[Git][java-team/libxstream-java][bullseye] 2 commits: CVE-2021-43859
Bastien Roucariès (@rouca)
gitlab at salsa.debian.org
Sat Dec 21 21:59:08 GMT 2024
Bastien Roucariès pushed to branch bullseye at Debian Java Maintainers / libxstream-java
Commits:
aab9f896 by Bastien Roucariès at 2024-12-21T19:11:26+00:00
CVE-2021-43859
- - - - -
c9a036c3 by Bastien Roucariès at 2024-12-21T20:50:44+00:00
CVE-2024-47072
- - - - -
4 changed files:
- debian/changelog
- + debian/patches/0007-CVE-2021-43859.patch
- + debian/patches/0008-CVE-2024-47072.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,21 @@
+libxstream-java (1.4.15-3+deb11u3) bullseye-security; urgency=medium
+
+ * Team upload by LTS team
+ * Fix CVE-2021-43859: Denial of Service (DoS) by injecting
+ highly recursive collections or maps. The vulnerability
+ may allow a remote attacker to allocate 100% CPU time
+ on the target system depending on CPU type or parallel
+ execution of such a payload resulting in a denial of
+ service only by manipulating the processed input stream.
+ * Fix CVE-2021-43859: This vulnerability may allow a remote
+ attacker to terminate the application with a stack
+ overflow error resulting in a denial of service only by
+ manipulating the processed input stream when XStream
+ is configured to use the BinaryStreamDriver
+ (Closes: #1087274)
+
+ -- Bastien Roucariès <rouca at debian.org> Sat, 21 Dec 2024 18:58:45 +0000
+
libxstream-java (1.4.15-3+deb11u2) bullseye-security; urgency=high
* Team upload.
=====================================
debian/patches/0007-CVE-2021-43859.patch
=====================================
@@ -0,0 +1,495 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca at debian.org>
+Date: Sat, 21 Dec 2024 18:46:41 +0000
+Subject: CVE-2021-43859
+
+origin: https://github.com/x-stream/xstream/commit/e8e88621ba1c85ac3b8620337dd672e0c0c3a846
+bug: https://x-stream.github.io/CVE-2021-43859.html
+bug-github: https://github.com/x-stream/xstream/security/advisories/GHSA-rmr5-cpv2-vgjf
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java | 42 +++++-
+ .../collections/CollectionConverter.java | 6 +-
+ .../converters/collections/MapConverter.java | 6 +-
+ .../converters/extended/NamedMapConverter.java | 5 +-
+ .../thoughtworks/xstream/core/SecurityUtils.java | 57 ++++++++
+ .../xstream/core/TreeUnmarshaller.java | 3 +
+ .../xstream/security/ForbiddenClassException.java | 6 +-
+ .../acceptance/SecurityVulnerabilityTest.java | 150 ++++++++++++++++++++-
+ 8 files changed, 263 insertions(+), 12 deletions(-)
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 24c51cf..566af8e 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -152,6 +152,7 @@ import com.thoughtworks.xstream.mapper.SystemAttributeAliasingMapper;
+ import com.thoughtworks.xstream.mapper.XStream11XmlFriendlyMapper;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ArrayTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ import com.thoughtworks.xstream.security.ExplicitTypePermission;
+ import com.thoughtworks.xstream.security.InterfaceTypePermission;
+ import com.thoughtworks.xstream.security.NoPermission;
+@@ -297,6 +298,8 @@ public class XStream {
+
+ // CAUTION: The sequence of the fields is intentional for an optimal XML output of a
+ // self-serialization!
++ private int collectionUpdateLimit = 20;
++
+ private ReflectionProvider reflectionProvider;
+ private HierarchicalStreamDriver hierarchicalStreamDriver;
+ private ClassLoaderReference classLoaderReference;
+@@ -334,6 +337,9 @@ public class XStream {
+ public static final int PRIORITY_LOW = -10;
+ public static final int PRIORITY_VERY_LOW = -20;
+
++ public static final String COLLECTION_UPDATE_LIMIT = "XStreamCollectionUpdateLimit";
++ public static final String COLLECTION_UPDATE_SECONDS = "XStreamCollectionUpdateSeconds";
++
+ private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
+ private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+ private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
+@@ -1187,6 +1193,23 @@ public class XStream {
+ this.marshallingStrategy = marshallingStrategy;
+ }
+
++ /**
++ * Set time limit for adding elements to collections or maps.
++ *
++ * Manipulated content may be used to create recursive hash code calculations or sort operations. An
++ * {@link InputManipulationException} is thrown, it the summed up time to add elements to collections or maps
++ * exceeds the provided limit.
++ *
++ * Note, that the time to add an individual element is calculated in seconds, not milliseconds. However, attacks
++ * typically use objects with exponential growing calculation times.
++ *
++ * @param maxSeconds limit in seconds or 0 to disable check
++ * @since upcoming
++ */
++ public void setCollectionUpdateLimit(int maxSeconds) {
++ collectionUpdateLimit = maxSeconds;
++ }
++
+ /**
+ * Serialize an object to a pretty-printed XML String.
+ *
+@@ -1393,6 +1416,13 @@ public class XStream {
+ */
+ public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder dataHolder) {
+ try {
++ if (collectionUpdateLimit >= 0) {
++ if (dataHolder == null) {
++ dataHolder = new MapBackedDataHolder();
++ }
++ dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
++ dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
++ }
+ if (!securityInitialized && !securityWarningGiven) {
+ securityWarningGiven = true;
+ System.err
+@@ -2068,15 +2098,23 @@ public class XStream {
+ * @see #createObjectInputStream(com.thoughtworks.xstream.io.HierarchicalStreamReader)
+ * @since 1.4.10
+ */
+- public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, final DataHolder dataHolder)
++ public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, DataHolder dataHolder)
+ throws IOException {
++ if (collectionUpdateLimit >= 0) {
++ if (dataHolder == null) {
++ dataHolder = new MapBackedDataHolder();
++ }
++ dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
++ dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
++ }
++ final DataHolder dh = dataHolder;
+ return new CustomObjectInputStream(new CustomObjectInputStream.StreamCallback() {
+ public Object readFromStream() throws EOFException {
+ if (!reader.hasMoreChildren()) {
+ throw new EOFException();
+ }
+ reader.moveDown();
+- final Object result = unmarshal(reader, null, dataHolder);
++ final Object result = unmarshal(reader, null, dh);
+ reader.moveUp();
+ return result;
+ }
+diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
+index 9447419..f3606f1 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2003, 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018 XStream Committers.
++ * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -13,6 +13,7 @@ package com.thoughtworks.xstream.converters.collections;
+
+ import com.thoughtworks.xstream.converters.MarshallingContext;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+ import com.thoughtworks.xstream.mapper.Mapper;
+@@ -96,7 +97,10 @@ public class CollectionConverter extends AbstractCollectionConverter {
+ protected void addCurrentElementToCollection(HierarchicalStreamReader reader, UnmarshallingContext context,
+ Collection collection, Collection target) {
+ final Object item = readItem(reader, context, collection); // call readBareItem when deprecated method is removed
++
++ long now = System.currentTimeMillis();
+ target.add(item);
++ SecurityUtils.checkForCollectionDoSAttack(context, now);
+ }
+
+ protected Object createCollection(Class type) {
+diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
+index af007f9..f93cec8 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2003, 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018 XStream Committers.
++ * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -13,6 +13,7 @@ package com.thoughtworks.xstream.converters.collections;
+
+ import com.thoughtworks.xstream.converters.MarshallingContext;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+@@ -104,7 +105,10 @@ public class MapConverter extends AbstractCollectionConverter {
+ Map map, Map target) {
+ final Object key = readCompleteItem(reader, context, map);
+ final Object value = readCompleteItem(reader, context, map);
++
++ long now = System.currentTimeMillis();
+ target.put(key, value);
++ SecurityUtils.checkForCollectionDoSAttack(context, now);
+ }
+
+ protected Object createCollection(Class type) {
+diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
+index 4c5ec9c..5902148 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2016, 2018 XStream Committers.
++ * Copyright (C) 2013, 2016, 2018, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -21,6 +21,7 @@ import com.thoughtworks.xstream.converters.SingleValueConverter;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
+ import com.thoughtworks.xstream.converters.collections.MapConverter;
+ import com.thoughtworks.xstream.core.JVM;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.core.util.HierarchicalStreams;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+@@ -339,7 +340,9 @@ public class NamedMapConverter extends MapConverter {
+ value = valueConverter.fromString(reader.getValue());
+ }
+
++ long now = System.currentTimeMillis();
+ target.put(key, value);
++ SecurityUtils.checkForCollectionDoSAttack(context, now);
+
+ if (entryName != null) {
+ reader.moveUp();
+diff --git a/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java b/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
+new file mode 100644
+index 0000000..4462e96
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
+@@ -0,0 +1,57 @@
++/*
++ * Copyright (C) 2021 XStream Committers.
++ * All rights reserved.
++ *
++ * The software in this package is published under the terms of the BSD
++ * style license a copy of which has been included with this distribution in
++ * the LICENSE.txt file.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.core;
++
++import com.thoughtworks.xstream.XStream;
++import com.thoughtworks.xstream.converters.ConversionException;
++import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.security.InputManipulationException;
++
++
++/**
++ * Utility functions for security issues.
++ *
++ * @author Jörg Schaible
++ * @since upcoming
++ */
++public class SecurityUtils {
++
++ /**
++ * Check the consumed time adding elements to collections or maps.
++ *
++ * Every custom converter should call this method after an unmarshalled element has been added to a collection or
++ * map. In case of an attack the operation will take too long, because the calculation of the hash code or the
++ * comparison of the elements in the collection operate on recursive structures.
++ *
++ * @param context the unmarshalling context
++ * @param start the timestamp just before the element was added to the collection or map
++ * @since upcoming
++ */
++ public static void checkForCollectionDoSAttack(final UnmarshallingContext context, final long start) {
++ final int diff = (int)((System.currentTimeMillis() - start) / 1000);
++ if (diff > 0) {
++ final Integer secondsUsed = (Integer)context.get(XStream.COLLECTION_UPDATE_SECONDS);
++ if (secondsUsed != null) {
++ final Integer limit = (Integer)context.get(XStream.COLLECTION_UPDATE_LIMIT);
++ if (limit == null) {
++ throw new ConversionException("Missing limit for updating collections.");
++ }
++ final int seconds = secondsUsed.intValue() + diff;
++ if (seconds > limit.intValue()) {
++ throw new InputManipulationException(
++ "Denial of Service attack assumed. Adding elements to collections or maps exceeds " + limit.intValue() + " seconds.");
++ }
++ context.put(XStream.COLLECTION_UPDATE_SECONDS, new Integer(seconds));
++ }
++ }
++ }
++}
++
+diff --git a/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java b/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
+index 0a5b3dc..ba80a31 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
++++ b/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
+@@ -25,6 +25,7 @@ import com.thoughtworks.xstream.core.util.HierarchicalStreams;
+ import com.thoughtworks.xstream.core.util.PrioritizedList;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.mapper.Mapper;
++import com.thoughtworks.xstream.security.AbstractSecurityException;
+
+
+ public class TreeUnmarshaller implements UnmarshallingContext {
+@@ -73,6 +74,8 @@ public class TreeUnmarshaller implements UnmarshallingContext {
+ } catch (final ConversionException conversionException) {
+ addInformationTo(conversionException, type, converter, parent);
+ throw conversionException;
++ } catch (AbstractSecurityException e) {
++ throw e;
+ } catch (RuntimeException e) {
+ ConversionException conversionException = new ConversionException(e);
+ addInformationTo(conversionException, type, converter, parent);
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java b/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
+index 017fc30..2eded6c 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
++++ b/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
+@@ -1,20 +1,18 @@
+ /*
+- * Copyright (C) 2014 XStream Committers.
++ * Copyright (C) 2014, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * Created on 08. January 2014 by Joerg Schaible
+ */
+ package com.thoughtworks.xstream.security;
+
+-import com.thoughtworks.xstream.XStreamException;
+-
+ /**
+ * Exception thrown for a forbidden class.
+ *
+ * @author Jörg Schaible
+ * @since 1.4.7
+ */
+-public class ForbiddenClassException extends XStreamException {
++public class ForbiddenClassException extends AbstractSecurityException {
+
+ /**
+ * Construct a ForbiddenClassException.
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index f21ea45..1545e40 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -18,12 +18,20 @@ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
+ import java.util.Iterator;
++import java.util.HashMap;
++import java.util.HashSet;
++import java.util.Hashtable;
++import java.util.LinkedHashMap;
++import java.util.LinkedHashSet;
++import java.util.Map;
++import java.util.Set;
+
+ import com.thoughtworks.xstream.XStreamException;
+ import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+ import com.thoughtworks.xstream.security.InputManipulationException;
+
+@@ -59,9 +67,9 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+
+ try {
+ xstream.fromXML(xml);
+- fail("Thrown " + XStreamException.class.getName() + " expected");
+- } catch (final XStreamException e) {
+- assertTrue(e.getMessage().contains(EventHandler.class.getName()));
++ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
+ }
+ assertEquals(0, BUFFER.length());
+ }
+@@ -220,4 +228,140 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
+ }
+ }
++
++ public void testDoSAttackWithHashSet() {
++ final Set set = new HashSet();
++ Set s1 = set;
++ Set s2 = new HashSet();
++ for (int i = 0; i < 30; i++) {
++ final Set t1 = new HashSet();
++ final Set t2 = new HashSet();
++ t1.add("a");
++ t2.add("b");
++ s1.add(t1);
++ s1.add(t2);
++ s2.add(t2);
++ s2.add(t1);
++ s1 = t1;
++ s2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(set);
++ try {
++
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithLinkedHashSet() {
++ final Set set = new LinkedHashSet();
++ Set s1 = set;
++ Set s2 = new LinkedHashSet();
++ for (int i = 0; i < 30; i++) {
++ final Set t1 = new LinkedHashSet();
++ final Set t2 = new LinkedHashSet();
++ t1.add("a");
++ t2.add("b");
++ s1.add(t1);
++ s1.add(t2);
++ s2.add(t2);
++ s2.add(t1);
++ s1 = t1;
++ s2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(set);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithHashMap() {
++ final Map map = new HashMap();
++ Map m1 = map;
++ Map m2 = new HashMap();
++ for (int i = 0; i < 25; i++) {
++ final Map t1 = new HashMap();
++ final Map t2 = new HashMap();
++ t1.put("a", "b");
++ t2.put("c", "d");
++ m1.put(t1, t2);
++ m1.put(t2, t1);
++ m2.put(t2, t1);
++ m2.put(t1, t2);
++ m1 = t1;
++ m2 = t2;
++ }
++ xstream.setCollectionUpdateLimit(5);
++
++ final String xml = xstream.toXML(map);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithLinkedHashMap() {
++ final Map map = new LinkedHashMap();
++ Map m1 = map;
++ Map m2 = new LinkedHashMap();
++ for (int i = 0; i < 25; i++) {
++ final Map t1 = new LinkedHashMap();
++ final Map t2 = new LinkedHashMap();
++ t1.put("a", "b");
++ t2.put("c", "d");
++ m1.put(t1, t2);
++ m1.put(t2, t1);
++ m2.put(t2, t1);
++ m2.put(t1, t2);
++ m1 = t1;
++ m2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(map);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithHashtable() {
++ final Map map = new Hashtable();
++ Map m1 = map;
++ Map m2 = new Hashtable();
++ for (int i = 0; i < 100; i++) {
++ final Map t1 = new Hashtable();
++ final Map t2 = new Hashtable();
++ t1.put("a", "b");
++ t2.put("c", "d");
++ m1.put(t1, t2);
++ m1.put(t2, t1);
++ m2.put(t2, t1);
++ m2.put(t1, t2);
++ m1 = t1;
++ m2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(map);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
+ }
=====================================
debian/patches/0008-CVE-2024-47072.patch
=====================================
@@ -0,0 +1,90 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca at debian.org>
+Date: Sat, 21 Dec 2024 20:41:16 +0000
+Subject: CVE-2024-47072
+
+This vulnerability may allow a remote attacker to terminate the application with a stack
+overflow error resulting in a denial of service only by manipulating the processed
+input stream when XStream is configured to use the BinaryStreamDriver.
+
+origin: backport, https://github.com/x-stream/xstream/commit/c8a939075f99895d76fe49de69d3570a3c401976
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274
+bug-github: https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
+bug: https://x-stream.github.io/CVE-2024-47072.html
+---
+ .../xstream/io/binary/BinaryStreamReader.java | 14 ++++++++++----
+ .../xstream/io/binary/BinaryStreamTest.java | 18 ++++++++++++++++++
+ 2 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+index 2839651..7a7c76c 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.StreamException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+
+ import java.io.DataInputStream;
+ import java.io.IOException;
+@@ -150,14 +151,19 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
+ private Token readToken() {
+ if (pushback == null) {
+ try {
+- Token token = tokenFormatter.read(in);
+- switch (token.getType()) {
++ boolean mapping = false;
++ do {
++ final Token token = tokenFormatter.read(in);
++ switch (token.getType()) {
+ case Token.TYPE_MAP_ID_TO_VALUE:
+ idRegistry.put(token.getId(), token.getValue());
+- return readToken(); // Next one please.
++ mapping ^= true;
++ continue; // Next one please.
+ default:
+ return token;
+- }
++ }
++ } while (mapping);
++ throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
+ } catch (IOException e) {
+ throw new StreamException(e);
+ }
+diff --git a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+index d34962b..0bdccff 100644
+--- a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
++++ b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+@@ -19,9 +19,13 @@ import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest;
+ import com.thoughtworks.xstream.io.xml.Xpp3Driver;
+
+ import java.io.ByteArrayOutputStream;
++import java.io.InputStream;
+ import java.io.StringReader;
+ import java.io.ByteArrayInputStream;
+
++import com.thoughtworks.xstream.security.InputManipulationException;
++
++
+ public class BinaryStreamTest extends AbstractXMLReaderTest {
+
+ private HierarchicalStreamCopier copier = new HierarchicalStreamCopier();
+@@ -89,4 +93,18 @@ public class BinaryStreamTest extends AbstractXMLReaderTest {
+ }
+ }
+
++ @SuppressWarnings("resource")
++ public void testHandleMaliciousInputsOfIdMappingTokens() {
++ // Insert two successive id mapping tokens into the stream
++ final byte[] byteArray = new byte[8];
++ byteArray[0] = byteArray[4] = 10;
++ byteArray[1] = byteArray[5] = -127;
++
++ final InputStream in = new ByteArrayInputStream(byteArray);
++ try {
++ new BinaryStreamReader(in);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ }
++ }
+ }
=====================================
debian/patches/series
=====================================
@@ -4,3 +4,5 @@ enable-security-whitelist-by-default.patch
SecurityVulnerabilityTest.patch
debian-specific-whitelist-extension.patch
CVE-2022-41966.patch
+0007-CVE-2021-43859.patch
+0008-CVE-2024-47072.patch
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/146532f1b36c3f2e9394dce53a31b7b4bb7d586f...c9a036c3cbbd30bdfbc7a88bfadf8020d8e6e7f8
--
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/146532f1b36c3f2e9394dce53a31b7b4bb7d586f...c9a036c3cbbd30bdfbc7a88bfadf8020d8e6e7f8
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20241221/bacac90f/attachment.htm>
More information about the pkg-java-commits
mailing list