[Git][java-team/libxstream-java][buster] 4 commits: Fix CVE-2022-41966
Markus Koschany (@apo)
gitlab at salsa.debian.org
Wed Jan 11 13:59:52 GMT 2023
Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java
Commits:
0d3481f9 by Markus Koschany at 2023-01-11T14:28:48+01:00
Fix CVE-2022-41966
- - - - -
88ee8c54 by Markus Koschany at 2023-01-11T14:48:33+01:00
Remove CVE-2022-41966.patch
- - - - -
c28ffde1 by Markus Koschany at 2023-01-11T14:51:50+01:00
Refresh CVE-2022-41966.patch
- - - - -
e6c1f198 by Markus Koschany at 2023-01-11T14:55:15+01:00
Update changelog
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/CVE-2022-41966.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,24 @@
+libxstream-java (1.4.11.1-1+deb10u4) buster-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2022-41966:
+ XStream serializes Java objects to XML and back again. Versions prior to
+ 1.4.11.1-1+deb10u4 may allow a remote attacker to terminate the application
+ with a stack overflow error, resulting in a denial of service only via
+ manipulation of the processed input stream. The attack uses the hash code
+ implementation for collections and maps to force recursive hash calculation
+ causing a stack overflow. This issue is patched in version
+ 1.4.11.1-1+deb10u4 which handles the stack overflow and raises an
+ InputManipulationException instead. A potential workaround for users who
+ only use HashMap or HashSet and whose XML refers these only as default map
+ or set, is to change the default implementation of java.util.Map and
+ java.util per the code example in the referenced advisory. However, this
+ implies that your application does not care about the implementation of the
+ map and all elements are
+ comparable. (Closes: #1027754)
+
+ -- Markus Koschany <apo at debian.org> Wed, 11 Jan 2023 14:52:21 +0100
+
libxstream-java (1.4.11.1-1+deb10u3) buster-security; urgency=high
* Team upload.
=====================================
debian/patches/CVE-2022-41966.patch
=====================================
@@ -0,0 +1,166 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 11 Jan 2023 14:49:56 +0100
+Subject: CVE-2022-41966
+
+Bug-Debian: https://bugs.debian.org/1027754
+Origin: https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java | 9 ++++--
+ .../security/AbstractSecurityException.java | 29 ++++++++++++++++++
+ .../security/InputManipulationException.java | 27 +++++++++++++++++
+ .../acceptance/SecurityVulnerabilityTest.java | 35 +++++++++++++++++++++-
+ 4 files changed, 96 insertions(+), 4 deletions(-)
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index f35d244..792272c 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -163,6 +163,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
+ import com.thoughtworks.xstream.security.TypeHierarchyPermission;
+ import com.thoughtworks.xstream.security.TypePermission;
+ import com.thoughtworks.xstream.security.WildcardTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
+
+
+ /**
+@@ -1483,9 +1484,11 @@ public class XStream {
+ securityWarningGiven = true;
+ System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
+ }
+- return marshallingStrategy.unmarshal(
+- root, reader, dataHolder, converterLookup, mapper);
+-
++ try {
++ return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper);
++ } catch (final StackOverflowError e) {
++ throw new InputManipulationException("Possible Denial of Service attack by Stack Overflow");
++ }
+ } catch (ConversionException e) {
+ Package pkg = getClass().getPackage();
+ String version = pkg != null ? pkg.getImplementationVersion() : null;
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+new file mode 100644
+index 0000000..777765a
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2021, 2022 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++import com.thoughtworks.xstream.XStreamException;
++
++
++/**
++ * General base class for a Security Exception in XStream.
++ *
++ * @author Jörg Schaible
++ * @since 1.4.19
++ */
++public abstract class AbstractSecurityException extends XStreamException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since 1.4.19
++ */
++ public AbstractSecurityException(final String message) {
++ super(message);
++ }
++}
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+new file mode 100644
+index 0000000..80f492c
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+@@ -0,0 +1,27 @@
++/*
++ * Copyright (C) 2021, 2022 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++
++/**
++ * Class for a Security Exception assuming input manipulation in XStream.
++ *
++ * @author Jörg Schaible
++ * @since 1.4.19
++ */
++public class InputManipulationException extends AbstractSecurityException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since 1.4.19
++ */
++ public InputManipulationException(final String message) {
++ super(message);
++ }
++}
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index d387bcd..f21ea45 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021 XStream Committers.
++ * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021, 2022 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -25,6 +25,8 @@ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
++
+
+
+ /**
+@@ -187,4 +189,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+ }
+ }
++
++ public void testStackOverflowWithRecursiveHashSet() {
++ final String xml = ""
++ + "<set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <string>a</string>\n"
++ + " </set>\n"
++ + " <set>\n"
++ + " <string>b</string>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + " <set>\n"
++ + " <string>c</string>\n"
++ + " <set reference=\"../../../set/set[2]\"/>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + "</set>";
++
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
++ }
++ }
+ }
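Review bot: The `catch (final StackOverflowError e)` block added to XStream.unmarshal drops `e`, so the thrown `InputManipulationException` carries no cause and the overflowed stack — the only hint of which converter or reference chain was being processed — is lost to whoever logs or handles the exception; the new `AbstractSecurityException` and `InputManipulationException` only expose a `(String)` constructor even though `XStreamException`, which they extend, also offers a message-plus-cause form. Adding `public InputManipulationException(final String message, final Throwable cause) { super(message, cause); }` (and the matching constructor on the abstract base) and throwing `new InputManipulationException("Possible Denial of Service attack by Stack Overflow", e)` would keep that diagnostic; the trade-off is that a `StackOverflowError` trace is long, so this is a judgement call, and since the patch mirrors the upstream commit the change may belong upstream rather than in the Debian backport. The enclosing unmarshal method and its outer try/catch for ConversionException continue outside the hunk. A minor style point in the same patch: the new `InputManipulationException` import in both XStream.java and SecurityVulnerabilityTest.java is appended after `WildcardTypePermission` / `ProxyTypePermission` instead of in the alphabetical position the surrounding security imports use.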
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@
enable-security-whitelist-by-default.patch
SecurityVulnerabilityTest.patch
debian-specific-whitelist-extension.patch
+CVE-2022-41966.patch