diff -Nru jabref-3.8.2+ds/debian/changelog jabref-3.8.2+ds/debian/changelog
--- jabref-3.8.2+ds/debian/changelog 2018-08-26 21:50:27.000000000 +0000
+++ jabref-3.8.2+ds/debian/changelog 2019-02-26 12:28:54.000000000 +0000
@@ -1,3 +1,57 @@
+jabref (3.8.2+ds-12~18.04) bionic; urgency=medium
+
+ * Backport for OpenJDK 11. LP: #1814133.
+
+ -- Matthias Klose Tue, 26 Feb 2019 13:28:54 +0100
+
+jabref (3.8.2+ds-12) unstable; urgency=high
+
+ * Add patch from upstream commit to fix CVE-2018-1000652: XML External
+ Entity attack.
+ Thanks to Moritz Muehlenhoff for the bug report. (Closes: #921772)
+
+ -- gregor herrmann Sat, 09 Feb 2019 00:54:59 +0100
+
+jabref (3.8.2+ds-11) unstable; urgency=medium
+
+ * Add build dependency on libicu4j-java.
+ Thanks to Santiago Vila for the bug report. (Closes: #918440)
+ * Update years of packaging copyright.
+ * Declare compliance with Debian Policy 4.3.0.
+
+ -- gregor herrmann Sun, 06 Jan 2019 02:59:35 +0100
+
+jabref (3.8.2+ds-10) unstable; urgency=medium
+
+ * Build depend on librelaxng-datatype-java and add its jar to the
+ classpath in debian/xjc.sh. (Closes: #915806)
+ * Remove trailing whitespace from debian/*.
+ * Add a lintian override (empty directory in source tree).
+ * Add minimal headers to two patches.
+
+ -- gregor herrmann Sat, 08 Dec 2018 15:45:44 +0100
+
+jabref (3.8.2+ds-9) unstable; urgency=medium
+
+ * Invoke xjc from jaxb-xjc and drop build-dep on openjdk-8
+ * Add build-dep on libxml-commons-resolver1.1-java
+ * Replace mysql-connector JDBC driver with mariadb-client-java
+
+ -- tony mancill Wed, 07 Nov 2018 18:27:39 -0800
+
+jabref (3.8.2+ds-8) unstable; urgency=medium
+
+ * Add runtime dep on jaxb and update wrapper script for openjdk 11
+ (Closes: #912221, LP: #1799106)
+ * Include openjdk-8-jdk as a build-dep for the xjc binary (removed
+ in openjdk-11) and patch build.gradle to compile using jaxb-api.
+ Note that this package still uses default-jdk for the compilation
+ itself. It cannot depend solely on openjdk-8-jdk, as Debian's
+ gradle fails to run on that JDK. (Addresses FTBFS)
+ * Bump Standards-Version to 4.2.1.
+
+ -- tony mancill Wed, 31 Oct 2018 17:30:24 -0700
+
 jabref (3.8.2+ds-7) unstable; urgency=medium
 * Add build-dep on libjsonp-java to builds against antlr4 version 4.6
@@ -416,7 +470,7 @@
 * Edit jabref wrapper script to resolve libjgoodies-common-java jar. Add libjgoodies-common-java to Depends. (Closes: #614506)
- * Change "looks" in wrapper script to "jgoodies-looks"
+ * Change "looks" in wrapper script to "jgoodies-looks"
 -- tony mancill Mon, 21 Feb 2011 20:04:55 -0800
@@ -445,10 +499,10 @@
 * Set Standards-Version to 3.9.1 (no changes).
 [ tony mancill ]
- * delete 05_antlr.patch
+ * delete 05_antlr.patch
 * add 05_antlrv32.patch: include new BstParser/Lexer classes generated by antlr 3.2. (Closes: #591124)
- * Update README.source with information regarding regeneration of
+ * Update README.source with information regarding regeneration of
 BstParser and BstLexer classes.
 -- tony mancill Tue, 03 Aug 2010 19:41:44 -0700
@@ -520,7 +574,7 @@
 get re-generated on each build.
 * Install reportbug presubj file via dh_bugfiles.
 * debian/copyright: update formatting and list of third-party copyright
- holders.
+ holders.
 [ tony mancill ]
 * Add PreviewPanel patch to remove dependency on DocumentPrinter class.
@@ -808,7 +862,7 @@
 jabref (2.1-3) unstable; urgency=low
 * Change menu section to "Apps/Databases" and remove lintian override.
- "Apps/Data Management" was premature, thanks to Frank Küster and
+ "Apps/Data Management" was premature, thanks to Frank Küster and
 Bill Allombert for pointing this out (cf. #386320).
 -- gregor herrmann Mon, 11 Sep 2006 21:12:37 +0200
@@ -852,7 +906,7 @@
 * Add icon to menu entry, thanks to LI Daobing for the idea (closes: #380604).
 * Remove references to the libraries Commons Logging and Commons HTTP Client
- from debian/copyright, as they are not included in the upstream tarball
+ from debian/copyright, as they are not included in the upstream tarball
 any more.
 -- gregor herrmann Mon, 31 Jul 2006 16:37:47 +0200
@@ -917,7 +971,7 @@
 jabref (2.0.1-2) unstable; urgency=low
 * Update to Standards-Version: 3.7.0 (no changes required).
- * Moved debhelper from Build-Depends-Indep to Build-Depends
+ * Moved debhelper from Build-Depends-Indep to Build-Depends
 in debian/control.
 -- gregor herrmann Mon, 1 May 2006 14:44:02 +0200
@@ -965,4 +1019,3 @@
 * Initial release Closes: #205392
 -- gregor herrmann Thu, 1 Sep 2005 23:18:00 +0200
-
diff -Nru jabref-3.8.2+ds/debian/control jabref-3.8.2+ds/debian/control
--- jabref-3.8.2+ds/debian/control 2018-08-26 21:50:27.000000000 +0000
+++ jabref-3.8.2+ds/debian/control 2019-02-08 23:54:59.000000000 +0000
@@ -18,6 +18,7 @@
 libcommons-lang3-java,
 libcommons-logging-java,
 libglazedlists-java,
+ libicu4j-java,
 libjava-string-similarity-java,
 libjaxb-api-java,
 libjaxb-java,
@@ -29,17 +30,19 @@
 libjsonp-java,
 liblog4j2-java (>= 2.10.0-2) | liblog4j2-java (<< 2.10),
 libmicroba-java,
- libmysql-java,
- libpdfbox-java (<< 1:2),
+ libmariadb-java,
+ libpdfbox-java,
 libpostgresql-jdbc-java (>= 9.4.1212),
+ librelaxng-datatype-java,
 libreoffice-java-common,
 libscram-java,
 libspin-java,
- libswingx-java (<< 1:1.6.4),
+ libswingx-java,
 libunirest-java-java,
+ libxml-commons-resolver1.1-java,
 default-jdk,
 ure (>= 5.0~)
-Standards-Version: 4.1.4
+Standards-Version: 4.3.0
 Vcs-Browser: https://salsa.debian.org/java-team/jabref
 Vcs-Git: https://salsa.debian.org/java-team/jabref.git
 Homepage: https://www.jabref.org/
@@ -61,6 +64,7 @@
 libhttpclient-java,
 libhttpmime-java,
 libjava-string-similarity-java,
+ libjaxb-java,
 libjempbox-java,
 libjgoodies-common-java (>= 1.8.1),
 libjgoodies-forms-java (>= 1.9.0),
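Review bot: The @@ -29,17 hunk of debian/control drops the upper bounds `libpdfbox-java (<< 1:2)` and `libswingx-java (<< 1:1.6.4)` from Build-Depends, but none of the changelog entries in this diff (-8 through -12) mention it. Those bounds presumably pinned the build to the API generations the 3.8.2 sources were written against, so if the package was verified to build and run against the now-unconstrained versions that is worth recording, e.g. a changelog line `* Drop obsolete upper bounds on libpdfbox-java and libswingx-java.`; if it was not verified, the bounds should stay until it is.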
@@ -77,7 +81,7 @@
 libunirest-java-java
 Recommends: xdg-utils,
 libreoffice-writer,
- libmysql-java,
+ libmariadb-java,
 libpostgresql-jdbc-java (>= 9.4.1212)
 Suggests: gv | postscript-viewer,
 xpdf | pdf-viewer
diff -Nru jabref-3.8.2+ds/debian/copyright jabref-3.8.2+ds/debian/copyright
--- jabref-3.8.2+ds/debian/copyright 2018-08-26 21:50:27.000000000 +0000
+++ jabref-3.8.2+ds/debian/copyright 2019-02-08 23:54:59.000000000 +0000
@@ -48,8 +48,8 @@
 License: GPL-2+
 Files: debian/*
-Copyright: 2005-2018, gregor herrmann
- 2005-2018, tony mancill
+Copyright: 2005-2019, gregor herrmann
+ 2005-2019, tony mancill
 License: Expat
 Files: debian/patches/001_koppor_debian.patch
diff -Nru jabref-3.8.2+ds/debian/jabref-wrapper jabref-3.8.2+ds/debian/jabref-wrapper
--- jabref-3.8.2+ds/debian/jabref-wrapper 2018-08-26 21:50:27.000000000 +0000
+++ jabref-3.8.2+ds/debian/jabref-wrapper 2019-02-08 23:54:59.000000000 +0000
@@ -6,11 +6,16 @@
 # We need a java8 runtime (at least)
 find_java_runtime java8
-JAVA_VERSION=$(run_java -version 2>&1 | grep ' version ' | awk '{print $3}')
-if ! ( echo "$JAVA_VERSION" | grep -q '1.8.0' ) ; then
+MAJOR_JAVA_VERSION=$(run_java -version 2>&1 | grep ' version ' | awk '{print $3}' | cut -f1 -d'.' | cut -c2-)
+if ( test $MAJOR_JAVA_VERSION -ge 9 ) ; then
 # We need some options to start this version on openjdk9 and later
 # See http://discourse.jabref.org/t/cannot-start-jabref-3-7-3-6-using-java-9-on-ubuntu-16-04/361/8
- JABREF_JAVA_OPTS=${JABREF_JAVA_OPTS-"--add-modules=java.se.ee --add-opens=java.desktop/java.awt=ALL-UNNAMED"}
+ JABREF_JAVA_OPTS=${JABREF_JAVA_OPTS-"--add-opens=java.desktop/java.awt=ALL-UNNAMED"}
+
+ # But java.se.ee only works for Java 9 and Java 10
+ if ( test $MAJOR_JAVA_VERSION -lt 11 ) ; then
+ JABREF_JAVA_OPTS="${JABREF_JAVA_OPTS} --add-modules=java.se.ee"
+ fi
 fi
 find_jars \
@@ -32,6 +37,7 @@
 httpcore-nio \
 httpmime \
 java-string-similarity \
+ jaxb-runtime \
 jempbox \
 jgoodies-common \
 jgoodies-forms \
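Review bot: In the jabref-wrapper @@ -6,11 hunk, `test $MAJOR_JAVA_VERSION -ge 9` is unquoted, so when the grep/awk/cut pipeline yields an empty string (no ' version ' line in the `run_java -version` output) test aborts with a syntax error instead of taking the Java 8 path; `if [ "${MAJOR_JAVA_VERSION:-0}" -ge 9 ]; then` and the same form for the `-lt 11` check keep the script running, and the enclosing parentheses only fork a subshell around test and can go. The `cut -c2-` step also assumes the version token is quoted and dot-separated (`"1.8.0_x"`, `"11.0.2"`); a token without a dot would leave a trailing quote in the value and break the comparison, which is worth checking against the JDKs in the target suites.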
@@ -44,7 +50,7 @@
 log4j-core \
 log4j-jcl \
 microba \
- mysql-connector-java \
+ mariadb-java-client \
 pdfbox \
 postgresql \
 ridl \
diff -Nru jabref-3.8.2+ds/debian/patches/010_gradle_build.patch jabref-3.8.2+ds/debian/patches/010_gradle_build.patch
--- jabref-3.8.2+ds/debian/patches/010_gradle_build.patch 2018-08-26 21:50:27.000000000 +0000
+++ jabref-3.8.2+ds/debian/patches/010_gradle_build.patch 2019-02-08 23:54:59.000000000 +0000
@@ -64,7 +64,19 @@
 compile 'com.jgoodies:jgoodies-common:1.8.1'
 compile 'com.jgoodies:jgoodies-forms:1.9.0'
 compile 'com.jgoodies:jgoodies-looks:2.7.0'
-@@ -118,8 +127,8 @@
+@@ -97,9 +106,8 @@
+ antlr4 'org.antlr:antlr4:4.6'
+ compile 'org.antlr:antlr4-runtime:4.6'
+
+- // VersionEye states that 6.0.5 is the most recent version, but http://dev.mysql.com/downloads/connector/j/ shows that as "Development Release"
+- compile 'mysql:mysql-connector-java:5.1.40'
+-
++ // debian would like to drop mysql-connector-java
++ compile 'org.mariadb.jdbc:mariadb-java-client:2.3.0'
+ compile 'org.postgresql:postgresql:9.4.1210'
+
+ compile 'net.java.dev.glazedlists:glazedlists_java15:1.9.1'
+@@ -118,8 +126,8 @@
 compile 'org.apache.logging.log4j:log4j-jcl:2.7'
 compile 'org.apache.logging.log4j:log4j-api:2.7'
 compile 'org.apache.logging.log4j:log4j-core:2.7'
@@ -75,7 +87,7 @@
 testCompile 'junit:junit:4.12'
 testCompile 'org.mockito:mockito-core:2.6.2'
-@@ -257,11 +266,12 @@
+@@ -257,11 +265,12 @@
 tasks.withType(Test) {
 reports.html.destination = file("${reporting.baseDir}/${name}")
@@ -91,7 +103,7 @@
 jacocoTestReport {
 reports {
 xml.enabled = true // coveralls plugin depends on xml format report
-@@ -299,6 +309,7 @@
+@@ -299,6 +308,7 @@
 }
 })
 }
@@ -99,7 +111,7 @@
 /*
 * Changes project.version to VERSION--snapshot--DATE--GIT_HASH
-@@ -333,6 +344,7 @@
+@@ -333,6 +343,7 @@
 project.version += "--snapshot--" + infoString
 }
@@ -107,7 +119,7 @@
 // has to be defined AFTER 'dev' things to have the correct project.version
 task media(type: com.install4j.gradle.Install4jTask, dependsOn: "releaseJar") {
 projectFile = file('jabref.install4j')
-@@ -391,3 +403,4 @@
+@@ -391,3 +402,4 @@
 // See https://github.com/andrewgaul/modernizer-maven-plugin for more information on modernizer
 failOnViolations = false
 }
diff -Nru jabref-3.8.2+ds/debian/patches/070_jdk9_swing.patch jabref-3.8.2+ds/debian/patches/070_jdk9_swing.patch
--- jabref-3.8.2+ds/debian/patches/070_jdk9_swing.patch 2018-08-26 21:50:27.000000000 +0000
+++ jabref-3.8.2+ds/debian/patches/070_jdk9_swing.patch 2019-02-08 23:54:59.000000000 +0000
@@ -1,3 +1,7 @@
+Description: Add JDK9 swing patch
+Origin: vendor
+Author: tony mancill
+
 --- a/src/main/java/net/sf/jabref/gui/FindUnlinkedFilesDialog.java
 +++ b/src/main/java/net/sf/jabref/gui/FindUnlinkedFilesDialog.java
 @@ -398,8 +398,10 @@ public class FindUnlinkedFilesDialog ext
diff -Nru jabref-3.8.2+ds/debian/patches/080_jdk11_jaxb.patch jabref-3.8.2+ds/debian/patches/080_jdk11_jaxb.patch
--- jabref-3.8.2+ds/debian/patches/080_jdk11_jaxb.patch 1970-01-01 00:00:00.000000000 +0000
+++ jabref-3.8.2+ds/debian/patches/080_jdk11_jaxb.patch 2019-02-08 23:54:59.000000000 +0000
@@ -0,0 +1,14 @@
+Description: patch build.gradle to compile using jaxb-api
+Origin: vendor
+Author: tony mancill
+
+--- a/build.gradle
++++ b/build.gradle
+@@ -128,6 +128,7 @@
+ compile 'org.apache.logging.log4j:log4j-core:2.7'
+ //compile 'org.xmlunit:xmlunit-core:2.3.0'
+ //compile 'org.xmlunit:xmlunit-matchers:2.3.0'
++ compile 'javax.xml.bind:jaxb-api:2.3.0'
+
+ testCompile 'junit:junit:4.12'
+ testCompile 'org.mockito:mockito-core:2.6.2'
diff -Nru jabref-3.8.2+ds/debian/patches/090_mariadb.patch jabref-3.8.2+ds/debian/patches/090_mariadb.patch
--- jabref-3.8.2+ds/debian/patches/090_mariadb.patch 1970-01-01 00:00:00.000000000 +0000
+++ jabref-3.8.2+ds/debian/patches/090_mariadb.patch 2019-02-08 23:54:59.000000000 +0000
@@ -0,0 +1,15 @@
+Description: update jabref to use mariadb driver for MySQL connections
+Author: tony mancill
+Forwarded: not-needed
+
+--- a/src/main/java/net/sf/jabref/shared/DBMSType.java
++++ b/src/main/java/net/sf/jabref/shared/DBMSType.java
+@@ -10,7 +10,7 @@
+
+ MYSQL(
+ "MySQL",
+- "com.mysql.jdbc.Driver",
++ "org.mariadb.jdbc.Driver",
+ "jdbc:mysql://%s:%d/%s", 3306),
+ ORACLE(
+ "Oracle",
diff -Nru jabref-3.8.2+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch jabref-3.8.2+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch
--- jabref-3.8.2+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 1970-01-01 00:00:00.000000000 +0000
+++ jabref-3.8.2+ds/debian/patches/100_CVE-2018-1000652_XXE-vulnerability.patch 2019-02-08 23:54:59.000000000 +0000
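Review bot: The 090_mariadb patch swaps the MYSQL driver class to `org.mariadb.jdbc.Driver` but leaves the `"jdbc:mysql://%s:%d/%s"` URL template and the "MySQL" label untouched, so the enum now relies on the MariaDB connector accepting the jdbc:mysql scheme. The 2.x series pinned in the 010 patch (2.3.0) does accept it, but that is a driver-specific compatibility behaviour rather than a JDBC guarantee, so the patch header should record it, e.g. `Comment: MariaDB Connector/J 2.x accepts jdbc:mysql:// URLs, so the URL template is unchanged.` That note also tells a future maintainer what to re-check when the connector is upgraded.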
@@ -0,0 +1,81 @@
+From 89f855d76713b4cd25ac0830c719cd61c511851e Mon Sep 17 00:00:00 2001
+From: Nick
+Date: Mon, 30 Jul 2018 16:06:07 +0000
+Subject: [PATCH] Fix importer vulnerability (#4240)
+
+* Fix importer vulnerability
+Fixed issue #4229 where importer was vulnerable to XXE attacks by
+disabling DTDs along with adding warning to logger if features are
+unavailable. fixes #4229
+
+Bugs-Debian: https://bugs.debian.org/921772
+Bug: https://github.com/JabRef/jabref/issues/4229
+
+--- a/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
++++ b/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
+@@ -6,12 +6,15 @@
+
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
+
+ import net.sf.jabref.logic.importer.Importer;
+ import net.sf.jabref.logic.importer.ParserResult;
+ import net.sf.jabref.logic.msbib.MSBibDatabase;
+ import net.sf.jabref.logic.util.FileExtensions;
+
++import org.apache.commons.logging.Log;
++import org.apache.commons.logging.LogFactory;
+ import org.w3c.dom.Document;
+ import org.xml.sax.InputSource;
+
+@@ -23,6 +26,10 @@
+ */
+ public class MsBibImporter extends Importer {
+
++ private static final Log LOGGER = LogFactory.getLog(MsBibImporter.class);
++ private static final String DISABLEDTD = "http://apache.org/xml/features/disallow-doctype-decl";
++ private static final String DISABLEEXTERNALDTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
++
+ @Override
+ public boolean isRecognizedFormat(BufferedReader reader) throws IOException {
+ Objects.requireNonNull(reader);
+@@ -34,7 +41,7 @@
+ */
+ Document docin;
+ try {
+- DocumentBuilder dbuild = DocumentBuilderFactory.newInstance().newDocumentBuilder();
++ DocumentBuilder dbuild = makeSafeDocBuilderFactory(DocumentBuilderFactory.newInstance()).newDocumentBuilder();
+ docin = dbuild.parse(new InputSource(reader));
+ } catch (Exception e) {
+ return false;
+@@ -65,4 +72,29 @@
+ return "Importer for the MS Office 2007 XML bibliography format.";
+ }
+
++ /**
++ * DocumentBuilderFactory makes a XXE safe Builder factory from dBuild. If not supported by current
++ * XML then returns original builder given and logs error.
++ * @param dBuild | DocumentBuilderFactory to be made XXE safe.
++ * @return If supported, XXE safe DocumentBuilderFactory. Else, returns original builder given
++ */
++ private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
++ String feature = null;
++
++ try {
++ feature = DISABLEDTD;
++ dBuild.setFeature(feature, true);
++
++ feature = DISABLEEXTERNALDTD;
++ dBuild.setFeature(feature, false);
++
++ dBuild.setXIncludeAware(false);
++ dBuild.setExpandEntityReferences(false);
++
++ } catch (ParserConfigurationException e) {
++ LOGGER.warn("Builder not fully configured. Feature:'" + feature + "' is probably not supported by current XML processor.", e);
++ }
++
++ return dBuild;
++ }
+ }
diff -Nru jabref-3.8.2+ds/debian/patches/series jabref-3.8.2+ds/debian/patches/series
--- jabref-3.8.2+ds/debian/patches/series 2018-08-26 21:50:27.000000000 +0000
+++ jabref-3.8.2+ds/debian/patches/series 2019-02-08 23:54:59.000000000 +0000
@@ -5,3 +5,6 @@
 050_unirest_json.patch
 060_0664_perms.patch
 070_jdk9_swing.patch
+080_jdk11_jaxb.patch
+090_mariadb.patch
+100_CVE-2018-1000652_XXE-vulnerability.patch
diff -Nru jabref-3.8.2+ds/debian/README.Debian jabref-3.8.2+ds/debian/README.Debian
--- jabref-3.8.2+ds/debian/README.Debian 2018-08-26 21:50:27.000000000 +0000
+++ jabref-3.8.2+ds/debian/README.Debian 2019-02-08 23:54:59.000000000 +0000
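Review bot: makeSafeDocBuilderFactory in the backported CVE-2018-1000652 patch fails open: if `dBuild.setFeature(DISABLEDTD, true)` throws ParserConfigurationException, the catch only logs a warning and the still-unprotected factory is returned and handed to `newDocumentBuilder()` in the -34 hunk, so on a processor that lacks the disallow-doctype-decl feature the fix silently does nothing. The only caller shown wraps the call in `catch (Exception e) { return false; }`, so letting that one failure propagate would make isRecognizedFormat reject the input instead of parsing it unsafely, while the secondary features can keep the log-and-continue handling. Disabling the SAX external-general-entities and external-parameter-entities features is cheap defence in depth for processors that do not honour the Xerces-specific feature names. Since this is an upstream commit, the change is best carried upstream rather than diverging in the Debian patch.
```java
    private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) throws ParserConfigurationException {
        // Fail closed: a factory that cannot refuse DOCTYPE declarations must not parse untrusted input.
        dBuild.setFeature(DISABLEDTD, true);
        dBuild.setXIncludeAware(false);
        dBuild.setExpandEntityReferences(false);

        // Defence in depth; these may be unsupported by some processors, so only log on failure.
        String feature = null;
        try {
            feature = DISABLEEXTERNALDTD;
            dBuild.setFeature(feature, false);
            feature = "http://xml.org/sax/features/external-general-entities";
            dBuild.setFeature(feature, false);
            feature = "http://xml.org/sax/features/external-parameter-entities";
            dBuild.setFeature(feature, false);
        } catch (ParserConfigurationException e) {
            LOGGER.warn("Builder not fully configured. Feature:'" + feature + "' is probably not supported by current XML processor.", e);
        }

        return dBuild;
    }
```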
@@ -11,7 +11,7 @@
 The debian version of JabRef is close to the official version. The only differences are the following:
- - The dialog for merging entries (https://help.jabref.org/en/MergeEntries)
+ - The dialog for merging entries (https://help.jabref.org/en/MergeEntries)
 does not support syntax highlighting
 - The Debian version uses the microba date picker
 - The live update functionality for PostgreSQL has been removed
diff -Nru jabref-3.8.2+ds/debian/source/lintian-overrides jabref-3.8.2+ds/debian/source/lintian-overrides
--- jabref-3.8.2+ds/debian/source/lintian-overrides 1970-01-01 00:00:00.000000000 +0000
+++ jabref-3.8.2+ds/debian/source/lintian-overrides 2019-02-08 23:54:59.000000000 +0000
@@ -0,0 +1,2 @@
+# this is a side effect of creating the +ds version
+jabref source: source-contains-empty-directory src/main/java/osx/macadapter/
diff -Nru jabref-3.8.2+ds/debian/xjc.sh jabref-3.8.2+ds/debian/xjc.sh
--- jabref-3.8.2+ds/debian/xjc.sh 2018-08-26 21:50:27.000000000 +0000
+++ jabref-3.8.2+ds/debian/xjc.sh 2019-02-08 23:54:59.000000000 +0000
@@ -2,7 +2,7 @@
 #
 # generate Java bindings for XML schemas used in JabRef
-XJC=/usr/bin/xjc
+XJC="java -cp /usr/share/java/jaxb-xjc.jar:/usr/share/java/jaxb-runtime.jar:/usr/share/java/xml-resolver.jar:/usr/share/java/relaxngDatatype.jar com.sun.tools.xjc.XJCFacade"
 DEST=src/main/gen
 $XJC -d $DEST \