[groovy2] 01/01: Fix CVE-2015-3253

[Miguel Landaeta]

This is an automated email from the git hooks/post-receive script.

nomadium pushed a commit to branch master
in repository groovy2.

commit 768cef056996e9c2bca243b8f3d94e2b610d2a65
Author: Miguel Landaeta <nomadium at debian.org>
Date:   Sat Jul 25 15:41:47 2015 -0300

    Fix CVE-2015-3253
---
 debian/changelog                   |  7 +++++++
 debian/patches/CVE-2015-3253.patch | 36 ++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 44 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 9668635..7f5060b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+groovy2 (2.4.3+dfsg-2) UNRELEASED; urgency=medium
+
+  * Fix remote execution of untrusted code and possible DoS vulnerability.
+    (CVE-2015-3253) (Closes: #793398).
+
+ -- Miguel Landaeta <nomadium at debian.org>  Sat, 25 Jul 2015 15:32:35 -0300
+
 groovy2 (2.4.3+dfsg-1) experimental; urgency=medium
 
   [ Emmanuel Bourg ]
diff --git a/debian/patches/CVE-2015-3253.patch b/debian/patches/CVE-2015-3253.patch
new file mode 100644
index 0000000..20f86b1
--- /dev/null
+++ b/debian/patches/CVE-2015-3253.patch
@@ -0,0 +1,36 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cedric Champeau <cchampeau at apache.org>
+Bug-Debian: https://bugs.debian.org/793398
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy2-2.4.3+dfsg.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy2-2.4.3+dfsg/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -32,9 +32,11 @@
+  */
+ public class MethodClosure extends Closure {
+ 
++    public static boolean ALLOW_RESOLVE = false;
++
+     private static final Class[] EMPTY_CLASS_ARRAY = new Class[0];
+     private String method;
+-    
++
+     public MethodClosure(Object owner, String method) {
+         super(owner);
+         this.method = method;
+@@ -62,6 +64,13 @@ public String getMethod() {
+     protected Object doCall(Object arguments) {
+         return InvokerHelper.invokeMethod(getOwner(), method, arguments);
+     }
++
++    private Object readResolve() {
++        if (ALLOW_RESOLVE) {
++            return this;
++        }
++        throw new UnsupportedOperationException();
++    }
+     
+     public Object getProperty(String property) {
+         if ("method".equals(property)) {
diff --git a/debian/patches/series b/debian/patches/series
index a69d9c5..bd142b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ change_bsf_dependencies_version.diff
 change_servlet_dependency_version.diff
 change_junit_version.diff
 change_testng_dependency_version.diff
+CVE-2015-3253.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/groovy2.git