[Git][java-team/libxstream-java][buster] New revision 1.4.11.1-1+deb10u2
Markus Koschany
gitlab at salsa.debian.org
Thu Dec 31 19:26:46 GMT 2020
Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java
Commits:
8b4c8a54 by Markus Koschany at 2020-12-31T20:25:40+01:00
New revision 1.4.11.1-1+deb10u2
- - - - -
5 changed files:
- debian/changelog
- debian/maven.ignoreRules
- + debian/patches/CVE-2020-26258.patch
- + debian/patches/CVE-2020-26259.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,19 @@
+libxstream-java (1.4.11.1-1+deb10u2) buster-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2020-26258:
+ XStream is vulnerable to a Server-Side Forgery Request which can be
+ activated when unmarshalling. The vulnerability may allow a remote attacker
+ to request data from internal resources that are not publicly available
+ only by manipulating the processed input stream.
+ * Fix CVE-2020-26259:
+ Xstream is vulnerable to an Arbitrary File Deletion on the local host when
+ unmarshalling. The vulnerability may allow a remote attacker to delete
+ arbitrary known files on the host as long as the executing process has
+ sufficient rights only by manipulating the processed input stream.
+
+ -- Markus Koschany <apo at debian.org> Thu, 31 Dec 2020 14:15:35 +0100
+
libxstream-java (1.4.11.1-1+deb10u1) buster-security; urgency=high
* Team upload.
=====================================
debian/maven.ignoreRules
=====================================
@@ -36,3 +36,4 @@ org.codehaus.mojo jxr-maven-plugin * * * *
org.json json * * * *
oro oro * * * *
xmlpull xmlpull * * * *
+com.sun.xml.ws jaxws-rt * * * *
=====================================
debian/patches/CVE-2020-26258.patch
=====================================
@@ -0,0 +1,26 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Dec 2020 11:00:57 +0100
+Subject: CVE-2020-26258
+
+Origin: https://github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce
+---
+ xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 0ae38b6..65670f1 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -698,7 +698,11 @@ public class XStream {
+ }
+
+ addPermission(AnyTypePermission.ANY);
+- denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
++ denyTypes(new String[]{
++ "java.beans.EventHandler",
++ "java.lang.ProcessBuilder",
++ "javax.imageio.ImageIO$ContainsFilter",
++ "jdk.nashorn.internal.objects.NativeString"});
+ denyTypes(new Class[]{ java.lang.ProcessBuilder.class,
+ java.beans.EventHandler.class, java.lang.ProcessBuilder.class,
+ java.lang.Void.class, void.class });
=====================================
debian/patches/CVE-2020-26259.patch
=====================================
@@ -0,0 +1,205 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Dec 2020 11:05:05 +0100
+Subject: CVE-2020-26259
+
+Origin: https://github.com/x-stream/xstream/commit/0bcbf50126a62dfcd65f93a0da0c6d1ae92aa738
+---
+ pom.xml | 6 ++
+ xstream/pom.xml | 48 ++++++++++++++++
+ .../src/java/com/thoughtworks/xstream/XStream.java | 10 +++-
+ .../acceptance/SecurityVulnerabilityTest.java | 65 ++++++++++++++++++++++
+ 4 files changed, 126 insertions(+), 3 deletions(-)
+
+diff --git a/pom.xml b/pom.xml
+index 5d52a8f..3e47500 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -552,6 +552,11 @@
+ <artifactId>jaxb-api</artifactId>
+ <version>${version.javax.xml.bind.api}</version>
+ </dependency>
++ <dependency>
++ <groupId>com.sun.xml.ws</groupId>
++ <artifactId>jaxws-rt</artifactId>
++ <version>${version.javax.xml.ws.jaxws.rt}</version>
++ </dependency>
+
+ <dependency>
+ <groupId>org.hibernate</groupId>
+@@ -984,6 +989,7 @@
+ <version.javax.activation>1.1.1</version.javax.activation>
+ <version.javax.annotation.api>1.3.2</version.javax.annotation.api>
+ <version.javax.xml.bind.api>2.3.1</version.javax.xml.bind.api>
++ <version.javax.xml.ws.jaxws.rt>2.2</version.javax.xml.ws.jaxws.rt><!-- Java 5 -->
+ <version.jmock>1.0.1</version.jmock>
+ <version.joda-time>1.6</version.joda-time>
+ <version.junit>3.8.1</version.junit>
+diff --git a/xstream/pom.xml b/xstream/pom.xml
+index 566b619..8b9dc22 100644
+--- a/xstream/pom.xml
++++ b/xstream/pom.xml
+@@ -149,6 +149,54 @@
+ <artifactId>commons-lang</artifactId>
+ <scope>test</scope>
+ </dependency>
++
++ <dependency>
++ <groupId>com.sun.xml.ws</groupId>
++ <artifactId>jaxws-rt</artifactId>
++ <scope>test</scope>
++ <exclusions>
++ <exclusion>
++ <groupId>javax.xml.ws</groupId>
++ <artifactId>jaxws-api</artifactId>
++ </exclusion>
++ <exclusion>
++ <groupId>com.sun.istack</groupId>
++ <artifactId>istack-commons-runtime</artifactId>
++ </exclusion>
++ <exclusion>
++ <groupId>com.sun.xml.bind</groupId>
++ <artifactId>jaxb-impl</artifactId>
++ </exclusion>
++ <exclusion>
++ <groupId>com.sun.xml.messaging.saaj</groupId>
++ <artifactId>saaj-impl</artifactId>
++ </exclusion>
++ <exclusion>
++ <groupId>com.sun.xml.stream.buffer</groupId>
++ <artifactId>streambuffer</artifactId>
++ </exclusion>
++ <exclusion>
++ <groupId>com.sun.xml.ws</groupId>
++ <artifactId>policy</artifactId>
++ </exclusion>
++ <exclusion>
++ <groupId>com.sun.org.apache.xml.internal</groupId>
++ <artifactId>resolver</artifactId>
++ </exclusion>
++ <exclusion>
++ <groupId>org.glassfish.gmbal</groupId>
++ <artifactId>gmbal-api-only</artifactId>
++ </exclusion>
++ <exclusion>
++ <groupId>org.jvnet</groupId>
++ <artifactId>mimepull</artifactId>
++ </exclusion>
++ <exclusion>
++ <groupId>org.jvnet.staxex</groupId>
++ <artifactId>stax-ex</artifactId>
++ </exclusion>
++ </exclusions>
++ </dependency>
+ </dependencies>
+
+ <build>
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 65670f1..1d28088 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -356,6 +356,7 @@ public class XStream {
+ private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+ private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
+ private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
++ private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
+
+ /**
+ * Constructs a default XStream.
+@@ -703,10 +704,13 @@ public class XStream {
+ "java.lang.ProcessBuilder",
+ "javax.imageio.ImageIO$ContainsFilter",
+ "jdk.nashorn.internal.objects.NativeString"});
+- denyTypes(new Class[]{ java.lang.ProcessBuilder.class,
+- java.beans.EventHandler.class, java.lang.ProcessBuilder.class,
++ denyTypes(new Class[]{
++ java.lang.ProcessBuilder.class,
++ jdk.nashorn.internal.objects.NativeString.class,
++ java.beans.EventHandler.class,
++ java.lang.ProcessBuilder.class,
+ java.lang.Void.class, void.class });
+- denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
++ denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
+ allowTypeHierarchy(Exception.class);
+ securityInitialized = false;
+ }
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index 44b0015..36b61a1 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -11,6 +11,11 @@
+ package com.thoughtworks.acceptance;
+
+ import java.beans.EventHandler;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
+ import java.util.Iterator;
+
+ import com.thoughtworks.xstream.XStream;
+@@ -206,4 +211,64 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ // OK
+ }
+ }
++
++ public void testCannotUseJaxwsInputStreamToDeleteFile() {
++ final String xml = ""
++ + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
++ + " <tempFile>target/junit/test.txt</tempFile>\n"
++ + "</is>";
++
++ xstream.aliasType("is", InputStream.class);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + ConversionException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
++ }
++ }
++
++ public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException {
++ final File testDir = new File("target/junit");
++ final File testFile = new File(testDir, "test.txt");
++ try {
++ testDir.mkdirs();
++
++ final OutputStream out = new FileOutputStream(testFile);
++ out.write("JUnit".getBytes());
++ out.flush();
++ out.close();
++
++ assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists());
++
++ final String xml = ""
++ + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
++ + " <tempFile>target/junit/test.txt</tempFile>\n"
++ + "</is>";
++
++ xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
++ xstream.aliasType("is", InputStream.class);
++
++ InputStream is = null;
++ try {
++ is = (InputStream)xstream.fromXML(xml);
++ } catch (final ForbiddenClassException e) {
++ // OK
++ }
++
++ assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists());
++
++ byte[] data = new byte[10];
++ is.read(data);
++ is.close();
++
++ assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists());
++ } finally {
++ if (testFile.exists()) {
++ testFile.delete();
++ }
++ if (testDir.exists()) {
++ testDir.delete();
++ }
++ }
++ }
+ }
=====================================
debian/patches/series
=====================================
@@ -1,2 +1,4 @@
01-java7-compatibility.patch
CVE-2020-26217.patch
+CVE-2020-26258.patch
+CVE-2020-26259.patch
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/commit/8b4c8a5457f2781e07207e9beecdddafb1cbea52
--
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/commit/8b4c8a5457f2781e07207e9beecdddafb1cbea52
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20201231/695484a0/attachment.html>
More information about the pkg-java-commits
mailing list