[groovy2] 01/01: Fix CVE-2015-3253
Miguel Landaeta
nomadium at moszumanska.debian.org
Sat Jul 25 22:53:41 UTC 2015
This is an automated email from the git hooks/post-receive script.
nomadium pushed a commit to branch jessie
in repository groovy2.
commit b644f770749338ff4927bbdfcaebc5189489ab45
Author: Miguel Landaeta <nomadium at debian.org>
Date: Sat Jul 25 15:48:17 2015 -0300
Fix CVE-2015-3253
---
debian/changelog | 7 +++++++
debian/patches/04_CVE-2015-3253.diff | 32 ++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 40 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index f8fcc86..8c8fa3e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high
+
+ * Fix remote execution of untrusted code and possible DoS vulnerability.
+ (CVE-2015-3253) (Closes: #793398).
+
+ -- Miguel Landaeta <nomadium at debian.org> Sat, 25 Jul 2015 15:46:24 -0300
+
groovy2 (2.2.2+dfsg-3) unstable; urgency=medium
* Relicense patches under Apache-2.0 license to make them compatible
diff --git a/debian/patches/04_CVE-2015-3253.diff b/debian/patches/04_CVE-2015-3253.diff
new file mode 100644
index 0000000..32bee6e
--- /dev/null
+++ b/debian/patches/04_CVE-2015-3253.diff
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cedric Champeau <cchampeau at apache.org>
+Bug-Debian: https://bugs.debian.org/793398
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy2-2.4.3+dfsg.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy2-2.4.3+dfsg/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+ */
+ public class MethodClosure extends Closure {
+
++ public static boolean ALLOW_RESOLVE = false;
++
+ private String method;
+
+ public MethodClosure(Object owner, String method) {
+@@ -60,6 +62,13 @@ public class MethodClosure extends Closure {
+ return InvokerHelper.invokeMethod(getOwner(), method, arguments);
+ }
+
++ private Object readResolve() {
++ if (ALLOW_RESOLVE) {
++ return this;
++ }
++ throw new UnsupportedOperationException();
++ }
++
+ public Object getProperty(String property) {
+ if ("method".equals(property)) {
+ return getMethod();
diff --git a/debian/patches/series b/debian/patches/series
index ebca9cd..b036870 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
01_fix_gradle_build.diff
02_fix_start_script.diff
03_add_maven_poms.diff
+04_CVE-2015-3253.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/groovy2.git
More information about the pkg-java-commits
mailing list