[Git][java-team/libxstream-java][master] 3 commits: Fix CVE-2021-21341-to-CVE-2021-21351

Markus Koschany gitlab at salsa.debian.org
Sat Apr 3 20:23:03 BST 2021



Markus Koschany pushed to branch master at Debian Java Maintainers / libxstream-java


Commits:
d8022a96 by Markus Koschany at 2021-04-03T21:08:59+02:00
Fix CVE-2021-21341-to-CVE-2021-21351

- - - - -
d7270cdc by Markus Koschany at 2021-04-03T21:11:42+02:00
Remove CVE-2021-21341-to-CVE-2021-21351.patch

- - - - -
c1946024 by Markus Koschany at 2021-04-03T21:16:47+02:00
Rebase CVE-2021-21341-to-CVE-2021-21351.patch

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,28 @@
+libxstream-java (1.4.15-2) unstable; urgency=high
+
+  * Team upload.
+  * Fix CVE-2021-21341 to CVE-2021-21351:
+    In XStream there is a vulnerability which may allow a remote attacker to
+    load and execute arbitrary code from a remote host only by manipulating the
+    processed input stream.
+
+    The type hierarchies for java.io.InputStream, java.nio.channels.Channel,
+    javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
+    blacklisted as well as the individual types
+    com.sun.corba.se.impl.activation.ServerTableEntry,
+    com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
+    sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
+    sun.swing.SwingLazyValue. Additionally the internal type
+    Accessor$GetterSetterReflection of JAXB, the internal types
+    MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
+    JAX-WS, all inner classes of javafx.collections.ObservableList and an
+    internal ClassLoader used in a private BCEL copy are now part of the
+    default blacklist and the deserialization of XML containing one of the two
+    types will fail. You will have to enable these types by explicit
+    configuration, if you need them.
+
+ -- Markus Koschany <apo at debian.org>  Sat, 03 Apr 2021 19:17:05 +0200
+
 libxstream-java (1.4.15-1) unstable; urgency=medium
 
   * Team upload.


=====================================
debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch
=====================================
@@ -0,0 +1,139 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 3 Apr 2021 21:15:39 +0200
+Subject: CVE-2021-21341-to-CVE-2021-21351
+
+Bug-Debian: https://bugs.debian.org/985843
+Origin: https://github.com/x-stream/xstream/commit/d5e51177634afea7213b9dc2d21f101d2e258db9
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java | 32 +++++++++++++---
+ .../acceptance/SecurityVulnerabilityTest.java      | 43 ++++++++++++++++++++++
+ 2 files changed, 70 insertions(+), 5 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 8415da2..b5e43af 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream Committers.
++ * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+@@ -36,7 +36,6 @@ import java.net.URL;
+ import java.nio.charset.Charset;
+ import java.text.DecimalFormatSymbols;
+ import java.util.ArrayList;
+-import java.util.Arrays;
+ import java.util.BitSet;
+ import java.util.Calendar;
+ import java.util.Collection;
+@@ -335,9 +334,14 @@ public class XStream {
+ 
+     private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
+     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
++    private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
++    private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
+     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
++    private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
++    private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
++        "javafx\\.collections\\.ObservableList\\$.*");
+     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
+-    private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
++    private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
+ 
+     /**
+      * Constructs a default XStream.
+@@ -647,12 +651,30 @@ public class XStream {
+             "java.beans.EventHandler", //
+             "java.lang.ProcessBuilder", //
+             "javax.imageio.ImageIO$ContainsFilter", //
+-            "jdk.nashorn.internal.objects.NativeString" });
+-        denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
++            "jdk.nashorn.internal.objects.NativeString", //
++            "com.sun.corba.se.impl.activation.ServerTableEntry", //
++            "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator", //
++            "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
++            "sun.swing.SwingLazyValue"});
++        denyTypesByRegExp(new Pattern[]{
++            LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
++            JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
++        denyTypeHierarchy(InputStream.class);
++        denyTypeHierarchyDynamically("java.nio.channels.Channel");
++        denyTypeHierarchyDynamically("javax.activation.DataSource");
++        denyTypeHierarchyDynamically("javax.sql.rowset.BaseRowSet");
++
+         allowTypeHierarchy(Exception.class);
+         securityInitialized = false;
+     }
+ 
++    private void denyTypeHierarchyDynamically(String className) {
++        Class type = JVM.loadClassForName(className);
++        if (type != null) {
++            denyTypeHierarchy(type);
++        }
++    }
++
+     /**
+      * Setup the security framework of a XStream instance.
+      * <p>
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index da5f861..9da221c 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -11,6 +11,7 @@
+ package com.thoughtworks.acceptance;
+ 
+ import java.beans.EventHandler;
++import java.io.ByteArrayInputStream;
+ import java.io.File;
+ import java.io.FileOutputStream;
+ import java.io.IOException;
+@@ -282,4 +283,46 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+             }
+         }
+     }
++
++    public void testCannotInjectManipulatedByteArryInputStream() {
++        xstream.alias("bais", ByteArrayInputStream.class);
++        System.out.println(Integer.MAX_VALUE);
++        final String xml = ""
++            + "<bais>\n"
++            + "  <buf></buf>\n"
++            + "  <pos>-2147483648</pos>\n"
++            + "  <mark>0</mark>\n"
++            + "  <count>0</count>\n"
++            + "</bais>";
++
++        try {
++            xstream.fromXML(xml);
++            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++        } catch (final ForbiddenClassException e) {
++            assertEquals(e.getMessage(),ByteArrayInputStream.class.getName());
++        }
++    }
++
++    public void testExplicitlyUnmarshalEndlessByteArryInputStream() {
++        xstream.alias("bais", ByteArrayInputStream.class);
++        xstream.allowTypes(new Class[]{ByteArrayInputStream.class});
++
++        final String xml = ""
++            + "<bais>\n"
++            + "  <buf></buf>\n"
++            + "  <pos>-2147483648</pos>\n"
++            + "  <mark>0</mark>\n"
++            + "  <count>0</count>\n"
++            + "</bais>";
++        
++        final byte[] data = new byte[10];
++        final ByteArrayInputStream bais = (ByteArrayInputStream)xstream.fromXML(xml);
++        int i = 5;
++        while(bais.read(data, 0, 10) == 0) {
++            if (--i == 0) {
++                break;
++            }
++        }
++        assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
++    }
+ }
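Review bot: The new test `testCannotInjectManipulatedByteArryInputStream` carries a leftover debug print, `System.out.println(Integer.MAX_VALUE);`, right after the alias call, and its `assertEquals` has expected and actual reversed, so a failure would report the values the wrong way round; the line should read `assertEquals(ByteArrayInputStream.class.getName(), e.getMessage());` and the print should go (both method names also misspell "ByteArray"). In the XStream.java part, `denyTypeHierarchyDynamically` is the only new method without Javadoc, and its silent no-op when `JVM.loadClassForName` returns null is the behaviour a maintainer most needs to know about, since the Channel/DataSource/BaseRowSet hierarchies are then simply not denied on a JDK where the class is absent; a comment such as `/** Denies the type hierarchy of {@code className} if that class is loadable on this JVM; otherwise nothing is denied. */` would make that explicit. The method containing the new `denyTypes`/`denyTypeHierarchy` calls starts outside the hunk, so whether `java.io.InputStream` is already imported there cannot be confirmed from this patch alone.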


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 01-java7-compatibility.patch
 02-disable-beastax-driver.patch
+CVE-2021-21341-to-CVE-2021-21351.patch


