[Git][java-team/jackson-databind][stretch] 2 commits: Add multiple-CVE-BeanDeserializerFactory.patch

Markus Koschany gitlab at salsa.debian.org
Thu Jul 9 15:50:04 BST 2020



Markus Koschany pushed to branch stretch at Debian Java Maintainers / jackson-databind


Commits:
f06514ef by Markus Koschany at 2020-07-09T16:41:56+02:00
Add multiple-CVE-BeanDeserializerFactory.patch

This fixes 17 CVEs that currently affect the package.

- - - - -
aae01a24 by Markus Koschany at 2020-07-09T16:44:28+02:00
Update changelog

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/multiple-CVE-BeanDeserializerFactory.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+jackson-databind (2.8.6-1+deb9u7) stretch; urgency=medium
+
+  * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from
+    polymorphic deserialization.
+    This fixes 17 CVE that currently affect the package namely,
+    CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+    CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620,
+    CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111,
+    CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672.
+
+ -- Markus Koschany <apo at debian.org>  Thu, 09 Jul 2020 16:42:01 +0200
+
 jackson-databind (2.8.6-1+deb9u6) stretch-security; urgency=high
 
   * Fix CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,


=====================================
debian/patches/multiple-CVE-BeanDeserializerFactory.patch
=====================================
@@ -0,0 +1,188 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 9 Jul 2020 16:39:09 +0200
+Subject: multiple CVE BeanDeserializerFactory
+
+This is the fix for
+CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619,
+CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968,
+CVE-2020-10673, CVE-2020-10672
+---
+ .../databind/deser/BeanDeserializerFactory.java    | 109 ++++++++++++++++++---
+ 1 file changed, 96 insertions(+), 13 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 77d426c..a594f08 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -54,6 +54,7 @@ public class BeanDeserializerFactory
+         Set<String> s = new HashSet<>();
+         // Courtesy of [https://github.com/kantega/notsoserial]:
+         // (and wrt [databind#1599])
++
+         s.add("org.apache.commons.collections.functors.InvokerTransformer");
+         s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+         s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+@@ -69,10 +70,14 @@ public class BeanDeserializerFactory
+         s.add("java.util.logging.FileHandler");
+         s.add("java.rmi.server.UnicastRemoteObject");
+         // [databind#1737]; 3rd party
+-        s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
++//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+-//        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
+-//        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
++        // [databind#2680]
++        s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
++        s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
++
++// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
++// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
+         // [databind#1855]: more 3rd party
+         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+@@ -82,10 +87,11 @@ public class BeanDeserializerFactory
+         // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
+         s.add("org.apache.ibatis.parsing.XPathParser");
+ 
+-        // [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
+-        //   and access attempt is made:
+-        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
++        // [databind#2052]: Jodd-db, with jndi/ldap lookup
+         s.add("jodd.db.connection.DataSourceConnectionProvider");
++
++        // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
++        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+         s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
+ 
+         // [databind#2097]: some 3rd party, one JDK-bundled
+@@ -94,31 +100,32 @@ public class BeanDeserializerFactory
+         s.add("com.sun.deploy.security.ruleset.DRSHelper");
+         s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
+ 
+-        // [databind#2186]: yet more 3rd party gadgets
++        // [databind#2186], [databind#2670]: yet more 3rd party gadgets
+         s.add("org.jboss.util.propertyeditor.DocumentEditor");
+         s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
+         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
++        s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
+         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+ 
+-        // [databind#2326] (2.9.9): one more 3rd party gadget
++        // [databind#2326] (2.9.9)
+         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+ 
+-        // [databind#2334]: logback-core
++        // [databind#2334]: logback-core (2.9.9.1)
+         s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+ 
+-        // [databind#2341]: jdom/jdom2
++        // [databind#2341]: jdom/jdom2 (2.9.9.1)
+         s.add("org.jdom.transform.XSLTransformer");
+         s.add("org.jdom2.transform.XSLTransformer");
+ 
+-        // [databind#2387]: EHCache
++        // [databind#2387], [databind#2460]: EHCache
+         s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
++        s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
+ 
+         // [databind#2389]: logback/jndi
+         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+ 
+         // [databind#2410]: HikariCP/metricRegistry config
+         s.add("com.zaxxer.hikari.HikariConfig");
+-
+         // [databind#2449]: and sub-class thereof
+         s.add("com.zaxxer.hikari.HikariDataSource");
+ 
+@@ -129,13 +136,89 @@ public class BeanDeserializerFactory
+         s.add("org.apache.commons.configuration.JNDIConfiguration");
+         s.add("org.apache.commons.configuration2.JNDIConfiguration");
+ 
+-        // [databind#2469]: xalan2
++        // [databind#2469]: xalan
+         s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
++        // [databind#2704]: xalan2
++        s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
+ 
+         // [databind#2478]: comons-dbcp, p6spy
++        s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
+         s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+         s.add("com.p6spy.engine.spy.P6DataSource");
+ 
++        // [databind#2498]: log4j-extras (1.2)
++        s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
++        s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
++
++        // [databind#2526]: some more ehcache
++        s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
++        s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
++
++        // [databind#2620]: xbean-reflect
++        s.add("org.apache.xbean.propertyeditor.JndiConverter");
++
++        // [databind#2631]: shaded hikari-config
++        s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
++
++        // [databind#2634]: ibatis-sqlmap, anteros-core
++        s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
++        s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
++
++        // [databind#2642]: javax.swing (jdk)
++        s.add("javax.swing.JEditorPane");
++
++        // [databind#2648], [databind#2653]: shire-core
++        s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
++        s.add("org.apache.shiro.jndi.JndiObjectFactory");
++
++        // [databind#2658]: ignite-jta (, quartz-core)
++        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
++        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
++        s.add("org.quartz.utils.JNDIConnectionProvider");
++
++        // [databind#2659]: aries.transaction.jms
++        s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
++        s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
++
++        // [databind#2660]: caucho-quercus
++        s.add("com.caucho.config.types.ResourceRef");
++
++        // [databind#2662]: aoju/bus-proxy
++        s.add("org.aoju.bus.proxy.provider.RmiProvider");
++        s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
++
++        // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
++
++        s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
++        s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
++        s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
++        s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
++        s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
++        s.add("org.apache.activemq.pool.PooledConnectionFactory");
++        s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
++        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
++        s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
++        // [databind#2666]: apache/commons-jms
++        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
++
++        // [databind#2682]: commons-jelly
++        s.add("org.apache.commons.jelly.impl.Embedded");
++
++        // [databind#2688]: apache/drill
++        s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
++        // [databind#2698]: weblogic w/ oracle/aq-jms
++        // (note: dependency not available via Maven Central, but as part of
++        // weblogic installation, possibly fairly old version(s))
++        s.add("oracle.jms.AQjmsQueueConnectionFactory");
++        s.add("oracle.jms.AQjmsXATopicConnectionFactory");
++        s.add("oracle.jms.AQjmsTopicConnectionFactory");
++        s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
++        s.add("oracle.jms.AQjmsXAConnectionFactory");
++
++        // [databind#2764]: org.jsecurity:
++        s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
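Review bot: The `-`/`+` pair in the [databind#1737] block turns `s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor")` into a comment citing [databind#1855], but upstream retired that exact-name entry only because #1855 added a superclass walk for `org.springframework.` types in `checkIllegalTypes`; whether this 2.8.6 tree (with polymorphic-typing-issues.patch applied) already carries that walk is not visible in this hunk, and if it does not, the entry should stay active since an exact-name lookup in `DEFAULT_NO_DESER_CLASS_NAMES` is all the stretch build has. Separately, several of the added entries ([databind#2498] log4j-extras, [databind#2526] ehcache selectors, [databind#2460], the dbcp `PerUserPoolDataSource`) predate the 17 advisories listed in the changelog and presumably map to other identifiers; confirm whether those are already covered by the existing CVE-*.patch files or should be named in the changelog so the security tracker reflects them. Because this is a denylist, a line in the patch header such as `Note: this only extends the gadget-class blocklist; it does not make enableDefaultTyping() safe on untrusted input` would set expectations for downstream users. The static initializer and `checkIllegalTypes` continue outside the hunk.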


=====================================
debian/patches/series
=====================================
@@ -11,3 +11,4 @@ CVE-2018-14718.patch
 CVE-2018-19360.patch
 CVE-2019-12086.patch
 polymorphic-typing-issues.patch
+multiple-CVE-BeanDeserializerFactory.patch


