[Git][java-team/libxstream-java][jessie] Import Debian changes 1.4.11.1-1+deb8u7

Markus Koschany (@apo) gitlab at salsa.debian.org
Tue Apr 22 21:31:59 BST 2025



Markus Koschany pushed to branch jessie at Debian Java Maintainers / libxstream-java


Commits:
b7d0667b by Markus Koschany at 2025-04-22T22:31:42+02:00
Import Debian changes 1.4.11.1-1+deb8u7

libxstream-java (1.4.11.1-1+deb8u7) jessie-security; urgency=high
.
  * Non-maintainer upload by the ELTS team.
  * Fix CVE-2024-47072:
    XStream is a simple library to serialize objects to XML and back again.
    This vulnerability may allow a remote attacker to terminate the application
    with a stack overflow error resulting in a denial of service only by
    manipulating the processed input stream when XStream is configured to use
    the BinaryStreamDriver. XStream has been patched to detect the
    manipulation in the binary input stream causing the stack overflow and
    raises an InputManipulationException instead.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2024-47072.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+libxstream-java (1.4.11.1-1+deb8u7) jessie-security; urgency=high
+
+  * Non-maintainer upload by the ELTS team.
+  * Fix CVE-2024-47072:
+    XStream is a simple library to serialize objects to XML and back again.
+    This vulnerability may allow a remote attacker to terminate the application
+    with a stack overflow error resulting in a denial of service only by
+    manipulating the processed input stream when XStream is configured to use
+    the BinaryStreamDriver. XStream has been patched to detect the
+    manipulation in the binary input stream causing the the stack overflow and
+    raises an InputManipulationException instead.
+
+ -- Markus Koschany <apo at debian.org>  Tue, 22 Apr 2025 08:29:26 +0200
+
 libxstream-java (1.4.11.1-1+deb8u6) jessie-security; urgency=high
 
   * Non-maintainer upload by the ELTS team.


=====================================
debian/patches/CVE-2024-47072.patch
=====================================
@@ -0,0 +1,92 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 9 Apr 2025 17:37:27 +0200
+Subject: CVE-2024-47072
+
+Bug-Debian: https://bugs.debian.org/1087274
+Origin: https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a
+---
+ .../xstream/io/binary/BinaryStreamReader.java          | 18 ++++++++++++------
+ .../xstream/io/binary/BinaryStreamTest.java            | 15 +++++++++++++++
+ 2 files changed, 27 insertions(+), 6 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+index 2839651..cd870cd 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright (C) 2006 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2011, 2013 XStream Committers.
++ * Copyright (C) 2006, 2007, 2011, 2013, 2024 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.StreamException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ 
+ import java.io.DataInputStream;
+ import java.io.IOException;
+@@ -150,15 +151,20 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
+     private Token readToken() {
+         if (pushback == null) {
+             try {
+-                Token token = tokenFormatter.read(in);
+-                switch (token.getType()) {
++                boolean mapping = false;
++                do {
++                    final Token token = tokenFormatter.read(in);
++                    switch (token.getType()) {
+                     case Token.TYPE_MAP_ID_TO_VALUE:
+                         idRegistry.put(token.getId(), token.getValue());
+-                        return readToken(); // Next one please.
++                        mapping ^= true;
++                        continue; // Next one please.
+                     default:
+                         return token;
+-                }
+-            } catch (IOException e) {
++                    }
++                } while (mapping);
++                throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
++            } catch (final IOException e) {
+                 throw new StreamException(e);
+             }
+         } else {
+diff --git a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+index d34962b..e78289f 100644
+--- a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
++++ b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+@@ -17,10 +17,12 @@ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+ import com.thoughtworks.xstream.io.copy.HierarchicalStreamCopier;
+ import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest;
+ import com.thoughtworks.xstream.io.xml.Xpp3Driver;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ 
+ import java.io.ByteArrayOutputStream;
+ import java.io.StringReader;
+ import java.io.ByteArrayInputStream;
++import java.io.InputStream;
+ 
+ public class BinaryStreamTest extends AbstractXMLReaderTest {
+ 
+@@ -89,4 +91,17 @@ public class BinaryStreamTest extends AbstractXMLReaderTest {
+         }
+     }
+ 
++    public void testHandleMaliciousInputsOfIdMappingTokens() {
++        // Insert two successive id mapping tokens into the stream
++        final byte[] byteArray = new byte[8];
++        byteArray[0] = byteArray[4] = 10;
++        byteArray[1] = byteArray[5] = -127;
++
++        final InputStream in = new ByteArrayInputStream(byteArray);
++        try {
++            new BinaryStreamReader(in);
++            fail("Thrown " + InputManipulationException.class.getName() + " expected");
++        } catch (final InputManipulationException e) {
++        }
++    }
+ }
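Review bot: The bound in the new readToken() body is expressed indirectly: `mapping ^= true` toggles the flag back to false on the second consecutive TYPE_MAP_ID_TO_VALUE token so that `while (mapping)` exits and control falls through to the `throw`, and the second token's id/value pair has already been stored via `idRegistry.put` by the time the InputManipulationException is raised. A guard inside the case states the limit directly and fails before the registry is touched: `if (mapping) { throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence"); }` followed by `mapping = true;`, after which the loop condition can become `while (true)` and the trailing throw dropped. The visible change is otherwise sound: the unbounded recursion is replaced by a loop that reads at most two tokens, and the exception is not an IOException so the existing `catch` does not swallow it. The `else` (pushback) branch of readToken() continues outside the hunk, and the test's empty catch of the expected exception would read better with the variable named `ignored`.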


=====================================
debian/patches/series
=====================================
@@ -5,3 +5,4 @@ debian-specific-whitelist-extension.patch
 CVE-2021-43859.patch
 CVE-2022-41966.patch
 profile.patch
+CVE-2024-47072.patch


