[libxstream-java] 05/06: Removed CVE-2017-7957.patch (fixed upstream)

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Tue Jun 20 08:23:10 UTC 2017 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch master
in repository libxstream-java.

commit eb25276df7d31fb9d3274f58e7f9d9ef5d892d78
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Tue Jun 20 10:21:01 2017 +0200

    Removed CVE-2017-7957.patch (fixed upstream)
---
 debian/changelog                   |  4 +-
 debian/patches/CVE-2017-7957.patch | 97 --------------------------------------
 debian/patches/series              |  1 -
 3 files changed, 3 insertions(+), 99 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 6a9999e..e59a5c8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,7 @@
-libxstream-java (1.4.9-3) UNRELEASED; urgency=medium
+libxstream-java (1.4.10-1) UNRELEASED; urgency=medium
 
+  * New upstream release
+    - Removed CVE-2017-7957.patch (fixed upstream)
   * Standards-Version updated to 3.9.8
   * Switch to debhelper level 10
 
diff --git a/debian/patches/CVE-2017-7957.patch b/debian/patches/CVE-2017-7957.patch
deleted file mode 100644
index 37854be..0000000
--- a/debian/patches/CVE-2017-7957.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-Description: Fixes CVE-2017-7957: When a certain denyTypes workaround is not
- used, XStream mishandles attempts to create an instance of the primitive type
- 'void' during unmarshalling, leading to a remote application crash, as
- demonstrated by an xstream.fromXML("<void/>") call.
-Origin: backport, https://github.com/x-stream/xstream/commit/b3570be
-Bug-Debian: https://bugs.debian.org/861521
---- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
-@@ -78,14 +78,18 @@
-             throw ex;
-         }
-         ErrorWritingException ex = null;
--        try {
--            return unsafe.allocateInstance(type);
--        } catch (SecurityException e) {
--            ex = new ObjectAccessException("Cannot construct type", e);
--        } catch (InstantiationException e) {
--            ex =  new ConversionException("Cannot construct type", e);
--        } catch (IllegalArgumentException e) {
--            ex = new ObjectAccessException("Cannot construct type", e);
-+        if (type == void.class || type == Void.class) {
-+            ex = new ConversionException("Type void cannot have an instance");
-+        } else {
-+            try {
-+                return unsafe.allocateInstance(type);
-+            } catch (final SecurityException e) {
-+                ex = new ObjectAccessException("Cannot construct type", e);
-+            } catch (final InstantiationException e) {
-+                ex = new ConversionException("Cannot construct type", e);
-+            } catch (final IllegalArgumentException e) {
-+                ex = new ObjectAccessException("Cannot construct type", e);
-+            }
-         }
-         ex.add("construction-type", type.getName());
-         throw ex;
---- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
-@@ -8,8 +8,9 @@
- 
- import com.thoughtworks.xstream.core.util.Primitives;
- 
-+
- /**
-- * Permission for any primitive type and its boxed counterpart (incl. void).
-+ * Permission for any primitive type and its boxed counterpart (excl. void).
-  * 
-  * @author Jörg Schaible
-  * @since 1.4.7
-@@ -21,7 +22,8 @@
-     public static final TypePermission PRIMITIVES = new PrimitiveTypePermission();
- 
-     public boolean allows(Class type) {
--        return type != null && type.isPrimitive() || Primitives.isBoxed(type);
-+        return type != null && type != void.class && type != Void.class && type.isPrimitive()
-+            || Primitives.isBoxed(type);
-     }
- 
-     public int hashCode() {
---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-@@ -13,9 +13,12 @@
- import java.beans.EventHandler;
- 
- import com.thoughtworks.xstream.XStreamException;
-+import com.thoughtworks.xstream.converters.ConversionException;
- import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
-+import com.thoughtworks.xstream.security.ForbiddenClassException;
- import com.thoughtworks.xstream.security.ProxyTypePermission;
- 
-+
- /**
-  * @author Jörg Schaible
-  */
-@@ -80,4 +83,23 @@
-             BUFFER.append("Executed!");
-         }
-     }
-+
-+    public void testDeniedInstanceOfVoid() {
-+        try {
-+            xstream.fromXML("<void/>");
-+            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-+        } catch (final ForbiddenClassException e) {
-+            // OK
-+        }
-+    }
-+
-+    public void testAllowedInstanceOfVoid() {
-+        xstream.allowTypes(void.class, Void.class);
-+        try {
-+            xstream.fromXML("<void/>");
-+            fail("Thrown " + ConversionException.class.getName() + " expected");
-+        } catch (final ConversionException e) {
-+            assertEquals("void", e.get("construction-type"));
-+        }
-+    }
- }
diff --git a/debian/patches/series b/debian/patches/series
index f07cc21..8aa9df0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
 01-java7-compatibility.patch
-CVE-2017-7957.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libxstream-java.git

More information about the pkg-java-commits mailing list