[Git][java-team/libxstream-java][buster] 2 commits: CVE-2021-43859

Bastien Roucariès (@rouca) gitlab at salsa.debian.org
Mon Dec 23 12:22:24 GMT 2024



Bastien Roucariès pushed to branch buster at Debian Java Maintainers / libxstream-java


Commits:
6daaa9f0 by Bastien Roucariès at 2024-12-21T22:33:08+00:00
CVE-2021-43859

Update also CVE-2022-41966

- - - - -
2563aaae by Bastien Roucariès at 2024-12-21T22:40:52+00:00
CVE-2024-47072

- - - - -


5 changed files:

- debian/changelog
- + debian/patches/0007-CVE-2024-47072.patch
- + debian/patches/CVE-2021-43859.patch
- debian/patches/CVE-2022-41966.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,25 @@
+libxstream-java (1.4.11.1-1+deb10u5) buster-security; urgency=medium
+
+  * Team upload by ELTS team
+  * Fix CVE-2021-43859: XStream can cause a Denial of
+    Service by injecting highly recursive collections or maps.
+    The vulnerability may allow a remote attacker to allocate
+    100% CPU time on the target system depending on CPU type
+    or parallel execution of such a payload resulting in a
+    denial of service only by manipulating the processed
+    input stream.
+  * Fix CVE-2024-47072: XStream is vulnerable to a Denial
+    of Service attack due to stack overflow from a
+    manipulated binary input stream.
+    The vulnerability may allow a remote attacker to
+    terminate the application with a stack overflow error
+    resulting in a denial of service only by manipulating
+    the processed input stream when XStream is configured
+    to use the BinaryStreamDriver.
+    (Closes: #1087274)
+
+ -- Bastien Roucariès <rouca at debian.org>  Sat, 21 Dec 2024 22:32:56 +0000
+
 libxstream-java (1.4.11.1-1+deb10u4) buster-security; urgency=high
 
   * Team upload.


=====================================
debian/patches/0007-CVE-2024-47072.patch
=====================================
@@ -0,0 +1,90 @@
+From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca at debian.org>
+Date: Sat, 21 Dec 2024 20:41:16 +0000
+Subject: CVE-2024-47072
+
+This vulnerability may allow a remote attacker to terminate the application with a stack
+overflow error resulting in a denial of service only by manipulating the processed
+input stream when XStream is configured to use the BinaryStreamDriver.
+
+origin: backport, https://github.com/x-stream/xstream/commit/c8a939075f99895d76fe49de69d3570a3c401976
+bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274
+bug-github: https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
+bug: https://x-stream.github.io/CVE-2024-47072.html
+---
+ .../xstream/io/binary/BinaryStreamReader.java          | 14 ++++++++++----
+ .../xstream/io/binary/BinaryStreamTest.java            | 18 ++++++++++++++++++
+ 2 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+index 2839651..7a7c76c 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.StreamException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ 
+ import java.io.DataInputStream;
+ import java.io.IOException;
+@@ -150,14 +151,19 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
+     private Token readToken() {
+         if (pushback == null) {
+             try {
+-                Token token = tokenFormatter.read(in);
+-                switch (token.getType()) {
++                boolean mapping = false;
++                do {
++                    final Token token = tokenFormatter.read(in);
++                    switch (token.getType()) {
+                     case Token.TYPE_MAP_ID_TO_VALUE:
+                         idRegistry.put(token.getId(), token.getValue());
+-                        return readToken(); // Next one please.
++                        mapping ^= true;
++                        continue; // Next one please.
+                     default:
+                         return token;
+-                }
++                    }
++                } while (mapping);
++                throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
+             } catch (IOException e) {
+                 throw new StreamException(e);
+             }
+diff --git a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+index d34962b..0bdccff 100644
+--- a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
++++ b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+@@ -19,9 +19,13 @@ import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest;
+ import com.thoughtworks.xstream.io.xml.Xpp3Driver;
+ 
+ import java.io.ByteArrayOutputStream;
++import java.io.InputStream;
+ import java.io.StringReader;
+ import java.io.ByteArrayInputStream;
+ 
++import com.thoughtworks.xstream.security.InputManipulationException;
++
++
+ public class BinaryStreamTest extends AbstractXMLReaderTest {
+ 
+     private HierarchicalStreamCopier copier = new HierarchicalStreamCopier();
+@@ -89,4 +93,18 @@ public class BinaryStreamTest extends AbstractXMLReaderTest {
+         }
+     }
+ 
++    @SuppressWarnings("resource")
++    public void testHandleMaliciousInputsOfIdMappingTokens() {
++        // Insert two successive id mapping tokens into the stream
++        final byte[] byteArray = new byte[8];
++        byteArray[0] = byteArray[4] = 10;
++        byteArray[1] = byteArray[5] = -127;
++
++        final InputStream in = new ByteArrayInputStream(byteArray);
++        try {
++            new BinaryStreamReader(in);
++            fail("Thrown " + InputManipulationException.class.getName() + " expected");
++        } catch (final InputManipulationException e) {
++        }
++    }
+ }


=====================================
debian/patches/CVE-2021-43859.patch
=====================================
@@ -0,0 +1,563 @@
+From: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
+Date: Sat, 21 Dec 2024 22:26:25 +0000
+Subject: CVE-2021-43859
+
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java |  42 +++++-
+ .../collections/CollectionConverter.java           |   6 +-
+ .../converters/collections/MapConverter.java       |   6 +-
+ .../converters/extended/NamedMapConverter.java     |   5 +-
+ .../thoughtworks/xstream/core/SecurityUtils.java   |  56 ++++++++
+ .../xstream/core/TreeUnmarshaller.java             |   3 +
+ .../security/AbstractSecurityException.java        |  29 ++++
+ .../xstream/security/ForbiddenClassException.java  |   6 +-
+ .../security/InputManipulationException.java       |  27 ++++
+ .../acceptance/SecurityVulnerabilityTest.java      | 150 ++++++++++++++++++++-
+ 10 files changed, 318 insertions(+), 12 deletions(-)
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index f35d244..bccf8f4 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -153,6 +153,7 @@ import com.thoughtworks.xstream.mapper.SystemAttributeAliasingMapper;
+ import com.thoughtworks.xstream.mapper.XStream11XmlFriendlyMapper;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ArrayTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ import com.thoughtworks.xstream.security.ExplicitTypePermission;
+ import com.thoughtworks.xstream.security.InterfaceTypePermission;
+ import com.thoughtworks.xstream.security.NoPermission;
+@@ -316,6 +317,8 @@ public class XStream {
+ 
+     // CAUTION: The sequence of the fields is intentional for an optimal XML output of a
+     // self-serialization!
++    private int collectionUpdateLimit = 20;
++
+     private ReflectionProvider reflectionProvider;
+     private HierarchicalStreamDriver hierarchicalStreamDriver;
+     private ClassLoaderReference classLoaderReference;
+@@ -353,6 +356,9 @@ public class XStream {
+     public static final int PRIORITY_LOW = -10;
+     public static final int PRIORITY_VERY_LOW = -20;
+ 
++    public static final String COLLECTION_UPDATE_LIMIT = "XStreamCollectionUpdateLimit";
++    public static final String COLLECTION_UPDATE_SECONDS = "XStreamCollectionUpdateSeconds";
++
+     private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
+     private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+ 
+@@ -1258,6 +1264,23 @@ public class XStream {
+         this.marshallingStrategy = marshallingStrategy;
+     }
+ 
++    /**
++     * Set time limit for adding elements to collections or maps.
++     * 
++     * Manipulated content may be used to create recursive hash code calculations or sort operations. An
++     * {@link InputManipulationException} is thrown, it the summed up time to add elements to collections or maps
++     * exceeds the provided limit.
++     * 
++     * Note, that the time to add an individual element is calculated in seconds, not milliseconds. However, attacks
++     * typically use objects with exponential growing calculation times.
++     * 
++     * @param maxSeconds limit in seconds or 0 to disable check
++     * @since upcoming
++     */
++    public void setCollectionUpdateLimit(int maxSeconds) {
++        collectionUpdateLimit = maxSeconds;
++    }
++
+     /**
+      * Serialize an object to a pretty-printed XML String.
+      *
+@@ -1479,6 +1502,13 @@ public class XStream {
+      */
+     public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder dataHolder) {
+         try {
++            if (collectionUpdateLimit >= 0) {
++                if (dataHolder == null) {
++                    dataHolder = new MapBackedDataHolder();
++                }
++                dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
++                dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
++            }
+             if (!securityInitialized && !securityWarningGiven) {
+                 securityWarningGiven = true;
+                 System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
+@@ -2189,15 +2219,23 @@ public class XStream {
+      * @see #createObjectInputStream(com.thoughtworks.xstream.io.HierarchicalStreamReader)
+      * @since 1.4.10
+      */
+-    public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, final DataHolder dataHolder)
++    public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, DataHolder dataHolder)
+             throws IOException {
++        if (collectionUpdateLimit >= 0) {
++            if (dataHolder == null) {
++                dataHolder = new MapBackedDataHolder();
++            }
++            dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
++            dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
++        }
++        final DataHolder dh = dataHolder;
+         return new CustomObjectInputStream(new CustomObjectInputStream.StreamCallback() {
+             public Object readFromStream() throws EOFException {
+                 if (!reader.hasMoreChildren()) {
+                     throw new EOFException();
+                 }
+                 reader.moveDown();
+-                final Object result = unmarshal(reader, dataHolder);
++                final Object result = unmarshal(reader, dh);
+                 reader.moveUp();
+                 return result;
+             }
+diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
+index 9447419..f3606f1 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright (C) 2003, 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018 XStream Committers.
++ * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018, 2021 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+@@ -13,6 +13,7 @@ package com.thoughtworks.xstream.converters.collections;
+ 
+ import com.thoughtworks.xstream.converters.MarshallingContext;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+ import com.thoughtworks.xstream.mapper.Mapper;
+@@ -96,7 +97,10 @@ public class CollectionConverter extends AbstractCollectionConverter {
+     protected void addCurrentElementToCollection(HierarchicalStreamReader reader, UnmarshallingContext context,
+         Collection collection, Collection target) {
+         final Object item = readItem(reader, context, collection); // call readBareItem when deprecated method is removed
++
++        long now = System.currentTimeMillis();
+         target.add(item);
++        SecurityUtils.checkForCollectionDoSAttack(context, now);
+     }
+ 
+     protected Object createCollection(Class type) {
+diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
+index af007f9..f93cec8 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright (C) 2003, 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018 XStream Committers.
++ * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018, 2021 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+@@ -13,6 +13,7 @@ package com.thoughtworks.xstream.converters.collections;
+ 
+ import com.thoughtworks.xstream.converters.MarshallingContext;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+@@ -104,7 +105,10 @@ public class MapConverter extends AbstractCollectionConverter {
+         Map map, Map target) {
+         final Object key = readCompleteItem(reader, context, map);
+         final Object value = readCompleteItem(reader, context, map);
++
++        long now = System.currentTimeMillis();
+         target.put(key, value);
++        SecurityUtils.checkForCollectionDoSAttack(context, now);
+     }
+ 
+     protected Object createCollection(Class type) {
+diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
+index 4c5ec9c..5902148 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2016, 2018 XStream Committers.
++ * Copyright (C) 2013, 2016, 2018, 2021 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+@@ -21,6 +21,7 @@ import com.thoughtworks.xstream.converters.SingleValueConverter;
+ import com.thoughtworks.xstream.converters.UnmarshallingContext;
+ import com.thoughtworks.xstream.converters.collections.MapConverter;
+ import com.thoughtworks.xstream.core.JVM;
++import com.thoughtworks.xstream.core.SecurityUtils;
+ import com.thoughtworks.xstream.core.util.HierarchicalStreams;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+@@ -339,7 +340,9 @@ public class NamedMapConverter extends MapConverter {
+                 value = valueConverter.fromString(reader.getValue());
+             }
+ 
++            long now = System.currentTimeMillis();
+             target.put(key, value);
++            SecurityUtils.checkForCollectionDoSAttack(context, now);
+ 
+             if (entryName != null) {
+                 reader.moveUp();
+diff --git a/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java b/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
+new file mode 100644
+index 0000000..0eedd52
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
+@@ -0,0 +1,56 @@
++/*
++ * Copyright (C) 2021 XStream Committers.
++ * All rights reserved.
++ *
++ * The software in this package is published under the terms of the BSD
++ * style license a copy of which has been included with this distribution in
++ * the LICENSE.txt file.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.core;
++
++import com.thoughtworks.xstream.XStream;
++import com.thoughtworks.xstream.converters.ConversionException;
++import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.security.InputManipulationException;
++
++
++/**
++ * Utility functions for security issues.
++ *
++ * @author Jörg Schaible
++ * @since upcoming
++ */
++public class SecurityUtils {
++
++    /**
++     * Check the consumed time adding elements to collections or maps.
++     * 
++     * Every custom converter should call this method after an unmarshalled element has been added to a collection or
++     * map. In case of an attack the operation will take too long, because the calculation of the hash code or the
++     * comparison of the elements in the collection operate on recursive structures.  
++     * 
++     * @param context the unmarshalling context
++     * @param start the timestamp just before the element was added to the collection or map
++     * @since upcoming
++     */
++    public static void checkForCollectionDoSAttack(final UnmarshallingContext context, final long start) {
++        final int diff = (int)((System.currentTimeMillis() - start) / 1000);
++        if (diff > 0) {
++            final Integer secondsUsed = (Integer)context.get(XStream.COLLECTION_UPDATE_SECONDS);
++            if (secondsUsed != null) {
++                final Integer limit = (Integer)context.get(XStream.COLLECTION_UPDATE_LIMIT);
++                if (limit == null) {
++                    throw new ConversionException("Missing limit for updating collections.");
++                }
++                final int seconds = secondsUsed.intValue() + diff;
++                if (seconds > limit.intValue()) {
++                    throw new InputManipulationException(
++                        "Denial of Service attack assumed. Adding elements to collections or maps exceeds " + limit.intValue() + " seconds.");
++                }
++                context.put(XStream.COLLECTION_UPDATE_SECONDS, new Integer(seconds));
++            }
++        }
++    }
++}
+diff --git a/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java b/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
+index 0a5b3dc..ba80a31 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
++++ b/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
+@@ -25,6 +25,7 @@ import com.thoughtworks.xstream.core.util.HierarchicalStreams;
+ import com.thoughtworks.xstream.core.util.PrioritizedList;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.mapper.Mapper;
++import com.thoughtworks.xstream.security.AbstractSecurityException;
+ 
+ 
+ public class TreeUnmarshaller implements UnmarshallingContext {
+@@ -73,6 +74,8 @@ public class TreeUnmarshaller implements UnmarshallingContext {
+         } catch (final ConversionException conversionException) {
+             addInformationTo(conversionException, type, converter, parent);
+             throw conversionException;
++        } catch (AbstractSecurityException e) {
++            throw e;
+         } catch (RuntimeException e) {
+             ConversionException conversionException = new ConversionException(e);
+             addInformationTo(conversionException, type, converter, parent);
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+new file mode 100644
+index 0000000..3ca6309
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2021 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++import com.thoughtworks.xstream.XStreamException;
++
++
++/**
++ * General base class for a Security Exception in XStream.
++ * 
++ * @author Jörg Schaible
++ * @since upcoming
++ */
++public abstract class AbstractSecurityException extends XStreamException {
++    private static final long serialVersionUID = 20210921L;
++
++    /**
++     * Constructs a SecurityException.
++     * @param message the exception message
++     * @since upcoming
++     */
++    public AbstractSecurityException(final String message) {
++        super(message);
++    }
++}
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java b/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
+index 017fc30..2eded6c 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
++++ b/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
+@@ -1,20 +1,18 @@
+ /*
+- * Copyright (C) 2014 XStream Committers.
++ * Copyright (C) 2014, 2021 XStream Committers.
+  * All rights reserved.
+  *
+  * Created on 08. January 2014 by Joerg Schaible
+  */
+ package com.thoughtworks.xstream.security;
+ 
+-import com.thoughtworks.xstream.XStreamException;
+-
+ /**
+  * Exception thrown for a forbidden class.
+  * 
+  * @author Jörg Schaible
+  * @since 1.4.7
+  */
+-public class ForbiddenClassException extends XStreamException {
++public class ForbiddenClassException extends AbstractSecurityException {
+ 
+     /**
+      * Construct a ForbiddenClassException.
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+new file mode 100644
+index 0000000..2d87f66
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+@@ -0,0 +1,27 @@
++/*
++ * Copyright (C) 2021 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++
++/**
++ * Class for a Security Exception assuming input manipulation in XStream.
++ * 
++ * @author Jörg Schaible
++ * @since upcoming
++ */
++public class InputManipulationException extends AbstractSecurityException {
++    private static final long serialVersionUID = 20210921L;
++
++    /**
++     * Constructs a SecurityException.
++     * @param message the exception message
++     * @since upcoming
++     */
++    public InputManipulationException(final String message) {
++        super(message);
++    }
++}
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index d387bcd..8201295 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -18,12 +18,20 @@ import java.io.IOException;
+ import java.io.InputStream;
+ import java.io.OutputStream;
+ import java.util.Iterator;
++import java.util.HashMap;
++import java.util.HashSet;
++import java.util.Hashtable;
++import java.util.LinkedHashMap;
++import java.util.LinkedHashSet;
++import java.util.Map;
++import java.util.Set;
+ 
+ import com.thoughtworks.xstream.XStreamException;
+ import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+ 
+ 
+@@ -57,9 +65,9 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ 
+         try {
+             xstream.fromXML(xml);
+-            fail("Thrown " + XStreamException.class.getName() + " expected");
+-        } catch (final XStreamException e) {
+-            assertTrue(e.getMessage().contains(EventHandler.class.getName()));
++            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++        } catch (final ForbiddenClassException e) {
++            // OK
+         }
+         assertEquals(0, BUFFER.length());
+     }
+@@ -187,4 +195,140 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+             assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+         }
+     }
++
++    public void testDoSAttackWithHashSet() {
++        final Set set = new HashSet();
++        Set s1 = set;
++        Set s2 = new HashSet();
++        for (int i = 0; i < 30; i++) {
++            final Set t1 = new HashSet();
++            final Set t2 = new HashSet();
++            t1.add("a");
++            t2.add("b");
++            s1.add(t1);
++            s1.add(t2);
++            s2.add(t2);
++            s2.add(t1);
++            s1 = t1;
++            s2 = t2;
++        }
++
++        xstream.setCollectionUpdateLimit(5);
++        final String xml = xstream.toXML(set);
++        try {
++            
++            xstream.fromXML(xml);
++            fail("Thrown " + InputManipulationException.class.getName() + " expected");
++        } catch (final InputManipulationException e) {
++            assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++        }
++    }
++
++    public void testDoSAttackWithLinkedHashSet() {
++        final Set set = new LinkedHashSet();
++        Set s1 = set;
++        Set s2 = new LinkedHashSet();
++        for (int i = 0; i < 30; i++) {
++            final Set t1 = new LinkedHashSet();
++            final Set t2 = new LinkedHashSet();
++            t1.add("a");
++            t2.add("b");
++            s1.add(t1);
++            s1.add(t2);
++            s2.add(t2);
++            s2.add(t1);
++            s1 = t1;
++            s2 = t2;
++        }
++
++        xstream.setCollectionUpdateLimit(5);
++        final String xml = xstream.toXML(set);
++        try {
++            xstream.fromXML(xml);
++            fail("Thrown " + InputManipulationException.class.getName() + " expected");
++        } catch (final InputManipulationException e) {
++            assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++        }
++    }
++
++    public void testDoSAttackWithHashMap() {
++        final Map map = new HashMap();
++        Map m1 = map;
++        Map m2 = new HashMap();
++        for (int i = 0; i < 25; i++) {
++            final Map t1 = new HashMap();
++            final Map t2 = new HashMap();
++            t1.put("a", "b");
++            t2.put("c", "d");
++            m1.put(t1, t2);
++            m1.put(t2, t1);
++            m2.put(t2, t1);
++            m2.put(t1, t2);
++            m1 = t1;
++            m2 = t2;
++        }
++        xstream.setCollectionUpdateLimit(5);
++
++        final String xml = xstream.toXML(map);
++        try {
++            xstream.fromXML(xml);
++            fail("Thrown " + InputManipulationException.class.getName() + " expected");
++        } catch (InputManipulationException e) {
++            assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++        }
++    }
++
++    public void testDoSAttackWithLinkedHashMap() {
++        final Map map = new LinkedHashMap();
++        Map m1 = map;
++        Map m2 = new LinkedHashMap();
++        for (int i = 0; i < 25; i++) {
++            final Map t1 = new LinkedHashMap();
++            final Map t2 = new LinkedHashMap();
++            t1.put("a", "b");
++            t2.put("c", "d");
++            m1.put(t1, t2);
++            m1.put(t2, t1);
++            m2.put(t2, t1);
++            m2.put(t1, t2);
++            m1 = t1;
++            m2 = t2;
++        }
++
++        xstream.setCollectionUpdateLimit(5);
++        final String xml = xstream.toXML(map);
++        try {
++            xstream.fromXML(xml);
++            fail("Thrown " + InputManipulationException.class.getName() + " expected");
++        } catch (final InputManipulationException e) {
++            assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++        }
++    }
++
++    public void testDoSAttackWithHashtable() {
++        final Map map = new Hashtable();
++        Map m1 = map;
++        Map m2 = new Hashtable();
++        for (int i = 0; i < 100; i++) {
++            final Map t1 = new Hashtable();
++            final Map t2 = new Hashtable();
++            t1.put("a", "b");
++            t2.put("c", "d");
++            m1.put(t1, t2);
++            m1.put(t2, t1);
++            m2.put(t2, t1);
++            m2.put(t1, t2);
++            m1 = t1;
++            m2 = t2;
++        }
++
++        xstream.setCollectionUpdateLimit(5);
++        final String xml = xstream.toXML(map);
++        try {
++            xstream.fromXML(xml);
++            fail("Thrown " + InputManipulationException.class.getName() + " expected");
++        } catch (final InputManipulationException e) {
++            assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
++        }
++    }
+ }


=====================================
debian/patches/CVE-2022-41966.patch
=====================================
@@ -1,23 +1,19 @@
 From: Markus Koschany <apo at debian.org>
-Date: Wed, 11 Jan 2023 14:49:56 +0100
+Date: Mon, 16 Jan 2023 09:27:04 +0100
 Subject: CVE-2022-41966
 
 Bug-Debian: https://bugs.debian.org/1027754
 Origin: https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391
 ---
  .../src/java/com/thoughtworks/xstream/XStream.java |  9 ++++--
- .../security/AbstractSecurityException.java        | 29 ++++++++++++++++++
- .../security/InputManipulationException.java       | 27 +++++++++++++++++
  .../acceptance/SecurityVulnerabilityTest.java      | 35 +++++++++++++++++++++-
- 4 files changed, 96 insertions(+), 4 deletions(-)
- create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
- create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+ 2 files changed, 40 insertions(+), 4 deletions(-)
 
 diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index f35d244..792272c 100644
+index bccf8f4..e8e1409 100644
 --- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
 +++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -163,6 +163,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
+@@ -164,6 +164,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
  import com.thoughtworks.xstream.security.TypeHierarchyPermission;
  import com.thoughtworks.xstream.security.TypePermission;
  import com.thoughtworks.xstream.security.WildcardTypePermission;
@@ -25,7 +21,7 @@ index f35d244..792272c 100644
  
  
  /**
-@@ -1483,9 +1484,11 @@ public class XStream {
+@@ -1513,9 +1514,11 @@ public class XStream {
                  securityWarningGiven = true;
                  System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
              }
@@ -40,76 +36,8 @@ index f35d244..792272c 100644
          } catch (ConversionException e) {
              Package pkg = getClass().getPackage();
              String version = pkg != null ? pkg.getImplementationVersion() : null;
-diff --git a/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
-new file mode 100644
-index 0000000..777765a
---- /dev/null
-+++ b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
-@@ -0,0 +1,29 @@
-+/*
-+ * Copyright (C) 2021, 2022 XStream Committers.
-+ * All rights reserved.
-+ *
-+ * Created on 21. September 2021 by Joerg Schaible
-+ */
-+package com.thoughtworks.xstream.security;
-+
-+import com.thoughtworks.xstream.XStreamException;
-+
-+
-+/**
-+ * General base class for a Security Exception in XStream.
-+ * 
-+ * @author Jörg Schaible
-+ * @since 1.4.19
-+ */
-+public abstract class AbstractSecurityException extends XStreamException {
-+    private static final long serialVersionUID = 20210921L;
-+
-+    /**
-+     * Constructs a SecurityException.
-+     * @param message the exception message
-+     * @since 1.4.19
-+     */
-+    public AbstractSecurityException(final String message) {
-+        super(message);
-+    }
-+}
-diff --git a/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
-new file mode 100644
-index 0000000..80f492c
---- /dev/null
-+++ b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
-@@ -0,0 +1,27 @@
-+/*
-+ * Copyright (C) 2021, 2022 XStream Committers.
-+ * All rights reserved.
-+ *
-+ * Created on 21. September 2021 by Joerg Schaible
-+ */
-+package com.thoughtworks.xstream.security;
-+
-+
-+/**
-+ * Class for a Security Exception assuming input manipulation in XStream.
-+ * 
-+ * @author Jörg Schaible
-+ * @since 1.4.19
-+ */
-+public class InputManipulationException extends AbstractSecurityException {
-+    private static final long serialVersionUID = 20210921L;
-+
-+    /**
-+     * Constructs a SecurityException.
-+     * @param message the exception message
-+     * @since 1.4.19
-+     */
-+    public InputManipulationException(final String message) {
-+        super(message);
-+    }
-+}
 diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index d387bcd..f21ea45 100644
+index 8201295..2f722ec 100644
 --- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
 +++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
 @@ -1,5 +1,5 @@
@@ -119,17 +47,17 @@ index d387bcd..f21ea45 100644
   * All rights reserved.
   *
   * The software in this package is published under the terms of the BSD
-@@ -25,6 +25,8 @@ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
- import com.thoughtworks.xstream.security.AnyTypePermission;
+@@ -33,6 +33,8 @@ import com.thoughtworks.xstream.security.AnyTypePermission;
  import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.InputManipulationException;
  import com.thoughtworks.xstream.security.ProxyTypePermission;
 +import com.thoughtworks.xstream.security.InputManipulationException;
 +
  
  
  /**
-@@ -187,4 +189,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-             assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+@@ -331,4 +333,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+             assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
          }
      }
 +


=====================================
debian/patches/series
=====================================
@@ -2,4 +2,6 @@
 enable-security-whitelist-by-default.patch
 SecurityVulnerabilityTest.patch
 debian-specific-whitelist-extension.patch
+CVE-2021-43859.patch
 CVE-2022-41966.patch
+0007-CVE-2024-47072.patch



View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/e6c1f198ba762e83ed908e13c67ddf2bc089b728...2563aaae63cc122376c61f1adf52ef4454d7b773

-- 
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/e6c1f198ba762e83ed908e13c67ddf2bc089b728...2563aaae63cc122376c61f1adf52ef4454d7b773
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20241223/549a33be/attachment.htm>


More information about the pkg-java-commits mailing list