From ad75b34de0a013d70ba813dbf1a95bdf0c3590466f297ed60beeb0681773b2d7 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Thu, 8 Sep 2022 12:21:37 +0000
Subject: [PATCH] Accepting request 1001681 from GNOME:Apps
OBS-URL: https://build.opensuse.org/request/show/1001681
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/log4net?expand=0&rev=20
---
 log4net-fix-CVE-2018-1285.patch | 27 +++++++++++++++++++++++++++
 log4net.changes | 6 ++++++
 log4net.spec | 7 +++++--
 3 files changed, 38 insertions(+), 2 deletions(-)
 create mode 100644 log4net-fix-CVE-2018-1285.patch
diff --git a/log4net-fix-CVE-2018-1285.patch b/log4net-fix-CVE-2018-1285.patch
new file mode 100644
index 0000000..6603dec
--- /dev/null
+++ b/log4net-fix-CVE-2018-1285.patch
@@ -0,0 +1,27 @@
+From d0b4b0157d4af36b23c24a23739c47925c3bd8d7 Mon Sep 17 00:00:00 2001
+From: Dominik Psenner
+Date: Tue, 12 Sep 2017 09:15:08 +0200
+Subject: [PATCH] XmlConfigurator: do longer allow dtd processing across all
+ platforms (LOG4NET-575)
+
+This patch fixes a security vulnerabiliy reported by Karthik Balasundaram. The security
+vulnerability was found in the way how log4net parses xml configuration files where it
+allowed to process XML External Entity Processing. An attacker could use this as an
+attack vector if he could modify the XML configuration file.
+---
+ src/Config/XmlConfigurator.cs | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs
+===================================================================
+--- log4net-1.2.10.orig/log4net-1.2.10/src/Config/XmlConfigurator.cs
++++ log4net-1.2.10/log4net-1.2.10/src/Config/XmlConfigurator.cs
+@@ -621,7 +621,7 @@ namespace log4net.Config
+ #elif NET_2_0
+ // Allow the DTD to specify entity includes
+ XmlReaderSettings settings = new XmlReaderSettings();
+- settings.ProhibitDtd = false;
++ settings.ProhibitDtd = true;
+
+ // Create a reader over the input stream
+ XmlReader xmlReader = XmlReader.Create(configStream, settings);
diff --git a/log4net.changes b/log4net.changes
index 964cb55..e4fd987 100644
--- a/log4net.changes
+++ b/log4net.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Sep 7 02:34:56 UTC 2022 - Yifan Jiang
+
+- Add patch to fix CVE-2018-1285 (bsc#1172193):
+ * log4net-fix-CVE-2018-1285.patch
+
 -------------------------------------------------------------------
 Mon Mar 19 09:21:53 UTC 2018 - dimstar@opensuse.org
diff --git a/log4net.spec b/log4net.spec
index 198527a..2757559 100644
--- a/log4net.spec
+++ b/log4net.spec
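Review bot: The embedded hunk leaves `// Allow the DTD to specify entity includes` directly above `settings.ProhibitDtd = true;`, so the comment now states the opposite of what the code does; the backport should replace it with something like `// Reject any DTD so the reader cannot resolve external entities (CVE-2018-1285, LOG4NET-575)`. The carried-over upstream header still reports `2 insertions(+), 2 deletions(-)` and a subject of "across all platforms", while the rebased hunk for 1.2.10 changes only the `NET_2_0` branch, one line each way; it is worth confirming whether upstream's second change, presumably the reader setup in the other `#if` branch of the same method, was dropped on purpose or lost in the rebase, since that branch would otherwise keep whatever DTD handling it had before. With `ProhibitDtd` set, the reader will throw on a configuration file that carries a DOCTYPE rather than parse it, which is the intended hardening but is a visible behaviour change the changelog entry could mention. The enclosing method starts and ends outside the hunk.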
@@ -1,7 +1,7 @@
 #
 # spec file for package log4net
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
@@ -26,6 +26,8 @@ URL: http://logging.apache.org/log4net/
 Source: incubating-log4net-1.2.10.zip
 Source1: log4net.key
 Source2: log4net.pc
+# PATCH-FIX-UPSTREAM log4net-fix-CVE-2018-1285.patch bsc#1172193 yfjiang@suse.com -- Fix the vulnerability by not allowing dtd processing
+Patch1: log4net-fix-CVE-2018-1285.patch
 BuildRequires: mono-basic
 BuildRequires: mono-data-sqlite
 BuildRequires: mono-devel
@@ -41,6 +43,7 @@ framework to the .NET runtime
 %prep
 %setup -q -c
+%patch1 -p1
 sed -i "s|@VERSION@|%{version}|" %{SOURCE2}
 #=============================================================================