[Git][java-team/libxstream-java][buster] 4 commits: Drop all previous CVE patches
Markus Koschany (@apo)
gitlab at salsa.debian.org
Sat Oct 2 12:06:40 BST 2021
Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java
Commits:
ea165429 by Markus Koschany at 2021-10-02T12:55:35+02:00
Drop all previous CVE patches
- - - - -
76c65ba4 by Markus Koschany at 2021-10-02T12:56:17+02:00
Enable the whitelist by default
- - - - -
e37a0203 by Markus Koschany at 2021-10-02T12:57:41+02:00
Update changelog
- - - - -
0ad2edb5 by Markus Koschany at 2021-10-02T12:59:07+02:00
Update debian-specific-whitelist-extension.patch
- - - - -
8 changed files:
- debian/changelog
- − debian/patches/CVE-2020-26217.patch
- − debian/patches/CVE-2020-26258.patch
- − debian/patches/CVE-2020-26259.patch
- + debian/patches/SecurityVulnerabilityTest.patch
- + debian/patches/debian-specific-whitelist-extension.patch
- + debian/patches/enable-security-whitelist-by-default.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+libxstream-java (1.4.11.1-1+deb10u4) buster-security; urgency=high
+
+ * Team upload.
+ * Enable the security whitelist by default to prevent RCE vulnerabilities.
+ XStream no longer uses a blacklist because it cannot be secured for general
+ purpose.
+
+ -- Markus Koschany <apo at debian.org> Sat, 02 Oct 2021 12:56:33 +0200
+
libxstream-java (1.4.11.1-1+deb10u3) buster-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2020-26217.patch deleted
=====================================
@@ -1,328 +0,0 @@
-From: Markus Koschany <apo at debian.org>
-Date: Tue, 1 Dec 2020 23:11:04 +0100
-Subject: CVE-2020-26217
-
-Origin: https://github.com/x-stream/xstream/commit/6ec68c4e4192faec64f350e9449f44bc120c813b
-Origin: https://github.com/x-stream/xstream/commit/51abe602e09016c8e43e91325a15226022f4da46
-Origin: https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
----
- .../src/java/com/thoughtworks/xstream/XStream.java | 40 ++----
- .../acceptance/SecurityVulnerabilityTest.java | 136 ++++++++++++++++-----
- 2 files changed, 121 insertions(+), 55 deletions(-)
-
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index a088877..0ae38b6 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -1,6 +1,6 @@
- /*
- * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
-- * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 XStream Committers.
-+ * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream Committers.
- * All rights reserved.
- *
- * The software in this package is published under the terms of the BSD
-@@ -36,6 +36,7 @@ import java.net.URL;
- import java.nio.charset.Charset;
- import java.text.DecimalFormatSymbols;
- import java.util.ArrayList;
-+import java.util.Arrays;
- import java.util.BitSet;
- import java.util.Calendar;
- import java.util.Collection;
-@@ -65,10 +66,8 @@ import com.thoughtworks.xstream.converters.Converter;
- import com.thoughtworks.xstream.converters.ConverterLookup;
- import com.thoughtworks.xstream.converters.ConverterRegistry;
- import com.thoughtworks.xstream.converters.DataHolder;
--import com.thoughtworks.xstream.converters.MarshallingContext;
- import com.thoughtworks.xstream.converters.SingleValueConverter;
- import com.thoughtworks.xstream.converters.SingleValueConverterWrapper;
--import com.thoughtworks.xstream.converters.UnmarshallingContext;
- import com.thoughtworks.xstream.converters.basic.BigDecimalConverter;
- import com.thoughtworks.xstream.converters.basic.BigIntegerConverter;
- import com.thoughtworks.xstream.converters.basic.BooleanConverter;
-@@ -355,6 +354,8 @@ public class XStream {
-
- private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
- private static final Pattern IGNORE_ALL = Pattern.compile(".*");
-+ private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
-+ private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
-
- /**
- * Constructs a default XStream.
-@@ -697,6 +698,12 @@ public class XStream {
- }
-
- addPermission(AnyTypePermission.ANY);
-+ denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
-+ denyTypes(new Class[]{ java.lang.ProcessBuilder.class,
-+ java.beans.EventHandler.class, java.lang.ProcessBuilder.class,
-+ java.lang.Void.class, void.class });
-+ denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
-+ allowTypeHierarchy(Exception.class);
- securityInitialized = false;
- }
-
-@@ -962,7 +969,6 @@ public class XStream {
- registerConverter(
- new SerializableConverter(mapper, reflectionProvider, classLoaderReference), PRIORITY_LOW);
- registerConverter(new ExternalizableConverter(mapper, classLoaderReference), PRIORITY_LOW);
-- registerConverter(new InternalBlackList(), PRIORITY_LOW);
-
- registerConverter(new NullConverter(), PRIORITY_VERY_HIGH);
- registerConverter(new IntConverter(), PRIORITY_NORMAL);
-@@ -1482,7 +1488,8 @@ public class XStream {
- try {
- if (!securityInitialized && !securityWarningGiven) {
- securityWarningGiven = true;
-- System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
-+ System.err
-+ .println("Security framework of XStream not explicitly initialized, using predefined black list on your own risk.");
- }
- return marshallingStrategy.unmarshal(
- root, reader, dataHolder, converterLookup, mapper);
-@@ -2360,7 +2367,7 @@ public class XStream {
- */
- public void addPermission(TypePermission permission) {
- if (securityMapper != null) {
-- securityInitialized = true;
-+ securityInitialized |= permission.equals(NoTypePermission.NONE) || permission.equals(AnyTypePermission.ANY);
- securityMapper.addPermission(permission);
- }
- }
-@@ -2539,25 +2546,4 @@ public class XStream {
- super(message);
- }
- }
--
-- private class InternalBlackList implements Converter {
--
-- public boolean canConvert(final Class type) {
-- return (type == void.class || type == Void.class)
-- || (!securityInitialized
-- && type != null
-- && (type.getName().equals("java.beans.EventHandler")
-- || type.getName().endsWith("$LazyIterator")
-- || type.getName().startsWith("javax.crypto.")));
-- }
--
-- public void marshal(final Object source, final HierarchicalStreamWriter writer,
-- final MarshallingContext context) {
-- throw new ConversionException("Security alert. Marshalling rejected.");
-- }
--
-- public Object unmarshal(final HierarchicalStreamReader reader, final UnmarshallingContext context) {
-- throw new ConversionException("Security alert. Unmarshalling rejected.");
-- }
-- }
- }
-diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index 85eaf1c..44b0015 100644
---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-@@ -11,13 +11,15 @@
- package com.thoughtworks.acceptance;
-
- import java.beans.EventHandler;
-+import java.util.Iterator;
-
- import com.thoughtworks.xstream.XStream;
- import com.thoughtworks.xstream.XStreamException;
- import com.thoughtworks.xstream.converters.ConversionException;
--import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
-+import com.thoughtworks.xstream.core.JVM;
-+import com.thoughtworks.xstream.security.AnyTypePermission;
- import com.thoughtworks.xstream.security.ForbiddenClassException;
--import com.thoughtworks.xstream.security.ProxyTypePermission;
-+import com.thoughtworks.xstream.security.NoTypePermission;
-
-
- /**
-@@ -31,21 +33,22 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- super.setUp();
- BUFFER.setLength(0);
- xstream.alias("runnable", Runnable.class);
-- xstream.allowTypeHierarchy(Runnable.class);
-- xstream.addPermission(ProxyTypePermission.PROXIES);
-+ }
-+
-+ protected void setupSecurity(XStream xstream) {
- }
-
- public void testCannotInjectEventHandler() {
- final String xml = ""
-- + "<string class='runnable-array'>\n"
-- + " <dynamic-proxy>\n"
-- + " <interface>java.lang.Runnable</interface>\n"
-- + " <handler class='java.beans.EventHandler'>\n"
-- + " <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
-- + " <action>exec</action>\n"
-- + " </handler>\n"
-- + " </dynamic-proxy>\n"
-- + "</string>";
-+ + "<string class='runnable-array'>\n"
-+ + " <dynamic-proxy>\n"
-+ + " <interface>java.lang.Runnable</interface>\n"
-+ + " <handler class='java.beans.EventHandler'>\n"
-+ + " <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
-+ + " <action>exec</action>\n"
-+ + " </handler>\n"
-+ + " </dynamic-proxy>\n"
-+ + "</string>";
-
- try {
- xstream.fromXML(xml);
-@@ -57,7 +60,6 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- }
-
- public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {
-- xstream = new XStream(createDriver());
- xstream.alias("runnable", Runnable.class);
- final String xml = ""
- + "<string class='runnable-array'>\n"
-@@ -74,26 +76,24 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- xstream.fromXML(xml);
- fail("Thrown " + XStreamException.class.getName() + " expected");
- } catch (final XStreamException e) {
-- assertTrue(e.getMessage().indexOf(EventHandler.class.getName())>=0);
-+ assertTrue(e.getMessage().indexOf(EventHandler.class.getName()) >= 0);
- }
- assertEquals(0, BUFFER.length());
- }
-
- public void testExplicitlyConvertEventHandler() {
- final String xml = ""
-- + "<string class='runnable-array'>\n"
-- + " <dynamic-proxy>\n"
-- + " <interface>java.lang.Runnable</interface>\n"
-- + " <handler class='java.beans.EventHandler'>\n"
-- + " <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
-- + " <action>exec</action>\n"
-- + " </handler>\n"
-- + " </dynamic-proxy>\n"
-- + "</string>";
-+ + "<string class='runnable-array'>\n"
-+ + " <dynamic-proxy>\n"
-+ + " <interface>java.lang.Runnable</interface>\n"
-+ + " <handler class='java.beans.EventHandler'>\n"
-+ + " <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
-+ + " <action>exec</action>\n"
-+ + " </handler>\n"
-+ + " </dynamic-proxy>\n"
-+ + "</string>";
-
- xstream.allowTypes(new Class[]{EventHandler.class});
-- xstream.registerConverter(new ReflectionConverter(xstream.getMapper(), xstream
-- .getReflectionProvider(), EventHandler.class));
-
- final Runnable[] array = (Runnable[])xstream.fromXML(xml);
- assertEquals(0, BUFFER.length());
-@@ -101,6 +101,71 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- assertEquals("Executed!", BUFFER.toString());
- }
-
-+ public void testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework() {
-+ if (JVM.isVersion(7)) {
-+ final String xml = ""
-+ + "<string class='javax.imageio.spi.FilterIterator'>\n"
-+ + " <iter class='java.util.ArrayList$Itr'>\n"
-+ + " <cursor>0</cursor>\n"
-+ + " <lastRet>1</lastRet>\n"
-+ + " <expectedModCount>1</expectedModCount>\n"
-+ + " <outer-class>\n"
-+ + " <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
-+ + " </outer-class>\n"
-+ + " </iter>\n"
-+ + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
-+ + " <method>\n"
-+ + " <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
-+ + " <name>exec</name>\n"
-+ + " <parameter-types/>\n"
-+ + " </method>\n"
-+ + " <name>exec</name>\n"
-+ + " </filter>\n"
-+ + " <next/>\n"
-+ + "</string>";
-+
-+ try {
-+ xstream.fromXML(xml);
-+ fail("Thrown " + XStreamException.class.getName() + " expected");
-+ } catch (final XStreamException e) {
-+ assertTrue(e.getMessage().indexOf("javax.imageio.ImageIO$ContainsFilter") >= 0);
-+ }
-+ assertEquals(0, BUFFER.length());
-+ }
-+ }
-+
-+ public void testExplicitlyConvertImageIOContainsFilter() {
-+ if (JVM.isVersion(7)) {
-+ final String xml = ""
-+ + "<string class='javax.imageio.spi.FilterIterator'>\n"
-+ + " <iter class='java.util.ArrayList$Itr'>\n"
-+ + " <cursor>0</cursor>\n"
-+ + " <lastRet>1</lastRet>\n"
-+ + " <expectedModCount>1</expectedModCount>\n"
-+ + " <outer-class>\n"
-+ + " <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
-+ + " </outer-class>\n"
-+ + " </iter>\n"
-+ + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
-+ + " <method>\n"
-+ + " <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
-+ + " <name>exec</name>\n"
-+ + " <parameter-types/>\n"
-+ + " </method>\n"
-+ + " <name>exec</name>\n"
-+ + " </filter>\n"
-+ + " <next/>\n"
-+ + "</string>";
-+
-+ xstream.allowTypes(new String[]{"javax.imageio.ImageIO$ContainsFilter"});
-+
-+ final Iterator iterator = (Iterator)xstream.fromXML(xml);
-+ assertEquals(0, BUFFER.length());
-+ iterator.next();
-+ assertEquals("Executed!", BUFFER.toString());
-+ }
-+ }
-+
- public static class Exec {
-
- public void exec() {
-@@ -109,6 +174,8 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- }
-
- public void testDeniedInstanceOfVoid() {
-+ xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
-+ xstream.denyTypes(new Class[] { void.class, Void.class });
- try {
- xstream.fromXML("<void/>");
- fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-@@ -118,12 +185,25 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- }
-
- public void testAllowedInstanceOfVoid() {
-- xstream.allowTypes(new Class[] { void.class, Void.class });
-+ xstream.allowTypes(new Class[]{void.class, Void.class});
- try {
- xstream.fromXML("<void/>");
- fail("Thrown " + ConversionException.class.getName() + " expected");
- } catch (final ConversionException e) {
-- assertEquals("void", e.get("required-type"));
-+ assertEquals("void", e.get("construction-type"));
-+ }
-+ }
-+
-+ public static class LazyIterator {
-+ }
-+
-+ public void testInstanceOfLazyIterator() {
-+ xstream.alias("lazy-iterator", LazyIterator.class);
-+ try {
-+ xstream.fromXML("<lazy-iterator/>");
-+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-+ } catch (final ForbiddenClassException e) {
-+ // OK
- }
- }
- }
=====================================
debian/patches/CVE-2020-26258.patch deleted
=====================================
@@ -1,26 +0,0 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sun, 27 Dec 2020 11:00:57 +0100
-Subject: CVE-2020-26258
-
-Origin: https://github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce
----
- xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index 0ae38b6..65670f1 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -698,7 +698,11 @@ public class XStream {
- }
-
- addPermission(AnyTypePermission.ANY);
-- denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
-+ denyTypes(new String[]{
-+ "java.beans.EventHandler",
-+ "java.lang.ProcessBuilder",
-+ "javax.imageio.ImageIO$ContainsFilter",
-+ "jdk.nashorn.internal.objects.NativeString"});
- denyTypes(new Class[]{ java.lang.ProcessBuilder.class,
- java.beans.EventHandler.class, java.lang.ProcessBuilder.class,
- java.lang.Void.class, void.class });
=====================================
debian/patches/CVE-2020-26259.patch deleted
=====================================
@@ -1,205 +0,0 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sun, 27 Dec 2020 11:05:05 +0100
-Subject: CVE-2020-26259
-
-Origin: https://github.com/x-stream/xstream/commit/0bcbf50126a62dfcd65f93a0da0c6d1ae92aa738
----
- pom.xml | 6 ++
- xstream/pom.xml | 48 ++++++++++++++++
- .../src/java/com/thoughtworks/xstream/XStream.java | 10 +++-
- .../acceptance/SecurityVulnerabilityTest.java | 65 ++++++++++++++++++++++
- 4 files changed, 126 insertions(+), 3 deletions(-)
-
-diff --git a/pom.xml b/pom.xml
-index 5d52a8f..3e47500 100644
---- a/pom.xml
-+++ b/pom.xml
-@@ -552,6 +552,11 @@
- <artifactId>jaxb-api</artifactId>
- <version>${version.javax.xml.bind.api}</version>
- </dependency>
-+ <dependency>
-+ <groupId>com.sun.xml.ws</groupId>
-+ <artifactId>jaxws-rt</artifactId>
-+ <version>${version.javax.xml.ws.jaxws.rt}</version>
-+ </dependency>
-
- <dependency>
- <groupId>org.hibernate</groupId>
-@@ -984,6 +989,7 @@
- <version.javax.activation>1.1.1</version.javax.activation>
- <version.javax.annotation.api>1.3.2</version.javax.annotation.api>
- <version.javax.xml.bind.api>2.3.1</version.javax.xml.bind.api>
-+ <version.javax.xml.ws.jaxws.rt>2.2</version.javax.xml.ws.jaxws.rt><!-- Java 5 -->
- <version.jmock>1.0.1</version.jmock>
- <version.joda-time>1.6</version.joda-time>
- <version.junit>3.8.1</version.junit>
-diff --git a/xstream/pom.xml b/xstream/pom.xml
-index 566b619..8b9dc22 100644
---- a/xstream/pom.xml
-+++ b/xstream/pom.xml
-@@ -149,6 +149,54 @@
- <artifactId>commons-lang</artifactId>
- <scope>test</scope>
- </dependency>
-+
-+ <dependency>
-+ <groupId>com.sun.xml.ws</groupId>
-+ <artifactId>jaxws-rt</artifactId>
-+ <scope>test</scope>
-+ <exclusions>
-+ <exclusion>
-+ <groupId>javax.xml.ws</groupId>
-+ <artifactId>jaxws-api</artifactId>
-+ </exclusion>
-+ <exclusion>
-+ <groupId>com.sun.istack</groupId>
-+ <artifactId>istack-commons-runtime</artifactId>
-+ </exclusion>
-+ <exclusion>
-+ <groupId>com.sun.xml.bind</groupId>
-+ <artifactId>jaxb-impl</artifactId>
-+ </exclusion>
-+ <exclusion>
-+ <groupId>com.sun.xml.messaging.saaj</groupId>
-+ <artifactId>saaj-impl</artifactId>
-+ </exclusion>
-+ <exclusion>
-+ <groupId>com.sun.xml.stream.buffer</groupId>
-+ <artifactId>streambuffer</artifactId>
-+ </exclusion>
-+ <exclusion>
-+ <groupId>com.sun.xml.ws</groupId>
-+ <artifactId>policy</artifactId>
-+ </exclusion>
-+ <exclusion>
-+ <groupId>com.sun.org.apache.xml.internal</groupId>
-+ <artifactId>resolver</artifactId>
-+ </exclusion>
-+ <exclusion>
-+ <groupId>org.glassfish.gmbal</groupId>
-+ <artifactId>gmbal-api-only</artifactId>
-+ </exclusion>
-+ <exclusion>
-+ <groupId>org.jvnet</groupId>
-+ <artifactId>mimepull</artifactId>
-+ </exclusion>
-+ <exclusion>
-+ <groupId>org.jvnet.staxex</groupId>
-+ <artifactId>stax-ex</artifactId>
-+ </exclusion>
-+ </exclusions>
-+ </dependency>
- </dependencies>
-
- <build>
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index 65670f1..1d28088 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -356,6 +356,7 @@ public class XStream {
- private static final Pattern IGNORE_ALL = Pattern.compile(".*");
- private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
- private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
-+ private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
-
- /**
- * Constructs a default XStream.
-@@ -703,10 +704,13 @@ public class XStream {
- "java.lang.ProcessBuilder",
- "javax.imageio.ImageIO$ContainsFilter",
- "jdk.nashorn.internal.objects.NativeString"});
-- denyTypes(new Class[]{ java.lang.ProcessBuilder.class,
-- java.beans.EventHandler.class, java.lang.ProcessBuilder.class,
-+ denyTypes(new Class[]{
-+ java.lang.ProcessBuilder.class,
-+ jdk.nashorn.internal.objects.NativeString.class,
-+ java.beans.EventHandler.class,
-+ java.lang.ProcessBuilder.class,
- java.lang.Void.class, void.class });
-- denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
-+ denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
- allowTypeHierarchy(Exception.class);
- securityInitialized = false;
- }
-diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index 44b0015..36b61a1 100644
---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-@@ -11,6 +11,11 @@
- package com.thoughtworks.acceptance;
-
- import java.beans.EventHandler;
-+import java.io.File;
-+import java.io.FileOutputStream;
-+import java.io.IOException;
-+import java.io.InputStream;
-+import java.io.OutputStream;
- import java.util.Iterator;
-
- import com.thoughtworks.xstream.XStream;
-@@ -206,4 +211,64 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- // OK
- }
- }
-+
-+ public void testCannotUseJaxwsInputStreamToDeleteFile() {
-+ final String xml = ""
-+ + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
-+ + " <tempFile>target/junit/test.txt</tempFile>\n"
-+ + "</is>";
-+
-+ xstream.aliasType("is", InputStream.class);
-+ try {
-+ xstream.fromXML(xml);
-+ fail("Thrown " + ConversionException.class.getName() + " expected");
-+ } catch (final ForbiddenClassException e) {
-+ // OK
-+ }
-+ }
-+
-+ public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException {
-+ final File testDir = new File("target/junit");
-+ final File testFile = new File(testDir, "test.txt");
-+ try {
-+ testDir.mkdirs();
-+
-+ final OutputStream out = new FileOutputStream(testFile);
-+ out.write("JUnit".getBytes());
-+ out.flush();
-+ out.close();
-+
-+ assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists());
-+
-+ final String xml = ""
-+ + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
-+ + " <tempFile>target/junit/test.txt</tempFile>\n"
-+ + "</is>";
-+
-+ xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
-+ xstream.aliasType("is", InputStream.class);
-+
-+ InputStream is = null;
-+ try {
-+ is = (InputStream)xstream.fromXML(xml);
-+ } catch (final ForbiddenClassException e) {
-+ // OK
-+ }
-+
-+ assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists());
-+
-+ byte[] data = new byte[10];
-+ is.read(data);
-+ is.close();
-+
-+ assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists());
-+ } finally {
-+ if (testFile.exists()) {
-+ testFile.delete();
-+ }
-+ if (testDir.exists()) {
-+ testDir.delete();
-+ }
-+ }
-+ }
- }
=====================================
debian/patches/SecurityVulnerabilityTest.patch
=====================================
@@ -0,0 +1,181 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 22 Sep 2021 12:25:39 +0200
+Subject: SecurityVulnerabilityTest
+
+Update SecurityVulnerabilityTest.java to the latest upstream version.
+---
+ .../acceptance/SecurityVulnerabilityTest.java | 95 ++++++++++++++++++----
+ 1 file changed, 78 insertions(+), 17 deletions(-)
+
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index 85eaf1c..d387bcd 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -1,21 +1,28 @@
+ /*
+- * Copyright (C) 2013, 2014, 2017, 2018 XStream Committers.
++ * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+ * style license a copy of which has been included with this distribution in
+ * the LICENSE.txt file.
+- *
++ *
+ * Created on 23. December 2013 by Joerg Schaible
+ */
+ package com.thoughtworks.acceptance;
+
+ import java.beans.EventHandler;
++import java.io.ByteArrayInputStream;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.util.Iterator;
+
+-import com.thoughtworks.xstream.XStream;
+ import com.thoughtworks.xstream.XStreamException;
+ import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
++import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+
+@@ -27,6 +34,7 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+
+ private final static StringBuffer BUFFER = new StringBuffer();
+
++ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ BUFFER.setLength(0);
+@@ -37,28 +45,26 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+
+ public void testCannotInjectEventHandler() {
+ final String xml = ""
+- + "<string class='runnable-array'>\n"
+- + " <dynamic-proxy>\n"
+- + " <interface>java.lang.Runnable</interface>\n"
+- + " <handler class='java.beans.EventHandler'>\n"
+- + " <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
+- + " <action>exec</action>\n"
+- + " </handler>\n"
+- + " </dynamic-proxy>\n"
+- + "</string>";
++ + "<string class='runnable-array'>\n"
++ + " <dynamic-proxy>\n"
++ + " <interface>java.lang.Runnable</interface>\n"
++ + " <handler class='java.beans.EventHandler'>\n"
++ + " <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
++ + " <action>exec</action>\n"
++ + " </handler>\n"
++ + " </dynamic-proxy>\n"
++ + "</string>";
+
+ try {
+ xstream.fromXML(xml);
+ fail("Thrown " + XStreamException.class.getName() + " expected");
+ } catch (final XStreamException e) {
+- assertTrue(e.getMessage().indexOf(EventHandler.class.getName()) > 0);
++ assertTrue(e.getMessage().contains(EventHandler.class.getName()));
+ }
+ assertEquals(0, BUFFER.length());
+ }
+
+- public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {
+- xstream = new XStream(createDriver());
+- xstream.alias("runnable", Runnable.class);
++ public void testExplicitlyConvertEventHandler() {
+ final String xml = ""
+ + "<string class='runnable-array'>\n"
+ + " <dynamic-proxy>\n"
+@@ -76,10 +82,12 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ } catch (final XStreamException e) {
+ assertTrue(e.getMessage().indexOf(EventHandler.class.getName())>=0);
+ }
++
++
+ assertEquals(0, BUFFER.length());
+ }
+
+- public void testExplicitlyConvertEventHandler() {
++ public void testExplicitlyConvertImageIOContainsFilter() {
+ final String xml = ""
+ + "<string class='runnable-array'>\n"
+ + " <dynamic-proxy>\n"
+@@ -96,6 +104,7 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ .getReflectionProvider(), EventHandler.class));
+
+ final Runnable[] array = (Runnable[])xstream.fromXML(xml);
++
+ assertEquals(0, BUFFER.length());
+ array[0].run();
+ assertEquals("Executed!", BUFFER.toString());
+@@ -108,6 +117,15 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ }
+ }
+
++ public void testInstanceOfVoid() {
++ try {
++ xstream.fromXML("<void/>");
++ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
++ }
++ }
++
+ public void testDeniedInstanceOfVoid() {
+ try {
+ xstream.fromXML("<void/>");
+@@ -124,6 +142,49 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ fail("Thrown " + ConversionException.class.getName() + " expected");
+ } catch (final ConversionException e) {
+ assertEquals("void", e.get("required-type"));
++
++ }
++ }
++
++ public void testCannotInjectManipulatedByteArryInputStream() {
++ xstream.alias("bais", ByteArrayInputStream.class);
++ final String xml = ""
++ + "<bais>\n"
++ + " <buf></buf>\n"
++ + " <pos>-2147483648</pos>\n"
++ + " <mark>0</mark>\n"
++ + " <count>0</count>\n"
++ + "</bais>";
++
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ assertEquals(e.getMessage(), ByteArrayInputStream.class.getName());
++ }
++ }
++
++ public void testExplicitlyUnmarshalEndlessByteArryInputStream() throws IOException {
++ xstream.alias("bais", ByteArrayInputStream.class);
++ xstream.allowTypes(new Class[]{ByteArrayInputStream.class});
++
++ final String xml = ""
++ + "<bais>\n"
++ + " <buf></buf>\n"
++ + " <pos>-2147483648</pos>\n"
++ + " <mark>0</mark>\n"
++ + " <count>0</count>\n"
++ + "</bais>";
++
++ final byte[] data = new byte[10];
++ try (final ByteArrayInputStream bais = (ByteArrayInputStream)xstream.fromXML(xml)) {
++ int i = 5;
++ while (bais.read(data, 0, 10) == 0) {
++ if (--i == 0) {
++ break;
++ }
++ }
++ assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+ }
+ }
+ }
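Review bot: The renamed test methods no longer match their bodies: `testExplicitlyConvertEventHandler` (the `+` line replacing the old `testCannotInjectEventHandlerWithUnconfiguredSecurityFramework`) keeps a body whose catch expects an XStreamException and an empty BUFFER, `testExplicitlyConvertImageIOContainsFilter` keeps the runnable-array/EventHandler body with the ReflectionConverter registration so nothing in the file exercises `javax.imageio.ImageIO$ContainsFilter` despite the name, and `testInstanceOfVoid` duplicates `testDeniedInstanceOfVoid` verbatim. If the goal is to track upstream, either restore the names to what each body asserts — `public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {` and `public void testExplicitlyConvertEventHandler() {` — or replace the bodies with the upstream ones, and drop the duplicate, since a suite that claims ContainsFilter coverage it does not have is misleading once the whitelist is on by default. Separately, in `testCannotInjectManipulatedByteArryInputStream` the JUnit arguments are reversed; `assertEquals(ByteArrayInputStream.class.getName(), e.getMessage());` yields a readable failure message. The try-with-resources in `testExplicitlyUnmarshalEndlessByteArryInputStream` presumably requires the test source level to be at least Java 7, which is worth confirming against the build's compiler settings.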
=====================================
debian/patches/debian-specific-whitelist-extension.patch
=====================================
@@ -0,0 +1,26 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 29 Sep 2021 21:11:38 +0200
+Subject: debian specific whitelist extension
+
+Fix regressions in jsap, jodconverter, jmeter and tiles-autotag.
+
+Ignore the rest because they are negligible.
+---
+ xstream/src/java/com/thoughtworks/xstream/XStream.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 5c49410..49ee8cb 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -708,6 +708,10 @@ public class XStream {
+ allowTypeHierarchy(Number.class);
+ allowTypeHierarchy(Throwable.class);
+ allowTypeHierarchy(TimeZone.class);
++ allowTypesByWildcard(new
++ String[]{"com.martiansoftware.jsap.xml.**",
++ "com.artofsolving.jodconverter.**","org.apache.jmeter.**",
++ "org.apache.tiles.autotag.**"});
+
+ Class type = JVM.loadClassForName("java.lang.Enum");
+ if (type != null) {
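Review bot: The added `allowTypesByWildcard` call widens what appears to be XStream's own library-wide default allow-list to every class under four package trees (`**` includes sub-packages), so a policy meant to fix four specific Debian applications now presumably applies to every consumer of libxstream-java, and any class in those trees with side effects on deserialization becomes reachable by default. Narrow it to the concrete classes those applications actually deserialize via `allowTypes`, or move the allowance into each application's own XStream setup, and record in the patch header which classes produced the regressions so the entries can be revisited later; "Ignore the rest because they are negligible" does not say what was ignored. The call also reads better on one line: `allowTypesByWildcard(new String[]{"com.martiansoftware.jsap.xml.**", "com.artofsolving.jodconverter.**", "org.apache.jmeter.**", "org.apache.tiles.autotag.**"});`. The enclosing method starts and ends outside the hunk.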
=====================================
debian/patches/enable-security-whitelist-by-default.patch
=====================================
@@ -0,0 +1,205 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 22 Sep 2021 12:12:08 +0200
+Subject: enable security whitelist by default
+
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java | 175 ++++++++++-----------
+ 1 file changed, 85 insertions(+), 90 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index a088877..5c49410 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -695,107 +695,102 @@ public class XStream {
+ if (securityMapper == null) {
+ return;
+ }
+-
+- addPermission(AnyTypePermission.ANY);
+- securityInitialized = false;
++ addPermission(NoTypePermission.NONE);
++ addPermission(NullPermission.NULL);
++ addPermission(PrimitiveTypePermission.PRIMITIVES);
++ addPermission(ArrayTypePermission.ARRAYS);
++ addPermission(InterfaceTypePermission.INTERFACES);
++ allowTypeHierarchy(Calendar.class);
++ allowTypeHierarchy(Collection.class);
++ allowTypeHierarchy(Map.class);
++ allowTypeHierarchy(Map.Entry.class);
++ allowTypeHierarchy(Member.class);
++ allowTypeHierarchy(Number.class);
++ allowTypeHierarchy(Throwable.class);
++ allowTypeHierarchy(TimeZone.class);
++
++ Class type = JVM.loadClassForName("java.lang.Enum");
++ if (type != null) {
++ allowTypeHierarchy(type);
++ }
++ type = JVM.loadClassForName("java.nio.file.Path");
++ if (type != null) {
++ allowTypeHierarchy(type);
++ }
++
++ final Set types = new HashSet();
++ types.add(BitSet.class);
++ types.add(Charset.class);
++ types.add(Class.class);
++ types.add(Currency.class);
++ types.add(Date.class);
++ types.add(DecimalFormatSymbols.class);
++ types.add(File.class);
++ types.add(Locale.class);
++ types.add(Object.class);
++ types.add(Pattern.class);
++ types.add(StackTraceElement.class);
++ types.add(String.class);
++ types.add(StringBuffer.class);
++ types.add(JVM.loadClassForName("java.lang.StringBuilder"));
++ types.add(URL.class);
++ types.add(URI.class);
++ types.add(JVM.loadClassForName("java.util.UUID"));
++ if (JVM.isSQLAvailable()) {
++ types.add(JVM.loadClassForName("java.sql.Timestamp"));
++ types.add(JVM.loadClassForName("java.sql.Time"));
++ types.add(JVM.loadClassForName("java.sql.Date"));
++ }
++ if (JVM.isVersion(8)) {
++ allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
++ types.add(JVM.loadClassForName("java.time.Duration"));
++ types.add(JVM.loadClassForName("java.time.Instant"));
++ types.add(JVM.loadClassForName("java.time.LocalDate"));
++ types.add(JVM.loadClassForName("java.time.LocalDateTime"));
++ types.add(JVM.loadClassForName("java.time.LocalTime"));
++ types.add(JVM.loadClassForName("java.time.MonthDay"));
++ types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
++ types.add(JVM.loadClassForName("java.time.OffsetTime"));
++ types.add(JVM.loadClassForName("java.time.Period"));
++ types.add(JVM.loadClassForName("java.time.Ser"));
++ types.add(JVM.loadClassForName("java.time.Year"));
++ types.add(JVM.loadClassForName("java.time.YearMonth"));
++ types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
++ allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
++ types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
++ types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
++ types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
++ types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
++ types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
++ types.add(JVM.loadClassForName("java.time.chrono.Ser"));
++ allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
++ types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
++ types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
++ }
++ types.remove(null);
++
++ final Iterator iter = types.iterator();
++ final Class[] classes = new Class[types.size()];
++ for (int i = 0; i < classes.length; ++i) {
++ classes[i] = (Class)iter.next();
++ }
++ allowTypes(classes);
++
+ }
+
+ /**
+ * Setup the security framework of a XStream instance.
+ * <p>
+- * This method is a pure helper method for XStream 1.4.x. It initializes an XStream instance with a white list of
+- * well-known and simply types of the Java runtime as it is done in XStream 1.5.x by default. This method will do
+- * therefore nothing in XStream 1.5.
++ * This method was a pure helper method for XStream 1.4.10 to 1.4.17. It initialized an XStream instance with a
++ * whitelist of well-known and simply types of the Java runtime as it is done in XStream 1.4.11 by default. This
++ * method will do therefore nothing in XStream 1.4.11 or higher.
+ * </p>
+ *
+ * @param xstream
+ * @since 1.4.10
++ * @deprecated As of 1.4.11
+ */
+ public static void setupDefaultSecurity(final XStream xstream) {
+- if (!xstream.securityInitialized) {
+- xstream.addPermission(NoTypePermission.NONE);
+- xstream.addPermission(NullPermission.NULL);
+- xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+- xstream.addPermission(ArrayTypePermission.ARRAYS);
+- xstream.addPermission(InterfaceTypePermission.INTERFACES);
+- xstream.allowTypeHierarchy(Calendar.class);
+- xstream.allowTypeHierarchy(Collection.class);
+- xstream.allowTypeHierarchy(Map.class);
+- xstream.allowTypeHierarchy(Map.Entry.class);
+- xstream.allowTypeHierarchy(Member.class);
+- xstream.allowTypeHierarchy(Number.class);
+- xstream.allowTypeHierarchy(Throwable.class);
+- xstream.allowTypeHierarchy(TimeZone.class);
+-
+- Class type = JVM.loadClassForName("java.lang.Enum");
+- if (type != null) {
+- xstream.allowTypeHierarchy(type);
+- }
+- type = JVM.loadClassForName("java.nio.file.Path");
+- if (type != null) {
+- xstream.allowTypeHierarchy(type);
+- }
+-
+- final Set types = new HashSet();
+- types.add(BitSet.class);
+- types.add(Charset.class);
+- types.add(Class.class);
+- types.add(Currency.class);
+- types.add(Date.class);
+- types.add(DecimalFormatSymbols.class);
+- types.add(File.class);
+- types.add(Locale.class);
+- types.add(Object.class);
+- types.add(Pattern.class);
+- types.add(StackTraceElement.class);
+- types.add(String.class);
+- types.add(StringBuffer.class);
+- types.add(JVM.loadClassForName("java.lang.StringBuilder"));
+- types.add(URL.class);
+- types.add(URI.class);
+- types.add(JVM.loadClassForName("java.util.UUID"));
+- if (JVM.isSQLAvailable()) {
+- types.add(JVM.loadClassForName("java.sql.Timestamp"));
+- types.add(JVM.loadClassForName("java.sql.Time"));
+- types.add(JVM.loadClassForName("java.sql.Date"));
+- }
+- if (JVM.isVersion(8)) {
+- xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
+- types.add(JVM.loadClassForName("java.time.Duration"));
+- types.add(JVM.loadClassForName("java.time.Instant"));
+- types.add(JVM.loadClassForName("java.time.LocalDate"));
+- types.add(JVM.loadClassForName("java.time.LocalDateTime"));
+- types.add(JVM.loadClassForName("java.time.LocalTime"));
+- types.add(JVM.loadClassForName("java.time.MonthDay"));
+- types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
+- types.add(JVM.loadClassForName("java.time.OffsetTime"));
+- types.add(JVM.loadClassForName("java.time.Period"));
+- types.add(JVM.loadClassForName("java.time.Ser"));
+- types.add(JVM.loadClassForName("java.time.Year"));
+- types.add(JVM.loadClassForName("java.time.YearMonth"));
+- types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
+- xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
+- types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
+- types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
+- types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
+- types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
+- types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
+- types.add(JVM.loadClassForName("java.time.chrono.Ser"));
+- xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
+- types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
+- types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
+- }
+- types.remove(null);
+-
+- final Iterator iter = types.iterator();
+- final Class[] classes = new Class[types.size()];
+- for (int i = 0; i < classes.length; ++i) {
+- classes[i] = (Class)iter.next();
+- }
+- xstream.allowTypes(classes);
+- } else {
+- throw new IllegalArgumentException("Security framework of XStream instance already initialized");
+- }
+ }
+
+ protected void setupAliases() {
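Review bot: The rewritten Javadoc on `setupDefaultSecurity` is internally inconsistent: the paragraph says the method was needed for `XStream 1.4.10 to 1.4.17` yet claims the whitelist is on by default `in XStream 1.4.11` and that the method does nothing `in XStream 1.4.11 or higher`, and as far as I can tell unpatched upstream 1.4.11 through 1.4.17 still require the call. A caller that reads the version string and skips the call would be left without a whitelist on an unpatched build, so the text should say this is Debian's backport, e.g. `This method does nothing in Debian's patched 1.4.11.1, which enables the whitelist by default as upstream does from 1.4.18 on; unpatched 1.4.10 to 1.4.17 still need it.` Turning the method into a silent no-op also drops the former `IllegalArgumentException` for an already-initialised instance, which deserves a sentence in the Javadoc since callers may have relied on that signal. The `setupSecurity` method whose body is rewritten here begins above the hunk.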
=====================================
debian/patches/series
=====================================
@@ -1,5 +1,4 @@
01-java7-compatibility.patch
-CVE-2020-26217.patch
-CVE-2020-26258.patch
-CVE-2020-26259.patch
-0004-Fix-CVE-2021-29505-for-buster.patch
+enable-security-whitelist-by-default.patch
+SecurityVulnerabilityTest.patch
+debian-specific-whitelist-extension.patch
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/e44f12c48a192fb864094616fe8c2de84248f2c4...0ad2edb53991b0f8d50308597f64ec9bd48e96b4