Version in base suite: 2.5.1-1
Base version: hsqldb_2.5.1-1
Target version: hsqldb_2.5.1-1+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/hsqldb/hsqldb_2.5.1-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/h/hsqldb/hsqldb_2.5.1-1+deb11u1.dsc
changelog | 17 ++++++++++++
patches/CVE-2022-41853.patch | 59 +++++++++++++++++++++++++++++++++++++++++++
patches/series | 1
3 files changed, 77 insertions(+)
diff -Nru hsqldb-2.5.1/debian/changelog hsqldb-2.5.1/debian/changelog
--- hsqldb-2.5.1/debian/changelog 2020-07-07 11:59:36.000000000 +0000
+++ hsqldb-2.5.1/debian/changelog 2023-01-10 21:07:42.000000000 +0000
@@ -1,3 +1,20 @@
+hsqldb (2.5.1-1+deb11u1) bullseye-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2022-41853:
+ Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb
+ (HyperSQL DataBase) to process untrusted input may be vulnerable to a
+ remote code execution attack. By default it is allowed to call any static
+ method of any Java class in the classpath resulting in code execution. The
+ issue can be prevented by updating to 2.4.1-2+deb10u1 or by setting the
+ system property "hsqldb.method_class_names" to classes which are allowed to
+ be called. For example, System.setProperty("hsqldb.method_class_names",
+ "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From
+ version 2.4.1-2+deb10u1 all classes by default are not accessible except
+ those in java.lang.Math and need to be manually enabled.
+
+ -- Markus Koschany Tue, 10 Jan 2023 22:07:42 +0100
+
 hsqldb (2.5.1-1) unstable; urgency=medium

 * New upstream version 2.5.1.
diff -Nru hsqldb-2.5.1/debian/patches/CVE-2022-41853.patch hsqldb-2.5.1/debian/patches/CVE-2022-41853.patch
--- hsqldb-2.5.1/debian/patches/CVE-2022-41853.patch 1970-01-01 00:00:00.000000000 +0000
+++ hsqldb-2.5.1/debian/patches/CVE-2022-41853.patch 2023-01-10 21:07:42.000000000 +0000
@@ -0,0 +1,59 @@
+From: Markus Koschany
+Date: Wed, 7 Dec 2022 13:00:46 +0100
+Subject: CVE-2022-41853
+
+Bug-Debian: https://bugs.debian.org/1023573
+Origin: https://sourceforge.net/p/hsqldb/svn/6614/
+---
+ .../src/org/hsqldb/persist/HsqlDatabaseProperties.java | 18 +++++++-----------
+ 1 file changed, 7 insertions(+), 11 deletions(-)
+
+--- a/hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java
++++ b/hsqldb/src/org/hsqldb/persist/HsqlDatabaseProperties.java
+@@ -51,28 +51,28 @@ import org.hsqldb.lib.StringUtil;
+ */
+ public class HsqlDatabaseProperties extends HsqlProperties {
+
+- private static final String hsqldb_method_class_names =
++ public static final String hsqldb_method_class_names =
+ "hsqldb.method_class_names";
+ public static final String textdb_allow_full_path =
+ "textdb.allow_full_path";
+- private static HashSet accessibleJavaMethodNames;
++ public static String methodClassNames;
++ private static final HashSet accessibleJavaMethodNames = new HashSet();
+ private static boolean allowFullPath;
+
+ static {
+ try {
+- String prop = System.getProperty(hsqldb_method_class_names);
++ methodClassNames = System.getProperty(hsqldb_method_class_names);
+
+- if (prop != null) {
+- accessibleJavaMethodNames = new HashSet();
++ if (methodClassNames != null) {
+
+- String[] names = StringUtil.split(prop, ";");
++ String[] names = StringUtil.split(methodClassNames, ";");
+
+ for (int i = 0; i < names.length; i++) {
+ accessibleJavaMethodNames.add(names[i]);
+ }
+ }
+
+- prop = System.getProperty(textdb_allow_full_path);
++ String prop = System.getProperty(textdb_allow_full_path);
+
+ if (prop != null) {
+ if (Boolean.valueOf(prop)) {
+@@ -97,10 +97,6 @@ public class HsqlDatabaseProperties exte
+ */
+ public static boolean supportsJavaMethod(String name) {
+
+- if (accessibleJavaMethodNames == null) {
+- return true;
+- }
+
+ if (name.startsWith("java.lang.Math.")) {
+ return true;
+ }
diff -Nru hsqldb-2.5.1/debian/patches/series
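Review bot: `public static String methodClassNames;` is a mutable public static that, as far as this hunk shows, is consumed exactly once, in the static initializer that splits it into the now-final `accessibleJavaMethodNames` set, so assigning the field later — or calling `System.setProperty("hsqldb.method_class_names", ...)` once `HsqlDatabaseProperties` has already been initialized — silently leaves the allow-list unchanged, which the changelog's `System.setProperty` example does not make clear. Unless another class in the tree reads it (the patch follows upstream svn r6614, so it may), `private static final String methodClassNames` would keep it from being mistaken for a live setting; if it must stay public, a comment such as `// Snapshot of the system property taken at class-init; later changes do not affect the allow-list.` belongs above the declaration. The remainder of `supportsJavaMethod`, where `accessibleJavaMethodNames` is actually consulted, lies outside this hunk, so the intended fail-closed result for an empty set and for names outside `java.lang.Math.` cannot be confirmed from here. Entries produced by `StringUtil.split(methodClassNames, ";")` are stored untrimmed (pre-existing), so a value like `"a; b"` never matches class `b`; now that this set is the sole gate on static-method calls from SQL, trimming each entry before `accessibleJavaMethodNames.add(...)`, or a line in the patch header stating that whitespace is significant, would stop such an entry from being quietly ignored.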
hsqldb-2.5.1/debian/patches/series
--- hsqldb-2.5.1/debian/patches/series 1970-01-01 00:00:00.000000000 +0000
+++ hsqldb-2.5.1/debian/patches/series 2023-01-10 21:07:42.000000000 +0000
@@ -0,0 +1 @@
+CVE-2022-41853.patch