Bug#995205: jsap: does not correctly initialize the security framework of xstream

Markus Koschany apo at debian.org
Mon Sep 27 22:21:34 BST 2021


Source: jsap
Version: 2.1-4
Severity: normal
X-Debbugs-Cc: apo at debian.org

Dear maintainer,

libxstream-java has been upgraded to version 1.4.18. XStream now uses
a whitelist as the default for its security framework. For instance jsap
will fail when you try to read arguments from a jsap file like


Before
======

# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
Hi, World!

Now
===

# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Exception in thread "main" com.thoughtworks.xstream.security.ForbiddenClassException: com.martiansoftware.jsap.xml.JSAPConfig
	at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
	at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
	at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
	at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
	at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
	at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:133)
	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1482)
	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1462)
	at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1333)
	at com.martiansoftware.jsap.xml.JSAPConfig.configure(JSAPConfig.java:42)
	at com.martiansoftware.jsap.JSAP.<init>(JSAP.java:366)
	at com.martiansoftware.jsap.examples.Manual_HelloWorld_9.main(Manual_HelloWorld_9.java:22)

Please find attached a patch that allows all classes from the com.martiansoftware.jsap.xml package.

Regards,

Markus

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (900, 'stable-security'), (900, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru jsap-2.1/debian/changelog jsap-2.1/debian/changelog
--- jsap-2.1/debian/changelog	2021-08-15 14:19:53.000000000 +0200
+++ jsap-2.1/debian/changelog	2021-09-27 22:36:22.000000000 +0200
@@ -1,3 +1,10 @@
+jsap (2.1-4.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * 
+
+ -- Markus Koschany <apo at debian.org>  Mon, 27 Sep 2021 22:36:22 +0200
+
 jsap (2.1-4) unstable; urgency=medium
 
   * Setting Salsa VCS paths
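Review bot: the new changelog entry carries an empty bullet (`+  * `) and does not reference this bug; the entry should state the change and close the report, e.g. `* Allow the com.martiansoftware.jsap.xml package in XStream's security framework so JSAP config files can be read again with xstream 1.4.18. (Closes: #995205)`. Keeping the entry as UNRELEASED is fine for a proposed NMU, but the text should be filled in before upload.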
diff -Nru jsap-2.1/debian/patches/series jsap-2.1/debian/patches/series
--- jsap-2.1/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ jsap-2.1/debian/patches/series	2021-09-27 22:36:22.000000000 +0200
@@ -0,0 +1 @@
+xstream-1.4.18.patch
diff -Nru jsap-2.1/debian/patches/xstream-1.4.18.patch jsap-2.1/debian/patches/xstream-1.4.18.patch
--- jsap-2.1/debian/patches/xstream-1.4.18.patch	1970-01-01 01:00:00.000000000 +0100
+++ jsap-2.1/debian/patches/xstream-1.4.18.patch	2021-09-27 22:36:22.000000000 +0200
@@ -0,0 +1,20 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 27 Sep 2021 22:35:30 +0200
+Subject: xstream 1.4.18
+
+---
+ src/java/com/martiansoftware/jsap/xml/JSAPXStream.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java b/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java
+index 5f19a37..2206d63 100644
+--- a/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java
++++ b/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java
+@@ -19,6 +19,7 @@ class JSAPXStream extends XStream {
+ 
+ 	public JSAPXStream() {
+ 		super(new DomDriver());
++		allowTypesByWildcard(new String[] {JSAPXStream.class.getPackage().getName()+".*" });
+ 		alias("jsap", JSAPConfig.class);
+ 		alias("flaggedOption", FlaggedOptionConfig.class);
+ 		alias("unflaggedOption", UnflaggedOptionConfig.class);
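Review bot: the new quilt patch header has no DEP-3 `Bug-Debian:` or `Forwarded:` field; add `Bug-Debian: https://bugs.debian.org/995205` and a `Forwarded:` line (upstream URL or `no`) so the origin and status of the change are recorded. The one-line fix itself is the right shape: it registers an explicit allowance for the package that owns JSAPConfig, the class named in the ForbiddenClassException above, instead of disabling XStream's security framework, and the `.*` wildcard (in XStream patterns `*` does not match a dot) keeps the allowance to that single package rather than everything under com.martiansoftware. Two small follow-ups: verify with the Manual_HelloWorld_9 run from the report that no other type referenced by the config classes is rejected by the default permissions, and tidy the spacing in `getName()+".*" }` to `getName() + ".*"}` for consistency with the surrounding code.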

