[Git][java-team/libxstream-java][buster] New revision 1.4.11.1-1+deb10u2

Markus Koschany gitlab at salsa.debian.org
Thu Dec 31 19:26:46 GMT 2020



Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java


Commits:
8b4c8a54 by Markus Koschany at 2020-12-31T20:25:40+01:00
New revision 1.4.11.1-1+deb10u2

- - - - -


5 changed files:

- debian/changelog
- debian/maven.ignoreRules
- + debian/patches/CVE-2020-26258.patch
- + debian/patches/CVE-2020-26259.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,19 @@
+libxstream-java (1.4.11.1-1+deb10u2) buster-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2020-26258:
+    XStream is vulnerable to a Server-Side Forgery Request which can be
+    activated when unmarshalling. The vulnerability may allow a remote attacker
+    to request data from internal resources that are not publicly available
+    only by manipulating the processed input stream.
+  * Fix CVE-2020-26259:
+    Xstream is vulnerable to an Arbitrary File Deletion on the local host when
+    unmarshalling. The vulnerability may allow a remote attacker to delete
+    arbitrary known files on the host as long as the executing process has
+    sufficient rights only by manipulating the processed input stream.
+
+ -- Markus Koschany <apo at debian.org>  Thu, 31 Dec 2020 14:15:35 +0100
+
 libxstream-java (1.4.11.1-1+deb10u1) buster-security; urgency=high
 
   * Team upload.


=====================================
debian/maven.ignoreRules
=====================================
@@ -36,3 +36,4 @@ org.codehaus.mojo jxr-maven-plugin * * * *
 org.json json * * * *
 oro oro * * * *
 xmlpull xmlpull * * * *
+com.sun.xml.ws jaxws-rt * * * *
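Review bot: Ignoring `com.sun.xml.ws jaxws-rt` here removes the test-scoped dependency that the new `testExplicitlyUseJaxwsInputStreamToDeleteFile` in CVE-2020-26259.patch relies on: that test re-adds `AnyTypePermission.ANY` and expects `fromXML` to actually instantiate `com.sun.xml.ws.util.ReadAllStream$FileStream` and delete the temp file, which cannot happen when the class is absent from the test classpath. If the Debian build runs the test suite, that method will presumably fail with a class-resolution error rather than demonstrate the gadget; if tests are skipped, the patch ships a test that is never executed. Either drop that test method from the Debian copy of the patch or record in the CVE-2020-26259.patch header that jaxws-rt is not available in Debian and the explicit-deletion test is not expected to run.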


=====================================
debian/patches/CVE-2020-26258.patch
=====================================
@@ -0,0 +1,26 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Dec 2020 11:00:57 +0100
+Subject: CVE-2020-26258
+
+Origin: https://github.com/x-stream/xstream/commit/6740c04b217aef02d44fba26402b35e0f6f493ce
+---
+ xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 0ae38b6..65670f1 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -698,7 +698,11 @@ public class XStream {
+         }
+         
+         addPermission(AnyTypePermission.ANY);
+-        denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
++        denyTypes(new String[]{
++            "java.beans.EventHandler",
++            "java.lang.ProcessBuilder",
++            "javax.imageio.ImageIO$ContainsFilter",
++            "jdk.nashorn.internal.objects.NativeString"});
+         denyTypes(new Class[]{ java.lang.ProcessBuilder.class,
+             java.beans.EventHandler.class, java.lang.ProcessBuilder.class,
+             java.lang.Void.class, void.class });
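Review bot: The String[] list added here denies `java.lang.ProcessBuilder` by name although the `denyTypes(new Class[]{...})` call three lines below already denies `java.lang.ProcessBuilder.class` — twice, as its first and fourth elements — so the only genuinely new entry is `jdk.nashorn.internal.objects.NativeString`; the Class[] call should be reduced to `denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.Void.class, void.class });` so the two lists stay readable. The context line `addPermission(AnyTypePermission.ANY);` shows the default remains allow-everything plus a denylist; this patch closes the published NativeString gadget but does not change that model, so the DEP-3 header (which has only `Subject:` and `Origin:`, no `Description:`) should state what is denied and that applications unmarshalling untrusted input still need an explicit allowlist via `XStream.setupDefaultSecurity(...)`/`allowTypes(...)`. The enclosing method begins and ends outside the hunk.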


=====================================
debian/patches/CVE-2020-26259.patch
=====================================
@@ -0,0 +1,205 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sun, 27 Dec 2020 11:05:05 +0100
+Subject: CVE-2020-26259
+
+Origin: https://github.com/x-stream/xstream/commit/0bcbf50126a62dfcd65f93a0da0c6d1ae92aa738
+---
+ pom.xml                                            |  6 ++
+ xstream/pom.xml                                    | 48 ++++++++++++++++
+ .../src/java/com/thoughtworks/xstream/XStream.java | 10 +++-
+ .../acceptance/SecurityVulnerabilityTest.java      | 65 ++++++++++++++++++++++
+ 4 files changed, 126 insertions(+), 3 deletions(-)
+
+diff --git a/pom.xml b/pom.xml
+index 5d52a8f..3e47500 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -552,6 +552,11 @@
+         <artifactId>jaxb-api</artifactId>
+         <version>${version.javax.xml.bind.api}</version>
+       </dependency>
++      <dependency>
++        <groupId>com.sun.xml.ws</groupId>
++        <artifactId>jaxws-rt</artifactId>
++        <version>${version.javax.xml.ws.jaxws.rt}</version>
++      </dependency>
+ 
+       <dependency>
+         <groupId>org.hibernate</groupId>
+@@ -984,6 +989,7 @@
+     <version.javax.activation>1.1.1</version.javax.activation>
+     <version.javax.annotation.api>1.3.2</version.javax.annotation.api>
+     <version.javax.xml.bind.api>2.3.1</version.javax.xml.bind.api>
++    <version.javax.xml.ws.jaxws.rt>2.2</version.javax.xml.ws.jaxws.rt><!-- Java 5 -->
+     <version.jmock>1.0.1</version.jmock>
+     <version.joda-time>1.6</version.joda-time>
+     <version.junit>3.8.1</version.junit>
+diff --git a/xstream/pom.xml b/xstream/pom.xml
+index 566b619..8b9dc22 100644
+--- a/xstream/pom.xml
++++ b/xstream/pom.xml
+@@ -149,6 +149,54 @@
+       <artifactId>commons-lang</artifactId>
+       <scope>test</scope>
+     </dependency>
++
++      <dependency>
++      <groupId>com.sun.xml.ws</groupId>
++      <artifactId>jaxws-rt</artifactId>
++      <scope>test</scope>
++      <exclusions>
++        <exclusion>
++          <groupId>javax.xml.ws</groupId>
++          <artifactId>jaxws-api</artifactId>
++        </exclusion>
++        <exclusion>
++          <groupId>com.sun.istack</groupId>
++          <artifactId>istack-commons-runtime</artifactId>
++        </exclusion>
++        <exclusion>
++          <groupId>com.sun.xml.bind</groupId>
++          <artifactId>jaxb-impl</artifactId>
++        </exclusion>
++        <exclusion>
++          <groupId>com.sun.xml.messaging.saaj</groupId>
++          <artifactId>saaj-impl</artifactId>
++        </exclusion>
++        <exclusion>
++          <groupId>com.sun.xml.stream.buffer</groupId>
++          <artifactId>streambuffer</artifactId>
++        </exclusion>
++        <exclusion>
++          <groupId>com.sun.xml.ws</groupId>
++          <artifactId>policy</artifactId>
++        </exclusion>
++        <exclusion>
++          <groupId>com.sun.org.apache.xml.internal</groupId>
++          <artifactId>resolver</artifactId>
++        </exclusion>
++        <exclusion>
++          <groupId>org.glassfish.gmbal</groupId>
++          <artifactId>gmbal-api-only</artifactId>
++        </exclusion>
++        <exclusion>
++          <groupId>org.jvnet</groupId>
++          <artifactId>mimepull</artifactId>
++        </exclusion>
++        <exclusion>
++          <groupId>org.jvnet.staxex</groupId>
++          <artifactId>stax-ex</artifactId>
++        </exclusion>
++      </exclusions>
++  </dependency>
+   </dependencies>
+ 
+   <build>
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 65670f1..1d28088 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -356,6 +356,7 @@ public class XStream {
+     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
+     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
++    private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
+ 
+     /**
+      * Constructs a default XStream.
+@@ -703,10 +704,13 @@ public class XStream {
+             "java.lang.ProcessBuilder",
+             "javax.imageio.ImageIO$ContainsFilter",
+             "jdk.nashorn.internal.objects.NativeString"});
+-        denyTypes(new Class[]{ java.lang.ProcessBuilder.class,
+-            java.beans.EventHandler.class, java.lang.ProcessBuilder.class,
++        denyTypes(new Class[]{
++            java.lang.ProcessBuilder.class,
++            jdk.nashorn.internal.objects.NativeString.class,
++            java.beans.EventHandler.class,
++            java.lang.ProcessBuilder.class,
+             java.lang.Void.class, void.class });
+-        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
++        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
+         allowTypeHierarchy(Exception.class);
+         securityInitialized = false;
+     }
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index 44b0015..36b61a1 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -11,6 +11,11 @@
+ package com.thoughtworks.acceptance;
+ 
+ import java.beans.EventHandler;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
+ import java.util.Iterator;
+ 
+ import com.thoughtworks.xstream.XStream;
+@@ -206,4 +211,64 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+             // OK
+         }
+     }
++
++    public void testCannotUseJaxwsInputStreamToDeleteFile() {
++        final String xml = ""
++            + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
++            + " <tempFile>target/junit/test.txt</tempFile>\n"
++            + "</is>";
++
++        xstream.aliasType("is", InputStream.class);
++        try {
++            xstream.fromXML(xml);
++            fail("Thrown " + ConversionException.class.getName() + " expected");
++        } catch (final ForbiddenClassException e) {
++            // OK
++        }
++    }
++
++    public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException {
++        final File testDir = new File("target/junit");
++        final File testFile = new File(testDir, "test.txt");
++        try {
++            testDir.mkdirs();
++
++            final OutputStream out = new FileOutputStream(testFile);
++            out.write("JUnit".getBytes());
++            out.flush();
++            out.close();
++
++            assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists());
++
++            final String xml = ""
++                + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
++                + " <tempFile>target/junit/test.txt</tempFile>\n"
++                + "</is>";
++
++            xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
++            xstream.aliasType("is", InputStream.class);
++
++            InputStream is = null;
++            try {
++                is = (InputStream)xstream.fromXML(xml);
++            } catch (final ForbiddenClassException e) {
++                // OK
++            }
++
++            assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists());
++
++            byte[] data = new byte[10];
++            is.read(data);
++            is.close();
++
++            assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists());
++        } finally {
++            if (testFile.exists()) {
++                testFile.delete();
++            }
++            if (testDir.exists()) {
++                testDir.delete();
++            }
++        }
++    }
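Review bot: The new `jdk.nashorn.internal.objects.NativeString.class` literal in the `denyTypes(new Class[]{...})` call of the XStream.java hunk makes XStream's default security setup depend on Nashorn's internal class being loadable: buster's OpenJDK 11 still ships it, but on a JDK without Nashorn (it was removed in later releases) evaluating that literal would throw `NoClassDefFoundError` from the XStream constructor, turning every `new XStream()` into a failure. The type is already denied by name in the String[] list three lines above, so the literal (and the repeated `java.lang.ProcessBuilder.class`) should go, leaving `denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.Void.class, void.class });`. `JAXWS_FILE_STREAM` deserves a comment on why a pattern rather than a name is used — presumably to cover both `com.sun.xml.ws.util.ReadAllStream$FileStream` from jaxws-rt and a JDK-bundled `com.sun.xml.internal.ws` copy — e.g. `// also matches the JDK-internal com.sun.xml.internal.ws copy of ReadAllStream$FileStream`. In `testExplicitlyUseJaxwsInputStreamToDeleteFile`, `is` stays null if the swallowed `ForbiddenClassException` fires, so the test would then NPE on `is.read(data)`; replacing the empty catch with `fail("unexpected " + e)` reports the real cause. The enclosing method of the XStream.java hunk begins and ends outside it.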
+ }


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,4 @@
 01-java7-compatibility.patch
 CVE-2020-26217.patch
+CVE-2020-26258.patch
+CVE-2020-26259.patch



View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/commit/8b4c8a5457f2781e07207e9beecdddafb1cbea52
