[Git][java-team/libxstream-java][bullseye] 3 commits: Fix CVE-2022-41966
Markus Koschany (@apo)
gitlab at salsa.debian.org
Wed Jan 11 13:28:26 GMT 2023
Markus Koschany pushed to branch bullseye at Debian Java Maintainers / libxstream-java
Commits:
db5ba0c8 by Markus Koschany at 2023-01-11T14:00:32+01:00
Fix CVE-2022-41966
- - - - -
12ce85f4 by Markus Koschany at 2023-01-11T14:05:56+01:00
Update changelog
- - - - -
146532f1 by Markus Koschany at 2023-01-11T14:18:49+01:00
Update CVE-2022-41966.patch
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2022-41966.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,23 @@
+libxstream-java (1.4.15-3+deb11u2) bullseye-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2022-41966:
+ XStream serializes Java objects to XML and back again. Versions prior to
+ 1.4.15-3+deb11u2 may allow a remote attacker to terminate the application
+ with a stack overflow error, resulting in a denial of service only via
+ manipulation of the processed input stream. The attack uses the hash code
+ implementation for collections and maps to force recursive hash calculation
+ causing a stack overflow. This issue is patched in version 1.4.15-3+deb11u2
+ which handles the stack overflow and raises an InputManipulationException
+ instead. A potential workaround for users who only use HashMap or HashSet
+ and whose XML refers these only as default map or set, is to change the
+ default implementation of java.util.Map and java.util per the code example
+ in the referenced advisory. However, this implies that your application
+ does not care about the implementation of the map and all elements are
+ comparable. (Closes: #1027754)
+
+ -- Markus Koschany <apo at debian.org> Wed, 11 Jan 2023 14:00:44 +0100
+
libxstream-java (1.4.15-3+deb11u1) bullseye-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2022-41966.patch
=====================================
@@ -0,0 +1,165 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 11 Jan 2023 13:57:58 +0100
+Subject: CVE-2022-41966
+
+Bug-Debian: https://bugs.debian.org/1027754
+Origin: https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java | 8 +++--
+ .../security/AbstractSecurityException.java | 29 ++++++++++++++++++
+ .../security/InputManipulationException.java | 27 +++++++++++++++++
+ .../acceptance/SecurityVulnerabilityTest.java | 35 +++++++++++++++++++++-
+ 4 files changed, 96 insertions(+), 3 deletions(-)
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 129be1c..24c51cf 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -162,6 +162,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
+ import com.thoughtworks.xstream.security.TypeHierarchyPermission;
+ import com.thoughtworks.xstream.security.TypePermission;
+ import com.thoughtworks.xstream.security.WildcardTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
+
+
+ /**
+@@ -1398,8 +1399,11 @@ public class XStream {
+ .println(
+ "Security framework of XStream not explicitly initialized, using predefined black list on your own risk.");
+ }
+- return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper);
+-
++ try {
++ return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper);
++ } catch (final StackOverflowError e) {
++ throw new InputManipulationException("Possible Denial of Service attack by Stack Overflow");
++ }
+ } catch (ConversionException e) {
+ Package pkg = getClass().getPackage();
+ String version = pkg != null ? pkg.getImplementationVersion() : null;
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+new file mode 100644
+index 0000000..777765a
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2021, 2022 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++import com.thoughtworks.xstream.XStreamException;
++
++
++/**
++ * General base class for a Security Exception in XStream.
++ *
++ * @author Jörg Schaible
++ * @since 1.4.19
++ */
++public abstract class AbstractSecurityException extends XStreamException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since 1.4.19
++ */
++ public AbstractSecurityException(final String message) {
++ super(message);
++ }
++}
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+new file mode 100644
+index 0000000..80f492c
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+@@ -0,0 +1,27 @@
++/*
++ * Copyright (C) 2021, 2022 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++
++/**
++ * Class for a Security Exception assuming input manipulation in XStream.
++ *
++ * @author Jörg Schaible
++ * @since 1.4.19
++ */
++public class InputManipulationException extends AbstractSecurityException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since 1.4.19
++ */
++ public InputManipulationException(final String message) {
++ super(message);
++ }
++}
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index d387bcd..f21ea45 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021 XStream Committers.
++ * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021, 2022 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -25,6 +25,8 @@ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
++
+
+
+ /**
+@@ -187,4 +189,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+ }
+ }
++
++ public void testStackOverflowWithRecursiveHashSet() {
++ final String xml = ""
++ + "<set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <string>a</string>\n"
++ + " </set>\n"
++ + " <set>\n"
++ + " <string>b</string>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + " <set>\n"
++ + " <string>c</string>\n"
++ + " <set reference=\"../../../set/set[2]\"/>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + "</set>";
++
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
++ }
++ }
+ }
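Review bot: The new `catch (final StackOverflowError e)` around `marshallingStrategy.unmarshal` in XStream.java drops the caught error and raises an `InputManipulationException` with a fixed message, so a crafted self-referencing collection (the CVE-2022-41966 case exercised by `testStackOverflowWithRecursiveHashSet`) and a legitimately deep document that merely exceeds the thread's stack size become indistinguishable to whoever reads the exception. I would at least annotate the catch so a later maintainer does not remove it: `// StackOverflowError here is the recursive hashCode() of self-referencing sets/maps (CVE-2022-41966); the depth at which it triggers depends on the thread stack size, so a very deep but honest document can land here too`. If the exception should carry the cause for logging, `AbstractSecurityException` and `InputManipulationException` would need a `(String message, Throwable cause)` constructor, which this patch does not add. Since the hunk is a Debian backport of upstream commit e9151f2, the `@since 1.4.19` tags in the two new classes refer to the upstream release line rather than to the 1.4.15-based package, which is worth a line in the patch header. The enclosing `unmarshal` method starts and ends outside the hunk.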
=====================================
debian/patches/series
=====================================
@@ -3,3 +3,4 @@
enable-security-whitelist-by-default.patch
SecurityVulnerabilityTest.patch
debian-specific-whitelist-extension.patch
+CVE-2022-41966.patch