[libxstream-java] 01/01: Fixed CVE-2017-7957: Remote application crash when unmarshalling void types (Closes: #861521)

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Tue May 2 15:48:31 UTC 2017 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository libxstream-java.

commit 081611e4bd0893194362e6e5ba667ebaddb61e85
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Tue May 2 16:58:55 2017 +0200

    Fixed CVE-2017-7957: Remote application crash when unmarshalling void types (Closes: #861521)
---
 debian/changelog                   |  8 ++++
 debian/patches/CVE-2017-7957.patch | 75 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 84 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 7af9fe2..edea053 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libxstream-java (1.4.7-2+deb8u2) jessie-security; urgency=high
+
+  * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
+    type 'void' during unmarshalling lead to a remote application crash.
+    (Closes: #861521)
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Tue, 02 May 2017 17:21:00 +0200
+
 libxstream-java (1.4.7-2+deb8u1) jessie-security; urgency=high
 
   * Security update:
diff --git a/debian/patches/CVE-2017-7957.patch b/debian/patches/CVE-2017-7957.patch
new file mode 100644
index 0000000..50f90f6
--- /dev/null
+++ b/debian/patches/CVE-2017-7957.patch
@@ -0,0 +1,75 @@
+Description: Fixes CVE-2017-7957: When a certain denyTypes workaround is not
+ used, XStream mishandles attempts to create an instance of the primitive type
+ 'void' during unmarshalling, leading to a remote application crash, as
+ demonstrated by an xstream.fromXML("<void/>") call.
+Origin: backport, https://github.com/x-stream/xstream/commit/b3570be
+Bug-Debian: https://bugs.debian.org/861521
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+@@ -72,6 +72,9 @@
+         if (exception != null) {
+             throw new ObjectAccessException("Cannot construct " + type.getName(), exception);
+         }
++        if (type == void.class || type == Void.class) {
++            throw new ObjectAccessException("Type void cannot have an instance");
++        }
+         try {
+             return unsafe.allocateInstance(type);
+         } catch (SecurityException e) {
+--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
++++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+@@ -9,7 +9,7 @@
+ import com.thoughtworks.xstream.core.util.Primitives;
+ 
+ /**
+- * Permission for any primitive type and its boxed counterpart (incl. void).
++ * Permission for any primitive type and its boxed counterpart (excl. void).
+  * 
+  * @author Jörg Schaible
+  * @since 1.4.7
+@@ -21,7 +21,8 @@
+     public static final TypePermission PRIMITIVES = new PrimitiveTypePermission();
+ 
+     public boolean allows(Class type) {
+-        return type != null && type.isPrimitive() || Primitives.isBoxed(type);
++        return type != null && type != void.class && type != Void.class && type.isPrimitive()
++            || Primitives.isBoxed(type);
+     }
+ 
+     public int hashCode() {
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -13,7 +13,9 @@
+ import java.beans.EventHandler;
+ 
+ import com.thoughtworks.xstream.XStreamException;
++import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
++import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+ 
+ /**
+@@ -80,4 +82,23 @@
+             BUFFER.append("Executed!");
+         }
+     }
++
++    public void testDeniedInstanceOfVoid() {
++        try {
++            xstream.fromXML("<void/>");
++            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++        } catch (final ForbiddenClassException e) {
++            // OK
++        }
++    }
++
++    public void testAllowedInstanceOfVoid() {
++        xstream.allowTypes(void.class, Void.class);
++        try {
++            xstream.fromXML("<void/>");
++            fail("Thrown " + ConversionException.class.getName() + " expected");
++        } catch (final ConversionException e) {
++            assertEquals("void", e.get("construction-type"));
++        }
++    }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index cfbb099..754b40b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2016-3674.patch
+CVE-2017-7957.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libxstream-java.git

More information about the pkg-java-commits mailing list