Bug#949089: libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response

Salvatore Bonaccorso carnil at debian.org
Fri Jan 17 05:31:11 GMT 2020


Hi Markus,

On Fri, Jan 17, 2020 at 01:04:10AM +0100, Markus Koschany wrote:
> Hi,
> 
> On 16.01.20 at 21:27 Salvatore Bonaccorso wrote:
> > Source: libxmlrpc3-java
> > Version: 3.1.3-9
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > 
> > Hi,
> > 
> > The following vulnerability was published for libxmlrpc3-java.
> > 
> > CVE-2019-17570[0]:
> > | Deserialization of server-side exception from faultCause in XMLRPC
> > | error response
> > 
> > That said, should libxmlrpc3-java rather be removed from unstable, and
> > not included in bullseye?
> 
> [...]
> 
> It looks like starjava-topcat is the only package that build-depends on
> libxmlrpc3-java at the moment (need to check that again). I think the
> issue itself can be fixed by the proposed Red Hat patch, making the use
> of some parts of the vulnerable method conditional on a set property.
> Since Apache xml-rpc is EOL it makes sense to remove it from Debian
> though. I will file a bug report for starjava-topcat and then let's see
> how it goes.

I did check that yesterday to see what impact it would have on the
archive, and indeed the "only" package problem is as follows, as you
have already spotted:

| Will remove the following packages from sid:
| 
| libxmlrpc3-client-java |    3.1.3-9 | all
| libxmlrpc3-common-java |    3.1.3-9 | all
| libxmlrpc3-java |    3.1.3-9 | source
| libxmlrpc3-java-doc |    3.1.3-9 | all
| libxmlrpc3-server-java |    3.1.3-9 | all
| 
| Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
| 
| ------------------- Reason -------------------
| 
| ----------------------------------------------
| 
| Checking reverse dependencies...
| # Broken Build-Depends:
| starjava-topcat: libxmlrpc3-client-java
| 
| Dependency problem found.

The patch proposed by Red Hat looks straightforward (with my limited
understanding though), but might as well have potential for regression
reports, as it disables deserialization by default, i.e. only uses
it if isEnabledForExceptions is set.

So I'm wary yet about what to do for stable (and older releases) and have
not done any marking yet in the security tracker.

Opinions on that?

Regards,
Salvatore
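The gate discussed in the thread, as an added illustration that is not part of the original mail, not Apache XML-RPC code, and not the Red Hat patch itself: a client-side fault handler that only deserializes the server-supplied `faultCause` bytes when `isEnabledForExceptions` is set. The class and method names (`FaultCauseGate`, `ClientConfig`, `toException`) are assumptions made for the example; only the property name `isEnabledForExceptions` and the `faultCause` member come from the thread. It goes one step beyond the described fix by also applying a JDK deserialization filter (`java.io.ObjectInputFilter`, Java 9+) to the opt-in path, so that even a client that enables the feature only accepts JDK exception and stack-trace classes.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical stand-in for the <fault> handling of an XML-RPC client.
 * Not Apache XML-RPC code: class and method names are assumptions; only
 * "isEnabledForExceptions" and "faultCause" are taken from the bug thread.
 */
public class FaultCauseGate {

    /** Mirrors the client configuration property named in the thread. */
    public static final class ClientConfig {
        private final boolean enabledForExceptions;

        public ClientConfig(boolean enabledForExceptions) {
            this.enabledForExceptions = enabledForExceptions;
        }

        public boolean isEnabledForExceptions() {
            return enabledForExceptions;
        }
    }

    /**
     * Allowlist for the opt-in path (assumption, not part of the described
     * patch): a serialized Throwable graph only needs java.lang (Throwable,
     * StackTraceElement, String) and java.util (suppressed-exception list).
     * Everything else, including arbitrary gadget classes, is rejected.
     */
    private static final ObjectInputFilter FAULT_CAUSE_FILTER =
        ObjectInputFilter.Config.createFilter("java.lang.*;java.util.*;maxdepth=16;!*");

    /**
     * Builds the client-visible exception from a parsed fault struct.
     * Before the fix, the faultCause bytes were always handed to
     * ObjectInputStream; here they are ignored unless the caller opted in,
     * and even then pass through the allowlist filter above.
     */
    public static Throwable toException(Map<String, Object> fault, ClientConfig cfg) {
        int code = ((Number) fault.getOrDefault("faultCode", 0)).intValue();
        String msg = String.valueOf(fault.getOrDefault("faultString", ""));
        Throwable cause = null;
        Object raw = fault.get("faultCause");
        if (cfg.isEnabledForExceptions() && raw instanceof byte[]) {
            try (ObjectInputStream ois =
                     new ObjectInputStream(new ByteArrayInputStream((byte[]) raw))) {
                ois.setObjectInputFilter(FAULT_CAUSE_FILTER);
                cause = (Throwable) ois.readObject();
            } catch (IOException | ClassNotFoundException | ClassCastException e) {
                // A rejected or malformed payload must not break error reporting:
                // the fault code and string are still surfaced, without a cause.
                cause = null;
            }
        }
        return new RuntimeException("XML-RPC fault " + code + ": " + msg, cause);
    }

    /** Constructed sample input: what a cooperating server would put into faultCause. */
    static byte[] serialize(Throwable t) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(t);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed fault struct, as an XML-RPC response parser would produce it.
        Map<String, Object> fault = new HashMap<>();
        fault.put("faultCode", 42);
        fault.put("faultString", "boom");
        fault.put("faultCause", serialize(new IllegalStateException("server side")));

        // Default (property unset): the bytes are never deserialized, cause is null.
        Throwable off = toException(fault, new ClientConfig(false));
        System.out.println("default:  cause=" + off.getCause());

        // Opted in: the JDK exception passes the allowlist and becomes the cause.
        Throwable on = toException(fault, new ClientConfig(true));
        System.out.println("opted in: cause=" + on.getCause());
    }
}
```

Running the class prints a null cause for the default configuration and the reconstructed `IllegalStateException` for the opt-in one. The regression risk Salvatore mentions is visible in the first case: a deployment that relied on `getCause()` carrying the server-side exception will now see `null` unless it sets the property, and, with the filter in place, will additionally lose causes whose classes live outside the allowlisted packages.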