[Git][java-team/libxstream-java][stretch] 9 commits: Drop old CVE patches in favor of whitelist.

Markus Koschany (@apo) gitlab at salsa.debian.org
Wed Sep 29 21:54:43 BST 2021



Markus Koschany pushed to branch stretch at Debian Java Maintainers / libxstream-java


Commits:
740f1d2c by Markus Koschany at 2021-09-22T12:06:14+02:00
Drop old CVE patches in favor of whitelist.

- - - - -
67022e68 by Markus Koschany at 2021-09-22T12:12:31+02:00
Enable the security whitelist by default to prevent RCE vulnerabilities.

- - - - -
acb300e0 by Markus Koschany at 2021-09-22T12:15:34+02:00
Update changelog

- - - - -
2f046f70 by Markus Koschany at 2021-09-22T13:58:21+02:00
Update SecurityVulnerabilityTest.java

- - - - -
4b2387c8 by Markus Koschany at 2021-09-22T15:16:50+02:00
Fix version

- - - - -
47ed444f by Sylvain Beucler at 2021-09-22T15:20:29+02:00
Import Debian changes 1.4.11.1-1+deb9u3

libxstream-java (1.4.11.1-1+deb9u3) stretch-security; urgency=high
..
  * Non-maintainer upload by the LTS Security Team.
  * CVE-2021-29505: a remote attacker may get sufficient rights to execute
    commands of the host only by manipulating the processed input stream.
..
libxstream-java (1.4.11.1-1+deb9u2) stretch-security; urgency=high
..
  * Non-maintainer upload by the LTS team.
  * Fix CVE-2021-21341 to CVE-2021-21351:
    In XStream there is a vulnerability which may allow a remote attacker to
    load and execute arbitrary code from a remote host only by manipulating the
    processed input stream.
..
    The type hierarchies for java.io.InputStream, java.nio.channels.Channel,
    javax.activation.DataSource and javax.sql.rowset.BaseRowSet are now
    blacklisted as well as the individual types
    com.sun.corba.se.impl.activation.ServerTableEntry,
    com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
    sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
    sun.swing.SwingLazyValue. Additionally the internal type
    Accessor$GetterSetterReflection of JAXB, the internal types
    MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
    JAX-WS, all inner classes of javafx.collections.ObservableList and an
    internal ClassLoader used in a private BCEL copy are now part of the
    default blacklist and the deserialization of XML containing one of the two
    types will fail. You will have to enable these types by explicit
    configuration, if you need them.
..
libxstream-java (1.4.11.1-1+deb9u1) stretch-security; urgency=high
..
  * Team upload.
  * Fix CVE-2020-26258:
    XStream is vulnerable to a Server-Side Forgery Request which can be
    activated when unmarshalling. The vulnerability may allow a remote attacker
    to request data from internal resources that are not publicly available
    only by manipulating the processed input stream.
  * Fix CVE-2020-26259:
    XStream is vulnerable to an Arbitrary File Deletion on the local host when
    unmarshalling. The vulnerability may allow a remote attacker to delete
    arbitrary known files on the host as long as the executing process has
    sufficient rights only by manipulating the processed input stream.
..
libxstream-java (1.4.11.1-1+deb10u1) buster-security; urgency=high
..
  * Team upload.
  * Fix CVE-2020-26217:
    It was found that XStream is vulnerable to Remote Code Execution. The
    vulnerability may allow a remote attacker to run arbitrary shell commands
    only by manipulating the processed input stream. Users who rely on
    blocklists are affected (the default in Debian). We strongly recommend using
    the whitelist approach of XStream's Security Framework because there
    are likely more class combinations the blacklist approach may not address.
..
libxstream-java (1.4.11.1-1) unstable; urgency=medium
..
  * Team upload.
  * New upstream version 1.4.11.1.
..
libxstream-java (1.4.11-1) unstable; urgency=medium
..
  * Team upload.
  * New upstream version 1.4.11.
  * Switch to compat level 11.
  * Declare compliance with Debian Policy 4.2.1.
  * Build-depend on libjaxb-api-java to fix FTBFS with Java 11.
    (Closes: #912377)
  * Add a new maven rule for xpp3 to fix a FTBFS.
  * Remove Damien Raude-Morvan from Uploaders. (Closes: #889445)
..
libxstream-java (1.4.10-1) unstable; urgency=medium
..
  * New upstream release
    - Removed CVE-2017-7957.patch (fixed upstream)
  * Standards-Version updated to 3.9.8
  * Switch to debhelper level 10
..
libxstream-java (1.4.9-2) unstable; urgency=medium
..
  * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
    type 'void' during unmarshalling lead to a remote application crash.
    (Closes: #861521)
..
libxstream-java (1.4.9-1) unstable; urgency=medium
..
  * New upstream release
    - Fixes CVE-2016-3674: XML External Entity vulnerability (Closes: #819455)
    - Ignore the new xstream-jmh module
    - Updated the Maven rules
  * No longer build the xstream-benchmark module (never used in Debian)
  * Build with maven-debian-helper
  * Depend on libcglib-nodep-java instead of libcglib3-java
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* fields
  * Updated the old references to codehaus.org
..
libxstream-java (1.4.8-1) unstable; urgency=medium
..
  * New upstream release
  * Added a patch to compile with Java 7
  * Moved the package to Git
..
libxstream-java (1.4.7-2) unstable; urgency=medium
..
  * Depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)
..
libxstream-java (1.4.7-1) unstable; urgency=low
..
  * New upstream release
    - Fixes CVE-2013-7285 (Closes: #734821)
    - Added a dependency on libjdom2-java
  * Standards-Version updated to 3.9.5 (no changes)
  * Use XZ compression for the upstream tarball
  * Build depend on debhelper >= 9
  * debian/copyright: Updated to the Copyright Format 1.0
..
libxstream-java (1.4.4-1) unstable; urgency=low
..
  * New upstream release
  * Update Standards-Version: 3.9.4 (no changes)
  * Use canonical URLs for the Vcs-* fields
  * debian/rules: Improved the clean target to allow rebuilds
..
libxstream-java (1.4.2-1) unstable; urgency=low
..
  [ tony mancill ]
  * Remove Michael Koch from Uploaders (Closes: #654106)
  * Update Standards-Version: 3.9.3.
..
  [ Damien Raude-Morvan ]
  * New upstream release (Closes: #655908)
    - Add Build-Depends on libstax-java, libwoodstox-java, libstax2-api-java
      and libkxml2-java (and Suggests).
  * Use maven-ant-helper for build:
    - Add Build-Depends on maven-ant-helper.
    - New debian/build.xml.
    - Drop patch on MANIFEST.MF update and use jh_manifest.
    - Add Build-Depends on javahelper.
  * Add myself as Uploader.
..
libxstream-java (1.3.1-7) unstable; urgency=low
..
  * Switch to source format 3.0.
  * Update Standards-Version: 3.9.1.
..
libxstream-java (1.3.1-6) unstable; urgency=low
..
  [ Onkar Shinde ]
  * debian/control
    - Add quilt build dependency.
  * debian/rules
    - Include patchsys-quilt.mk rule.
  * debian/patches/01_fix_classpath.diff
    - Add appropriate jar files in classpath using manifest attribute.
      (LP: #457660)
  * debian/patches/series
    - Create new and include the new patch added.
  * debian/README.source
    - Add to comply with policy.
..
  [ Michael Koch ]
  * Added myself to Uploaders.
..
libxstream-java (1.3.1-5) unstable; urgency=low
..
  * Switch to default-jdk
  * Build-Depends: replace cglib2.1 with cglib (Closes: #550613)
  * Bump Standards-Version to 3.8.3
  * Bump dh compat to 7
..
libxstream-java (1.3.1-4) unstable; urgency=low
..
  * Add missing dependencies to Depends and Suggests
..
libxstream-java (1.3.1-3) unstable; urgency=low
..
  * Upload to unstable.
..
libxstream-java (1.3.1-2) experimental; urgency=low
..
  * Change section to java
  * Bump up Standards-Version to 3.8.2
  * Add ${misc:Depends} to Depends to clear Lintian warnings
  * Remove Depends on Java runtimes as it is a library
  * Add the Maven POM to the package
  * Add a Build-Depends-Indep dependency on maven-repo-helper
..
libxstream-java (1.3.1-1) unstable; urgency=low
..
  * New upstream release
  * Minor cleanups
..
libxstream-java (1.3-4) unstable; urgency=low
..
  * Fix java bytecode / java runtime version mismatch by setting -source
    and -target to 1.5 (Closes: #503789)
..
libxstream-java (1.3-3) unstable; urgency=low
..
  * Really move package to main.
..
libxstream-java (1.3-2) unstable; urgency=low
..
  * Build package with OpenJDK now.
  * Move package to main.
  * Bump Standards-Version: 3.8.0 (no changes needed).
..
libxstream-java (1.3-1) unstable; urgency=low
..
  * New upstream release
  * Add myself to Uploaders
  * Bump Standards-Version to 3.7.3
  * Remove patches/encoding.diff - not required
..
libxstream-java (1.2.2-1) unstable; urgency=low
..
  * initial version (Closes: #453149)

- - - - -
3197a32d by Markus Koschany at 2021-09-22T15:27:01+02:00
Reimport +deb9u4

- - - - -
ec28fb67 by Markus Koschany at 2021-09-29T16:47:44+02:00
Update changelog

- - - - -
04930e3e by Markus Koschany at 2021-09-29T21:31:44+02:00
Add debian-specific-whitelist-extension.patch

- - - - -


9 changed files:

- debian/changelog
- − debian/patches/CVE-2020-26217.patch
- − debian/patches/CVE-2020-26258.patch
- − debian/patches/CVE-2020-26259.patch
- − debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch
- + debian/patches/SecurityVulnerabilityTest.patch
- + debian/patches/debian-specific-whitelist-extension.patch
- + debian/patches/enable-security-whitelist-by-default.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,20 @@
+libxstream-java (1.4.11.1-1+deb9u4) stretch-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Enable the security whitelist by default to prevent RCE vulnerabilities.
+    XStream no longer uses a blacklist because it cannot be secured for general
+    purpose.
+
+ -- Markus Koschany <apo at debian.org>  Wed, 29 Sep 2021 16:47:37 +0200
+
+libxstream-java (1.4.11.1-1+deb9u3) stretch-security; urgency=high
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2021-29505: a remote attacker may get sufficient rights to execute
+    commands of the host only by manipulating the processed input stream..
+
+ -- Sylvain Beucler <beuc at debian.org>  Sat, 03 Jul 2021 20:40:52 +0200
+
 libxstream-java (1.4.11.1-1+deb9u2) stretch-security; urgency=high
 
   * Non-maintainer upload by the LTS team.
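
Review bot: The new 1.4.11.1-1+deb9u4 entry does not record that the four CVE-specific patches are dropped, nor that SecurityVulnerabilityTest.patch and debian-specific-whitelist-extension.patch are added, although all of these appear in the changed-files list for this push; please add a bullet for each so the changelog reflects the patch changes. Because moving from a blacklist to a whitelist can reject types that previously deserialized, the entry should also tell users that such types now have to be allowed by explicit configuration, as the deb9u2 entry did for its blacklist additions. Minor: the deb9u3 entry ends with a doubled period ("input stream.."), and "for general purpose" would read better as "for general-purpose use".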


=====================================
debian/patches/CVE-2020-26217.patch deleted
=====================================
@@ -1,328 +0,0 @@
-From: Markus Koschany <apo at debian.org>
-Date: Tue, 1 Dec 2020 23:11:04 +0100
-Subject: CVE-2020-26217
-
-Origin: https://github.com/x-stream/xstream/commit/6ec68c4e4192faec64f350e9449f44bc120c813b
-Origin: https://github.com/x-stream/xstream/commit/51abe602e09016c8e43e91325a15226022f4da46
-Origin: https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
----
- .../src/java/com/thoughtworks/xstream/XStream.java |  40 ++----
- .../acceptance/SecurityVulnerabilityTest.java      | 136 ++++++++++++++++-----
- 2 files changed, 121 insertions(+), 55 deletions(-)
-
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index a088877..0ae38b6 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -1,6 +1,6 @@
- /*
-  * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
-- * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 XStream Committers.
-+ * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream Committers.
-  * All rights reserved.
-  *
-  * The software in this package is published under the terms of the BSD
-@@ -36,6 +36,7 @@ import java.net.URL;
- import java.nio.charset.Charset;
- import java.text.DecimalFormatSymbols;
- import java.util.ArrayList;
-+import java.util.Arrays;
- import java.util.BitSet;
- import java.util.Calendar;
- import java.util.Collection;
-@@ -65,10 +66,8 @@ import com.thoughtworks.xstream.converters.Converter;
- import com.thoughtworks.xstream.converters.ConverterLookup;
- import com.thoughtworks.xstream.converters.ConverterRegistry;
- import com.thoughtworks.xstream.converters.DataHolder;
--import com.thoughtworks.xstream.converters.MarshallingContext;
- import com.thoughtworks.xstream.converters.SingleValueConverter;
- import com.thoughtworks.xstream.converters.SingleValueConverterWrapper;
--import com.thoughtworks.xstream.converters.UnmarshallingContext;
- import com.thoughtworks.xstream.converters.basic.BigDecimalConverter;
- import com.thoughtworks.xstream.converters.basic.BigIntegerConverter;
- import com.thoughtworks.xstream.converters.basic.BooleanConverter;
-@@ -355,6 +354,8 @@ public class XStream {
- 
-     private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
-     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
-+    private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
-+    private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
- 
-     /**
-      * Constructs a default XStream.
-@@ -697,6 +698,12 @@ public class XStream {
-         }
-         
-         addPermission(AnyTypePermission.ANY);
-+        denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
-+        denyTypes(new Class[]{ java.lang.ProcessBuilder.class,
-+            java.beans.EventHandler.class, java.lang.ProcessBuilder.class,
-+            java.lang.Void.class, void.class });
-+        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
-+        allowTypeHierarchy(Exception.class);
-         securityInitialized = false;
-     }
- 
-@@ -962,7 +969,6 @@ public class XStream {
-         registerConverter(
-             new SerializableConverter(mapper, reflectionProvider, classLoaderReference), PRIORITY_LOW);
-         registerConverter(new ExternalizableConverter(mapper, classLoaderReference), PRIORITY_LOW);
--        registerConverter(new InternalBlackList(), PRIORITY_LOW);
- 
-         registerConverter(new NullConverter(), PRIORITY_VERY_HIGH);
-         registerConverter(new IntConverter(), PRIORITY_NORMAL);
-@@ -1482,7 +1488,8 @@ public class XStream {
-         try {
-             if (!securityInitialized && !securityWarningGiven) {
-                 securityWarningGiven = true;
--                System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
-+                System.err
-+                    .println("Security framework of XStream not explicitly initialized, using predefined black list on your own risk.");
-             }
-             return marshallingStrategy.unmarshal(
-                 root, reader, dataHolder, converterLookup, mapper);
-@@ -2360,7 +2367,7 @@ public class XStream {
-      */
-     public void addPermission(TypePermission permission) {
-         if (securityMapper != null) {
--            securityInitialized = true;
-+            securityInitialized |= permission.equals(NoTypePermission.NONE) || permission.equals(AnyTypePermission.ANY);
-             securityMapper.addPermission(permission);
-         }
-     }
-@@ -2539,25 +2546,4 @@ public class XStream {
-             super(message);
-         }
-     }
--
--    private class InternalBlackList implements Converter {
--
--        public boolean canConvert(final Class type) {
--            return (type == void.class || type == Void.class)
--                || (!securityInitialized
--                    && type != null
--                    && (type.getName().equals("java.beans.EventHandler")
--                        || type.getName().endsWith("$LazyIterator")
--                        || type.getName().startsWith("javax.crypto.")));
--        }
--
--        public void marshal(final Object source, final HierarchicalStreamWriter writer,
--                final MarshallingContext context) {
--            throw new ConversionException("Security alert. Marshalling rejected.");
--        }
--
--        public Object unmarshal(final HierarchicalStreamReader reader, final UnmarshallingContext context) {
--            throw new ConversionException("Security alert. Unmarshalling rejected.");
--        }
--    }
- }
-diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index 85eaf1c..44b0015 100644
---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-@@ -11,13 +11,15 @@
- package com.thoughtworks.acceptance;
- 
- import java.beans.EventHandler;
-+import java.util.Iterator;
- 
- import com.thoughtworks.xstream.XStream;
- import com.thoughtworks.xstream.XStreamException;
- import com.thoughtworks.xstream.converters.ConversionException;
--import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
-+import com.thoughtworks.xstream.core.JVM;
-+import com.thoughtworks.xstream.security.AnyTypePermission;
- import com.thoughtworks.xstream.security.ForbiddenClassException;
--import com.thoughtworks.xstream.security.ProxyTypePermission;
-+import com.thoughtworks.xstream.security.NoTypePermission;
- 
- 
- /**
-@@ -31,21 +33,22 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-         super.setUp();
-         BUFFER.setLength(0);
-         xstream.alias("runnable", Runnable.class);
--        xstream.allowTypeHierarchy(Runnable.class);
--        xstream.addPermission(ProxyTypePermission.PROXIES);
-+    }
-+
-+    protected void setupSecurity(XStream xstream) {
-     }
- 
-     public void testCannotInjectEventHandler() {
-         final String xml = ""
--                + "<string class='runnable-array'>\n"
--                + "  <dynamic-proxy>\n"
--                + "    <interface>java.lang.Runnable</interface>\n"
--                + "    <handler class='java.beans.EventHandler'>\n"
--                + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
--                + "      <action>exec</action>\n"
--                + "    </handler>\n"
--                + "  </dynamic-proxy>\n"
--                + "</string>";
-+            + "<string class='runnable-array'>\n"
-+            + "  <dynamic-proxy>\n"
-+            + "    <interface>java.lang.Runnable</interface>\n"
-+            + "    <handler class='java.beans.EventHandler'>\n"
-+            + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
-+            + "      <action>exec</action>\n"
-+            + "    </handler>\n"
-+            + "  </dynamic-proxy>\n"
-+            + "</string>";
- 
-         try {
-             xstream.fromXML(xml);
-@@ -57,7 +60,6 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-     }
- 
-     public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {
--        xstream = new XStream(createDriver());
-         xstream.alias("runnable", Runnable.class);
-         final String xml = ""
-             + "<string class='runnable-array'>\n"
-@@ -74,26 +76,24 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-             xstream.fromXML(xml);
-             fail("Thrown " + XStreamException.class.getName() + " expected");
-         } catch (final XStreamException e) {
--            assertTrue(e.getMessage().indexOf(EventHandler.class.getName())>=0);
-+            assertTrue(e.getMessage().indexOf(EventHandler.class.getName()) >= 0);
-         }
-         assertEquals(0, BUFFER.length());
-     }
- 
-     public void testExplicitlyConvertEventHandler() {
-         final String xml = ""
--                + "<string class='runnable-array'>\n"
--                + "  <dynamic-proxy>\n"
--                + "    <interface>java.lang.Runnable</interface>\n"
--                + "    <handler class='java.beans.EventHandler'>\n"
--                + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
--                + "      <action>exec</action>\n"
--                + "    </handler>\n"
--                + "  </dynamic-proxy>\n"
--                + "</string>";
-+            + "<string class='runnable-array'>\n"
-+            + "  <dynamic-proxy>\n"
-+            + "    <interface>java.lang.Runnable</interface>\n"
-+            + "    <handler class='java.beans.EventHandler'>\n"
-+            + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
-+            + "      <action>exec</action>\n"
-+            + "    </handler>\n"
-+            + "  </dynamic-proxy>\n"
-+            + "</string>";
- 
-         xstream.allowTypes(new Class[]{EventHandler.class});
--        xstream.registerConverter(new ReflectionConverter(xstream.getMapper(), xstream
--            .getReflectionProvider(), EventHandler.class));
- 
-         final Runnable[] array = (Runnable[])xstream.fromXML(xml);
-         assertEquals(0, BUFFER.length());
-@@ -101,6 +101,71 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-         assertEquals("Executed!", BUFFER.toString());
-     }
- 
-+    public void testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework() {
-+        if (JVM.isVersion(7)) {
-+            final String xml = ""
-+                + "<string class='javax.imageio.spi.FilterIterator'>\n"
-+                + " <iter class='java.util.ArrayList$Itr'>\n"
-+                + "   <cursor>0</cursor>\n"
-+                + "   <lastRet>1</lastRet>\n"
-+                + "   <expectedModCount>1</expectedModCount>\n"
-+                + "   <outer-class>\n"
-+                + "     <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
-+                + "   </outer-class>\n"
-+                + " </iter>\n"
-+                + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
-+                + "   <method>\n"
-+                + "     <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
-+                + "     <name>exec</name>\n"
-+                + "     <parameter-types/>\n"
-+                + "   </method>\n"
-+                + "   <name>exec</name>\n"
-+                + " </filter>\n"
-+                + " <next/>\n"
-+                + "</string>";
-+
-+            try {
-+                xstream.fromXML(xml);
-+                fail("Thrown " + XStreamException.class.getName() + " expected");
-+            } catch (final XStreamException e) {
-+                assertTrue(e.getMessage().indexOf("javax.imageio.ImageIO$ContainsFilter") >= 0);
-+            }
-+            assertEquals(0, BUFFER.length());
-+        }
-+    }
-+
-+    public void testExplicitlyConvertImageIOContainsFilter() {
-+        if (JVM.isVersion(7)) {
-+            final String xml = ""
-+                + "<string class='javax.imageio.spi.FilterIterator'>\n"
-+                + " <iter class='java.util.ArrayList$Itr'>\n"
-+                + "   <cursor>0</cursor>\n"
-+                + "   <lastRet>1</lastRet>\n"
-+                + "   <expectedModCount>1</expectedModCount>\n"
-+                + "   <outer-class>\n"
-+                + "     <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n"
-+                + "   </outer-class>\n"
-+                + " </iter>\n"
-+                + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n"
-+                + "   <method>\n"
-+                + "     <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n"
-+                + "     <name>exec</name>\n"
-+                + "     <parameter-types/>\n"
-+                + "   </method>\n"
-+                + "   <name>exec</name>\n"
-+                + " </filter>\n"
-+                + " <next/>\n"
-+                + "</string>";
-+
-+            xstream.allowTypes(new String[]{"javax.imageio.ImageIO$ContainsFilter"});
-+
-+            final Iterator iterator = (Iterator)xstream.fromXML(xml);
-+            assertEquals(0, BUFFER.length());
-+            iterator.next();
-+            assertEquals("Executed!", BUFFER.toString());
-+        }
-+    }
-+
-     public static class Exec {
- 
-         public void exec() {
-@@ -109,6 +174,8 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-     }
- 
-     public void testDeniedInstanceOfVoid() {
-+        xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
-+        xstream.denyTypes(new Class[] { void.class, Void.class });
-         try {
-             xstream.fromXML("<void/>");
-             fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-@@ -118,12 +185,25 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-     }
- 
-     public void testAllowedInstanceOfVoid() {
--        xstream.allowTypes(new Class[] { void.class, Void.class });
-+        xstream.allowTypes(new Class[]{void.class, Void.class});
-         try {
-             xstream.fromXML("<void/>");
-             fail("Thrown " + ConversionException.class.getName() + " expected");
-         } catch (final ConversionException e) {
--            assertEquals("void", e.get("required-type"));
-+            assertEquals("void", e.get("construction-type"));
-+        }
-+    }
-+    
-+    public static class LazyIterator {
-+    }
-+
-+    public void testInstanceOfLazyIterator() {
-+        xstream.alias("lazy-iterator", LazyIterator.class);
-+        try {
-+            xstream.fromXML("<lazy-iterator/>");
-+            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-+        } catch (final ForbiddenClassException e) {
-+            // OK
-         }
-     }
- }
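
Review bot: Deleting this patch also deletes the regression tests it added to SecurityVulnerabilityTest.java (testCannotInjectEventHandlerWithUnconfiguredSecurityFramework, testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework, testInstanceOfLazyIterator), so please confirm that the new SecurityVulnerabilityTest.patch carries them over and that they pass because of the whitelist rather than the removed denyTypes() and denyTypesByRegExp() calls. The patch also changed addPermission() so that only NoTypePermission.NONE or AnyTypePermission.ANY sets securityInitialized, and it removed the InternalBlackList converter; with the patch gone both changes are reverted, so enable-security-whitelist-by-default.patch has to apply cleanly against that reverted XStream.java and should state in its header how securityInitialized and the warning in unmarshal() behave afterwards.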


=====================================
debian/patches/CVE-2020-26258.patch deleted
=====================================
@@ -1,26 +0,0 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sun, 27 Dec 2020 11:00:57 +0100
-Subject: CVE-2020-26258
-
-Origin: https://github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce
----
- xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index 0ae38b6..65670f1 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -698,7 +698,11 @@ public class XStream {
-         }
-         
-         addPermission(AnyTypePermission.ANY);
--        denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
-+        denyTypes(new String[]{
-+            "java.beans.EventHandler",
-+            "java.lang.ProcessBuilder",
-+            "javax.imageio.ImageIO$ContainsFilter",
-+            "jdk.nashorn.internal.objects.NativeString"});
-         denyTypes(new Class[]{ java.lang.ProcessBuilder.class,
-             java.beans.EventHandler.class, java.lang.ProcessBuilder.class,
-             java.lang.Void.class, void.class });
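
Review bot: This patch touched only XStream.java (1 file changed) and never shipped a regression test for CVE-2020-26258, so once the string entries for java.lang.ProcessBuilder and jdk.nashorn.internal.objects.NativeString are dropped here there is no test from this patch to carry forward; please make sure SecurityVulnerabilityTest.patch adds a case that unmarshals jdk.nashorn.internal.objects.NativeString with the default configuration and expects ForbiddenClassException.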


=====================================
debian/patches/CVE-2020-26259.patch deleted
=====================================
@@ -1,205 +0,0 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sun, 27 Dec 2020 11:05:05 +0100
-Subject: CVE-2020-26259
-
-Origin: https://github.com/x-stream/xstream/commit/0bcbf50126a62dfcd65f93a0da0c6d1ae92aa738
----
- pom.xml                                            |  6 ++
- xstream/pom.xml                                    | 48 ++++++++++++++++
- .../src/java/com/thoughtworks/xstream/XStream.java | 10 +++-
- .../acceptance/SecurityVulnerabilityTest.java      | 65 ++++++++++++++++++++++
- 4 files changed, 126 insertions(+), 3 deletions(-)
-
-diff --git a/pom.xml b/pom.xml
-index 5d52a8f..3e47500 100644
---- a/pom.xml
-+++ b/pom.xml
-@@ -552,6 +552,11 @@
-         <artifactId>jaxb-api</artifactId>
-         <version>${version.javax.xml.bind.api}</version>
-       </dependency>
-+      <dependency>
-+        <groupId>com.sun.xml.ws</groupId>
-+        <artifactId>jaxws-rt</artifactId>
-+        <version>${version.javax.xml.ws.jaxws.rt}</version>
-+      </dependency>
- 
-       <dependency>
-         <groupId>org.hibernate</groupId>
-@@ -984,6 +989,7 @@
-     <version.javax.activation>1.1.1</version.javax.activation>
-     <version.javax.annotation.api>1.3.2</version.javax.annotation.api>
-     <version.javax.xml.bind.api>2.3.1</version.javax.xml.bind.api>
-+    <version.javax.xml.ws.jaxws.rt>2.2</version.javax.xml.ws.jaxws.rt><!-- Java 5 -->
-     <version.jmock>1.0.1</version.jmock>
-     <version.joda-time>1.6</version.joda-time>
-     <version.junit>3.8.1</version.junit>
-diff --git a/xstream/pom.xml b/xstream/pom.xml
-index 566b619..8b9dc22 100644
---- a/xstream/pom.xml
-+++ b/xstream/pom.xml
-@@ -149,6 +149,54 @@
-       <artifactId>commons-lang</artifactId>
-       <scope>test</scope>
-     </dependency>
-+
-+      <dependency>
-+      <groupId>com.sun.xml.ws</groupId>
-+      <artifactId>jaxws-rt</artifactId>
-+      <scope>test</scope>
-+      <exclusions>
-+        <exclusion>
-+          <groupId>javax.xml.ws</groupId>
-+          <artifactId>jaxws-api</artifactId>
-+        </exclusion>
-+        <exclusion>
-+          <groupId>com.sun.istack</groupId>
-+          <artifactId>istack-commons-runtime</artifactId>
-+        </exclusion>
-+        <exclusion>
-+          <groupId>com.sun.xml.bind</groupId>
-+          <artifactId>jaxb-impl</artifactId>
-+        </exclusion>
-+        <exclusion>
-+          <groupId>com.sun.xml.messaging.saaj</groupId>
-+          <artifactId>saaj-impl</artifactId>
-+        </exclusion>
-+        <exclusion>
-+          <groupId>com.sun.xml.stream.buffer</groupId>
-+          <artifactId>streambuffer</artifactId>
-+        </exclusion>
-+        <exclusion>
-+          <groupId>com.sun.xml.ws</groupId>
-+          <artifactId>policy</artifactId>
-+        </exclusion>
-+        <exclusion>
-+          <groupId>com.sun.org.apache.xml.internal</groupId>
-+          <artifactId>resolver</artifactId>
-+        </exclusion>
-+        <exclusion>
-+          <groupId>org.glassfish.gmbal</groupId>
-+          <artifactId>gmbal-api-only</artifactId>
-+        </exclusion>
-+        <exclusion>
-+          <groupId>org.jvnet</groupId>
-+          <artifactId>mimepull</artifactId>
-+        </exclusion>
-+        <exclusion>
-+          <groupId>org.jvnet.staxex</groupId>
-+          <artifactId>stax-ex</artifactId>
-+        </exclusion>
-+      </exclusions>
-+  </dependency>
-   </dependencies>
- 
-   <build>
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index 65670f1..1d28088 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -356,6 +356,7 @@ public class XStream {
-     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
-     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
-     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
-+    private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
- 
-     /**
-      * Constructs a default XStream.
-@@ -703,10 +704,13 @@ public class XStream {
-             "java.lang.ProcessBuilder",
-             "javax.imageio.ImageIO$ContainsFilter",
-             "jdk.nashorn.internal.objects.NativeString"});
--        denyTypes(new Class[]{ java.lang.ProcessBuilder.class,
--            java.beans.EventHandler.class, java.lang.ProcessBuilder.class,
-+        denyTypes(new Class[]{
-+            java.lang.ProcessBuilder.class,
-+            jdk.nashorn.internal.objects.NativeString.class,
-+            java.beans.EventHandler.class,
-+            java.lang.ProcessBuilder.class,
-             java.lang.Void.class, void.class });
--        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
-+        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
-         allowTypeHierarchy(Exception.class);
-         securityInitialized = false;
-     }
-diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index 44b0015..36b61a1 100644
---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-@@ -11,6 +11,11 @@
- package com.thoughtworks.acceptance;
- 
- import java.beans.EventHandler;
-+import java.io.File;
-+import java.io.FileOutputStream;
-+import java.io.IOException;
-+import java.io.InputStream;
-+import java.io.OutputStream;
- import java.util.Iterator;
- 
- import com.thoughtworks.xstream.XStream;
-@@ -206,4 +211,64 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-             // OK
-         }
-     }
-+
-+    public void testCannotUseJaxwsInputStreamToDeleteFile() {
-+        final String xml = ""
-+            + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
-+            + " <tempFile>target/junit/test.txt</tempFile>\n"
-+            + "</is>";
-+
-+        xstream.aliasType("is", InputStream.class);
-+        try {
-+            xstream.fromXML(xml);
-+            fail("Thrown " + ConversionException.class.getName() + " expected");
-+        } catch (final ForbiddenClassException e) {
-+            // OK
-+        }
-+    }
-+
-+    public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException {
-+        final File testDir = new File("target/junit");
-+        final File testFile = new File(testDir, "test.txt");
-+        try {
-+            testDir.mkdirs();
-+
-+            final OutputStream out = new FileOutputStream(testFile);
-+            out.write("JUnit".getBytes());
-+            out.flush();
-+            out.close();
-+
-+            assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists());
-+
-+            final String xml = ""
-+                + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
-+                + " <tempFile>target/junit/test.txt</tempFile>\n"
-+                + "</is>";
-+
-+            xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
-+            xstream.aliasType("is", InputStream.class);
-+
-+            InputStream is = null;
-+            try {
-+                is = (InputStream)xstream.fromXML(xml);
-+            } catch (final ForbiddenClassException e) {
-+                // OK
-+            }
-+
-+            assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists());
-+
-+            byte[] data = new byte[10];
-+            is.read(data);
-+            is.close();
-+
-+            assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists());
-+        } finally {
-+            if (testFile.exists()) {
-+                testFile.delete();
-+            }
-+            if (testDir.exists()) {
-+                testDir.delete();
-+            }
-+        }
-+    }
- }
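Review bot: Dropping this patch also drops testCannotUseJaxwsInputStreamToDeleteFile, and none of the tests added by SecurityVulnerabilityTest.patch in this push takes its place, so nothing shown here checks that `com.sun.xml.ws.util.ReadAllStream$FileStream` is still refused once the whitelist replaces the `JAXWS_FILE_STREAM` deny pattern. Carry that test over to the new test patch. While doing so, fix its failure message, which names ConversionException although the catch block expects ForbiddenClassException.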


=====================================
debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch deleted
=====================================
@@ -1,144 +0,0 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 3 Apr 2021 20:47:22 +0200
-Subject: CVE-2021-21341-to-CVE-2021-21351
-
-Bug-Debian: https://bugs.debian.org/985843
-Origin: https://github.com/x-stream/xstream/commit/d5e51177634afea7213b9dc2d21f101d2e258db9
----
- .../src/java/com/thoughtworks/xstream/XStream.java | 31 +++++++++++++---
- .../acceptance/SecurityVulnerabilityTest.java      | 43 ++++++++++++++++++++++
- 2 files changed, 69 insertions(+), 5 deletions(-)
-
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index 1d28088..5fcf401 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -1,6 +1,6 @@
- /*
-  * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
-- * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream Committers.
-+ * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream Committers.
-  * All rights reserved.
-  *
-  * The software in this package is published under the terms of the BSD
-@@ -36,7 +36,6 @@ import java.net.URL;
- import java.nio.charset.Charset;
- import java.text.DecimalFormatSymbols;
- import java.util.ArrayList;
--import java.util.Arrays;
- import java.util.BitSet;
- import java.util.Calendar;
- import java.util.Collection;
-@@ -354,9 +353,14 @@ public class XStream {
- 
-     private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
-     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
-+    private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
-+    private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
-     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
-+    private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
-+    private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
-+        "javafx\\.collections\\.ObservableList\\$.*");
-     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
--    private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
-+    private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
- 
-     /**
-      * Constructs a default XStream.
-@@ -703,18 +707,35 @@ public class XStream {
-             "java.beans.EventHandler",
-             "java.lang.ProcessBuilder",
-             "javax.imageio.ImageIO$ContainsFilter",
--            "jdk.nashorn.internal.objects.NativeString"});
-+            "jdk.nashorn.internal.objects.NativeString", //
-+            "com.sun.corba.se.impl.activation.ServerTableEntry", //
-+            "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator", //
-+            "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
-+            "sun.swing.SwingLazyValue"});
-+        denyTypesByRegExp(new Pattern[]{
-+            LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
-+            JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
-+        denyTypeHierarchy(InputStream.class);
-+        denyTypeHierarchyDynamically("java.nio.channels.Channel");
-+        denyTypeHierarchyDynamically("javax.activation.DataSource");
-+        denyTypeHierarchyDynamically("javax.sql.rowset.BaseRowSet");
-         denyTypes(new Class[]{
-             java.lang.ProcessBuilder.class,
-             jdk.nashorn.internal.objects.NativeString.class,
-             java.beans.EventHandler.class,
-             java.lang.ProcessBuilder.class,
-             java.lang.Void.class, void.class });
--        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
-         allowTypeHierarchy(Exception.class);
-         securityInitialized = false;
-     }
- 
-+    private void denyTypeHierarchyDynamically(String className) {
-+        Class type = JVM.loadClassForName(className);
-+        if (type != null) {
-+            denyTypeHierarchy(type);
-+        }
-+    }
-+
-     /**
-      * Setup the security framework of a XStream instance.
-      * <p>
-diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index 36b61a1..77c2bb9 100644
---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-@@ -11,6 +11,7 @@
- package com.thoughtworks.acceptance;
- 
- import java.beans.EventHandler;
-+import java.io.ByteArrayInputStream;
- import java.io.File;
- import java.io.FileOutputStream;
- import java.io.IOException;
-@@ -271,4 +272,46 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-             }
-         }
-     }
-+
-+    public void testCannotInjectManipulatedByteArryInputStream() {
-+        xstream.alias("bais", ByteArrayInputStream.class);
-+        System.out.println(Integer.MAX_VALUE);
-+        final String xml = ""
-+            + "<bais>\n"
-+            + "  <buf></buf>\n"
-+            + "  <pos>-2147483648</pos>\n"
-+            + "  <mark>0</mark>\n"
-+            + "  <count>0</count>\n"
-+            + "</bais>";
-+
-+        try {
-+            xstream.fromXML(xml);
-+            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-+        } catch (final ForbiddenClassException e) {
-+            assertEquals(e.getMessage(),ByteArrayInputStream.class.getName());
-+        }
-+    }
-+
-+    public void testExplicitlyUnmarshalEndlessByteArryInputStream() {
-+        xstream.alias("bais", ByteArrayInputStream.class);
-+        xstream.allowTypes(new Class[]{ByteArrayInputStream.class});
-+
-+        final String xml = ""
-+            + "<bais>\n"
-+            + "  <buf></buf>\n"
-+            + "  <pos>-2147483648</pos>\n"
-+            + "  <mark>0</mark>\n"
-+            + "  <count>0</count>\n"
-+            + "</bais>";
-+        
-+        final byte[] data = new byte[10];
-+        final ByteArrayInputStream bais = (ByteArrayInputStream)xstream.fromXML(xml);
-+        int i = 5;
-+        while(bais.read(data, 0, 10) == 0) {
-+            if (--i == 0) {
-+                break;
-+            }
-+        }
-+        assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
-+    }
- }


=====================================
debian/patches/SecurityVulnerabilityTest.patch
=====================================
@@ -0,0 +1,181 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 22 Sep 2021 12:25:39 +0200
+Subject: SecurityVulnerabilityTest
+
+Update SecurityVulnerabilityTest.java to the latest upstream version.
+---
+ .../acceptance/SecurityVulnerabilityTest.java      | 95 ++++++++++++++++++----
+ 1 file changed, 78 insertions(+), 17 deletions(-)
+
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index 85eaf1c..d387bcd 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -1,21 +1,28 @@
+ /*
+- * Copyright (C) 2013, 2014, 2017, 2018 XStream Committers.
++ * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+  * style license a copy of which has been included with this distribution in
+  * the LICENSE.txt file.
+- * 
++ *
+  * Created on 23. December 2013 by Joerg Schaible
+  */
+ package com.thoughtworks.acceptance;
+ 
+ import java.beans.EventHandler;
++import java.io.ByteArrayInputStream;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.util.Iterator;
+ 
+-import com.thoughtworks.xstream.XStream;
+ import com.thoughtworks.xstream.XStreamException;
+ import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
++import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+ 
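Review bot: Of the imports added at the top of the file, only ByteArrayInputStream and IOException are used by the tests this patch adds; File, FileOutputStream, InputStream, OutputStream, Iterator and AnyTypePermission have no user in any added line. Either drop them or bring along the tests they belong to, otherwise the file only gains unused-import warnings.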
+@@ -27,6 +34,7 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ 
+     private final static StringBuffer BUFFER = new StringBuffer();
+ 
++    @Override
+     protected void setUp() throws Exception {
+         super.setUp();
+         BUFFER.setLength(0);
+@@ -37,28 +45,26 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ 
+     public void testCannotInjectEventHandler() {
+         final String xml = ""
+-                + "<string class='runnable-array'>\n"
+-                + "  <dynamic-proxy>\n"
+-                + "    <interface>java.lang.Runnable</interface>\n"
+-                + "    <handler class='java.beans.EventHandler'>\n"
+-                + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
+-                + "      <action>exec</action>\n"
+-                + "    </handler>\n"
+-                + "  </dynamic-proxy>\n"
+-                + "</string>";
++            + "<string class='runnable-array'>\n"
++            + "  <dynamic-proxy>\n"
++            + "    <interface>java.lang.Runnable</interface>\n"
++            + "    <handler class='java.beans.EventHandler'>\n"
++            + "      <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n"
++            + "      <action>exec</action>\n"
++            + "    </handler>\n"
++            + "  </dynamic-proxy>\n"
++            + "</string>";
+ 
+         try {
+             xstream.fromXML(xml);
+             fail("Thrown " + XStreamException.class.getName() + " expected");
+         } catch (final XStreamException e) {
+-            assertTrue(e.getMessage().indexOf(EventHandler.class.getName()) > 0);
++            assertTrue(e.getMessage().contains(EventHandler.class.getName()));
+         }
+         assertEquals(0, BUFFER.length());
+     }
+ 
+-    public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() {
+-        xstream = new XStream(createDriver());
+-        xstream.alias("runnable", Runnable.class);
++    public void testExplicitlyConvertEventHandler() {
+         final String xml = ""
+             + "<string class='runnable-array'>\n"
+             + "  <dynamic-proxy>\n"
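Review bot: The removed lines `xstream = new XStream(createDriver());` and `xstream.alias("runnable", Runnable.class);` made this test run against a freshly constructed instance, which is exactly the case an upload that enables the whitelist by default needs to cover. Keep a test that builds a new XStream without touching its permissions and asserts that the EventHandler payload is refused. The new name testExplicitlyConvertEventHandler also does not fit: the body kept as context in the next hunk still expects an XStreamException.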
+@@ -76,10 +82,12 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+         } catch (final XStreamException e) {
+             assertTrue(e.getMessage().indexOf(EventHandler.class.getName())>=0);
+         }
++
++
+         assertEquals(0, BUFFER.length());
+     }
+ 
+-    public void testExplicitlyConvertEventHandler() {
++    public void testExplicitlyConvertImageIOContainsFilter() {
+         final String xml = ""
+                 + "<string class='runnable-array'>\n"
+                 + "  <dynamic-proxy>\n"
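Review bot: The rename to testExplicitlyConvertImageIOContainsFilter does not match the body it now heads: the XML still opens with the runnable-array and dynamic-proxy payload, and the context of the following hunk registers a converter for `EventHandler.class` and calls `array[0].run()`. Keep the name testExplicitlyConvertEventHandler for this body, and drop the two blank lines added before `assertEquals(0, BUFFER.length());`.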
+@@ -96,6 +104,7 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+             .getReflectionProvider(), EventHandler.class));
+ 
+         final Runnable[] array = (Runnable[])xstream.fromXML(xml);
++
+         assertEquals(0, BUFFER.length());
+         array[0].run();
+         assertEquals("Executed!", BUFFER.toString());
+@@ -108,6 +117,15 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+         }
+     }
+ 
++    public void testInstanceOfVoid() {
++        try {
++            xstream.fromXML("<void/>");
++            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++        } catch (final ForbiddenClassException e) {
++            // OK
++        }
++    }
++
+     public void testDeniedInstanceOfVoid() {
+         try {
+             xstream.fromXML("<void/>");
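Review bot: testInstanceOfVoid looks like a duplicate, because the context lines show testDeniedInstanceOfVoid opening with the same `xstream.fromXML("<void/>");` inside a try block. If the two differ further down, make that visible in the test names or a comment; if they do not, one of them can go.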
+@@ -124,6 +142,49 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+             fail("Thrown " + ConversionException.class.getName() + " expected");
+         } catch (final ConversionException e) {
+             assertEquals("void", e.get("required-type"));
++
++        }
++    }
++
++    public void testCannotInjectManipulatedByteArryInputStream() {
++        xstream.alias("bais", ByteArrayInputStream.class);
++        final String xml = ""
++            + "<bais>\n"
++            + "  <buf></buf>\n"
++            + "  <pos>-2147483648</pos>\n"
++            + "  <mark>0</mark>\n"
++            + "  <count>0</count>\n"
++            + "</bais>";
++
++        try {
++            xstream.fromXML(xml);
++            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++        } catch (final ForbiddenClassException e) {
++            assertEquals(e.getMessage(), ByteArrayInputStream.class.getName());
++        }
++    }
++
++    public void testExplicitlyUnmarshalEndlessByteArryInputStream() throws IOException {
++        xstream.alias("bais", ByteArrayInputStream.class);
++        xstream.allowTypes(new Class[]{ByteArrayInputStream.class});
++
++        final String xml = ""
++            + "<bais>\n"
++            + "  <buf></buf>\n"
++            + "  <pos>-2147483648</pos>\n"
++            + "  <mark>0</mark>\n"
++            + "  <count>0</count>\n"
++            + "</bais>";
++
++        final byte[] data = new byte[10];
++        try (final ByteArrayInputStream bais = (ByteArrayInputStream)xstream.fromXML(xml)) {
++            int i = 5;
++            while (bais.read(data, 0, 10) == 0) {
++                if (--i == 0) {
++                    break;
++                }
++            }
++            assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+         }
+     }
+ }
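Review bot: In testCannotInjectManipulatedByteArryInputStream the arguments of `assertEquals(e.getMessage(), ByteArrayInputStream.class.getName());` are in actual, expected order; JUnit takes the expected value first, so a failure would report the two values under the wrong labels. Swap them. Minor points in the same hunk: the blank line added inside the ConversionException catch block is stray, and both new test names spell the class as ByteArry.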


=====================================
debian/patches/debian-specific-whitelist-extension.patch
=====================================
@@ -0,0 +1,26 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 29 Sep 2021 21:11:38 +0200
+Subject: debian specific whitelist extension
+
+Fix regressions in jsap, jajuk, jodconverter, jmeter and tiles-autotag.
+
+Ignore the rest because they are negligible.
+---
+ xstream/src/java/com/thoughtworks/xstream/XStream.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 5c49410..49ee8cb 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -708,6 +708,10 @@ public class XStream {
+         allowTypeHierarchy(Number.class);
+         allowTypeHierarchy(Throwable.class);
+         allowTypeHierarchy(TimeZone.class);
++        allowTypesByWildcard(new
++                String[]{"com.martiansoftware.jsap.xml.**","ext.services.xml.**",
++                    "com.artofsolving.jodconverter.**","org.apache.jmeter.**",
++                    "org.apache.tiles.autotag.**"});
+ 
+         Class type = JVM.loadClassForName("java.lang.Enum");
+         if (type != null) {
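Review bot: The `**` patterns passed to allowTypesByWildcard open whole package trees (`org.apache.jmeter.**`, `com.artofsolving.jodconverter.**` and the others) for every program that uses this library, not only for the five packages named in the description. Narrow each pattern to the types those packages actually unmarshal, and add a comment saying which package each entry serves; `ext.services.xml.**` in particular cannot be matched to a package from its name. The description should also name the regressions that are being ignored.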


=====================================
debian/patches/enable-security-whitelist-by-default.patch
=====================================
@@ -0,0 +1,205 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 22 Sep 2021 12:12:08 +0200
+Subject: enable security whitelist by default
+
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java | 175 ++++++++++-----------
+ 1 file changed, 85 insertions(+), 90 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index a088877..5c49410 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -695,107 +695,102 @@ public class XStream {
+         if (securityMapper == null) {
+             return;
+         }
+-        
+-        addPermission(AnyTypePermission.ANY);
+-        securityInitialized = false;
++        addPermission(NoTypePermission.NONE);
++        addPermission(NullPermission.NULL);
++        addPermission(PrimitiveTypePermission.PRIMITIVES);
++        addPermission(ArrayTypePermission.ARRAYS);
++        addPermission(InterfaceTypePermission.INTERFACES);
++        allowTypeHierarchy(Calendar.class);
++        allowTypeHierarchy(Collection.class);
++        allowTypeHierarchy(Map.class);
++        allowTypeHierarchy(Map.Entry.class);
++        allowTypeHierarchy(Member.class);
++        allowTypeHierarchy(Number.class);
++        allowTypeHierarchy(Throwable.class);
++        allowTypeHierarchy(TimeZone.class);
++
++        Class type = JVM.loadClassForName("java.lang.Enum");
++        if (type != null) {
++            allowTypeHierarchy(type);
++        }
++        type = JVM.loadClassForName("java.nio.file.Path");
++        if (type != null) {
++            allowTypeHierarchy(type);
++        }
++
++        final Set types = new HashSet();
++        types.add(BitSet.class);
++        types.add(Charset.class);
++        types.add(Class.class);
++        types.add(Currency.class);
++        types.add(Date.class);
++        types.add(DecimalFormatSymbols.class);
++        types.add(File.class);
++        types.add(Locale.class);
++        types.add(Object.class);
++        types.add(Pattern.class);
++        types.add(StackTraceElement.class);
++        types.add(String.class);
++        types.add(StringBuffer.class);
++        types.add(JVM.loadClassForName("java.lang.StringBuilder"));
++        types.add(URL.class);
++        types.add(URI.class);
++        types.add(JVM.loadClassForName("java.util.UUID"));
++        if (JVM.isSQLAvailable()) {
++            types.add(JVM.loadClassForName("java.sql.Timestamp"));
++            types.add(JVM.loadClassForName("java.sql.Time"));
++            types.add(JVM.loadClassForName("java.sql.Date"));
++        }
++        if (JVM.isVersion(8)) {
++            allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
++            types.add(JVM.loadClassForName("java.time.Duration"));
++            types.add(JVM.loadClassForName("java.time.Instant"));
++            types.add(JVM.loadClassForName("java.time.LocalDate"));
++            types.add(JVM.loadClassForName("java.time.LocalDateTime"));
++            types.add(JVM.loadClassForName("java.time.LocalTime"));
++            types.add(JVM.loadClassForName("java.time.MonthDay"));
++            types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
++            types.add(JVM.loadClassForName("java.time.OffsetTime"));
++            types.add(JVM.loadClassForName("java.time.Period"));
++            types.add(JVM.loadClassForName("java.time.Ser"));
++            types.add(JVM.loadClassForName("java.time.Year"));
++            types.add(JVM.loadClassForName("java.time.YearMonth"));
++            types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
++            allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
++            types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
++            types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
++            types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
++            types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
++            types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
++            types.add(JVM.loadClassForName("java.time.chrono.Ser"));
++            allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
++            types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
++            types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
++        }
++        types.remove(null);
++
++        final Iterator iter = types.iterator();
++        final Class[] classes = new Class[types.size()];
++        for (int i = 0; i < classes.length; ++i) {
++            classes[i] = (Class)iter.next();
++        }
++        allowTypes(classes);
++
+     }
+ 
+     /**
+      * Setup the security framework of a XStream instance.
+      * <p>
+-     * This method is a pure helper method for XStream 1.4.x. It initializes an XStream instance with a white list of
+-     * well-known and simply types of the Java runtime as it is done in XStream 1.5.x by default. This method will do
+-     * therefore nothing in XStream 1.5.
++     * This method was a pure helper method for XStream 1.4.10 to 1.4.17.  It initialized an XStream instance with a
++     * whitelist of well-known and simply types of the Java runtime as it is done in XStream 1.4.11 by default.  This
++     * method will do therefore nothing in XStream 1.4.11 or higher.
+      * </p>
+      * 
+      * @param xstream
+      * @since 1.4.10
++     * @deprecated As of 1.4.11
+      */
+     public static void setupDefaultSecurity(final XStream xstream) {
+-        if (!xstream.securityInitialized) {
+-            xstream.addPermission(NoTypePermission.NONE);
+-            xstream.addPermission(NullPermission.NULL);
+-            xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
+-            xstream.addPermission(ArrayTypePermission.ARRAYS);
+-            xstream.addPermission(InterfaceTypePermission.INTERFACES);
+-            xstream.allowTypeHierarchy(Calendar.class);
+-            xstream.allowTypeHierarchy(Collection.class);
+-            xstream.allowTypeHierarchy(Map.class);
+-            xstream.allowTypeHierarchy(Map.Entry.class);
+-            xstream.allowTypeHierarchy(Member.class);
+-            xstream.allowTypeHierarchy(Number.class);
+-            xstream.allowTypeHierarchy(Throwable.class);
+-            xstream.allowTypeHierarchy(TimeZone.class);
+-
+-            Class type = JVM.loadClassForName("java.lang.Enum");
+-            if (type != null) {
+-                xstream.allowTypeHierarchy(type);
+-            }
+-            type = JVM.loadClassForName("java.nio.file.Path");
+-            if (type != null) {
+-                xstream.allowTypeHierarchy(type);
+-            }
+-
+-            final Set types = new HashSet();
+-            types.add(BitSet.class);
+-            types.add(Charset.class);
+-            types.add(Class.class);
+-            types.add(Currency.class);
+-            types.add(Date.class);
+-            types.add(DecimalFormatSymbols.class);
+-            types.add(File.class);
+-            types.add(Locale.class);
+-            types.add(Object.class);
+-            types.add(Pattern.class);
+-            types.add(StackTraceElement.class);
+-            types.add(String.class);
+-            types.add(StringBuffer.class);
+-            types.add(JVM.loadClassForName("java.lang.StringBuilder"));
+-            types.add(URL.class);
+-            types.add(URI.class);
+-            types.add(JVM.loadClassForName("java.util.UUID"));
+-            if (JVM.isSQLAvailable()) {
+-                types.add(JVM.loadClassForName("java.sql.Timestamp"));
+-                types.add(JVM.loadClassForName("java.sql.Time"));
+-                types.add(JVM.loadClassForName("java.sql.Date"));
+-            }
+-            if (JVM.isVersion(8)) {
+-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.Clock"));
+-                types.add(JVM.loadClassForName("java.time.Duration"));
+-                types.add(JVM.loadClassForName("java.time.Instant"));
+-                types.add(JVM.loadClassForName("java.time.LocalDate"));
+-                types.add(JVM.loadClassForName("java.time.LocalDateTime"));
+-                types.add(JVM.loadClassForName("java.time.LocalTime"));
+-                types.add(JVM.loadClassForName("java.time.MonthDay"));
+-                types.add(JVM.loadClassForName("java.time.OffsetDateTime"));
+-                types.add(JVM.loadClassForName("java.time.OffsetTime"));
+-                types.add(JVM.loadClassForName("java.time.Period"));
+-                types.add(JVM.loadClassForName("java.time.Ser"));
+-                types.add(JVM.loadClassForName("java.time.Year"));
+-                types.add(JVM.loadClassForName("java.time.YearMonth"));
+-                types.add(JVM.loadClassForName("java.time.ZonedDateTime"));
+-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId"));
+-                types.add(JVM.loadClassForName("java.time.chrono.HijrahDate"));
+-                types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate"));
+-                types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra"));
+-                types.add(JVM.loadClassForName("java.time.chrono.MinguoDate"));
+-                types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate"));
+-                types.add(JVM.loadClassForName("java.time.chrono.Ser"));
+-                xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology"));
+-                types.add(JVM.loadClassForName("java.time.temporal.ValueRange"));
+-                types.add(JVM.loadClassForName("java.time.temporal.WeekFields"));
+-            }
+-            types.remove(null);
+-
+-            final Iterator iter = types.iterator();
+-            final Class[] classes = new Class[types.size()];
+-            for (int i = 0; i < classes.length; ++i) {
+-                classes[i] = (Class)iter.next();
+-            }
+-            xstream.allowTypes(classes);
+-        } else {
+-            throw new IllegalArgumentException("Security framework of XStream instance already initialized");
+-        }
+     }
+ 
+     protected void setupAliases() {
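Review bot: The rewritten Javadoc for setupDefaultSecurity contradicts itself: it calls the method a helper for XStream 1.4.10 to 1.4.17, then says the whitelist is the default in 1.4.11 and that the method does nothing in 1.4.11 or higher, and adds `@deprecated As of 1.4.11`. Settle on one statement that matches this package, for example that this build enables the whitelist by default and the method is kept only for source compatibility. The body is now empty, so the old IllegalArgumentException for an already initialised instance is gone, and `securityInitialized = false;` is removed from setupSecurity; check that nothing else still depends on that field.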


=====================================
debian/patches/series
=====================================
@@ -1,5 +1,4 @@
 01-java7-compatibility.patch
-CVE-2020-26217.patch
-CVE-2020-26258.patch
-CVE-2020-26259.patch
-CVE-2021-21341-to-CVE-2021-21351.patch
+enable-security-whitelist-by-default.patch
+SecurityVulnerabilityTest.patch
+debian-specific-whitelist-extension.patch
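Review bot: The four CVE-named entries are replaced by patches whose headers, as shown in this mail, carry no Origin or Bug-Debian field, while the deleted CVE-2021-21341-to-CVE-2021-21351.patch had both, and enable-security-whitelist-by-default.patch has no description at all. Add an Origin line and a short description listing the CVE ids the whitelist now covers, so the series still shows where each fix lives.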



View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/74ecb47cd1bb2316da54d413dd453cfe37d9c289...04930e3e05674644b12dc607b1983722e62137ec
