[groovy] 01/01: Import Debian changes 2.2.2+dfsg-3+deb8u2

Markus Koschany apo at moszumanska.debian.org
Mon Feb 20 02:02:51 UTC 2017


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch jessie
in repository groovy.

commit 936e27ff5ef834015cffa837b640c99b68db596d
Author: Markus Koschany <apo at debian.org>
Date:   Mon Jan 30 17:49:16 2017 +0100

    Import Debian changes 2.2.2+dfsg-3+deb8u2
    
    groovy2 (2.2.2+dfsg-3+deb8u2) jessie; urgency=medium
    
      * Team upload.
      * Fix CVE-2016-6814: It was found that a flaw in Apache Groovy, a dynamic
        language for the Java Virtual Machine, allows remote code execution
        wherever deserialization occurs in the application. It is possible for an
        attacker to craft a special serialized object that will execute code
        directly when deserialized. All applications which rely on serialization
        and do not isolate the code which deserializes objects are subject to this
        vulnerability.
---
 debian/changelog                   | 13 +++++++++++++
 debian/patches/CVE-2016-6814.patch | 37 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 51 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 8c8fa3e..2be8893 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+groovy2 (2.2.2+dfsg-3+deb8u2) jessie; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2016-6814: It was found that a flaw in Apache Groovy, a dynamic
+    language for the Java Virtual Machine, allows remote code execution
+    wherever deserialization occurs in the application. It is possible for an
+    attacker to craft a special serialized object that will execute code
+    directly when deserialized. All applications which rely on serialization
+    and do not isolate the code which deserializes objects are subject to this
+    vulnerability.
+
+ -- Markus Koschany <apo at debian.org>  Mon, 30 Jan 2017 17:49:16 +0100
+
 groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high
 
   * Fix remote execution of untrusted code and possible DoS vulnerability.
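Review bot: the changelog entry does not close the Debian bug that the patch header cites (Bug-Debian: https://bugs.debian.org/851408 in debian/patches/CVE-2016-6814.patch). Appending "(Closes: #851408)" to the CVE-2016-6814 bullet would let the upload close the bug automatically and keep the changelog and patch metadata consistent.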
diff --git a/debian/patches/CVE-2016-6814.patch b/debian/patches/CVE-2016-6814.patch
new file mode 100644
index 0000000..72770dd
--- /dev/null
+++ b/debian/patches/CVE-2016-6814.patch
@@ -0,0 +1,37 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 30 Jan 2017 17:47:46 +0100
+Subject: CVE-2016-6814
+
+Bug-Debian: https://bugs.debian.org/851408
+Origin: http://seclists.org/oss-sec/2017/q1/92
+---
+ src/main/org/codehaus/groovy/runtime/MethodClosure.java | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+index 8e4fac8..6fceb3d 100644
+--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -19,6 +19,7 @@ import groovy.lang.Closure;
+ import groovy.lang.MetaMethod;
+ 
+ import java.util.List;
++import java.io.IOException;
+ 
+ 
+ /**
+@@ -69,6 +70,14 @@ public class MethodClosure extends Closure {
+         throw new UnsupportedOperationException();
+     }
+ 
++    private void readObject(java.io.ObjectInputStream stream) throws
++        IOException, ClassNotFoundException {
++            if (ALLOW_RESOLVE) {
++                stream.defaultReadObject();
++            }
++            throw new UnsupportedOperationException();
++    }
++
+     public Object getProperty(String property) {
+         if ("method".equals(property)) {
+             return getMethod();
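Review bot: in the added readObject, the ALLOW_RESOLVE branch falls through to the unconditional throw, so even when ALLOW_RESOLVE is true the method calls stream.defaultReadObject() and then still throws UnsupportedOperationException; the opt-in is effectively dead code. Failing closed is the safe default, but if the flag is meant to permit deserialization, the throw should sit in an else branch: `if (ALLOW_RESOLVE) { stream.defaultReadObject(); } else { throw new UnsupportedOperationException(); }`. Also, the hunk references ALLOW_RESOLVE without defining or importing it, so it relies on that field already being present in the 2.2.2 source (presumably from 04_CVE-2015-3253.diff, which is earlier in debian/patches/series); worth confirming that the package builds with the full series applied. Minor style: the method body is indented one level deeper than the surrounding methods.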
diff --git a/debian/patches/series b/debian/patches/series
index b036870..b05d36f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@
 02_fix_start_script.diff
 03_add_maven_poms.diff
 04_CVE-2015-3253.diff
+CVE-2016-6814.patch
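Review bot: the new entry breaks the naming convention of the existing patches, which carry a numeric prefix and a .diff suffix (02_fix_start_script.diff, 03_add_maven_poms.diff, 04_CVE-2015-3253.diff). Naming it 05_CVE-2016-6814.diff (and renaming the file accordingly) would keep the series ordered and uniform.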

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/groovy.git