Version in base suite: 3.6.2-2+deb12u2 Base version: openrefine_3.6.2-2+deb12u2 Target version: openrefine_3.6.2-2+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openrefine/openrefine_3.6.2-2+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openrefine/openrefine_3.6.2-2+deb12u3.dsc changelog | 10 ++ patches/CVE-2024-23833.patch | 56 ++++++++++++ patches/CVE-2024-47878.patch | 156 ++++++++++++++++++++++++++++++++++++ patches/CVE-2024-47880.patch | 40 +++++++++ patches/CVE-2024-47881.patch | 181 ++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2024-47882.patch | 33 +++++++ patches/CVE-2024-49760.patch | 54 ++++++++++++ patches/build.patch | 2 patches/gdata-extension.patch | 2 patches/log4j-api.patch | 2 patches/no-java-files.patch | 4 patches/series | 6 + 12 files changed, 541 insertions(+), 5 deletions(-)
diff -Nru openrefine-3.6.2/debian/changelog openrefine-3.6.2/debian/changelog
--- openrefine-3.6.2/debian/changelog 2023-10-04 13:02:45.000000000 +0000
+++ openrefine-3.6.2/debian/changelog 2025-09-27 22:52:50.000000000 +0000
@@ -1,3 +1,13 @@
+openrefine (3.6.2-2+deb12u3) bookworm; urgency=medium
+
+ * Fix CVE-2024-23833, CVE-2024-47878, CVE-2024-47880, CVE-2024-47881,
+ CVE-2024-47882 and CVE-2024-49760.
+ OpenRefine is a free, open source tool for data processing. Users could be
+ tricked into opening malicious websites which then enabled attackers to run
+ arbitrary code on the server due to improper escaping or code restrictions.
+
+ -- Markus Koschany Sun, 28 Sep 2025 00:52:50 +0200
+
 openrefine (3.6.2-2+deb12u2) bookworm; urgency=medium
 
 * Fix CVE-2023-41887 and CVE-2023-41886:
diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-23833.patch openrefine-3.6.2/debian/patches/CVE-2024-23833.patch
--- openrefine-3.6.2/debian/patches/CVE-2024-23833.patch 1970-01-01 00:00:00.000000000 +0000
+++ openrefine-3.6.2/debian/patches/CVE-2024-23833.patch 2025-09-27 22:52:50.000000000 +0000
@@ -0,0 +1,56 @@
+From: Markus Koschany
+Date: Sat, 27 Sep 2025 15:13:00 +0200
+Subject: CVE-2024-23833
+
+Origin: https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a
+Debian-Bug: https://bugs.debian.org/1064192
+---
+ .../refine/extension/database/DatabaseConfiguration.java | 7 +++++++
+ .../refine/extension/database/DatabaseConfigurationTest.java | 12 ++++++++++++
+ 2 files changed, 19 insertions(+)
+
+diff --git a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+index 3f0dd57..579ee00 100644
+--- a/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
++++ b/extensions/database/src/com/google/refine/extension/database/DatabaseConfiguration.java
+@@ -68,6 +68,13 @@ public class DatabaseConfiguration {
+ }
+ 
+ public void setDatabaseHost(String databaseServer) {
++ // forbid setting settings inside the host parameter:
++ // https://dev.mysql.com/doc/connector-j/en/connector-j-reference-jdbc-url-format.html
++ if (databaseServer == null ||
++ databaseServer.contains("(") ||
++ databaseServer.contains("=")) {
++ throw new IllegalArgumentException("Invalid host supplied");
++ }
+ this.databaseHost = databaseServer;
+ }
+ 
+diff --git a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+index 5a571e8..928aeac 100644
+--- a/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
++++ b/extensions/database/tests/src/com/google/refine/extension/database/DatabaseConfigurationTest.java
+@@ -1,5 +1,8 @@
+ package com.google.refine.extension.database;
+ 
++import static org.testng.Assert.assertEquals;
++import static org.testng.Assert.assertThrows;
++
+ import org.testng.annotations.Test;
+ 
+ import static org.testng.Assert.assertEquals;
+@@ -18,4 +21,13 @@ public class DatabaseConfigurationTest {
+ // the database name is escaped, preventing the exploit
+ assertEquals(url, "jdbc:mysql://my.host/test%3FallowLoadLocalInfile=true%23");
+ }
++
++ @Test
++ public void testSetMaliciousHost() {
++ DatabaseConfiguration config = new DatabaseConfiguration();
++ config.setDatabaseType("mysql");
++
++ assertThrows(IllegalArgumentException.class,
++ () -> config.setDatabaseHost("127.0.0.1:3306,(allowLoadLocalInfile=true,allowUrlInLocalInfile=true),127.0.0.1"));
++ }
+ }
diff -Nru openrefine-3.6.2/debian/patches/CVE-2024-47878.patch openrefine-3.6.2/debian/patches/CVE-2024-47878.patch
--- openrefine-3.6.2/debian/patches/CVE-2024-47878.patch 1970-01-01 00:00:00.000000000 +0000
+++ openrefine-3.6.2/debian/patches/CVE-2024-47878.patch 2025-09-27 22:52:50.000000000 +0000
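Review bot: The check added to `setDatabaseHost` in the nested DatabaseConfiguration.java hunk is a denylist of two characters, `(` and `=`, taken from one driver's URL grammar; an allowlist of what a host spec legitimately contains states the intent directly and does not depend on that grammar staying fixed, e.g. `if (databaseServer == null || !databaseServer.matches("[A-Za-z0-9.\\-:\\[\\],]+")) {`, with the character set confirmed against the host forms the project must accept. Rejecting `null` is also a behaviour change from the previous unconditional assignment, so any caller that cleared the host by passing `null` now gets an `IllegalArgumentException`; a Javadoc line `@throws IllegalArgumentException if the host is null or contains characters that could carry connection options` on the setter would make that contract visible. In the DatabaseConfigurationTest.java hunk the added `import static org.testng.Assert.assertEquals;` duplicates the existing one that stays as context two lines below; the compiler tolerates this, but dropping the older line would keep the static imports together.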
@@ -0,0 +1,156 @@ +From: Markus Koschany +Date: Sat, 27 Sep 2025 15:15:58 +0200 +Subject: CVE-2024-47878 + +Origin: https://github.com/OpenRefine/OpenRefine/commit/37b375478eca41b8948b104bf6790ebf659a88cb +Bug-Debian: https://bugs.debian.org/1086041 +--- + extensions/gdata/module/MOD-INF/controller.js | 21 +----- + extensions/gdata/module/authorized.vt | 6 +- + .../refine/extension/gdata/AuthorizedCommand.java | 88 ++++++++++++++++++++++ + 3 files changed, 94 insertions(+), 21 deletions(-) + create mode 100644 extensions/gdata/src/com/google/refine/extension/gdata/AuthorizedCommand.java + +diff --git a/extensions/gdata/module/MOD-INF/controller.js b/extensions/gdata/module/MOD-INF/controller.js +index fc6ff96..549c6be 100644 +--- a/extensions/gdata/module/MOD-INF/controller.js ++++ b/extensions/gdata/module/MOD-INF/controller.js +@@ -101,23 +101,10 @@ function process(path, request, response) { + + send(request, response, "authorize.vt", context); + } else if (path == "authorized") { +- var context = {}; +- context.state = request.getParameter("state"); +- +- (function() { +- if (Packages.com.google.refine.extension.gdata.TokenCookie.getToken(request) !== null) { +- return; +- } +- var tokenAndExpiresInSeconds = Packages.com.google.refine.extension.gdata.GoogleAPIExtension.getTokenFromCode(module,request); +- if (tokenAndExpiresInSeconds) { +- var tokenInfo = tokenAndExpiresInSeconds.split(","); +- Packages.com.google.refine.extension.gdata.TokenCookie.setToken(request, response, tokenInfo[0], tokenInfo[1]); +- return; +- } +- Packages.com.google.refine.extension.gdata.TokenCookie.deleteToken(request, response); +- })(); +- +- send(request, response, "authorized.vt", context); ++ // it's a command but we handle it manually here, so as to preserve the URL ++ var command = new Packages.com.google.refine.extension.gdata.AuthorizedCommand(module); ++ command.doGet(request, response); ++ butterfly.responded(); + } else if (path == "/" || path == "") { + var context = 
{}; + context.version = version; +diff --git a/extensions/gdata/module/authorized.vt b/extensions/gdata/module/authorized.vt +index 67ed3f5..3c16371 100644 +--- a/extensions/gdata/module/authorized.vt ++++ b/extensions/gdata/module/authorized.vt +@@ -40,10 +40,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +