse.org/request/show/1001681 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/log4net?expand=0&rev=20
2022-09-08 12:21:37 +00:00 · 2022-09-08 12:21:37 +00:00 · ad75b34de0
commit ad75b34de0
parent ed374fdd0f
3 changed files with 38 additions and 2 deletions
--- a/log4net-fix-CVE-2018-1285.patch
+++ b/log4net-fix-CVE-2018-1285.patch
@ -0,0 +1,27 @@
+From d0b4b0157d4af36b23c24a23739c47925c3bd8d7 Mon Sep 17 00:00:00 2001
+From: Dominik Psenner <dpsenner@apache.org>
+Date: Tue, 12 Sep 2017 09:15:08 +0200
+Subject: [PATCH] XmlConfigurator: do longer allow dtd processing across all
+ platforms (LOG4NET-575)
+
+This patch fixes a security vulnerabiliy reported by Karthik Balasundaram. The security
+vulnerability was found in the way how log4net parses xml configuration files where it
+allowed to process XML External Entity Processing. An attacker could use this as an
+attack vector if he could modify the XML configuration file.
+---
+ src/Config/XmlConfigurator.cs | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs
+===================================================================
+--- log4net-1.2.10.orig/log4net-1.2.10/src/Config/XmlConfigurator.cs
+++ log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs
+@@ -621,7 +621,7 @@ namespace log4net.Config
+ #elif NET_2_0
+ 					// Allow the DTD to specify entity includes
+ 					XmlReaderSettings settings = new XmlReaderSettings();
+-					settings.ProhibitDtd = false;
+					settings.ProhibitDtd = true;
+ 
+ 					// Create a reader over the input stream
+ 					XmlReader xmlReader = XmlReader.Create(configStream, settings);
--- a/log4net.changes
+++ b/log4net.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep  7 02:34:56 UTC 2022 - Yifan Jiang <yfjiang@suse.com>
+
+- Add patch to fix CVE-2018-1285 (bsc#1172193):
+  * log4net-fix-CVE-2018-1285.patch
+
 -------------------------------------------------------------------
 Mon Mar 19 09:21:53 UTC 2018 - dimstar@opensuse.org

--- a/log4net.spec
+++ b/log4net.spec
@ -1,7 +1,7 @@
 #
 # spec file for package log4net
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.

-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #


@ -26,6 +26,8 @@ URL:            http://logging.apache.org/log4net/
 Source:         incubating-log4net-1.2.10.zip
 Source1:        log4net.key
 Source2:        log4net.pc
+# PATCH-FIX-UPSTREAM log4net-fix-CVE-2018-1285.patch bsc#1172193 yfjiang@suse.com -- Fix the vulnerability by not allowing dtd processing
+Patch1:         log4net-fix-CVE-2018-1285.patch
 BuildRequires:  mono-basic
 BuildRequires:  mono-data-sqlite
 BuildRequires:  mono-devel
@ -41,6 +43,7 @@ framework to the .NET runtime

 %prep
 %setup -q -c
+%patch1 -p1
 sed -i "s|@VERSION@|%{version}|" %{SOURCE2}
 #=============================================================================