[Git][java-team/libxstream-java][buster] Import Debian changes 1.4.11.1-1+deb10u5
Markus Koschany (@apo)
gitlab at salsa.debian.org
Tue Apr 22 21:31:57 BST 2025
Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java
Commits:
113ff6cd by Markus Koschany at 2025-04-22T22:29:47+02:00
Import Debian changes 1.4.11.1-1+deb10u5
libxstream-java (1.4.11.1-1+deb10u5) buster-security; urgency=high
.
* Team upload.
* Fix CVE-2024-47072:
XStream is a simple library to serialize objects to XML and back again.
This vulnerability may allow a remote attacker to terminate the application
with a stack overflow error resulting in a denial of service only by
manipulating the processed input stream when XStream is configured to use
the BinaryStreamDriver. XStream has been patched to detect the
manipulation in the binary input stream causing the the stack overflow and
raises an InputManipulationException instead.
- - - - -
5 changed files:
- debian/changelog
- − debian/patches/CVE-2021-43859.patch
- debian/patches/CVE-2022-41966.patch
- debian/patches/0007-CVE-2024-47072.patch → debian/patches/CVE-2024-47072.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,24 +1,16 @@
-libxstream-java (1.4.11.1-1+deb10u5) buster-security; urgency=medium
-
- * Team upload by ELTS team
- * Fix CVE-2021-43859: XStream can cause a Denial of
- Service by injecting highly recursive collections or maps.
- The vulnerability may allow a remote attacker to allocate
- 100% CPU time on the target system depending on CPU type
- or parallel execution of such a payload resulting in a
- denial of service only by manipulating the processed
- input stream.
- * Fix CVE-2024-47072: XStream is vulnerable to a Denial
- of Service attack due to stack overflow from a
- manipulated binary input stream.
- The vulnerability may allow a remote attacker to
- terminate the application with a stack overflow error
- resulting in a denial of service only by manipulating
- the processed input stream when XStream is configured
- to use the BinaryStreamDriver.
- (Closes: #1087274)
-
- -- Bastien Roucariès <rouca at debian.org> Sat, 21 Dec 2024 22:32:56 +0000
+libxstream-java (1.4.11.1-1+deb10u5) buster-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2024-47072:
+ XStream is a simple library to serialize objects to XML and back again.
+ This vulnerability may allow a remote attacker to terminate the application
+ with a stack overflow error resulting in a denial of service only by
+ manipulating the processed input stream when XStream is configured to use
+ the BinaryStreamDriver. XStream has been patched to detect the
+ manipulation in the binary input stream causing the the stack overflow and
+ raises an InputManipulationException instead.
+
+ -- Markus Koschany <apo at debian.org> Tue, 22 Apr 2025 07:45:44 +0200
libxstream-java (1.4.11.1-1+deb10u4) buster-security; urgency=high
=====================================
debian/patches/CVE-2021-43859.patch deleted
=====================================
@@ -1,563 +0,0 @@
-From: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
-Date: Sat, 21 Dec 2024 22:26:25 +0000
-Subject: CVE-2021-43859
-
----
- .../src/java/com/thoughtworks/xstream/XStream.java | 42 +++++-
- .../collections/CollectionConverter.java | 6 +-
- .../converters/collections/MapConverter.java | 6 +-
- .../converters/extended/NamedMapConverter.java | 5 +-
- .../thoughtworks/xstream/core/SecurityUtils.java | 56 ++++++++
- .../xstream/core/TreeUnmarshaller.java | 3 +
- .../security/AbstractSecurityException.java | 29 ++++
- .../xstream/security/ForbiddenClassException.java | 6 +-
- .../security/InputManipulationException.java | 27 ++++
- .../acceptance/SecurityVulnerabilityTest.java | 150 ++++++++++++++++++++-
- 10 files changed, 318 insertions(+), 12 deletions(-)
- create mode 100644 xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
- create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
- create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
-
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index f35d244..bccf8f4 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -153,6 +153,7 @@ import com.thoughtworks.xstream.mapper.SystemAttributeAliasingMapper;
- import com.thoughtworks.xstream.mapper.XStream11XmlFriendlyMapper;
- import com.thoughtworks.xstream.security.AnyTypePermission;
- import com.thoughtworks.xstream.security.ArrayTypePermission;
-+import com.thoughtworks.xstream.security.InputManipulationException;
- import com.thoughtworks.xstream.security.ExplicitTypePermission;
- import com.thoughtworks.xstream.security.InterfaceTypePermission;
- import com.thoughtworks.xstream.security.NoPermission;
-@@ -316,6 +317,8 @@ public class XStream {
-
- // CAUTION: The sequence of the fields is intentional for an optimal XML output of a
- // self-serialization!
-+ private int collectionUpdateLimit = 20;
-+
- private ReflectionProvider reflectionProvider;
- private HierarchicalStreamDriver hierarchicalStreamDriver;
- private ClassLoaderReference classLoaderReference;
-@@ -353,6 +356,9 @@ public class XStream {
- public static final int PRIORITY_LOW = -10;
- public static final int PRIORITY_VERY_LOW = -20;
-
-+ public static final String COLLECTION_UPDATE_LIMIT = "XStreamCollectionUpdateLimit";
-+ public static final String COLLECTION_UPDATE_SECONDS = "XStreamCollectionUpdateSeconds";
-+
- private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
- private static final Pattern IGNORE_ALL = Pattern.compile(".*");
-
-@@ -1258,6 +1264,23 @@ public class XStream {
- this.marshallingStrategy = marshallingStrategy;
- }
-
-+ /**
-+ * Set time limit for adding elements to collections or maps.
-+ *
-+ * Manipulated content may be used to create recursive hash code calculations or sort operations. An
-+ * {@link InputManipulationException} is thrown, it the summed up time to add elements to collections or maps
-+ * exceeds the provided limit.
-+ *
-+ * Note, that the time to add an individual element is calculated in seconds, not milliseconds. However, attacks
-+ * typically use objects with exponential growing calculation times.
-+ *
-+ * @param maxSeconds limit in seconds or 0 to disable check
-+ * @since upcoming
-+ */
-+ public void setCollectionUpdateLimit(int maxSeconds) {
-+ collectionUpdateLimit = maxSeconds;
-+ }
-+
- /**
- * Serialize an object to a pretty-printed XML String.
- *
-@@ -1479,6 +1502,13 @@ public class XStream {
- */
- public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder dataHolder) {
- try {
-+ if (collectionUpdateLimit >= 0) {
-+ if (dataHolder == null) {
-+ dataHolder = new MapBackedDataHolder();
-+ }
-+ dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
-+ dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
-+ }
- if (!securityInitialized && !securityWarningGiven) {
- securityWarningGiven = true;
- System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
-@@ -2189,15 +2219,23 @@ public class XStream {
- * @see #createObjectInputStream(com.thoughtworks.xstream.io.HierarchicalStreamReader)
- * @since 1.4.10
- */
-- public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, final DataHolder dataHolder)
-+ public ObjectInputStream createObjectInputStream(final HierarchicalStreamReader reader, DataHolder dataHolder)
- throws IOException {
-+ if (collectionUpdateLimit >= 0) {
-+ if (dataHolder == null) {
-+ dataHolder = new MapBackedDataHolder();
-+ }
-+ dataHolder.put(COLLECTION_UPDATE_LIMIT, new Integer(collectionUpdateLimit));
-+ dataHolder.put(COLLECTION_UPDATE_SECONDS, new Integer(0));
-+ }
-+ final DataHolder dh = dataHolder;
- return new CustomObjectInputStream(new CustomObjectInputStream.StreamCallback() {
- public Object readFromStream() throws EOFException {
- if (!reader.hasMoreChildren()) {
- throw new EOFException();
- }
- reader.moveDown();
-- final Object result = unmarshal(reader, dataHolder);
-+ final Object result = unmarshal(reader, dh);
- reader.moveUp();
- return result;
- }
-diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
-index 9447419..f3606f1 100644
---- a/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/converters/collections/CollectionConverter.java
-@@ -1,6 +1,6 @@
- /*
- * Copyright (C) 2003, 2004, 2005 Joe Walnes.
-- * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018 XStream Committers.
-+ * Copyright (C) 2006, 2007, 2010, 2011, 2013, 2018, 2021 XStream Committers.
- * All rights reserved.
- *
- * The software in this package is published under the terms of the BSD
-@@ -13,6 +13,7 @@ package com.thoughtworks.xstream.converters.collections;
-
- import com.thoughtworks.xstream.converters.MarshallingContext;
- import com.thoughtworks.xstream.converters.UnmarshallingContext;
-+import com.thoughtworks.xstream.core.SecurityUtils;
- import com.thoughtworks.xstream.io.HierarchicalStreamReader;
- import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
- import com.thoughtworks.xstream.mapper.Mapper;
-@@ -96,7 +97,10 @@ public class CollectionConverter extends AbstractCollectionConverter {
- protected void addCurrentElementToCollection(HierarchicalStreamReader reader, UnmarshallingContext context,
- Collection collection, Collection target) {
- final Object item = readItem(reader, context, collection); // call readBareItem when deprecated method is removed
-+
-+ long now = System.currentTimeMillis();
- target.add(item);
-+ SecurityUtils.checkForCollectionDoSAttack(context, now);
- }
-
- protected Object createCollection(Class type) {
-diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
-index af007f9..f93cec8 100644
---- a/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/converters/collections/MapConverter.java
-@@ -1,6 +1,6 @@
- /*
- * Copyright (C) 2003, 2004, 2005 Joe Walnes.
-- * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018 XStream Committers.
-+ * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2012, 2013, 2018, 2021 XStream Committers.
- * All rights reserved.
- *
- * The software in this package is published under the terms of the BSD
-@@ -13,6 +13,7 @@ package com.thoughtworks.xstream.converters.collections;
-
- import com.thoughtworks.xstream.converters.MarshallingContext;
- import com.thoughtworks.xstream.converters.UnmarshallingContext;
-+import com.thoughtworks.xstream.core.SecurityUtils;
- import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
- import com.thoughtworks.xstream.io.HierarchicalStreamReader;
- import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
-@@ -104,7 +105,10 @@ public class MapConverter extends AbstractCollectionConverter {
- Map map, Map target) {
- final Object key = readCompleteItem(reader, context, map);
- final Object value = readCompleteItem(reader, context, map);
-+
-+ long now = System.currentTimeMillis();
- target.put(key, value);
-+ SecurityUtils.checkForCollectionDoSAttack(context, now);
- }
-
- protected Object createCollection(Class type) {
-diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java b/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
-index 4c5ec9c..5902148 100644
---- a/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/converters/extended/NamedMapConverter.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (C) 2013, 2016, 2018 XStream Committers.
-+ * Copyright (C) 2013, 2016, 2018, 2021 XStream Committers.
- * All rights reserved.
- *
- * The software in this package is published under the terms of the BSD
-@@ -21,6 +21,7 @@ import com.thoughtworks.xstream.converters.SingleValueConverter;
- import com.thoughtworks.xstream.converters.UnmarshallingContext;
- import com.thoughtworks.xstream.converters.collections.MapConverter;
- import com.thoughtworks.xstream.core.JVM;
-+import com.thoughtworks.xstream.core.SecurityUtils;
- import com.thoughtworks.xstream.core.util.HierarchicalStreams;
- import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamWriterHelper;
- import com.thoughtworks.xstream.io.HierarchicalStreamReader;
-@@ -339,7 +340,9 @@ public class NamedMapConverter extends MapConverter {
- value = valueConverter.fromString(reader.getValue());
- }
-
-+ long now = System.currentTimeMillis();
- target.put(key, value);
-+ SecurityUtils.checkForCollectionDoSAttack(context, now);
-
- if (entryName != null) {
- reader.moveUp();
-diff --git a/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java b/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
-new file mode 100644
-index 0000000..0eedd52
---- /dev/null
-+++ b/xstream/src/java/com/thoughtworks/xstream/core/SecurityUtils.java
-@@ -0,0 +1,56 @@
-+/*
-+ * Copyright (C) 2021 XStream Committers.
-+ * All rights reserved.
-+ *
-+ * The software in this package is published under the terms of the BSD
-+ * style license a copy of which has been included with this distribution in
-+ * the LICENSE.txt file.
-+ *
-+ * Created on 21. September 2021 by Joerg Schaible
-+ */
-+package com.thoughtworks.xstream.core;
-+
-+import com.thoughtworks.xstream.XStream;
-+import com.thoughtworks.xstream.converters.ConversionException;
-+import com.thoughtworks.xstream.converters.UnmarshallingContext;
-+import com.thoughtworks.xstream.security.InputManipulationException;
-+
-+
-+/**
-+ * Utility functions for security issues.
-+ *
-+ * @author Jörg Schaible
-+ * @since upcoming
-+ */
-+public class SecurityUtils {
-+
-+ /**
-+ * Check the consumed time adding elements to collections or maps.
-+ *
-+ * Every custom converter should call this method after an unmarshalled element has been added to a collection or
-+ * map. In case of an attack the operation will take too long, because the calculation of the hash code or the
-+ * comparison of the elements in the collection operate on recursive structures.
-+ *
-+ * @param context the unmarshalling context
-+ * @param start the timestamp just before the element was added to the collection or map
-+ * @since upcoming
-+ */
-+ public static void checkForCollectionDoSAttack(final UnmarshallingContext context, final long start) {
-+ final int diff = (int)((System.currentTimeMillis() - start) / 1000);
-+ if (diff > 0) {
-+ final Integer secondsUsed = (Integer)context.get(XStream.COLLECTION_UPDATE_SECONDS);
-+ if (secondsUsed != null) {
-+ final Integer limit = (Integer)context.get(XStream.COLLECTION_UPDATE_LIMIT);
-+ if (limit == null) {
-+ throw new ConversionException("Missing limit for updating collections.");
-+ }
-+ final int seconds = secondsUsed.intValue() + diff;
-+ if (seconds > limit.intValue()) {
-+ throw new InputManipulationException(
-+ "Denial of Service attack assumed. Adding elements to collections or maps exceeds " + limit.intValue() + " seconds.");
-+ }
-+ context.put(XStream.COLLECTION_UPDATE_SECONDS, new Integer(seconds));
-+ }
-+ }
-+ }
-+}
-diff --git a/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java b/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
-index 0a5b3dc..ba80a31 100644
---- a/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/core/TreeUnmarshaller.java
-@@ -25,6 +25,7 @@ import com.thoughtworks.xstream.core.util.HierarchicalStreams;
- import com.thoughtworks.xstream.core.util.PrioritizedList;
- import com.thoughtworks.xstream.io.HierarchicalStreamReader;
- import com.thoughtworks.xstream.mapper.Mapper;
-+import com.thoughtworks.xstream.security.AbstractSecurityException;
-
-
- public class TreeUnmarshaller implements UnmarshallingContext {
-@@ -73,6 +74,8 @@ public class TreeUnmarshaller implements UnmarshallingContext {
- } catch (final ConversionException conversionException) {
- addInformationTo(conversionException, type, converter, parent);
- throw conversionException;
-+ } catch (AbstractSecurityException e) {
-+ throw e;
- } catch (RuntimeException e) {
- ConversionException conversionException = new ConversionException(e);
- addInformationTo(conversionException, type, converter, parent);
-diff --git a/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
-new file mode 100644
-index 0000000..3ca6309
---- /dev/null
-+++ b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
-@@ -0,0 +1,29 @@
-+/*
-+ * Copyright (C) 2021 XStream Committers.
-+ * All rights reserved.
-+ *
-+ * Created on 21. September 2021 by Joerg Schaible
-+ */
-+package com.thoughtworks.xstream.security;
-+
-+import com.thoughtworks.xstream.XStreamException;
-+
-+
-+/**
-+ * General base class for a Security Exception in XStream.
-+ *
-+ * @author Jörg Schaible
-+ * @since upcoming
-+ */
-+public abstract class AbstractSecurityException extends XStreamException {
-+ private static final long serialVersionUID = 20210921L;
-+
-+ /**
-+ * Constructs a SecurityException.
-+ * @param message the exception message
-+ * @since upcoming
-+ */
-+ public AbstractSecurityException(final String message) {
-+ super(message);
-+ }
-+}
-diff --git a/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java b/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
-index 017fc30..2eded6c 100644
---- a/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/security/ForbiddenClassException.java
-@@ -1,20 +1,18 @@
- /*
-- * Copyright (C) 2014 XStream Committers.
-+ * Copyright (C) 2014, 2021 XStream Committers.
- * All rights reserved.
- *
- * Created on 08. January 2014 by Joerg Schaible
- */
- package com.thoughtworks.xstream.security;
-
--import com.thoughtworks.xstream.XStreamException;
--
- /**
- * Exception thrown for a forbidden class.
- *
- * @author Jörg Schaible
- * @since 1.4.7
- */
--public class ForbiddenClassException extends XStreamException {
-+public class ForbiddenClassException extends AbstractSecurityException {
-
- /**
- * Construct a ForbiddenClassException.
-diff --git a/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
-new file mode 100644
-index 0000000..2d87f66
---- /dev/null
-+++ b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
-@@ -0,0 +1,27 @@
-+/*
-+ * Copyright (C) 2021 XStream Committers.
-+ * All rights reserved.
-+ *
-+ * Created on 21. September 2021 by Joerg Schaible
-+ */
-+package com.thoughtworks.xstream.security;
-+
-+
-+/**
-+ * Class for a Security Exception assuming input manipulation in XStream.
-+ *
-+ * @author Jörg Schaible
-+ * @since upcoming
-+ */
-+public class InputManipulationException extends AbstractSecurityException {
-+ private static final long serialVersionUID = 20210921L;
-+
-+ /**
-+ * Constructs a SecurityException.
-+ * @param message the exception message
-+ * @since upcoming
-+ */
-+ public InputManipulationException(final String message) {
-+ super(message);
-+ }
-+}
-diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index d387bcd..8201295 100644
---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-@@ -18,12 +18,20 @@ import java.io.IOException;
- import java.io.InputStream;
- import java.io.OutputStream;
- import java.util.Iterator;
-+import java.util.HashMap;
-+import java.util.HashSet;
-+import java.util.Hashtable;
-+import java.util.LinkedHashMap;
-+import java.util.LinkedHashSet;
-+import java.util.Map;
-+import java.util.Set;
-
- import com.thoughtworks.xstream.XStreamException;
- import com.thoughtworks.xstream.converters.ConversionException;
- import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
- import com.thoughtworks.xstream.security.AnyTypePermission;
- import com.thoughtworks.xstream.security.ForbiddenClassException;
-+import com.thoughtworks.xstream.security.InputManipulationException;
- import com.thoughtworks.xstream.security.ProxyTypePermission;
-
-
-@@ -57,9 +65,9 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-
- try {
- xstream.fromXML(xml);
-- fail("Thrown " + XStreamException.class.getName() + " expected");
-- } catch (final XStreamException e) {
-- assertTrue(e.getMessage().contains(EventHandler.class.getName()));
-+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-+ } catch (final ForbiddenClassException e) {
-+ // OK
- }
- assertEquals(0, BUFFER.length());
- }
-@@ -187,4 +195,140 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
- }
- }
-+
-+ public void testDoSAttackWithHashSet() {
-+ final Set set = new HashSet();
-+ Set s1 = set;
-+ Set s2 = new HashSet();
-+ for (int i = 0; i < 30; i++) {
-+ final Set t1 = new HashSet();
-+ final Set t2 = new HashSet();
-+ t1.add("a");
-+ t2.add("b");
-+ s1.add(t1);
-+ s1.add(t2);
-+ s2.add(t2);
-+ s2.add(t1);
-+ s1 = t1;
-+ s2 = t2;
-+ }
-+
-+ xstream.setCollectionUpdateLimit(5);
-+ final String xml = xstream.toXML(set);
-+ try {
-+
-+ xstream.fromXML(xml);
-+ fail("Thrown " + InputManipulationException.class.getName() + " expected");
-+ } catch (final InputManipulationException e) {
-+ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
-+ }
-+ }
-+
-+ public void testDoSAttackWithLinkedHashSet() {
-+ final Set set = new LinkedHashSet();
-+ Set s1 = set;
-+ Set s2 = new LinkedHashSet();
-+ for (int i = 0; i < 30; i++) {
-+ final Set t1 = new LinkedHashSet();
-+ final Set t2 = new LinkedHashSet();
-+ t1.add("a");
-+ t2.add("b");
-+ s1.add(t1);
-+ s1.add(t2);
-+ s2.add(t2);
-+ s2.add(t1);
-+ s1 = t1;
-+ s2 = t2;
-+ }
-+
-+ xstream.setCollectionUpdateLimit(5);
-+ final String xml = xstream.toXML(set);
-+ try {
-+ xstream.fromXML(xml);
-+ fail("Thrown " + InputManipulationException.class.getName() + " expected");
-+ } catch (final InputManipulationException e) {
-+ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
-+ }
-+ }
-+
-+ public void testDoSAttackWithHashMap() {
-+ final Map map = new HashMap();
-+ Map m1 = map;
-+ Map m2 = new HashMap();
-+ for (int i = 0; i < 25; i++) {
-+ final Map t1 = new HashMap();
-+ final Map t2 = new HashMap();
-+ t1.put("a", "b");
-+ t2.put("c", "d");
-+ m1.put(t1, t2);
-+ m1.put(t2, t1);
-+ m2.put(t2, t1);
-+ m2.put(t1, t2);
-+ m1 = t1;
-+ m2 = t2;
-+ }
-+ xstream.setCollectionUpdateLimit(5);
-+
-+ final String xml = xstream.toXML(map);
-+ try {
-+ xstream.fromXML(xml);
-+ fail("Thrown " + InputManipulationException.class.getName() + " expected");
-+ } catch (InputManipulationException e) {
-+ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
-+ }
-+ }
-+
-+ public void testDoSAttackWithLinkedHashMap() {
-+ final Map map = new LinkedHashMap();
-+ Map m1 = map;
-+ Map m2 = new LinkedHashMap();
-+ for (int i = 0; i < 25; i++) {
-+ final Map t1 = new LinkedHashMap();
-+ final Map t2 = new LinkedHashMap();
-+ t1.put("a", "b");
-+ t2.put("c", "d");
-+ m1.put(t1, t2);
-+ m1.put(t2, t1);
-+ m2.put(t2, t1);
-+ m2.put(t1, t2);
-+ m1 = t1;
-+ m2 = t2;
-+ }
-+
-+ xstream.setCollectionUpdateLimit(5);
-+ final String xml = xstream.toXML(map);
-+ try {
-+ xstream.fromXML(xml);
-+ fail("Thrown " + InputManipulationException.class.getName() + " expected");
-+ } catch (final InputManipulationException e) {
-+ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
-+ }
-+ }
-+
-+ public void testDoSAttackWithHashtable() {
-+ final Map map = new Hashtable();
-+ Map m1 = map;
-+ Map m2 = new Hashtable();
-+ for (int i = 0; i < 100; i++) {
-+ final Map t1 = new Hashtable();
-+ final Map t2 = new Hashtable();
-+ t1.put("a", "b");
-+ t2.put("c", "d");
-+ m1.put(t1, t2);
-+ m1.put(t2, t1);
-+ m2.put(t2, t1);
-+ m2.put(t1, t2);
-+ m1 = t1;
-+ m2 = t2;
-+ }
-+
-+ xstream.setCollectionUpdateLimit(5);
-+ final String xml = xstream.toXML(map);
-+ try {
-+ xstream.fromXML(xml);
-+ fail("Thrown " + InputManipulationException.class.getName() + " expected");
-+ } catch (final InputManipulationException e) {
-+ assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
-+ }
-+ }
- }
=====================================
debian/patches/CVE-2022-41966.patch
=====================================
@@ -1,19 +1,23 @@
From: Markus Koschany <apo at debian.org>
-Date: Mon, 16 Jan 2023 09:27:04 +0100
+Date: Wed, 11 Jan 2023 14:49:56 +0100
Subject: CVE-2022-41966
Bug-Debian: https://bugs.debian.org/1027754
Origin: https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391
---
.../src/java/com/thoughtworks/xstream/XStream.java | 9 ++++--
+ .../security/AbstractSecurityException.java | 29 ++++++++++++++++++
+ .../security/InputManipulationException.java | 27 +++++++++++++++++
.../acceptance/SecurityVulnerabilityTest.java | 35 +++++++++++++++++++++-
- 2 files changed, 40 insertions(+), 4 deletions(-)
+ 4 files changed, 96 insertions(+), 4 deletions(-)
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index bccf8f4..e8e1409 100644
+index f35d244..792272c 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -164,6 +164,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
+@@ -163,6 +163,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
import com.thoughtworks.xstream.security.TypeHierarchyPermission;
import com.thoughtworks.xstream.security.TypePermission;
import com.thoughtworks.xstream.security.WildcardTypePermission;
@@ -21,7 +25,7 @@ index bccf8f4..e8e1409 100644
/**
-@@ -1513,9 +1514,11 @@ public class XStream {
+@@ -1483,9 +1484,11 @@ public class XStream {
securityWarningGiven = true;
System.err.println("Security framework of XStream not initialized, XStream is probably vulnerable.");
}
@@ -36,8 +40,76 @@ index bccf8f4..e8e1409 100644
} catch (ConversionException e) {
Package pkg = getClass().getPackage();
String version = pkg != null ? pkg.getImplementationVersion() : null;
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+new file mode 100644
+index 0000000..777765a
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2021, 2022 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++import com.thoughtworks.xstream.XStreamException;
++
++
++/**
++ * General base class for a Security Exception in XStream.
++ *
++ * @author Jörg Schaible
++ * @since 1.4.19
++ */
++public abstract class AbstractSecurityException extends XStreamException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since 1.4.19
++ */
++ public AbstractSecurityException(final String message) {
++ super(message);
++ }
++}
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+new file mode 100644
+index 0000000..80f492c
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+@@ -0,0 +1,27 @@
++/*
++ * Copyright (C) 2021, 2022 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++
++/**
++ * Class for a Security Exception assuming input manipulation in XStream.
++ *
++ * @author Jörg Schaible
++ * @since 1.4.19
++ */
++public class InputManipulationException extends AbstractSecurityException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since 1.4.19
++ */
++ public InputManipulationException(final String message) {
++ super(message);
++ }
++}
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index 8201295..2f722ec 100644
+index d387bcd..f21ea45 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
@@ -47,17 +119,17 @@ index 8201295..2f722ec 100644
* All rights reserved.
*
* The software in this package is published under the terms of the BSD
-@@ -33,6 +33,8 @@ import com.thoughtworks.xstream.security.AnyTypePermission;
+@@ -25,6 +25,8 @@ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
import com.thoughtworks.xstream.security.ForbiddenClassException;
- import com.thoughtworks.xstream.security.InputManipulationException;
import com.thoughtworks.xstream.security.ProxyTypePermission;
+import com.thoughtworks.xstream.security.InputManipulationException;
+
/**
-@@ -331,4 +333,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
- assertTrue("Limit expected in message", e.getMessage().contains("exceeds 5 seconds"));
+@@ -187,4 +189,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
}
}
+
=====================================
debian/patches/0007-CVE-2024-47072.patch → debian/patches/CVE-2024-47072.patch
=====================================
@@ -1,24 +1,26 @@
-From: =?utf-8?q?Bastien_Roucari=C3=A8s?= <rouca at debian.org>
-Date: Sat, 21 Dec 2024 20:41:16 +0000
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 9 Apr 2025 17:37:27 +0200
Subject: CVE-2024-47072
-This vulnerability may allow a remote attacker to terminate the application with a stack
-overflow error resulting in a denial of service only by manipulating the processed
-input stream when XStream is configured to use the BinaryStreamDriver.
-
-origin: backport, https://github.com/x-stream/xstream/commit/c8a939075f99895d76fe49de69d3570a3c401976
-bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1087274
-bug-github: https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
-bug: https://x-stream.github.io/CVE-2024-47072.html
+Bug-Debian: https://bugs.debian.org/1087274
+Origin: https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a
---
- .../xstream/io/binary/BinaryStreamReader.java | 14 ++++++++++----
- .../xstream/io/binary/BinaryStreamTest.java | 18 ++++++++++++++++++
- 2 files changed, 28 insertions(+), 4 deletions(-)
+ .../xstream/io/binary/BinaryStreamReader.java | 18 ++++++++++++------
+ .../xstream/io/binary/BinaryStreamTest.java | 15 +++++++++++++++
+ 2 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
-index 2839651..7a7c76c 100644
+index 2839651..cd870cd 100644
--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2006 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2011, 2013 XStream Committers.
++ * Copyright (C) 2006, 2007, 2011, 2013, 2024 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter;
import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
@@ -27,7 +29,7 @@ index 2839651..7a7c76c 100644
import java.io.DataInputStream;
import java.io.IOException;
-@@ -150,14 +151,19 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
+@@ -150,15 +151,20 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
private Token readToken() {
if (pushback == null) {
try {
@@ -45,35 +47,35 @@ index 2839651..7a7c76c 100644
default:
return token;
- }
+- } catch (IOException e) {
+ }
+ } while (mapping);
+ throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
- } catch (IOException e) {
++ } catch (final IOException e) {
throw new StreamException(e);
}
+ } else {
diff --git a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
-index d34962b..0bdccff 100644
+index d34962b..e78289f 100644
--- a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+++ b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
-@@ -19,9 +19,13 @@ import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest;
+@@ -17,10 +17,12 @@ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+ import com.thoughtworks.xstream.io.copy.HierarchicalStreamCopier;
+ import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest;
import com.thoughtworks.xstream.io.xml.Xpp3Driver;
++import com.thoughtworks.xstream.security.InputManipulationException;
import java.io.ByteArrayOutputStream;
-+import java.io.InputStream;
import java.io.StringReader;
import java.io.ByteArrayInputStream;
++import java.io.InputStream;
-+import com.thoughtworks.xstream.security.InputManipulationException;
-+
-+
public class BinaryStreamTest extends AbstractXMLReaderTest {
- private HierarchicalStreamCopier copier = new HierarchicalStreamCopier();
-@@ -89,4 +93,18 @@ public class BinaryStreamTest extends AbstractXMLReaderTest {
+@@ -89,4 +91,17 @@ public class BinaryStreamTest extends AbstractXMLReaderTest {
}
}
-+ @SuppressWarnings("resource")
+ public void testHandleMaliciousInputsOfIdMappingTokens() {
+ // Insert two successive id mapping tokens into the stream
+ final byte[] byteArray = new byte[8];
=====================================
debian/patches/series
=====================================
@@ -2,6 +2,5 @@
enable-security-whitelist-by-default.patch
SecurityVulnerabilityTest.patch
debian-specific-whitelist-extension.patch
-CVE-2021-43859.patch
CVE-2022-41966.patch
-0007-CVE-2024-47072.patch
+CVE-2024-47072.patch
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/commit/113ff6cd76a04dd9dbeabd3b463a4046f92c142e
--
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/commit/113ff6cd76a04dd9dbeabd3b463a4046f92c142e
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20250422/a0a59f97/attachment.htm>
More information about the pkg-java-commits
mailing list