[Git][java-team/libxstream-java][buster] 4 commits: Fix CVE-2022-41966

Markus Koschany (@apo) gitlab at salsa.debian.org
Wed Jan 11 13:59:52 GMT 2023 


Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java


Commits:
0d3481f9 by Markus Koschany at 2023-01-11T14:28:48+01:00
Fix CVE-2022-41966

- - - - -
88ee8c54 by Markus Koschany at 2023-01-11T14:48:33+01:00
Remove CVE-2022-41966.patch

- - - - -
c28ffde1 by Markus Koschany at 2023-01-11T14:51:50+01:00
Refresh CVE-2022-41966.patch

- - - - -
e6c1f198 by Markus Koschany at 2023-01-11T14:55:15+01:00
Update changelog

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2022-41966.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,24 @@
+libxstream-java (1.4.11.1-1+deb10u4) buster-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2022-41966:
+    XStream serializes Java objects to XML and back again. Versions prior to
+    1.4.11.1-1+deb10u4 may allow a remote attacker to terminate the application
+    with a stack overflow error, resulting in a denial of service only via
+    manipulation of the processed input stream. The attack uses the hash code
+    implementation for collections and maps to force recursive hash calculation
+    causing a stack overflow. This issue is patched in version
+    1.4.11.1-1+deb10u4 which handles the stack overflow and raises an
+    InputManipulationException instead. A potential workaround for users who
+    only use HashMap or HashSet and whose XML refers these only as default map
+    or set, is to change the default implementation of java.util.Map and
+    java.util per the code example in the referenced advisory. However, this
+    implies that your application does not care about the implementation of the
+    map and all elements are
+    comparable. (Closes: #1027754)
+
+ -- Markus Koschany <apo at debian.org>  Wed, 11 Jan 2023 14:52:21 +0100
+
 libxstream-java (1.4.11.1-1+deb10u3) buster-security; urgency=high
 
   * Team upload.


=====================================
debian/patches/CVE-2022-41966.patch
=====================================
@@ -0,0 +1,166 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 11 Jan 2023 14:49:56 +0100
+Subject: CVE-2022-41966
+
+Bug-Debian: https://bugs.debian.org/1027754
+Origin: https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java |  9 ++++--
+ .../security/AbstractSecurityException.java        | 29 ++++++++++++++++++
+ .../security/InputManipulationException.java       | 27 +++++++++++++++++
+ .../acceptance/SecurityVulnerabilityTest.java      | 35 +++++++++++++++++++++-
+ 4 files changed, 96 insertions(+), 4 deletions(-)
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index f35d244..792272c 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -163,6 +163,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
+ import com.thoughtworks.xstream.security.TypeHierarchyPermission;
+ import com.thoughtworks.xstream.security.TypePermission;
+ import com.thoughtworks.xstream.security.WildcardTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ 
+ 
+ /**
+@@ -1483,9 +1484,11 @@ public class XStream {
+                 securityWarningGiven = true;
+                 System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
+             }
+-            return marshallingStrategy.unmarshal(
+-                root, reader, dataHolder, converterLookup, mapper);
+-
++            try {
++                return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper);
++            } catch (final StackOverflowError e) {
++                throw new InputManipulationException("Possible Denial of Service attack by Stack Overflow");
++            }
+         } catch (ConversionException e) {
+             Package pkg = getClass().getPackage();
+             String version = pkg != null ? pkg.getImplementationVersion() : null;
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+new file mode 100644
+index 0000000..777765a
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2021, 2022 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++import com.thoughtworks.xstream.XStreamException;
++
++
++/**
++ * General base class for a Security Exception in XStream.
++ * 
++ * @author Jörg Schaible
++ * @since 1.4.19
++ */
++public abstract class AbstractSecurityException extends XStreamException {
++    private static final long serialVersionUID = 20210921L;
++
++    /**
++     * Constructs a SecurityException.
++     * @param message the exception message
++     * @since 1.4.19
++     */
++    public AbstractSecurityException(final String message) {
++        super(message);
++    }
++}
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+new file mode 100644
+index 0000000..80f492c
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+@@ -0,0 +1,27 @@
++/*
++ * Copyright (C) 2021, 2022 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++
++/**
++ * Class for a Security Exception assuming input manipulation in XStream.
++ * 
++ * @author Jörg Schaible
++ * @since 1.4.19
++ */
++public class InputManipulationException extends AbstractSecurityException {
++    private static final long serialVersionUID = 20210921L;
++
++    /**
++     * Constructs a SecurityException.
++     * @param message the exception message
++     * @since 1.4.19
++     */
++    public InputManipulationException(final String message) {
++        super(message);
++    }
++}
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index d387bcd..f21ea45 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021 XStream Committers.
++ * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021, 2022 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+@@ -25,6 +25,8 @@ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
++
+ 
+ 
+ /**
+@@ -187,4 +189,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+             assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+         }
+     }
++
++    public void testStackOverflowWithRecursiveHashSet() {
++        final String xml = ""
++            + "<set>\n"
++            + "  <set>\n"
++            + "    <set>\n"
++            + "      <set>\n"
++            + "        <set>\n"
++            + "          <set>\n"
++            + "            <string>a</string>\n"
++            + "          </set>\n"
++            + "          <set>\n"
++            + "            <string>b</string>\n"
++            + "          </set>\n"
++            + "        </set>\n"
++            + "        <set>\n"
++            + "          <string>c</string>\n"
++            + "          <set reference=\"../../../set/set[2]\"/>\n"
++            + "        </set>\n"
++            + "      </set>\n"
++            + "    </set>\n"
++            + "  </set>\n"
++            + "</set>";
++
++        try {
++            xstream.fromXML(xml);
++            fail("Thrown " + InputManipulationException.class.getName() + " expected");
++        } catch (final InputManipulationException e) {
++            assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
++        }
++    }
+ }


=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@
 enable-security-whitelist-by-default.patch
 SecurityVulnerabilityTest.patch
 debian-specific-whitelist-extension.patch
+CVE-2022-41966.patch



View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/2415f7f7a4c52202c9b162e8fee83d73b06141d6...e6c1f198ba762e83ed908e13c67ddf2bc089b728

-- 
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/2415f7f7a4c52202c9b162e8fee83d73b06141d6...e6c1f198ba762e83ed908e13c67ddf2bc089b728
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20230111/034004c0/attachment.htm>

More information about the pkg-java-commits mailing list