Version in base suite: 3.6.2-2 Base version: openrefine_3.6.2-2 Target version: openrefine_3.6.2-2+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openrefine/openrefine_3.6.2-2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openrefine/openrefine_3.6.2-2+deb12u1.dsc changelog | 10 ++++++++++ patches/CVE-2023-37476.patch | 24 ++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 35 insertions(+)
diff -Nru openrefine-3.6.2/debian/changelog openrefine-3.6.2/debian/changelog
--- openrefine-3.6.2/debian/changelog 2023-04-05 18:20:17.000000000 +0000
+++ openrefine-3.6.2/debian/changelog 2023-09-07 19:22:17.000000000 +0000
@@ -1,3 +1,13 @@
+openrefine (3.6.2-2+deb12u1) bookworm; urgency=medium
+
+ * Fix CVE-2023-37476:
+ OpenRefine is a free, open source tool for data processing. A carefully
+ crafted malicious OpenRefine project tar file can be used to trigger
+ arbitrary code execution in the context of the OpenRefine process if a user
+ can be convinced to import it. (Closes: #1041422)
+
+ -- Markus Koschany Thu, 07 Sep 2023 21:22:17 +0200
+
 openrefine (3.6.2-2) unstable; urgency=medium
 * Depend on libjoda-time-java and liboro-java.
diff -Nru openrefine-3.6.2/debian/patches/CVE-2023-37476.patch openrefine-3.6.2/debian/patches/CVE-2023-37476.patch
--- openrefine-3.6.2/debian/patches/CVE-2023-37476.patch 1970-01-01 00:00:00.000000000 +0000
+++ openrefine-3.6.2/debian/patches/CVE-2023-37476.patch 2023-09-07 19:22:17.000000000 +0000
@@ -0,0 +1,24 @@
+From: Markus Koschany
+Date: Thu, 17 Aug 2023 21:33:50 +0200
+Subject: CVE-2023-37476
+
+Bug-Debian: https://bugs.debian.org/1041422
+Origin: https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651
+---
+ main/src/com/google/refine/io/FileProjectManager.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/main/src/com/google/refine/io/FileProjectManager.java b/main/src/com/google/refine/io/FileProjectManager.java
+index 09197f7..c913199 100644
+--- a/main/src/com/google/refine/io/FileProjectManager.java
++++ b/main/src/com/google/refine/io/FileProjectManager.java
+@@ -167,6 +167,9 @@ public class FileProjectManager extends ProjectManager {
+
+ while ((tarEntry = tin.getNextTarEntry()) != null) {
+ File destEntry = new File(destDir, tarEntry.getName());
++ if (!destEntry.toPath().normalize().startsWith(destDir.toPath().normalize())) {
++ throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
++ }
+ File parent = destEntry.getParentFile();
+
+ if (!parent.exists()) {
diff -Nru openrefine-3.6.2/debian/patches/series openrefine-3.6.2/debian/patches/series
--- openrefine-3.6.2/debian/patches/series 2023-04-05 18:20:17.000000000 +0000
+++ openrefine-3.6.2/debian/patches/series 2023-09-07 19:22:17.000000000 +0000
@@ -4,3 +4,4 @@
 log4j-api.patch
 no-java-files.patch
 gdata-extension.patch
+CVE-2023-37476.patch
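Review bot: The message on the added `throw` in the FileProjectManager hunk says "Zip archives", but the loop it guards iterates `tin.getNextTarEntry()`, so the text misdescribes the rejected input and will mislead anyone triaging the error; `throw new IllegalArgumentException("Tar archives with entries escaping their root directory are not allowed.");` would match the code. The containment check itself is purely lexical: `normalize()` collapses `..` components and `Path.startsWith` compares whole name elements, so a sibling directory sharing a prefix with destDir is correctly rejected. Symbolic-link entries are not examined by this check, and whether the extraction loop materialises them cannot be seen from this hunk; if it does, a later entry written through a previously extracted link would not be caught here, which deserves a comment such as `// Lexical containment check only; symlink entries are not considered here`. The enclosing method starts and ends outside the hunk, so whether partially extracted files in destDir are cleaned up once the exception propagates is also not visible.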