")); +- output.append(m_priv->title); ++ Transform::appendEscapingTags(output, m_priv->title); + output.append(LOG4CXX

Version in base suite: 1.4.0-1 Base version: log4cxx_1.4.0-1 Target version: log4cxx_1.4.0-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/l/log4cxx/log4cxx_1.4.0-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/l/log4cxx/log4cxx_1.4.0-1+deb13u1.dsc changelog | 9 gitlab-ci.yml | 6 patches/04-CVE-2025-54812-1-Escape-loggername.patch | 131 ++++++++++ patches/05-CVE-2025-54812-2-Escape-threadname.patch | 30 ++ patches/06-CVE-2025-54812-3-Escape-html-layout-title.patch | 28 ++ patches/07-CVE-2025-54813-Escape-control-characters-in-JSONLayout.patch | 121 +++++++++ patches/series | 4 7 files changed, 327 insertions(+), 2 deletions(-) diff -Nru log4cxx-1.4.0/debian/changelog log4cxx-1.4.0/debian/changelog --- log4cxx-1.4.0/debian/changelog 2025-03-22 12:13:22.000000000 +0000 +++ log4cxx-1.4.0/debian/changelog 2025-11-06 20:14:52.000000000 +0000 @@ -1,3 +1,12 @@ +log4cxx (1.4.0-1+deb13u1) trixie; urgency=medium + + [ Lukas Märdian and Tobias Frost ] + * Backport fixes for: + - CVE-2025-54812: Improper HTML escaping in HTMLLayout (Closes: #1111879) + - CVE-2025-54813: Improper escaping with JSONLayout (Closes: #1111881) + + -- Tobias Frost Thu, 06 Nov 2025 21:14:52 +0100 + log4cxx (1.4.0-1) unstable; urgency=medium * New upstream release. diff -Nru log4cxx-1.4.0/debian/gitlab-ci.yml log4cxx-1.4.0/debian/gitlab-ci.yml --- log4cxx-1.4.0/debian/gitlab-ci.yml 2025-01-04 11:12:27.000000000 +0000 +++ log4cxx-1.4.0/debian/gitlab-ci.yml 2025-11-06 20:14:52.000000000 +0000 @@ -1,4 +1,6 @@ --- include: - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + RELEASE: 'trixie' diff -Nru log4cxx-1.4.0/debian/patches/04-CVE-2025-54812-1-Escape-loggername.patch log4cxx-1.4.0/debian/patches/04-CVE-2025-54812-1-Escape-loggername.patch --- log4cxx-1.4.0/debian/patches/04-CVE-2025-54812-1-Escape-loggername.patch 1970-01-01 00:00:00.000000000 +0000 +++ log4cxx-1.4.0/debian/patches/04-CVE-2025-54812-1-Escape-loggername.patch 2025-11-06 20:14:52.000000000 +0000 @@ -0,0 +1,131 @@ +Description: CVE-2025-54812 - part 1 - Improper HTML escaping in HTMLLayout +Origin: https://github.com/apache/logging-log4cxx/commit/1c599de956ae9eedd8b5e3f744bfb867c39e8bba +Bug: https://logging.apache.org/security.html#CVE-2025-54812 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111879 + +From 1c599de956ae9eedd8b5e3f744bfb867c39e8bba Mon Sep 17 00:00:00 2001 +From: Stephen Webb +Date: Sat, 12 Jul 2025 10:19:03 +1000 +Subject: [PATCH] Escape any logger name '&' or '"' in html attribute data + (#509) + +--- + src/main/cpp/htmllayout.cpp | 8 ++--- + src/test/cpp/xml/xmllayouttest.cpp | 49 ++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+), 4 deletions(-) + +diff --git a/src/main/cpp/htmllayout.cpp b/src/main/cpp/htmllayout.cpp +index c2411ece9..ed6e61d76 100644 +--- a/src/main/cpp/htmllayout.cpp ++++ b/src/main/cpp/htmllayout.cpp +@@ -109,25 +109,25 @@ void HTMLLayout::format(LogString& output, + if (event->getLevel()->equals(Level::getDebug())) + { + output.append(LOG4CXX_STR("")); +- output.append(event->getLevel()->toString()); ++ Transform::appendEscapingTags(output, event->getLevel()->toString()); + output.append(LOG4CXX_STR("")); + } + else if (event->getLevel()->isGreaterOrEqual(Level::getWarn())) + { + output.append(LOG4CXX_STR("")); +- output.append(event->getLevel()->toString()); ++ Transform::appendEscapingTags(output, event->getLevel()->toString()); + output.append(LOG4CXX_STR("")); + } + else + { +- output.append(event->getLevel()->toString()); ++ Transform::appendEscapingTags(output, event->getLevel()->toString()); + } + + output.append(LOG4CXX_STR("")); + output.append(LOG4CXX_EOL); + + output.append(LOG4CXX_STR("getLoggerName()); ++ Transform::appendEscapingTags(output, event->getLoggerName()); + output.append(LOG4CXX_STR(" logger\">")); + Transform::appendEscapingTags(output, event->getLoggerName()); + output.append(LOG4CXX_STR("")); +diff --git a/src/test/cpp/xml/xmllayouttest.cpp b/src/test/cpp/xml/xmllayouttest.cpp +index 78f1c1183..710e9fca4 100644 +--- a/src/test/cpp/xml/xmllayouttest.cpp ++++ b/src/test/cpp/xml/xmllayouttest.cpp +@@ -18,6 +18,7 @@ + #include "../logunit.h" + #include + #include ++#include + #include + #include + +@@ -37,6 +38,7 @@ + #include "../xml/xlevel.h" + #include + #include ++#include + + + using namespace log4cxx; +@@ -67,6 +69,7 @@ LOGUNIT_CLASS(XMLLayoutTest) + LOGUNIT_TEST(testActivateOptions); + LOGUNIT_TEST(testProblemCharacters); + LOGUNIT_TEST(testNDCWithCDATA); ++ LOGUNIT_TEST(testHTMLLayout); + LOGUNIT_TEST_SUITE_END(); + + +@@ -453,6 +456,52 @@ LOGUNIT_CLASS(XMLLayoutTest) + LOGUNIT_ASSERT_EQUAL(1, ndcCount); + } + ++ /** ++ * Tests problematic characters in multiple fields. ++ * @throws Exception if parser can not be constructed or source is not a valid XML document. ++ */ ++ void testHTMLLayout() ++ { ++ LogString problemName = LOG4CXX_STR("com.example.bar<>&\"'"); ++ auto level = std::make_shared(6000, problemName, 7); ++ NDC context(problemName); ++ auto event = std::make_shared(problemName, level, problemName, LOG4CXX_LOCATION); ++ ++ HTMLLayout layout; ++ Pool p; ++ LogString html(LOG4CXX_STR("")); ++ layout.format(html, event, p); ++ html += LOG4CXX_STR(""); ++ ++ LogLog::debug(html); ++ char backing[3000]; ++ ByteBuffer buf(backing, sizeof(backing)); ++ CharsetEncoderPtr encoder(CharsetEncoder::getUTF8Encoder()); ++ LogString::const_iterator iter{ html.begin() }; ++ encoder->encode(html, iter, buf); ++ LOGUNIT_ASSERT(iter == html.end()); ++ buf.flip(); ++ auto parser = apr_xml_parser_create(p.getAPRPool()); ++ LOGUNIT_ASSERT(parser != 0); ++ auto stat = apr_xml_parser_feed(parser, buf.data(), buf.remaining()); ++ LOGUNIT_ASSERT(stat == APR_SUCCESS); ++ apr_xml_doc* doc = 0; ++ stat = apr_xml_parser_done(parser, &doc); ++ LOGUNIT_ASSERT(doc != 0); ++ auto parsedResult = doc->root; ++ LOGUNIT_ASSERT(parsedResult != 0); ++ ++ int childElementCount = 0; ++ for ( auto node = parsedResult->first_child ++ ; node != NULL ++ ; node = node->next) ++ { ++ ++childElementCount; ++ LOGUNIT_ASSERT_EQUAL(std::string("tr"), std::string(node->name)); ++ } ++ LOGUNIT_ASSERT(1 < childElementCount); ++ } ++ + }; + + diff -Nru log4cxx-1.4.0/debian/patches/05-CVE-2025-54812-2-Escape-threadname.patch log4cxx-1.4.0/debian/patches/05-CVE-2025-54812-2-Escape-threadname.patch --- log4cxx-1.4.0/debian/patches/05-CVE-2025-54812-2-Escape-threadname.patch 1970-01-01 00:00:00.000000000 +0000 +++ log4cxx-1.4.0/debian/patches/05-CVE-2025-54812-2-Escape-threadname.patch 2025-11-06 20:14:52.000000000 +0000 @@ -0,0 +1,30 @@ +Description: CVE-2025-54812 - part 2 - Improper escaping in html attribute data +Origin: https://github.com/apache/logging-log4cxx/pull/509 +Bug: https://logging.apache.org/security.html#CVE-2025-54812 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111879 + +From 0b3749504f0f1bd83ca8a7b391687fdfcd1f94a6 Mon Sep 17 00:00:00 2001 +From: Stephen Webb +Date: Thu, 24 Jul 2025 11:18:34 +1000 +Subject: [PATCH] Escape any logger name '&' or '"' in html attribute data + +--- + src/main/cpp/htmllayout.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/main/cpp/htmllayout.cpp b/src/main/cpp/htmllayout.cpp +index cce9c1dc2..f1b2747c4 100644 +--- a/src/main/cpp/htmllayout.cpp ++++ b/src/main/cpp/htmllayout.cpp +@@ -98,9 +98,9 @@ void HTMLLayout::format(LogString& output, + + output.append(LOG4CXX_STR("getThreadName()); +- output.append(threadName); ++ Transform::appendEscapingTags(output, threadName); + output.append(LOG4CXX_STR(" thread\">")); +- output.append(threadName); ++ Transform::appendEscapingTags(output, threadName); + output.append(LOG4CXX_STR("")); + output.append(LOG4CXX_EOL); + diff -Nru log4cxx-1.4.0/debian/patches/06-CVE-2025-54812-3-Escape-html-layout-title.patch log4cxx-1.4.0/debian/patches/06-CVE-2025-54812-3-Escape-html-layout-title.patch --- log4cxx-1.4.0/debian/patches/06-CVE-2025-54812-3-Escape-html-layout-title.patch 1970-01-01 00:00:00.000000000 +0000 +++ log4cxx-1.4.0/debian/patches/06-CVE-2025-54812-3-Escape-html-layout-title.patch 2025-11-06 20:14:52.000000000 +0000 @@ -0,0 +1,28 @@ +Description: CVE-2025-54812 - part 3 - inproper escape of thread name in htmllayoutappender +Origin: https://github.com/apache/logging-log4cxx/pull/513 +Bug: https://logging.apache.org/security.html#CVE-2025-54812 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111879 + +From ffc2ab7138577bca0e4f0b0d48cacd386cce09cd Mon Sep 17 00:00:00 2001 +From: Stephen Webb +Date: Mon, 21 Jul 2025 15:43:01 +1000 +Subject: [PATCH] Allow a HTMLLayout title to contain characters special to + HTML + +--- + src/main/cpp/htmllayout.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/main/cpp/htmllayout.cpp b/src/main/cpp/htmllayout.cpp +index ed6e61d76..cce9c1dc2 100644 +--- a/src/main/cpp/htmllayout.cpp ++++ b/src/main/cpp/htmllayout.cpp +@@ -183,7 +183,7 @@ void HTMLLayout::appendHeader(LogString& output, Pool& p) + output.append(LOG4CXX_STR("")); + output.append(LOG4CXX_EOL); + output.append(LOG4CXX_STR("")); +- output.append(m_priv->title); ++ Transform::appendEscapingTags(output, m_priv->title); + output.append(LOG4CXX_STR("")); + output.append(LOG4CXX_EOL); + output.append(LOG4CXX_STR("