[Git][java-team/libxstream-java][stretch] Import Debian changes 1.4.11.1-1+deb9u6
Markus Koschany (@apo)
gitlab at salsa.debian.org
Thu Jan 26 22:28:46 GMT 2023
Markus Koschany pushed to branch stretch at Debian Java Maintainers / libxstream-java
Commits:
b7c2d5b7 by Markus Koschany at 2023-01-26T23:28:16+01:00
Import Debian changes 1.4.11.1-1+deb9u6
libxstream-java (1.4.11.1-1+deb9u6) stretch-security; urgency=high
..
* Non-maintainer upload by the ELTS team.
* Fix CVE-2022-41966:
XStream serializes Java objects to XML and back again. Versions prior to
1.4.11.1-1+deb9u6 may allow a remote attacker to terminate the application
with a stack overflow error, resulting in a denial of service only via
manipulation of the processed input stream. The attack uses the hash code
implementation for collections and maps to force recursive hash calculation
causing a stack overflow. This issue is patched in version
1.4.11.1-1+deb9u6 which handles the stack overflow and raises an
InputManipulationException instead.
..
libxstream-java (1.4.11.1-1+deb9u5) stretch-security; urgency=high
..
* Non-maintainer upload by the LTS team.
* CVE-2021-43859: Prevent a potential remote denial of service (DoS) attack
that could have consumed 100% of the CPU resources. Xstream now monitors
and accumulates the time it takes to add elements to collections and throws
an exception if a set threshold is exceeded.
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/CVE-2021-43859.patch
- + debian/patches/CVE-2022-41966.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,28 @@
+libxstream-java (1.4.11.1-1+deb9u6) stretch-security; urgency=high
+
+ * Non-maintainer upload by the ELTS team.
+ * Fix CVE-2022-41966:
+ XStream serializes Java objects to XML and back again. Versions prior to
+ 1.4.11.1-1+deb9u6 may allow a remote attacker to terminate the application
+ with a stack overflow error, resulting in a denial of service only via
+ manipulation of the processed input stream. The attack uses the hash code
+ implementation for collections and maps to force recursive hash calculation
+ causing a stack overflow. This issue is patched in version
+ 1.4.11.1-1+deb9u6 which handles the stack overflow and raises an
+ InputManipulationException instead.
+
+ -- Markus Koschany <apo at debian.org> Mon, 16 Jan 2023 12:21:09 +0100
+
+libxstream-java (1.4.11.1-1+deb9u5) stretch-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * CVE-2021-43859: Prevent a potential remote denial of service (DoS) attack
+ that could have consumed 100% of the CPU resources. Xstream now monitors
+ and accumulates the time it takes to add elements to collections and throws
+ an exception if a set threshold is exceeded.
+
+ -- Chris Lamb <lamby at debian.org> Mon, 14 Feb 2022 16:45:14 -0800
+
libxstream-java (1.4.11.1-1+deb9u4) stretch-security; urgency=high
* Non-maintainer upload by the LTS team.
=====================================
debian/patches/CVE-2021-43859.patch
=====================================
@@ -0,0 +1,520 @@
+--- libxstream-java-1.4.11.1.orig/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ libxstream-java-1.4.11.1/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -153,6 +153,7 @@ import com.thoughtworks.xstream.mapper.S
+ import com.thoughtworks.xstream.mapper.XStream11XmlFriendlyMapper;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ArrayTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ import com.thoughtworks.xstream.security.ExplicitTypePermission;
+ import com.thoughtworks.xstream.security.InterfaceTypePermission;
+ import com.thoughtworks.xstream.security.NoPermission;
+@@ -316,6 +317,8 @@ public class XStream {
+
+ // CAUTION: The sequence of the fields is intentional for an optimal XML output of a
+ // self-serialization!
++ private int collectionUpdateLimit = 20;
++
+ private ReflectionProvider reflectionProvider;
+ private HierarchicalStreamDriver hierarchicalStreamDriver;
+ private ClassLoaderReference classLoaderReference;
+@@ -353,6 +356,9 @@ public class XStream {
+ public static final int PRIORITY_LOW = -10;
+ public static final int PRIORITY_VERY_LOW = -20;
+
++ public static final String COLLECTION_UPDATE_LIMIT = "XStreamCollectionUpdateLimit";
++ public static final String COLLECTION_UPDATE_SECONDS = "XStreamCollectionUpdateSeconds";
++
+ private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
+ private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+
+@@ -1259,6 +1265,23 @@ public class XStream {
+ }
+
+ /**
++ * Set time limit for adding elements to collections or maps.
++ *
++ * Manipulated content may be used to create recursive hash code calculations or sort operations. An
++ * {@link InputManipulationException} is thrown, it the summed up time to add elements to collections or maps
++ * exceeds the provided limit.
++ *
++ * Note, that the time to add an individual element is calculated in seconds, not milliseconds. However, attacks
++ * typically use objects with exponential growing calculation times.
++ *
++ * @param maxSeconds limit in seconds or 0 to disable check
++ * @since upcoming
++ */
++ public void setCollectionUpdateLimit(int maxSeconds) {
++ collectionUpdateLimit = maxSeconds;
++ }
++
++ /**
+ * Serialize an object to a pretty-printed XML String.
+ *
+ * @throws XStreamException if the object cannot be serialized
+@@ -1479,6 +1502,13 @@ public class XStream {
+ */
+ public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder dataHolder) {
+ try {
++ if (collectionUpdateLimit >= 0) {
++ if (dataHolder == null) {
++ dataHolder = new MapBackedDataHolder();
++ }
++ dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
++ dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
++ }
+ if (!securityInitialized && !securityWarningGiven) {
+ securityWarningGiven = true;
+ System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
+@@ -2189,15 +2219,23 @@ public class XStream {
+ * @see #createObjectInputStream(com.thoughtworks.xstream.io.HierarchicalStreamReader)
+ * @since 1.4.10
+ */
+- public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, final DataHolder dataHolder)
++ public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, DataHolder dataHolder)
+ throws IOException {
++ if (collectionUpdateLimit >= 0) {
++ if (dataHolder == null) {
++ dataHolder = new MapBackedDataHolder();
++ }
++ dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
++ dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
++ }
++ final DataHolder dh = dataHolder;
+ return new CustomObjectInputStream(new CustomObjectInputStream.StreamCallback() {
+ public Object readFromStream() throws EOFException {
+ if (!reader.hasMoreChildren()) {
+ throw new EOFException();
+ }
+ reader.moveDown();
+- final Object result = unmarshal(reader, dataHolder);
++ final Object result = unmarshal(reader, dh);
+ reader.moveUp();
+ return result;
+ }
+--- libxstream-java-1.4.11.1.orig/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
++++ libxstream-java-1.4.11.1/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2003, 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018 XStream Committers.
++ * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -13,6 +13,7 @@ package com.thoughtworks.xstream.convert
+
+ import com.thoughtworks.xstream.converters.MarshallingContext;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+ import com.thoughtworks.xstream.mapper.Mapper;
+@@ -96,7 +97,10 @@ public class CollectionConverter extends
+ protected void addCurrentElementToCollection(HierarchicalStreamReader reader, UnmarshallingContext context,
+ Collection collection, Collection target) {
+ final Object item = readItem(reader, context, collection); // call readBareItem when deprecated method is removed
++
++ long now = System.currentTimeMillis();
+ target.add(item);
++ SecurityUtils.checkForCollectionDoSAttack(context, now);
+ }
+
+ protected Object createCollection(Class type) {
+--- libxstream-java-1.4.11.1.orig/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
++++ libxstream-java-1.4.11.1/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2003, 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018 XStream Committers.
++ * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -13,6 +13,7 @@ package com.thoughtworks.xstream.convert
+
+ import com.thoughtworks.xstream.converters.MarshallingContext;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+@@ -104,7 +105,10 @@ public class MapConverter extends Abstra
+ Map map, Map target) {
+ final Object key = readCompleteItem(reader, context, map);
+ final Object value = readCompleteItem(reader, context, map);
++
++ long now = System.currentTimeMillis();
+ target.put(key, value);
++ SecurityUtils.checkForCollectionDoSAttack(context, now);
+ }
+
+ protected Object createCollection(Class type) {
+--- libxstream-java-1.4.11.1.orig/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
++++ libxstream-java-1.4.11.1/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2016, 2018 XStream Committers.
++ * Copyright (C) 2013, 2016, 2018, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -21,6 +21,7 @@ import com.thoughtworks.xstream.converte
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
+ import com.thoughtworks.xstream.converters.collections.MapConverter;
+ import com.thoughtworks.xstream.core.JVM;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.core.util.HierarchicalStreams;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+@@ -339,7 +340,9 @@ public class NamedMapConverter extends M
+ value = valueConverter.fromString(reader.getValue());
+ }
+
++ long now = System.currentTimeMillis();
+ target.put(key, value);
++ SecurityUtils.checkForCollectionDoSAttack(context, now);
+
+ if (entryName != null) {
+ reader.moveUp();
+--- /dev/null
++++ libxstream-java-1.4.11.1/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
+@@ -0,0 +1,56 @@
++/*
++ * Copyright (C) 2021 XStream Committers.
++ * All rights reserved.
++ *
++ * The software in this package is published under the terms of the BSD
++ * style license a copy of which has been included with this distribution in
++ * the LICENSE.txt file.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.core;
++
++import com.thoughtworks.xstream.XStream;
++import com.thoughtworks.xstream.converters.ConversionException;
++import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.security.InputManipulationException;
++
++
++/**
++ * Utility functions for security issues.
++ *
++ * @author Jörg Schaible
++ * @since upcoming
++ */
++public class SecurityUtils {
++
++ /**
++ * Check the consumed time adding elements to collections or maps.
++ *
++ * Every custom converter should call this method after an unmarshalled element has been added to a collection or
++ * map. In case of an attack the operation will take too long, because the calculation of the hash code or the
++ * comparison of the elements in the collection operate on recursive structures.
++ *
++ * @param context the unmarshalling context
++ * @param start the timestamp just before the element was added to the collection or map
++ * @since upcoming
++ */
++ public static void checkForCollectionDoSAttack(final UnmarshallingContext context, final long start) {
++ final int diff = (int)((System.currentTimeMillis() - start) / 1000);
++ if (diff > 0) {
++ final Integer secondsUsed = (Integer)context.get(XStream.COLLECTION_UPDATE_SECONDS);
++ if (secondsUsed != null) {
++ final Integer limit = (Integer)context.get(XStream.COLLECTION_UPDATE_LIMIT);
++ if (limit == null) {
++ throw new ConversionException("Missing limit for updating collections.");
++ }
++ final int seconds = secondsUsed.intValue() + diff;
++ if (seconds > limit.intValue()) {
++ throw new InputManipulationException(
++ "Denial of Service attack assumed. Adding elements to collections or maps exceeds " + limit.intValue() + " seconds.");
++ }
++ context.put(XStream.COLLECTION_UPDATE_SECONDS, new Integer(seconds));
++ }
++ }
++ }
++}
+--- libxstream-java-1.4.11.1.orig/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
++++ libxstream-java-1.4.11.1/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
+@@ -25,6 +25,7 @@ import com.thoughtworks.xstream.core.uti
+ import com.thoughtworks.xstream.core.util.PrioritizedList;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.mapper.Mapper;
++import com.thoughtworks.xstream.security.AbstractSecurityException;
+
+
+ public class TreeUnmarshaller implements UnmarshallingContext {
+@@ -73,6 +74,8 @@ public class TreeUnmarshaller implements
+ } catch (final ConversionException conversionException) {
+ addInformationTo(conversionException, type, converter, parent);
+ throw conversionException;
++ } catch (AbstractSecurityException e) {
++ throw e;
+ } catch (RuntimeException e) {
+ ConversionException conversionException = new ConversionException(e);
+ addInformationTo(conversionException, type, converter, parent);
+--- /dev/null
++++ libxstream-java-1.4.11.1/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2021 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++import com.thoughtworks.xstream.XStreamException;
++
++
++/**
++ * General base class for a Security Exception in XStream.
++ *
++ * @author Jörg Schaible
++ * @since upcoming
++ */
++public abstract class AbstractSecurityException extends XStreamException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since upcoming
++ */
++ public AbstractSecurityException(final String message) {
++ super(message);
++ }
++}
+--- libxstream-java-1.4.11.1.orig/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
++++ libxstream-java-1.4.11.1/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
+@@ -1,20 +1,18 @@
+ /*
+- * Copyright (C) 2014 XStream Committers.
++ * Copyright (C) 2014, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * Created on 08. January 2014 by Joerg Schaible
+ */
+ package com.thoughtworks.xstream.security;
+
+-import com.thoughtworks.xstream.XStreamException;
+-
+ /**
+ * Exception thrown for a forbidden class.
+ *
+ * @author Jörg Schaible
+ * @since 1.4.7
+ */
+-public class ForbiddenClassException extends XStreamException {
++public class ForbiddenClassException extends AbstractSecurityException {
+
+ /**
+ * Construct a ForbiddenClassException.
+--- /dev/null
++++ libxstream-java-1.4.11.1/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+@@ -0,0 +1,27 @@
++/*
++ * Copyright (C) 2021 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++
++/**
++ * Class for a Security Exception assuming input manipulation in XStream.
++ *
++ * @author Jörg Schaible
++ * @since upcoming
++ */
++public class InputManipulationException extends AbstractSecurityException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since upcoming
++ */
++ public InputManipulationException(final String message) {
++ super(message);
++ }
++}
+--- libxstream-java-1.4.11.1.orig/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ libxstream-java-1.4.11.1/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -18,12 +18,20 @@ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
+ import java.util.Iterator;
++import java.util.HashMap;
++import java.util.HashSet;
++import java.util.Hashtable;
++import java.util.LinkedHashMap;
++import java.util.LinkedHashSet;
++import java.util.Map;
++import java.util.Set;
+
+ import com.thoughtworks.xstream.XStreamException;
+ import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+
+
+@@ -57,9 +65,9 @@ public class SecurityVulnerabilityTest e
+
+ try {
+ xstream.fromXML(xml);
+- fail("Thrown " + XStreamException.class.getName() + " expected");
+- } catch (final XStreamException e) {
+- assertTrue(e.getMessage().contains(EventHandler.class.getName()));
++ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
+ }
+ assertEquals(0, BUFFER.length());
+ }
+@@ -187,4 +195,140 @@ public class SecurityVulnerabilityTest e
+ assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+ }
+ }
++
++ public void testDoSAttackWithHashSet() {
++ final Set set = new HashSet();
++ Set s1 = set;
++ Set s2 = new HashSet();
++ for (int i = 0; i < 30; i++) {
++ final Set t1 = new HashSet();
++ final Set t2 = new HashSet();
++ t1.add("a");
++ t2.add("b");
++ s1.add(t1);
++ s1.add(t2);
++ s2.add(t2);
++ s2.add(t1);
++ s1 = t1;
++ s2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(set);
++ try {
++
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithLinkedHashSet() {
++ final Set set = new LinkedHashSet();
++ Set s1 = set;
++ Set s2 = new LinkedHashSet();
++ for (int i = 0; i < 30; i++) {
++ final Set t1 = new LinkedHashSet();
++ final Set t2 = new LinkedHashSet();
++ t1.add("a");
++ t2.add("b");
++ s1.add(t1);
++ s1.add(t2);
++ s2.add(t2);
++ s2.add(t1);
++ s1 = t1;
++ s2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(set);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithHashMap() {
++ final Map map = new HashMap();
++ Map m1 = map;
++ Map m2 = new HashMap();
++ for (int i = 0; i < 25; i++) {
++ final Map t1 = new HashMap();
++ final Map t2 = new HashMap();
++ t1.put("a", "b");
++ t2.put("c", "d");
++ m1.put(t1, t2);
++ m1.put(t2, t1);
++ m2.put(t2, t1);
++ m2.put(t1, t2);
++ m1 = t1;
++ m2 = t2;
++ }
++ xstream.setCollectionUpdateLimit(5);
++
++ final String xml = xstream.toXML(map);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithLinkedHashMap() {
++ final Map map = new LinkedHashMap();
++ Map m1 = map;
++ Map m2 = new LinkedHashMap();
++ for (int i = 0; i < 25; i++) {
++ final Map t1 = new LinkedHashMap();
++ final Map t2 = new LinkedHashMap();
++ t1.put("a", "b");
++ t2.put("c", "d");
++ m1.put(t1, t2);
++ m1.put(t2, t1);
++ m2.put(t2, t1);
++ m2.put(t1, t2);
++ m1 = t1;
++ m2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(map);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithHashtable() {
++ final Map map = new Hashtable();
++ Map m1 = map;
++ Map m2 = new Hashtable();
++ for (int i = 0; i < 100; i++) {
++ final Map t1 = new Hashtable();
++ final Map t2 = new Hashtable();
++ t1.put("a", "b");
++ t2.put("c", "d");
++ m1.put(t1, t2);
++ m1.put(t2, t1);
++ m2.put(t2, t1);
++ m2.put(t1, t2);
++ m1 = t1;
++ m2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(map);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
+ }
=====================================
debian/patches/CVE-2022-41966.patch
=====================================
@@ -0,0 +1,94 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 16 Jan 2023 09:27:04 +0100
+Subject: CVE-2022-41966
+
+Bug-Debian: https://bugs.debian.org/1027754
+Origin: https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java | 9 ++++--
+ .../acceptance/SecurityVulnerabilityTest.java | 35 +++++++++++++++++++++-
+ 2 files changed, 40 insertions(+), 4 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index fdeb7a2..31ea16b 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -164,6 +164,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
+ import com.thoughtworks.xstream.security.TypeHierarchyPermission;
+ import com.thoughtworks.xstream.security.TypePermission;
+ import com.thoughtworks.xstream.security.WildcardTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
+
+
+ /**
+@@ -1513,9 +1514,11 @@ public class XStream {
+ securityWarningGiven = true;
+ System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
+ }
+- return marshallingStrategy.unmarshal(
+- root, reader, dataHolder, converterLookup, mapper);
+-
++ try {
++ return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper);
++ } catch (final StackOverflowError e) {
++ throw new InputManipulationException("Possible Denial of Service attack by Stack Overflow");
++ }
+ } catch (ConversionException e) {
+ Package pkg = getClass().getPackage();
+ String version = pkg != null ? pkg.getImplementationVersion() : null;
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index 8201295..2f722ec 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021 XStream Committers.
++ * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021, 2022 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -33,6 +33,8 @@ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.InputManipulationException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
++
+
+
+ /**
+@@ -331,4 +333,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
+ }
+ }
++
++ public void testStackOverflowWithRecursiveHashSet() {
++ final String xml = ""
++ + "<set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <set>\n"
++ + " <string>a</string>\n"
++ + " </set>\n"
++ + " <set>\n"
++ + " <string>b</string>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + " <set>\n"
++ + " <string>c</string>\n"
++ + " <set reference=\"../../../set/set[2]\"/>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + " </set>\n"
++ + "</set>";
++
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
++ }
++ }
+ }
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,5 @@
enable-security-whitelist-by-default.patch
SecurityVulnerabilityTest.patch
debian-specific-whitelist-extension.patch
+CVE-2021-43859.patch
+CVE-2022-41966.patch
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/commit/b7c2d5b7d0522b084f6158453abace1351881cbc
--
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/commit/b7c2d5b7d0522b084f6158453abace1351881cbc
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20230126/54782368/attachment.htm>
More information about the pkg-java-commits
mailing list