[groovy2] 01/01: Fix CVE-2015-3253

Miguel Landaeta nomadium at moszumanska.debian.org
Sat Jul 25 22:53:41 UTC 2015


This is an automated email from the git hooks/post-receive script.

nomadium pushed a commit to branch jessie
in repository groovy2.

commit b644f770749338ff4927bbdfcaebc5189489ab45
Author: Miguel Landaeta <nomadium at debian.org>
Date:   Sat Jul 25 15:48:17 2015 -0300

    Fix CVE-2015-3253
---
 debian/changelog                     |  7 +++++++
 debian/patches/04_CVE-2015-3253.diff | 32 ++++++++++++++++++++++++++++++++
 debian/patches/series                |  1 +
 3 files changed, 40 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index f8fcc86..8c8fa3e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high
+
+  * Fix remote execution of untrusted code and possible DoS vulnerability.
+    (CVE-2015-3253) (Closes: #793398).
+
+ -- Miguel Landaeta <nomadium at debian.org>  Sat, 25 Jul 2015 15:46:24 -0300
+
 groovy2 (2.2.2+dfsg-3) unstable; urgency=medium
 
   * Relicense patches under Apache-2.0 license to make them compatible
diff --git a/debian/patches/04_CVE-2015-3253.diff b/debian/patches/04_CVE-2015-3253.diff
new file mode 100644
index 0000000..32bee6e
--- /dev/null
+++ b/debian/patches/04_CVE-2015-3253.diff
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cedric Champeau <cchampeau at apache.org>
+Bug-Debian: https://bugs.debian.org/793398
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy2-2.4.3+dfsg.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy2-2.4.3+dfsg/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+  */
+ public class MethodClosure extends Closure {
+ 
++    public static boolean ALLOW_RESOLVE = false;
++
+     private String method;
+     
+     public MethodClosure(Object owner, String method) {
+@@ -60,6 +62,13 @@ public class MethodClosure extends Closure {
+         return InvokerHelper.invokeMethod(getOwner(), method, arguments);
+     }
+     
++    private Object readResolve() {
++        if (ALLOW_RESOLVE) {
++            return this;
++        }
++        throw new UnsupportedOperationException();
++    }
++
+     public Object getProperty(String property) {
+         if ("method".equals(property)) {
+             return getMethod();
diff --git a/debian/patches/series b/debian/patches/series
index ebca9cd..b036870 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 01_fix_gradle_build.diff
 02_fix_start_script.diff
 03_add_maven_poms.diff
+04_CVE-2015-3253.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/groovy2.git



More information about the pkg-java-commits mailing list