[Git][java-team/libxstream-java][buster] 3 commits: Add debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
Markus Koschany (@apo)
gitlab at salsa.debian.org
Fri Jun 18 14:10:30 BST 2021
Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java
Commits:
0cfdd479 by Hideki Yamane at 2021-06-17T22:01:56+09:00
Add debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
- - - - -
dac776fe by Hideki Yamane at 2021-06-17T22:05:36+09:00
note to changelog (1.4.11.1-1+deb10u3) for buster-security
- - - - -
d4edc8dc by Markus Koschany at 2021-06-18T13:10:28+00:00
Merge branch 'buster' into 'buster'
CVE-2021-29505 for Buster
See merge request java-team/libxstream-java!2
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+libxstream-java (1.4.11.1-1+deb10u3) buster-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2021-29505:
+ - The vulnerability may allow a remote attacker has sufficient rights
+ to execute commands of the host only by manipulating the processed
+ input stream. No user is affected, who followed the recommendation
+ to setup XStream's security framework with a whitelist limited to
+ the minimal required types.
+
+ -- Hideki Yamane <henrich at debian.org> Thu, 17 Jun 2021 22:02:16 +0900
+
libxstream-java (1.4.11.1-1+deb10u2) buster-security; urgency=high
* Team upload.
=====================================
debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
=====================================
@@ -0,0 +1,38 @@
+From: Hideki Yamane <henrich at debian.org>
+Date: Thu, 17 Jun 2021 21:42:35 +0900
+Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
+
+See https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
+---
+ xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index b5e43af..7a166ca 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -336,11 +336,13 @@ public class XStream {
+ private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+ private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
+ private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
++ private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
+ private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
+ private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
+ private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
+ "javafx\\.collections\\.ObservableList\\$.*");
+ private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
++ private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
+ private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
+
+ /**
+@@ -657,8 +659,8 @@ public class XStream {
+ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
+ "sun.swing.SwingLazyValue"});
+ denyTypesByRegExp(new Pattern[]{
+- LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
+- JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
++ LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
++ JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
+ denyTypeHierarchy(InputStream.class);
+ denyTypeHierarchyDynamically("java.nio.channels.Channel");
+ denyTypeHierarchyDynamically("javax.activation.DataSource");
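Review bot: The new patch file's DEP-3 metadata is incomplete and self-inconsistent: the header line `Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)` gives the bug as 989491 while the file itself is named `...Closes-98949.patch` (one digit short), and the upstream reference is a free-form `See https://...` line rather than a tracked field. Replacing that line with `Origin: backport, https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227` and adding `Bug-Debian: https://bugs.debian.org/989491` would let patch tooling follow the backport and remove the doubt about which number is correct. On the Java change, both inner hunks only extend a regexp deny-list; the `JAVA_RMI` pattern `(?:java|sun)\\.rmi\\..*` does not match `javax.rmi`, and I have not verified whether that matters for this gadget, so it should be checked against upstream's current list before the backport is considered complete. The `denyTypesByRegExp` call belongs to a method whose start and end lie outside the hunk, so it is not visible here whether 1.4.11.1 applies these denials by default or only when the application opts into the security framework; the changelog's caveat that only users with a type allowlist are unaffected suggests the latter and is worth restating in the patch header.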
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@
CVE-2020-26217.patch
CVE-2020-26258.patch
CVE-2020-26259.patch
+0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch