[Git][java-team/libxstream-java][master] 2 commits: patch for CVE-2021-29505

Markus Koschany (@apo) gitlab at salsa.debian.org
Thu Jun 17 23:47:59 BST 2021



Markus Koschany pushed to branch master at Debian Java Maintainers / libxstream-java


Commits:
494f9a3d by Hideki Yamane at 2021-06-17T22:47:55+00:00
patch for CVE-2021-29505

- - - - -
eb57551f by Markus Koschany at 2021-06-17T22:47:56+00:00
Merge branch 'master' into 'master'

patch for CVE-2021-29505

See merge request java-team/libxstream-java!1
- - - - -


3 changed files:

- debian/changelog
- + debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+libxstream-java (1.4.15-3) unstable; urgency=medium
+
+  * Team upload.
+  * debian/patches
+    - Add 0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch to
+      deal with CVE-2021-29505 (Closes: 98949)
+
+      For more detail, see
+      https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
+
+ -- Hideki Yamane <henrich at debian.org>  Thu, 17 Jun 2021 21:45:48 +0900
+
 libxstream-java (1.4.15-2) unstable; urgency=high
 
   * Team upload.


=====================================
debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
=====================================
@@ -0,0 +1,38 @@
+From: Hideki Yamane <henrich at debian.org>
+Date: Thu, 17 Jun 2021 21:42:35 +0900
+Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
+
+See https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
+---
+ xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index b5e43af..7a166ca 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -336,11 +336,13 @@ public class XStream {
+     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+     private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
+     private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
++    private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
+     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
+     private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
+     private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
+         "javafx\\.collections\\.ObservableList\\$.*");
+     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
++    private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
+     private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
+ 
+     /**
+@@ -657,8 +659,8 @@ public class XStream {
+             "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
+             "sun.swing.SwingLazyValue"});
+         denyTypesByRegExp(new Pattern[]{
+-            LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
+-            JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
++            LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
++            JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
+         denyTypeHierarchy(InputStream.class);
+         denyTypeHierarchyDynamically("java.nio.channels.Channel");
+         denyTypeHierarchyDynamically("javax.activation.DataSource");
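Review bot: The bug number in the patch header's `Subject:` line, `Closes:#989491`, does not match the `98949` that appears both in this patch's filename and in the accompanying changelog entry `(Closes: 98949)`; as far as I recall dpkg's changelog parser accepts `Closes: NNNN` without the `#`, so the upload as written would reference an unrelated five-digit bug and leave #989491 open, and the changelog entry should read `(Closes: #989491)` with the patch file renamed to match. On the security side, this change only widens the default denylist by adding `LAZY_ENUMERATORS` and `JAVA_RMI` to the `denyTypesByRegExp` set; that is the upstream fix for CVE-2021-29505, but a denylist gives no protection against gadget types not yet listed, and the advisory linked from the changelog, like XStream's own security documentation, recommends that applications deserializing untrusted input configure an explicit allowlist (`allowTypes`/`allowTypesByWildcard`) rather than rely on the defaults. That caveat would be worth one line in the patch header, e.g. `Note: this extends the default denylist only; applications processing untrusted input should still configure an allowlist.` The method that issues these `deny*` calls begins before the hunk and continues after it.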


=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
 01-java7-compatibility.patch
 02-disable-beastax-driver.patch
 CVE-2021-21341-to-CVE-2021-21351.patch
+0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch



View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/c19460247bcfcca9eb124fcd9abddd7f4e7116d9...eb57551f19b0cab40647e77e64f756f22e9c300a
