[logback] 01/02: Fix CVE-2017-5929
Markus Koschany
apo at moszumanska.debian.org
Tue Mar 28 15:55:49 UTC 2017
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch master
in repository logback.
commit 09bcd0ff2881e9bab0452a470d7ff4a2cba9e3ae
Author: Markus Koschany <apo at debian.org>
Date: Tue Mar 28 14:55:10 2017 +0200
Fix CVE-2017-5929
---
debian/patches/CVE-2017-5929.patch | 303 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 304 insertions(+)
diff --git a/debian/patches/CVE-2017-5929.patch b/debian/patches/CVE-2017-5929.patch
new file mode 100644
index 0000000..f63e939
--- /dev/null
+++ b/debian/patches/CVE-2017-5929.patch
@@ -0,0 +1,303 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 28 Mar 2017 14:51:54 +0200
+Subject: CVE-2017-5929
+
+Bug-Debian: https://bugs.debian.org/857343
+Origin: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
+---
+ .../logback/classic/net/SimpleSocketServer.java | 1 -
+ .../server/LogbackClassicSerializationHelper.java | 28 +++++++++
+ .../logback/classic/LoggerSerializationTest.java | 10 +++-
+ .../core/net/HardenedObjectInputStream.java | 48 +++++++++++++++
+ .../core/net/HardenedObjectInputStreamTest.java | 61 +++++++++++++++++++
+ .../java/ch/qos/logback/core/net/Innocent.java | 69 ++++++++++++++++++++++
+ 6 files changed, 215 insertions(+), 2 deletions(-)
+ create mode 100644 logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java
+ create mode 100644 logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
+ create mode 100644 logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
+ create mode 100644 logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java
+
+diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java
+index 13bf6f7..17fda2a 100644
+--- a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java
++++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java
+@@ -14,7 +14,6 @@
+ package ch.qos.logback.classic.net;
+
+ import java.io.IOException;
+-import java.lang.reflect.Constructor;
+ import java.net.ServerSocket;
+ import java.net.Socket;
+ import java.util.ArrayList;
+diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java
+new file mode 100644
+index 0000000..00a974f
+--- /dev/null
++++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java
+@@ -0,0 +1,28 @@
++package ch.qos.logback.classic.net.server;
++
++import java.util.ArrayList;
++import java.util.List;
++
++import org.slf4j.helpers.BasicMarker;
++
++import ch.qos.logback.classic.Logger;
++import ch.qos.logback.classic.spi.LoggerContextVO;
++import ch.qos.logback.classic.spi.LoggingEventVO;
++import ch.qos.logback.classic.spi.ThrowableProxyVO;
++
++public class LogbackClassicSerializationHelper {
++
++
++
++ static public List<String> getWhilelist() {
++ List<String> whitelist = new ArrayList<String>();
++ whitelist.add(LoggingEventVO.class.getName());
++ whitelist.add(LoggerContextVO.class.getName());
++ whitelist.add(ThrowableProxyVO.class.getName());
++ whitelist.add(StackTraceElement.class.getName());
++ whitelist.add(BasicMarker.class.getName());
++ whitelist.add(BasicMarker.class.getName());
++ whitelist.add(Logger.class.getName());
++ return whitelist;
++ }
++}
+diff --git a/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java b/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java
+index dd8b2e6..26e9b36 100644
+--- a/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java
++++ b/logback-classic/src/test/java/ch/qos/logback/classic/LoggerSerializationTest.java
+@@ -14,6 +14,10 @@
+ package ch.qos.logback.classic;
+
+ import java.io.*;
++import java.util.List;
++
++import ch.qos.logback.classic.net.server.LogbackClassicSerializationHelper;
++import ch.qos.logback.core.net.HardenedObjectInputStream;
+
+ import ch.qos.logback.core.util.CoreTestConstants;
+ import org.junit.After;
+@@ -37,6 +41,8 @@ public class LoggerSerializationTest {
+ ObjectOutputStream oos;
+ ObjectInputStream inputStream;
+
++ List<String> whitelist ;
++
+ @Before
+ public void setUp() throws Exception {
+ lc = new LoggerContext();
+@@ -45,6 +51,8 @@ public class LoggerSerializationTest {
+ // create the byte output stream
+ bos = new ByteArrayOutputStream();
+ oos = new ObjectOutputStream(bos);
++ whitelist = LogbackClassicSerializationHelper.getWhilelist();
++ whitelist.add(Foo.class.getName());
+ }
+
+ @After
+@@ -110,7 +118,7 @@ public class LoggerSerializationTest {
+ private Foo writeAndRead(Foo foo) throws IOException, ClassNotFoundException {
+ writeObject(oos, foo);
+ ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
+- inputStream = new ObjectInputStream(bis);
++ inputStream = new HardenedObjectInputStream(bis, whitelist);
+ Foo fooBack = readFooObject(inputStream);
+ inputStream.close();
+ return fooBack;
+diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
+new file mode 100644
+index 0000000..439e2bd
+--- /dev/null
++++ b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
+@@ -0,0 +1,48 @@
++package ch.qos.logback.core.net;
++
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.InvalidClassException;
++import java.io.ObjectInputStream;
++import java.io.ObjectStreamClass;
++import java.util.ArrayList;
++import java.util.Collections;
++import java.util.List;
++
++/**
++ *
++ * @author Ceki Gülcü
++ * @since 1.2.0
++ */
++public class HardenedObjectInputStream extends ObjectInputStream {
++
++ List<String> whitelistedClassNames;
++ String[] javaPackages = new String[] {"java.lang", "java.util"};
++
++ public HardenedObjectInputStream(InputStream in, List<String> whilelist) throws IOException {
++ super(in);
++ this.whitelistedClassNames = Collections.synchronizedList(new ArrayList<String>(whilelist));
++ }
++
++ @Override
++ protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException {
++ String incomingClassName = anObjectStreamClass.getName();
++ if(!isWhitelisted(incomingClassName)) {
++ throw new InvalidClassException("Unauthorized deserialization attempt", anObjectStreamClass.getName());
++ }
++
++ return super.resolveClass(anObjectStreamClass);
++ }
++
++ private boolean isWhitelisted(String incomingClassName) {
++ for(int i = 0; i < javaPackages.length; i++) {
++ if(incomingClassName.startsWith(javaPackages[i]))
++ return true;
++ }
++ for(String className: whitelistedClassNames) {
++ if(incomingClassName.equals(className))
++ return true;
++ }
++ return false;
++ }
++}
+diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
+new file mode 100644
+index 0000000..6a34897
+--- /dev/null
++++ b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
+@@ -0,0 +1,61 @@
++package ch.qos.logback.core.net;
++
++import static org.junit.Assert.*;
++
++import java.io.ByteArrayInputStream;
++import java.io.ByteArrayOutputStream;
++import java.io.IOException;
++import java.io.ObjectOutputStream;
++import java.util.ArrayList;
++import java.util.List;
++
++import org.junit.After;
++import org.junit.Before;
++import org.junit.Test;
++
++public class HardenedObjectInputStreamTest {
++
++ ByteArrayOutputStream bos;
++ ObjectOutputStream oos;
++ HardenedObjectInputStream inputStream;
++ List<String> whitelist = new ArrayList<String>();
++
++ @Before
++ public void setUp() throws Exception {
++ whitelist.add(Innocent.class.getName());
++ bos = new ByteArrayOutputStream();
++ oos = new ObjectOutputStream(bos);
++ }
++
++ @After
++ public void tearDown() throws Exception {
++ }
++
++ @Test
++ public void smoke() throws ClassNotFoundException, IOException {
++ Innocent innocent = new Innocent();
++ innocent.setAnInt(1);
++ innocent.setAnInteger(2);
++ innocent.setaString("smoke");
++ Innocent back = writeAndRead(innocent);
++ assertEquals(innocent, back);
++ }
++
++
++
++ private Innocent writeAndRead(Innocent innocent) throws IOException, ClassNotFoundException {
++ writeObject(oos, innocent);
++ ByteArrayInputStream bis = new ByteArrayInputStream(bos.toByteArray());
++ inputStream = new HardenedObjectInputStream(bis, whitelist);
++ Innocent fooBack = (Innocent) inputStream.readObject();
++ inputStream.close();
++ return fooBack;
++ }
++
++ private void writeObject(ObjectOutputStream oos, Object o) throws IOException {
++ oos.writeObject(o);
++ oos.flush();
++ oos.close();
++ }
++
++}
+diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java b/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java
+new file mode 100644
+index 0000000..2cef5a0
+--- /dev/null
++++ b/logback-core/src/test/java/ch/qos/logback/core/net/Innocent.java
+@@ -0,0 +1,69 @@
++package ch.qos.logback.core.net;
++
++public class Innocent implements java.io.Serializable {
++
++ private static final long serialVersionUID = -1227008349289885025L;
++
++ int anInt;
++ Integer anInteger;
++ String aString;
++
++ public int getAnInt() {
++ return anInt;
++ }
++
++ public void setAnInt(int anInt) {
++ this.anInt = anInt;
++ }
++
++ public Integer getAnInteger() {
++ return anInteger;
++ }
++
++ public void setAnInteger(Integer anInteger) {
++ this.anInteger = anInteger;
++ }
++
++ public String getaString() {
++ return aString;
++ }
++
++ public void setaString(String aString) {
++ this.aString = aString;
++ }
++
++ @Override
++ public int hashCode() {
++ final int prime = 31;
++ int result = 1;
++ result = prime * result + ((aString == null) ? 0 : aString.hashCode());
++ result = prime * result + anInt;
++ result = prime * result + ((anInteger == null) ? 0 : anInteger.hashCode());
++ return result;
++ }
++
++ @Override
++ public boolean equals(Object obj) {
++ if (this == obj)
++ return true;
++ if (obj == null)
++ return false;
++ if (getClass() != obj.getClass())
++ return false;
++ Innocent other = (Innocent) obj;
++ if (aString == null) {
++ if (other.aString != null)
++ return false;
++ } else if (!aString.equals(other.aString))
++ return false;
++ if (anInt != other.anInt)
++ return false;
++ if (anInteger == null) {
++ if (other.anInteger != null)
++ return false;
++ } else if (!anInteger.equals(other.anInteger))
++ return false;
++ return true;
++ }
++
++}
diff --git a/debian/patches/series b/debian/patches/series
index 510aca9..79138a8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
01-compile-groovy.patch
02-remove-google-ads.patch
+CVE-2017-5929.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/logback.git
More information about the pkg-java-commits
mailing list