[Git][java-team/jackson-databind][stretch] 3 commits: Import Debian changes 2.8.6-1+deb9u3
Markus Koschany
gitlab at salsa.debian.org
Thu May 3 16:27:39 BST 2018
Markus Koschany pushed to branch stretch at Debian Java Maintainers / jackson-databind
Commits:
44c0d6a2 by Markus Koschany at 2018-05-01T18:36:29+02:00
Import Debian changes 2.8.6-1+deb9u3
jackson-databind (2.8.6-1+deb9u3) stretch-security; urgency=high
* Team upload.
* Fix CVE-2017-17485 and CVE-2018-5968:
Bypass of the deserialization blacklist meant to disallow unauthenticated remote code
execution. These CVEs exist due to an incomplete fix for CVE-2017-7525.
(Closes: #888316, #888318)
jackson-databind (2.8.6-1+deb9u2) stretch-security; urgency=high
* Team upload
* CVE-2017-15095: incomplete fixes for CVE-2017-7525
- - - - -
82aca9eb by Markus Koschany at 2018-05-01T19:12:26+02:00
Fix CVE-2018-7489
- - - - -
a3a6b050 by Markus Koschany at 2018-05-01T19:13:49+02:00
Update changelog
- - - - -
8 changed files:
- debian/changelog
- + debian/patches/CVE-2017-15095_1.patch
- + debian/patches/CVE-2017-15095_2.patch
- + debian/patches/CVE-2017-15095_3.patch
- + debian/patches/CVE-2017-17485.patch
- + debian/patches/CVE-2018-5968.patch
- + debian/patches/CVE-2018-7489.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,31 @@
+jackson-databind (2.8.6-1+deb9u4) stretch-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2018-7489: allows unauthenticated remote code execution because of
+ an incomplete fix for the CVE-2017-7525 deserialization flaw. This is
+ exploitable by sending maliciously crafted JSON input to the readValue
+ method of the ObjectMapper, bypassing a blacklist that is ineffective if
+ the c3p0 libraries are available in the classpath. (Closes: #891614)
+
+ -- Markus Koschany <apo at debian.org> Tue, 01 May 2018 19:12:38 +0200
+
+jackson-databind (2.8.6-1+deb9u3) stretch-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2017-17485 and CVE-2018-5968:
+ Bybass of deserialization blackist to disallow unauthenticated remote code
+ execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
+ (Closes: #888316, #888318)
+
+ -- Markus Koschany <apo at debian.org> Sat, 27 Jan 2018 19:12:39 +0100
+
+jackson-databind (2.8.6-1+deb9u2) stretch-security; urgency=high
+
+ * Team upload
+ * CVE-2017-15095: incomplete fixes for CVE-2017-7525
+
+ -- Sebastien Delafond <seb at debian.org> Thu, 16 Nov 2017 08:55:34 +0100
+
jackson-databind (2.8.6-1+deb9u1) stretch-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2017-15095_1.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2017-15095_1.patch
@@ -0,0 +1,26 @@
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Wed, 26 Apr 2017 20:22:25 -0700
+Subject: Minor improvement wrt #1599 (also cover vanilla xalan impl)
+Origin: https://github.com/FasterXML/jackson-databind//commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38
+Bug: https://github.com/FasterXML/jackson-databind/issues/1599
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
+
+---
+ .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index cbbb90c2b..586513ddd 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -57,6 +57,7 @@ public class BeanDeserializerFactory
+ s.add("org.codehaus.groovy.runtime.MethodClosure");
+ s.add("org.springframework.beans.factory.ObjectFactory");
+ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
++ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
+--
+2.15.0.rc2
+
=====================================
debian/patches/CVE-2017-15095_2.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2017-15095_2.patch
@@ -0,0 +1,23 @@
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Fri, 30 Jun 2017 09:30:13 -0700
+Subject: Fix #1680
+Origin: https://github.com/FasterXML/jackson-databind//commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935
+Bug: https://github.com/FasterXML/jackson-databind/issues/1680
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 586513ddd..f2244e0c3 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -58,6 +58,8 @@ public class BeanDeserializerFactory
+ s.add("org.springframework.beans.factory.ObjectFactory");
+ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
++ // [databind#1680]: may or may not be problem, take no chance
++ s.add("com.sun.rowset.JdbcRowSetImpl");
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
+--
+2.15.0.rc2
+
=====================================
debian/patches/CVE-2017-15095_3.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2017-15095_3.patch
@@ -0,0 +1,161 @@
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Thu, 17 Aug 2017 15:12:47 -0700
+Subject: Fix #1737
+Origin: https://github.com/FasterXML/jackson-databind//commit/ddfddfba6414adbecaff99684ef66eebd3a92e92
+Bug: https://github.com/FasterXML/jackson-databind/issues/1737
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 9850cf75c..9301c666a 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -49,7 +49,7 @@ public class BeanDeserializerFactory
+ static {
+ Set<String> s = new HashSet<>();
+ // Courtesy of [https://github.com/kantega/notsoserial]:
+- // (and wrt [databind#1599]
++ // (and wrt [databind#1599])
+ s.add("org.apache.commons.collections.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+ s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+@@ -61,6 +61,15 @@ public class BeanDeserializerFactory
+ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+ // [databind#1680]: may or may not be problem, take no chance
+ s.add("com.sun.rowset.JdbcRowSetImpl");
++ // [databind#1737]; JDK provided
++ s.add("java.util.logging.FileHandler");
++ s.add("java.rmi.server.UnicastRemoteObject");
++ // [databind#1737]; 3rd party
++ s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
++ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
++ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
+diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+index 1906eadb6..8721b9b6a 100644
+--- a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
++++ b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+@@ -1,5 +1,6 @@
+ package com.fasterxml.jackson.databind.interop;
+
++import com.fasterxml.jackson.annotation.JsonTypeInfo;
+ import com.fasterxml.jackson.databind.*;
+
+ /**
+@@ -12,12 +13,29 @@ public class IllegalTypesCheckTest extends BaseMapTest
+ public int id;
+ public Object obj;
+ }
++
++ static class PolyWrapper {
++ @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS,
++ include = JsonTypeInfo.As.WRAPPER_ARRAY)
++ public Object v;
++ }
+
+- public void testIssue1599() throws Exception
++ /*
++ /**********************************************************
++ /* Unit tests
++ /**********************************************************
++ */
++
++ private final ObjectMapper MAPPER = objectMapper();
++
++ // // // Tests for [databind#1599]
++
++ public void testXalanTypes1599() throws Exception
+ {
++ final String clsName = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
+ final String JSON = aposToQuotes(
+ "{'id': 124,\n"
+-+" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
+++" 'obj':[ '"+clsName+"',\n"
+ +" {\n"
+ +" 'transletBytecodes' : [ 'AAIAZQ==' ],\n"
+ +" 'transletName' : 'a.b',\n"
+@@ -32,9 +50,75 @@ public class IllegalTypesCheckTest extends BaseMapTest
+ mapper.readValue(JSON, Bean1599.class);
+ fail("Should not pass");
+ } catch (JsonMappingException e) {
+- verifyException(e, "Illegal type");
+- verifyException(e, "to deserialize");
+- verifyException(e, "prevented for security reasons");
++ _verifySecurityException(e, clsName);
++ }
++ }
++
++ // // // Tests for [databind#1737]
++
++ public void testJDKTypes1737() throws Exception
++ {
++ _testTypes1737(java.util.logging.FileHandler.class);
++ _testTypes1737(java.rmi.server.UnicastRemoteObject.class);
++ }
++
++ // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
++ // but would require adding dependencies. This may be practical when
++ // checking done by module, but for now let's not do that for databind.
++
++ /*
++ public void testSpringTypes1737() throws Exception
++ {
++ _testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
++ _testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++ }
++
++ public void testC3P0Types1737() throws Exception
++ {
++ _testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
++ _testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++ }
++ */
++
++ private void _testTypes1737(Class<?> nasty) throws Exception {
++ _testTypes1737(nasty.getName());
++ }
++
++ private void _testTypes1737(String clsName) throws Exception
++ {
++ // While usually exploited via default typing let's not require
++ // it here; mechanism still the same
++ String json = aposToQuotes(
++ "{'v':['"+clsName+"','/tmp/foobar.txt']}"
++ );
++ try {
++ MAPPER.readValue(json, PolyWrapper.class);
++ fail("Should not pass");
++ } catch (JsonMappingException e) {
++ _verifySecurityException(e, clsName);
++ }
++ }
++
++ protected void _verifySecurityException(Throwable t, String clsName) throws Exception
++ {
++ // 17-Aug-2017, tatu: Expected type more granular in 2.9 (over 2.8)
++ _verifyException(t, JsonMappingException.class,
++ "Illegal type",
++ "to deserialize",
++ "prevented for security reasons");
++ verifyException(t, clsName);
++ }
++
++ protected void _verifyException(Throwable t, Class<?> expExcType,
++ String... patterns) throws Exception
++ {
++ Class<?> actExc = t.getClass();
++ if (!expExcType.isAssignableFrom(actExc)) {
++ fail("Expected Exception of type '"+expExcType.getName()+"', got '"
++ +actExc.getName()+"', message: "+t.getMessage());
++ }
++ for (String pattern : patterns) {
++ verifyException(t, pattern);
+ }
+ }
+ }
+--
+2.15.0.rc2
+
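Review bot: The four third-party entries added to the blocklist in the first hunk (the two `org.springframework...` and two `com.mchange.v2.c3p0...` names) are not exercised by any test, because `testSpringTypes1737` and `testC3P0Types1737` are commented out for lack of the classes on the test classpath, so a typo in any of those strings would go unnoticed. A membership check against the set itself does not require the classes to be loadable, e.g. `assertTrue(BeanDeserializerFactory.DEFAULT_NO_DESER_CLASS_NAMES.contains("com.mchange.v2.c3p0.JndiRefForwardingDataSource"));` — the set's declaration is outside the hunk, so its visibility (and whether such a test has to live in the `deser` package) needs to be confirmed. Separately, `MAPPER` in `IllegalTypesCheckTest` is a per-instance field written in constant style; either make it `static final` or rename it `mapper`.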
=====================================
debian/patches/CVE-2017-17485.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2017-17485.patch
@@ -0,0 +1,76 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 27 Jan 2018 19:06:47 +0100
+Subject: CVE-2017-17485
+
+Bug-Debian: https://bugs.debian.org/888318
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855
+Origin: https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
+Origin: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
+Origin: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
+---
+ .../databind/deser/BeanDeserializerFactory.java | 38 ++++++++++++++++++----
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 10ada70..b90c9c0 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -32,6 +32,8 @@ public class BeanDeserializerFactory
+ {
+ private static final long serialVersionUID = 1;
+
++ protected final static String PREFIX_STRING = "org.springframework.";
++
+ /**
+ * Signature of <b>Throwable.initCause</b> method.
+ */
+@@ -69,6 +71,9 @@ public class BeanDeserializerFactory
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++ // [databind#1855]: more 3rd party
++ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
++ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+ // [databind#1899]: more 3rd party
+ s.add("org.hibernate.jmx.StatisticsService");
+ s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+@@ -898,12 +903,33 @@ public class BeanDeserializerFactory
+ {
+ // There are certain nasty classes that could cause problems, mostly
+ // via default typing -- catch them here.
+- String full = type.getRawClass().getName();
++ final Class<?> raw = type.getRawClass();
++ String full = raw.getName();
+
+- if (_cfgIllegalClassNames.contains(full)) {
+- ctxt.reportBadTypeDefinition(beanDesc,
+- "Illegal type (%s) to deserialize: prevented for security reasons", full);
+- }
+- }
++ main_check:
++ do {
++ if (_cfgIllegalClassNames.contains(full)) {
++ break;
++ }
++
++ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
++ // for some Spring framework types
++ if (full.startsWith(PREFIX_STRING)) {
++ for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
++ String name = cls.getSimpleName();
++ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
++ if ("AbstractPointcutAdvisor".equals(name)
++ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
++ || "AbstractApplicationContext".equals(name)) {
++ break main_check;
++ }
++ }
++ }
++ return;
++ } while (false);
++
++ throw JsonMappingException.from(ctxt,
++ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
++ }
+
+ }
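Review bot: The superclass walk added to `checkIllegalTypes` can throw a NullPointerException instead of the intended JsonMappingException when the Spring-prefixed type is an interface: `Class.getSuperclass()` returns null for interfaces, and the loop guard `cls != Object.class` does not stop on null, so the next `cls.getSimpleName()` dereferences it. Whether an interface can reach this method depends on callers outside the hunk, but the guard is cheap: `for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {`. The method's signature lies before the hunk, so its declared exceptions and Javadoc are not visible here; the new `throw JsonMappingException.from(...)` replaces the previous `ctxt.reportBadTypeDefinition(...)` call and should be reflected in the method's `@throws` documentation. The constant introduced in the first hunk is named `PREFIX_STRING`, which says nothing about what it matches; `PREFIX_SPRING` would make the `startsWith` check self-explanatory.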
=====================================
debian/patches/CVE-2018-5968.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2018-5968.patch
@@ -0,0 +1,25 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 27 Jan 2018 19:00:33 +0100
+Subject: CVE-2018-5968
+
+Bug-Debian: https://bugs.debian.org/888316
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1899
+Origin: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
+---
+ .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 86b5c08..10ada70 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -69,6 +69,9 @@ public class BeanDeserializerFactory
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++ // [databind#1899]: more 3rd party
++ s.add("org.hibernate.jmx.StatisticsService");
++ s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
=====================================
debian/patches/CVE-2018-7489.patch
=====================================
--- /dev/null
+++ b/debian/patches/CVE-2018-7489.patch
@@ -0,0 +1,51 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 1 May 2018 19:09:01 +0200
+Subject: CVE-2018-7489
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891614
+Origin: https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
+---
+ .../jackson/databind/deser/BeanDeserializerFactory.java | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index b90c9c0..fe5e93f 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -34,6 +34,8 @@ public class BeanDeserializerFactory
+
+ protected final static String PREFIX_STRING = "org.springframework.";
+
++ protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
++
+ /**
+ * Signature of <b>Throwable.initCause</b> method.
+ */
+@@ -69,8 +71,8 @@ public class BeanDeserializerFactory
+ // [databind#1737]; 3rd party
+ s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
++// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
+ // [databind#1855]: more 3rd party
+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+@@ -924,6 +926,16 @@ public class BeanDeserializerFactory
+ break main_check;
+ }
+ }
++ } else if (full.startsWith(PREFIX_C3P0)) {
++ // [databind#1737]; more 3rd party
++ // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
++ // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++ // [databind#1931]; more 3rd party
++ // com.mchange.v2.c3p0.ComboPooledDataSource
++ // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
++ if (full.endsWith("DataSource")) {
++ break main_check;
++ }
+ }
+ return;
+ } while (false);
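Review bot: The commented-out `// s.add("com.mchange.v2.c3p0...")` lines left in the static initializer, and the same two names repeated as comments inside `checkIllegalTypes`, are dead code that a reader must cross-reference with `PREFIX_C3P0` to understand; replace both groups with one comment stating the rule, e.g. `// c3p0 types are matched by package prefix plus the "DataSource" suffix in checkIllegalTypes(); see [databind#1737] and [databind#1931]`. The new `else if (full.startsWith(PREFIX_C3P0))` branch sits inside `checkIllegalTypes`, whose beginning and end are outside this hunk. No regression test accompanies the prefix rule; since the c3p0 classes are not on the test classpath (per the note in the CVE-2017-15095_3 patch), a JSON-driven test like `_testTypes1737` would presumably fail at type-id resolution before reaching this check, so the name-matching logic would need to be extracted into a helper that a test can call with a plain string.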
=====================================
debian/patches/series
=====================================
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,7 @@
CVE-2017-7525.patch
+CVE-2017-15095_1.patch
+CVE-2017-15095_2.patch
+CVE-2017-15095_3.patch
+CVE-2018-5968.patch
+CVE-2017-17485.patch
+CVE-2018-7489.patch