[Git][java-team/libxstream-java][buster] 4 commits: Update: properly applied to buster code

Fri Jun 18 16:34:31 BST 2021


Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java


Commits:
735f1214 by Hideki Yamane at 2021-06-18T23:25:48+09:00
Update: properly applied to buster code

Accidentally it was committed as patch for unstable without changes,
so now I should fix it.

- - - - -
7f93127e by Hideki Yamane at 2021-06-18T23:25:48+09:00
Rename patch as 0004-Fix-CVE-2021-29505-for-buster.patch

- - - - -
a42f8f60 by Hideki Yamane at 2021-06-18T23:27:25+09:00
Update patch descriptions

- - - - -
e44f12c4 by Markus Koschany at 2021-06-18T15:34:26+00:00
Merge branch 'buster' into 'buster'

Fix: properly applied to buster code

See merge request java-team/libxstream-java!3
- - - - -


3 changed files:

- + debian/patches/0004-Fix-CVE-2021-29505-for-buster.patch
- − debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
- debian/patches/series


Changes:

=====================================
debian/patches/0004-Fix-CVE-2021-29505-for-buster.patch
=====================================
@@ -0,0 +1,36 @@
+From: Hideki Yamane <henrich at debian.org>
+Date: Thu, 18 Jun 2021 23:27:25 +0900
+Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
+
+Taken patch from upstream commit
+https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
+and modified it to be applied buster branch (1.4.11.1)
+
+---
+ xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+Index: libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java
+===================================================================
+--- libxstream-java.orig/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -354,8 +354,10 @@ public class XStream {
+ 
+     private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
+     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
++    private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
+     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
+     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
++    private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
+     private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
+ 
+     /**
+@@ -710,7 +712,7 @@ public class XStream {
+             java.beans.EventHandler.class,
+             java.lang.ProcessBuilder.class,
+             java.lang.Void.class, void.class });
+-        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
++        denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM, LAZY_ENUMERATORS,JAVA_RMI});
+         allowTypeHierarchy(Exception.class);
+         securityInitialized = false;
+     }


=====================================
debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch deleted
=====================================
@@ -1,38 +0,0 @@
-From: Hideki Yamane <henrich at debian.org>
-Date: Thu, 17 Jun 2021 21:42:35 +0900
-Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
-
-See https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
----
- xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index b5e43af..7a166ca 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -336,11 +336,13 @@ public class XStream {
-     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
-     private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
-     private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
-+    private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
-     private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
-     private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
-     private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
-         "javafx\\.collections\\.ObservableList\\$.*");
-     private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
-+    private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
-     private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
- 
-     /**
-@@ -657,8 +659,8 @@ public class XStream {
-             "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
-             "sun.swing.SwingLazyValue"});
-         denyTypesByRegExp(new Pattern[]{
--            LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
--            JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
-+            LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
-+            JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
-         denyTypeHierarchy(InputStream.class);
-         denyTypeHierarchyDynamically("java.nio.channels.Channel");
-         denyTypeHierarchyDynamically("javax.activation.DataSource");


=====================================
debian/patches/series
=====================================
@@ -2,4 +2,4 @@
 CVE-2020-26217.patch
 CVE-2020-26258.patch
 CVE-2020-26259.patch
-0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
+0004-Fix-CVE-2021-29505-for-buster.patch



View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/d4edc8dcd008a6373f4542f45f5da90401818d21...e44f12c48a192fb864094616fe8c2de84248f2c4

-- 
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/d4edc8dcd008a6373f4542f45f5da90401818d21...e44f12c48a192fb864094616fe8c2de84248f2c4
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20210618/145f798a/attachment.htm>
