[Git][java-team/libxstream-java][buster] 2 commits: CVE-2021-43859
Bastien Roucariès (@rouca)
gitlab at salsa.debian.org
Mon Dec 23 12:22:24 GMT 2024
Bastien Roucariès pushed to branch buster at Debian Java Maintainers / libxstream-java
Commits:
6daaa9f0 by Bastien Roucariès at 2024-12-21T22:33:08+00:00
CVE-2021-43859
Update also CVE-2022-41966
- - - - -
2563aaae by Bastien Roucariès at 2024-12-21T22:40:52+00:00
CVE-2024-47072
- - - - -
5 changed files:
- debian/changelog
- + debian/patches/0007-CVE-2024-47072.patch
- + debian/patches/CVE-2021-43859.patch
- debian/patches/CVE-2022-41966.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,25 @@
+libxstream-java (1.4.11.1-1+deb10u5) buster-security; urgency=medium
+
+ * Team upload by ELTS team
+ * Fix CVE-2021-43859: XStream can cause a Denial of
+ Service by injecting highly recursive collections or maps.
+ The vulnerability may allow a remote attacker to allocate
+ 100% CPU time on the target system depending on CPU type
+ or parallel execution of such a payload resulting in a
+ denial of service only by manipulating the processed
+ input stream.
+ * Fix CVE-2024-47072: XStream is vulnerable to a Denial
+ of Service attack due to stack overflow from a
+ manipulated binary input stream.
+ The vulnerability may allow a remote attacker to
+ terminate the application with a stack overflow error
+ resulting in a denial of service only by manipulating
+ the processed input stream when XStream is configured
+ to use the BinaryStreamDriver.
+ (Closes: #1087274)
+
+ -- Bastien Roucariès <rouca at debian.org> Sat, 21 Dec 2024 22:32:56 +0000
+
libxstream-java (1.4.11.1-1+deb10u4) buster-security; urgency=high
* Team upload.
=====================================
debian/patches/0007-CVE-2024-47072.patch
=====================================
@@ -0,0 +1,90 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca at debian.org>
+Date: Sat, 21 Dec 2024 20:41:16 +0000
+Subject: CVE-2024-47072
+
+This vulnerability may allow a remote attacker to terminate the application with a stack
+overflow error resulting in a denial of service only by manipulating the processed
+input stream when XStream is configured to use the BinaryStreamDriver.
+
+origin: backport, https://github.com/x-stream/xstream/commit/c8a939075f99895d76fe49de69d3570a3c401976
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274
+bug-github: https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
+bug: https://x-stream.github.io/CVE-2024-47072.html
+---
+ .../xstream/io/binary/BinaryStreamReader.java | 14 ++++++++++----
+ .../xstream/io/binary/BinaryStreamTest.java | 18 ++++++++++++++++++
+ 2 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+index 2839651..7a7c76c 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.StreamException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+
+ import java.io.DataInputStream;
+ import java.io.IOException;
+@@ -150,14 +151,19 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
+ private Token readToken() {
+ if (pushback == null) {
+ try {
+- Token token = tokenFormatter.read(in);
+- switch (token.getType()) {
++ boolean mapping = false;
++ do {
++ final Token token = tokenFormatter.read(in);
++ switch (token.getType()) {
+ case Token.TYPE_MAP_ID_TO_VALUE:
+ idRegistry.put(token.getId(), token.getValue());
+- return readToken(); // Next one please.
++ mapping ^= true;
++ continue; // Next one please.
+ default:
+ return token;
+- }
++ }
++ } while (mapping);
++ throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
+ } catch (IOException e) {
+ throw new StreamException(e);
+ }
+diff --git a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+index d34962b..0bdccff 100644
+--- a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
++++ b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+@@ -19,9 +19,13 @@ import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest;
+ import com.thoughtworks.xstream.io.xml.Xpp3Driver;
+
+ import java.io.ByteArrayOutputStream;
++import java.io.InputStream;
+ import java.io.StringReader;
+ import java.io.ByteArrayInputStream;
+
++import com.thoughtworks.xstream.security.InputManipulationException;
++
++
+ public class BinaryStreamTest extends AbstractXMLReaderTest {
+
+ private HierarchicalStreamCopier copier = new HierarchicalStreamCopier();
+@@ -89,4 +93,18 @@ public class BinaryStreamTest extends AbstractXMLReaderTest {
+ }
+ }
+
++ @SuppressWarnings("resource")
++ public void testHandleMaliciousInputsOfIdMappingTokens() {
++ // Insert two successive id mapping tokens into the stream
++ final byte[] byteArray = new byte[8];
++ byteArray[0] = byteArray[4] = 10;
++ byteArray[1] = byteArray[5] = -127;
++
++ final InputStream in = new ByteArrayInputStream(byteArray);
++ try {
++ new BinaryStreamReader(in);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ }
++ }
+ }
=====================================
debian/patches/CVE-2021-43859.patch
=====================================
@@ -0,0 +1,563 @@
+From: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
+Date: Sat, 21 Dec 2024 22:26:25 +0000
+Subject: CVE-2021-43859
+
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java | 42 +++++-
+ .../collections/CollectionConverter.java | 6 +-
+ .../converters/collections/MapConverter.java | 6 +-
+ .../converters/extended/NamedMapConverter.java | 5 +-
+ .../thoughtworks/xstream/core/SecurityUtils.java | 56 ++++++++
+ .../xstream/core/TreeUnmarshaller.java | 3 +
+ .../security/AbstractSecurityException.java | 29 ++++
+ .../xstream/security/ForbiddenClassException.java | 6 +-
+ .../security/InputManipulationException.java | 27 ++++
+ .../acceptance/SecurityVulnerabilityTest.java | 150 ++++++++++++++++++++-
+ 10 files changed, 318 insertions(+), 12 deletions(-)
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index f35d244..bccf8f4 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -153,6 +153,7 @@ import com.thoughtworks.xstream.mapper.SystemAttributeAliasingMapper;
+ import com.thoughtworks.xstream.mapper.XStream11XmlFriendlyMapper;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ArrayTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ import com.thoughtworks.xstream.security.ExplicitTypePermission;
+ import com.thoughtworks.xstream.security.InterfaceTypePermission;
+ import com.thoughtworks.xstream.security.NoPermission;
+@@ -316,6 +317,8 @@ public class XStream {
+
+ // CAUTION: The sequence of the fields is intentional for an optimal XML output of a
+ // self-serialization!
++ private int collectionUpdateLimit = 20;
++
+ private ReflectionProvider reflectionProvider;
+ private HierarchicalStreamDriver hierarchicalStreamDriver;
+ private ClassLoaderReference classLoaderReference;
+@@ -353,6 +356,9 @@ public class XStream {
+ public static final int PRIORITY_LOW = -10;
+ public static final int PRIORITY_VERY_LOW = -20;
+
++ public static final String COLLECTION_UPDATE_LIMIT = "XStreamCollectionUpdateLimit";
++ public static final String COLLECTION_UPDATE_SECONDS = "XStreamCollectionUpdateSeconds";
++
+ private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
+ private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+
+@@ -1258,6 +1264,23 @@ public class XStream {
+ this.marshallingStrategy = marshallingStrategy;
+ }
+
++ /**
++ * Set time limit for adding elements to collections or maps.
++ *
++ * Manipulated content may be used to create recursive hash code calculations or sort operations. An
++ * {@link InputManipulationException} is thrown, it the summed up time to add elements to collections or maps
++ * exceeds the provided limit.
++ *
++ * Note, that the time to add an individual element is calculated in seconds, not milliseconds. However, attacks
++ * typically use objects with exponential growing calculation times.
++ *
++ * @param maxSeconds limit in seconds or 0 to disable check
++ * @since upcoming
++ */
++ public void setCollectionUpdateLimit(int maxSeconds) {
++ collectionUpdateLimit = maxSeconds;
++ }
++
+ /**
+ * Serialize an object to a pretty-printed XML String.
+ *
+@@ -1479,6 +1502,13 @@ public class XStream {
+ */
+ public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder dataHolder) {
+ try {
++ if (collectionUpdateLimit >= 0) {
++ if (dataHolder == null) {
++ dataHolder = new MapBackedDataHolder();
++ }
++ dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
++ dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
++ }
+ if (!securityInitialized && !securityWarningGiven) {
+ securityWarningGiven = true;
+ System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
+@@ -2189,15 +2219,23 @@ public class XStream {
+ * @see #createObjectInputStream(com.thoughtworks.xstream.io.HierarchicalStreamReader)
+ * @since 1.4.10
+ */
+- public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, final DataHolder dataHolder)
++ public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, DataHolder dataHolder)
+ throws IOException {
++ if (collectionUpdateLimit >= 0) {
++ if (dataHolder == null) {
++ dataHolder = new MapBackedDataHolder();
++ }
++ dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
++ dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
++ }
++ final DataHolder dh = dataHolder;
+ return new CustomObjectInputStream(new CustomObjectInputStream.StreamCallback() {
+ public Object readFromStream() throws EOFException {
+ if (!reader.hasMoreChildren()) {
+ throw new EOFException();
+ }
+ reader.moveDown();
+- final Object result = unmarshal(reader, dataHolder);
++ final Object result = unmarshal(reader, dh);
+ reader.moveUp();
+ return result;
+ }
+diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
+index 9447419..f3606f1 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2003, 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018 XStream Committers.
++ * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -13,6 +13,7 @@ package com.thoughtworks.xstream.converters.collections;
+
+ import com.thoughtworks.xstream.converters.MarshallingContext;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+ import com.thoughtworks.xstream.mapper.Mapper;
+@@ -96,7 +97,10 @@ public class CollectionConverter extends AbstractCollectionConverter {
+ protected void addCurrentElementToCollection(HierarchicalStreamReader reader, UnmarshallingContext context,
+ Collection collection, Collection target) {
+ final Object item = readItem(reader, context, collection); // call readBareItem when deprecated method is removed
++
++ long now = System.currentTimeMillis();
+ target.add(item);
++ SecurityUtils.checkForCollectionDoSAttack(context, now);
+ }
+
+ protected Object createCollection(Class type) {
+diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
+index af007f9..f93cec8 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2003, 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018 XStream Committers.
++ * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -13,6 +13,7 @@ package com.thoughtworks.xstream.converters.collections;
+
+ import com.thoughtworks.xstream.converters.MarshallingContext;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+@@ -104,7 +105,10 @@ public class MapConverter extends AbstractCollectionConverter {
+ Map map, Map target) {
+ final Object key = readCompleteItem(reader, context, map);
+ final Object value = readCompleteItem(reader, context, map);
++
++ long now = System.currentTimeMillis();
+ target.put(key, value);
++ SecurityUtils.checkForCollectionDoSAttack(context, now);
+ }
+
+ protected Object createCollection(Class type) {
+diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
+index 4c5ec9c..5902148 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2016, 2018 XStream Committers.
++ * Copyright (C) 2013, 2016, 2018, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -21,6 +21,7 @@ import com.thoughtworks.xstream.converters.SingleValueConverter;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
+ import com.thoughtworks.xstream.converters.collections.MapConverter;
+ import com.thoughtworks.xstream.core.JVM;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.core.util.HierarchicalStreams;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+@@ -339,7 +340,9 @@ public class NamedMapConverter extends MapConverter {
+ value = valueConverter.fromString(reader.getValue());
+ }
+
++ long now = System.currentTimeMillis();
+ target.put(key, value);
++ SecurityUtils.checkForCollectionDoSAttack(context, now);
+
+ if (entryName != null) {
+ reader.moveUp();
+diff --git a/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java b/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
+new file mode 100644
+index 0000000..0eedd52
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
+@@ -0,0 +1,56 @@
++/*
++ * Copyright (C) 2021 XStream Committers.
++ * All rights reserved.
++ *
++ * The software in this package is published under the terms of the BSD
++ * style license a copy of which has been included with this distribution in
++ * the LICENSE.txt file.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.core;
++
++import com.thoughtworks.xstream.XStream;
++import com.thoughtworks.xstream.converters.ConversionException;
++import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.security.InputManipulationException;
++
++
++/**
++ * Utility functions for security issues.
++ *
++ * @author Jörg Schaible
++ * @since upcoming
++ */
++public class SecurityUtils {
++
++ /**
++ * Check the consumed time adding elements to collections or maps.
++ *
++ * Every custom converter should call this method after an unmarshalled element has been added to a collection or
++ * map. In case of an attack the operation will take too long, because the calculation of the hash code or the
++ * comparison of the elements in the collection operate on recursive structures.
++ *
++ * @param context the unmarshalling context
++ * @param start the timestamp just before the element was added to the collection or map
++ * @since upcoming
++ */
++ public static void checkForCollectionDoSAttack(final UnmarshallingContext context, final long start) {
++ final int diff = (int)((System.currentTimeMillis() - start) / 1000);
++ if (diff > 0) {
++ final Integer secondsUsed = (Integer)context.get(XStream.COLLECTION_UPDATE_SECONDS);
++ if (secondsUsed != null) {
++ final Integer limit = (Integer)context.get(XStream.COLLECTION_UPDATE_LIMIT);
++ if (limit == null) {
++ throw new ConversionException("Missing limit for updating collections.");
++ }
++ final int seconds = secondsUsed.intValue() + diff;
++ if (seconds > limit.intValue()) {
++ throw new InputManipulationException(
++ "Denial of Service attack assumed. Adding elements to collections or maps exceeds " + limit.intValue() + " seconds.");
++ }
++ context.put(XStream.COLLECTION_UPDATE_SECONDS, new Integer(seconds));
++ }
++ }
++ }
++}
+diff --git a/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java b/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
+index 0a5b3dc..ba80a31 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
++++ b/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
+@@ -25,6 +25,7 @@ import com.thoughtworks.xstream.core.util.HierarchicalStreams;
+ import com.thoughtworks.xstream.core.util.PrioritizedList;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.mapper.Mapper;
++import com.thoughtworks.xstream.security.AbstractSecurityException;
+
+
+ public class TreeUnmarshaller implements UnmarshallingContext {
+@@ -73,6 +74,8 @@ public class TreeUnmarshaller implements UnmarshallingContext {
+ } catch (final ConversionException conversionException) {
+ addInformationTo(conversionException, type, converter, parent);
+ throw conversionException;
++ } catch (AbstractSecurityException e) {
++ throw e;
+ } catch (RuntimeException e) {
+ ConversionException conversionException = new ConversionException(e);
+ addInformationTo(conversionException, type, converter, parent);
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+new file mode 100644
+index 0000000..3ca6309
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2021 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++import com.thoughtworks.xstream.XStreamException;
++
++
++/**
++ * General base class for a Security Exception in XStream.
++ *
++ * @author Jörg Schaible
++ * @since upcoming
++ */
++public abstract class AbstractSecurityException extends XStreamException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since upcoming
++ */
++ public AbstractSecurityException(final String message) {
++ super(message);
++ }
++}
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java b/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
+index 017fc30..2eded6c 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
++++ b/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
+@@ -1,20 +1,18 @@
+ /*
+- * Copyright (C) 2014 XStream Committers.
++ * Copyright (C) 2014, 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * Created on 08. January 2014 by Joerg Schaible
+ */
+ package com.thoughtworks.xstream.security;
+
+-import com.thoughtworks.xstream.XStreamException;
+-
+ /**
+ * Exception thrown for a forbidden class.
+ *
+ * @author Jörg Schaible
+ * @since 1.4.7
+ */
+-public class ForbiddenClassException extends XStreamException {
++public class ForbiddenClassException extends AbstractSecurityException {
+
+ /**
+ * Construct a ForbiddenClassException.
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+new file mode 100644
+index 0000000..2d87f66
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+@@ -0,0 +1,27 @@
++/*
++ * Copyright (C) 2021 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++
++/**
++ * Class for a Security Exception assuming input manipulation in XStream.
++ *
++ * @author Jörg Schaible
++ * @since upcoming
++ */
++public class InputManipulationException extends AbstractSecurityException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since upcoming
++ */
++ public InputManipulationException(final String message) {
++ super(message);
++ }
++}
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index d387bcd..8201295 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -18,12 +18,20 @@ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
+ import java.util.Iterator;
++import java.util.HashMap;
++import java.util.HashSet;
++import java.util.Hashtable;
++import java.util.LinkedHashMap;
++import java.util.LinkedHashSet;
++import java.util.Map;
++import java.util.Set;
+
+ import com.thoughtworks.xstream.XStreamException;
+ import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+
+
+@@ -57,9 +65,9 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+
+ try {
+ xstream.fromXML(xml);
+- fail("Thrown " + XStreamException.class.getName() + " expected");
+- } catch (final XStreamException e) {
+- assertTrue(e.getMessage().contains(EventHandler.class.getName()));
++ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
+ }
+ assertEquals(0, BUFFER.length());
+ }
+@@ -187,4 +195,140 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+ }
+ }
++
++ public void testDoSAttackWithHashSet() {
++ final Set set = new HashSet();
++ Set s1 = set;
++ Set s2 = new HashSet();
++ for (int i = 0; i < 30; i++) {
++ final Set t1 = new HashSet();
++ final Set t2 = new HashSet();
++ t1.add("a");
++ t2.add("b");
++ s1.add(t1);
++ s1.add(t2);
++ s2.add(t2);
++ s2.add(t1);
++ s1 = t1;
++ s2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(set);
++ try {
++
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithLinkedHashSet() {
++ final Set set = new LinkedHashSet();
++ Set s1 = set;
++ Set s2 = new LinkedHashSet();
++ for (int i = 0; i < 30; i++) {
++ final Set t1 = new LinkedHashSet();
++ final Set t2 = new LinkedHashSet();
++ t1.add("a");
++ t2.add("b");
++ s1.add(t1);
++ s1.add(t2);
++ s2.add(t2);
++ s2.add(t1);
++ s1 = t1;
++ s2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(set);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithHashMap() {
++ final Map map = new HashMap();
++ Map m1 = map;
++ Map m2 = new HashMap();
++ for (int i = 0; i < 25; i++) {
++ final Map t1 = new HashMap();
++ final Map t2 = new HashMap();
++ t1.put("a", "b");
++ t2.put("c", "d");
++ m1.put(t1, t2);
++ m1.put(t2, t1);
++ m2.put(t2, t1);
++ m2.put(t1, t2);
++ m1 = t1;
++ m2 = t2;
++ }
++ xstream.setCollectionUpdateLimit(5);
++
++ final String xml = xstream.toXML(map);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithLinkedHashMap() {
++ final Map map = new LinkedHashMap();
++ Map m1 = map;
++ Map m2 = new LinkedHashMap();
++ for (int i = 0; i < 25; i++) {
++ final Map t1 = new LinkedHashMap();
++ final Map t2 = new LinkedHashMap();
++ t1.put("a", "b");
++ t2.put("c", "d");
++ m1.put(t1, t2);
++ m1.put(t2, t1);
++ m2.put(t2, t1);
++ m2.put(t1, t2);
++ m1 = t1;
++ m2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(map);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
++
++ public void testDoSAttackWithHashtable() {
++ final Map map = new Hashtable();
++ Map m1 = map;
++ Map m2 = new Hashtable();
++ for (int i = 0; i < 100; i++) {
++ final Map t1 = new Hashtable();
++ final Map t2 = new Hashtable();
++ t1.put("a", "b");
++ t2.put("c", "d");
++ m1.put(t1, t2);
++ m1.put(t2, t1);
++ m2.put(t2, t1);
++ m2.put(t1, t2);
++ m1 = t1;
++ m2 = t2;
++ }
++
++ xstream.setCollectionUpdateLimit(5);
++ final String xml = xstream.toXML(map);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++ }
++ }
+ }
=====================================
debian/patches/CVE-2022-41966.patch
=====================================
@@ -1,23 +1,19 @@
From: Markus Koschany <apo at debian.org>
-Date: Wed, 11 Jan 2023 14:49:56 +0100
+Date: Mon, 16 Jan 2023 09:27:04 +0100
Subject: CVE-2022-41966
Bug-Debian: https://bugs.debian.org/1027754
Origin: https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391
---
.../src/java/com/thoughtworks/xstream/XStream.java | 9 ++++--
- .../security/AbstractSecurityException.java | 29 ++++++++++++++++++
- .../security/InputManipulationException.java | 27 +++++++++++++++++
.../acceptance/SecurityVulnerabilityTest.java | 35 +++++++++++++++++++++-
- 4 files changed, 96 insertions(+), 4 deletions(-)
- create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
- create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+ 2 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index f35d244..792272c 100644
+index bccf8f4..e8e1409 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -163,6 +163,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
+@@ -164,6 +164,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
import com.thoughtworks.xstream.security.TypeHierarchyPermission;
import com.thoughtworks.xstream.security.TypePermission;
import com.thoughtworks.xstream.security.WildcardTypePermission;
@@ -25,7 +21,7 @@ index f35d244..792272c 100644
/**
-@@ -1483,9 +1484,11 @@ public class XStream {
+@@ -1513,9 +1514,11 @@ public class XStream {
securityWarningGiven = true;
System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
}
@@ -40,76 +36,8 @@ index f35d244..792272c 100644
} catch (ConversionException e) {
Package pkg = getClass().getPackage();
String version = pkg != null ? pkg.getImplementationVersion() : null;
-diff --git a/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
-new file mode 100644
-index 0000000..777765a
---- /dev/null
-+++ b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
-@@ -0,0 +1,29 @@
-+/*
-+ * Copyright (C) 2021, 2022 XStream Committers.
-+ * All rights reserved.
-+ *
-+ * Created on 21. September 2021 by Joerg Schaible
-+ */
-+package com.thoughtworks.xstream.security;
-+
-+import com.thoughtworks.xstream.XStreamException;
-+
-+
-+/**
-+ * General base class for a Security Exception in XStream.
-+ *
-+ * @author Jörg Schaible
-+ * @since 1.4.19
-+ */
-+public abstract class AbstractSecurityException extends XStreamException {
-+ private static final long serialVersionUID = 20210921L;
-+
-+ /**
-+ * Constructs a SecurityException.
-+ * @param message the exception message
-+ * @since 1.4.19
-+ */
-+ public AbstractSecurityException(final String message) {
-+ super(message);
-+ }
-+}
-diff --git a/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
-new file mode 100644
-index 0000000..80f492c
---- /dev/null
-+++ b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
-@@ -0,0 +1,27 @@
-+/*
-+ * Copyright (C) 2021, 2022 XStream Committers.
-+ * All rights reserved.
-+ *
-+ * Created on 21. September 2021 by Joerg Schaible
-+ */
-+package com.thoughtworks.xstream.security;
-+
-+
-+/**
-+ * Class for a Security Exception assuming input manipulation in XStream.
-+ *
-+ * @author Jörg Schaible
-+ * @since 1.4.19
-+ */
-+public class InputManipulationException extends AbstractSecurityException {
-+ private static final long serialVersionUID = 20210921L;
-+
-+ /**
-+ * Constructs a SecurityException.
-+ * @param message the exception message
-+ * @since 1.4.19
-+ */
-+ public InputManipulationException(final String message) {
-+ super(message);
-+ }
-+}
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index d387bcd..f21ea45 100644
+index 8201295..2f722ec 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
@@ -119,17 +47,17 @@ index d387bcd..f21ea45 100644
* All rights reserved.
*
* The software in this package is published under the terms of the BSD
-@@ -25,6 +25,8 @@ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
- import com.thoughtworks.xstream.security.AnyTypePermission;
+@@ -33,6 +33,8 @@ import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.InputManipulationException;
import com.thoughtworks.xstream.security.ProxyTypePermission;
+import com.thoughtworks.xstream.security.InputManipulationException;
+
/**
-@@ -187,4 +189,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+@@ -331,4 +333,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
}
}
+
=====================================
debian/patches/series
=====================================
@@ -2,4 +2,6 @@
enable-security-whitelist-by-default.patch
SecurityVulnerabilityTest.patch
debian-specific-whitelist-extension.patch
+CVE-2021-43859.patch
CVE-2022-41966.patch
+0007-CVE-2024-47072.patch
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/e6c1f198ba762e83ed908e13c67ddf2bc089b728...2563aaae63cc122376c61f1adf52ef4454d7b773
--
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/e6c1f198ba762e83ed908e13c67ddf2bc089b728...2563aaae63cc122376c61f1adf52ef4454d7b773
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20241223/549a33be/attachment.htm>
More information about the pkg-java-commits
mailing list