[Git][java-team/apache-log4j1.2][master] 6 commits: Fix CVE-2019-17571
Markus Koschany
gitlab at salsa.debian.org
Sat Jan 11 23:07:58 GMT 2020
Markus Koschany pushed to branch master at Debian Java Maintainers / apache-log4j1.2
Commits:
4f40ebd7 by Markus Koschany at 2020-01-11T23:03:30+01:00
Fix CVE-2019-17571
- - - - -
2ed8df84 by Markus Koschany at 2020-01-11T23:04:06+01:00
Switch to debhelper-compat = 12.
- - - - -
69442cf3 by Markus Koschany at 2020-01-11T23:04:21+01:00
Declare compliance with Debian Policy 4.4.1.
- - - - -
d1f7b0c7 by Markus Koschany at 2020-01-11T23:04:57+01:00
Use canonical VCS URI.
- - - - -
c670c965 by Markus Koschany at 2020-01-11T23:06:13+01:00
Remove trailing whitespace
- - - - -
71d384d3 by Markus Koschany at 2020-01-11T23:07:32+01:00
Update changelog
- - - - -
5 changed files:
- debian/changelog
- − debian/compat
- debian/control
- + debian/patches/CVE-2019-17571.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+apache-log4j1.2 (1.2.17-9) unstable; urgency=high
+
+ * Team upload.
+ * Fix CVE-2019-17571. (Closes: #947124)
+ Included in Log4j 1.2 is a SocketServer class that is vulnerable to
+ deserialization of untrusted data which can be exploited to remotely
+ execute arbitrary code when combined with a deserialization gadget when
+ listening to untrusted network traffic for log data.
+ * Switch to debhelper-compat = 12.
+ * Declare compliance with Debian Policy 4.4.1.
+ * Use canonical VCS URI.
+
+ -- Markus Koschany <apo at debian.org> Sat, 11 Jan 2020 23:06:27 +0100
+
apache-log4j1.2 (1.2.17-8) unstable; urgency=medium
* No longer attempt to install the javadoc jar (Closes: #879251)
@@ -100,7 +114,7 @@ apache-log4j1.2 (1.2.16-2) unstable; urgency=low
* d/control: update Homepage to reflect the new location of log4j
* include OSGi metadata in the jar, add Build-Depends on bnd
* Add --has-package-version to libapache-log4j1.2-java.poms
- * Deploy javadoc jar into the Maven repository
+ * Deploy javadoc jar into the Maven repository
[ Niels Thykier ]
* Updated Vcs-* fields.
@@ -137,7 +151,7 @@ jakarta-log4j (1.2.15-11) unstable; urgency=low
(Closes: #576737)
* Source format 3.0 (quilt)
- removed quilt as build dependency
- - removed include patchsys-quilt.mk in d/rules
+ - removed include patchsys-quilt.mk in d/rules
-- Ludovic Claude <ludovic.claude at laposte.net> Mon, 05 Apr 2010 16:30:15 +0200
@@ -159,7 +173,7 @@ jakarta-log4j (1.2.15-9) unstable; urgency=low
jakarta-log4j (1.2.15-8) unstable; urgency=low
- * Build with jmx support
+ * Build with jmx support
-- Thomas Koch <thomas.koch at ymc.ch> Tue, 12 Jan 2010 11:02:21 +0100
@@ -306,26 +320,26 @@ jakarta-log4j1.2 (1.2.9-1) unstable; urgency=low
are deprecated in preparation for 1.3)
* Javadocs are now retained from the upstream distribution.
This is just a temporary measure until gjdoc works (closes: #265746)
-
+
-- Kalle Kivimaa <killer at debian.org> Sat, 13 Nov 2004 16:00:00 +0200
jakarta-log4j1.2 (1.2.8-7) unstable; urgency=high
* Javadocs are now correctly generated (closes: #265746)
-
+
-- Kalle Kivimaa <killer at debian.org> Sun, 15 Aug 2004 15:00:00 +0300
jakarta-log4j1.2 (1.2.8-6) unstable; urgency=high
* rules script now correctly includes log4j.dtd (closes: #265704)
* Bogus libmx4j-java classes removed from jikes classpath (closes: #265710)
-
+
-- Kalle Kivimaa <killer at debian.org> Sat, 14 Aug 2004 18:00:00 +0300
jakarta-log4j1.2 (1.2.8-5) unstable; urgency=low
* rules script was missing two removes related to bug #221236.
-
+
-- Kalle Kivimaa <killer at debian.org> Fri, 13 Aug 2004 12:30:00 +0300
jakarta-log4j1.2 (1.2.8-4) unstable; urgency=low
@@ -333,14 +347,14 @@ jakarta-log4j1.2 (1.2.8-4) unstable; urgency=low
* Builds from source (closes: #221236) (removed chainsaw and lf5
parts, these will be available in liblog4j1.2-contrib-java)
* Adopted the package to pkg-java-maintainers (closes: #263869)
-
+
-- Kalle Kivimaa <killer at debian.org> Fri, 13 Aug 2004 11:00:00 +0300
jakarta-log4j1.2 (1.2.8-3) unstable; urgency=low
* Changed section from contrib to main. (closes: #237362, #230441)
* Modified depends to depend on java1-runtime or java2-runtime.
-
+
-- Benoit Joly <benoit at debian.org> Sat, 27 Mar 2004 15:42:06 -0500
jakarta-log4j1.2 (1.2.8-2) unstable; urgency=low
=====================================
debian/compat deleted
=====================================
@@ -1 +0,0 @@
-10
=====================================
debian/control
=====================================
@@ -11,14 +11,14 @@ Uploaders:
Build-Depends:
ant,
bnd (>= 2.1.0),
- debhelper (>= 10),
+ debhelper-compat (= 12),
default-jdk,
default-jdk-doc,
libmail-java,
maven-repo-helper
-Standards-Version: 4.1.1
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/apache-log4j1.2.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/apache-log4j1.2.git
+Standards-Version: 4.4.1
+Vcs-Git: https://salsa.debian.org/java-team/apache-log4j1.2.git
+Vcs-Browser: https://salsa.debian.org/java-team/apache-log4j1.2
Homepage: http://logging.apache.org/log4j/1.2/
Package: liblog4j1.2-java
=====================================
debian/patches/CVE-2019-17571.patch
=====================================
@@ -0,0 +1,125 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 11 Jan 2020 23:01:09 +0100
+Subject: CVE-2019-17571
+
+Bug-Debian: https://bugs.debian.org/947124
+Origin: https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master
+---
+ .../apache/log4j/FilteredObjectInputStream.java | 65 ++++++++++++++++++++++
+ src/main/java/org/apache/log4j/net/SocketNode.java | 17 +++++-
+ 2 files changed, 80 insertions(+), 2 deletions(-)
+ create mode 100644 src/main/java/org/apache/log4j/FilteredObjectInputStream.java
+
+diff --git a/src/main/java/org/apache/log4j/FilteredObjectInputStream.java b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java
+new file mode 100644
+index 0000000..b9ef20c
+--- /dev/null
++++ b/src/main/java/org/apache/log4j/FilteredObjectInputStream.java
+@@ -0,0 +1,65 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache license, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the license for the specific language governing permissions and
++ * limitations under the license.
++ */
++package org.apache.log4j;
++
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.InvalidObjectException;
++import java.io.ObjectInputStream;
++import java.io.ObjectStreamClass;
++import java.util.Arrays;
++import java.util.Collection;
++import java.util.List;
++
++/**
++ * Extended ObjectInputStream that only allows certain classes to be deserialized.
++ *
++ * Backported from 2.8.2
++ */
++public class FilteredObjectInputStream extends ObjectInputStream {
++
++ private static final List REQUIRED_JAVA_CLASSES = Arrays.asList(new String[] {
++ // Types of non-trainsient fields of LoggingEvent
++ "java.lang.String",
++ "java.util.Hashtable",
++ // ThrowableInformation
++ "[Ljava.lang.String;"
++ });
++
++ private final Collection allowedClasses;
++
++ public FilteredObjectInputStream(final InputStream in, final Collection allowedClasses) throws IOException {
++ super(in);
++ this.allowedClasses = allowedClasses;
++ }
++
++ protected Class resolveClass(final ObjectStreamClass desc) throws IOException, ClassNotFoundException {
++ String name = desc.getName();
++ if (!(isAllowedByDefault(name) || allowedClasses.contains(name))) {
++ throw new InvalidObjectException("Class is not allowed for deserialization: " + name);
++ }
++ return super.resolveClass(desc);
++ }
++
++ private static boolean isAllowedByDefault(final String name) {
++ return name.startsWith("org.apache.log4j.") ||
++ name.startsWith("[Lorg.apache.log4j.") ||
++ REQUIRED_JAVA_CLASSES.contains(name);
++ }
++
++}
+diff --git a/src/main/java/org/apache/log4j/net/SocketNode.java b/src/main/java/org/apache/log4j/net/SocketNode.java
+index e977f13..f95bb10 100644
+--- a/src/main/java/org/apache/log4j/net/SocketNode.java
++++ b/src/main/java/org/apache/log4j/net/SocketNode.java
+@@ -22,6 +22,10 @@ import java.io.IOException;
+ import java.io.InterruptedIOException;
+ import java.io.ObjectInputStream;
+ import java.net.Socket;
++import java.util.ArrayList;
++import java.util.Arrays;
++import java.util.Collection;
++import org.apache.log4j.FilteredObjectInputStream;
+
+ import org.apache.log4j.Logger;
+ import org.apache.log4j.spi.LoggerRepository;
+@@ -53,8 +57,9 @@ public class SocketNode implements Runnable {
+ this.socket = socket;
+ this.hierarchy = hierarchy;
+ try {
+- ois = new ObjectInputStream(
+- new BufferedInputStream(socket.getInputStream()));
++ ois = new FilteredObjectInputStream(
++ new BufferedInputStream(socket.getInputStream()),
++ getAllowedClasses());
+ } catch(InterruptedIOException e) {
+ Thread.currentThread().interrupt();
+ logger.error("Could not open ObjectInputStream to "+socket, e);
+@@ -65,6 +70,14 @@ public class SocketNode implements Runnable {
+ }
+ }
+
++ private Collection getAllowedClasses() {
++ Collection allowedClasses = new ArrayList();
++ String property = System.getProperty("org.apache.log4j.net.allowedClasses");
++ if (property != null)
++ allowedClasses.addAll(Arrays.asList(property.split(",")));
++ return allowedClasses;
++ }
++
+ //public
+ //void finalize() {
+ //System.err.println("-------------------------Finalize called");
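Review bot: `FilteredObjectInputStream` filters `resolveClass` only; `resolveProxyClass` is inherited from `ObjectInputStream` unchanged, so as I read the JDK default a stream carrying a `java.lang.reflect.Proxy` descriptor still makes the receiver load every listed interface class by name before the invocation handler object is ever checked. The handler itself would still have to pass `resolveClass`, so this is not a demonstrated bypass, but a filter meant to be an allowlist should reject proxies outright: `protected Class resolveProxyClass(final String[] interfaces) throws IOException, ClassNotFoundException { throw new InvalidObjectException("Proxy classes are not allowed for deserialization"); }`. Two smaller points in the same new file: `import java.io.FileOutputStream;` is unused and should be dropped, and the field comment reads `non-trainsient` for `non-transient`. In `SocketNode.getAllowedClasses` the comma-split entries are not trimmed, so a property value such as `a, b` silently fails to allow `b`; either `.trim()` each entry or document that no whitespace is permitted around the commas.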
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@ build_fix.patch
remove-activation-framework-dependency.patch
add-missing-classes.patch
+CVE-2019-17571.patch