Bug#1003826: buster-pu: package libjackson-json-java/1.9.13-2~deb10u1

Adrian Bunk bunk at debian.org
Sun Jan 16 12:17:22 GMT 2022


Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu

  * Add upstream fixes.
    - Serializing types for deeply nested Maps.
    - Set Secure Processing flag on DocumentBuilderFactory.
    - Set setExpandEntityReferences(false). (Fixes: CVE-2019-10172)
    - WriteRawValue surrogate pair fix.
    - Fix deserialization.
    - All known security fixes. (Fixes: CVE-2017-15095 and CVE-2017-7525)
  * Update Standards-Version to 4.5.0

Except for Standards-Version and the dh compat bump reverted
in this backport, the bullseye package was the buster package
with several bugfixes applied (including fixes for 3 CVEs).
diff -Nru libjackson-json-java-1.9.13/debian/changelog libjackson-json-java-1.9.13/debian/changelog
--- libjackson-json-java-1.9.13/debian/changelog	2018-12-31 00:28:06.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/changelog	2022-01-16 14:04:02.000000000 +0200
@@ -1,3 +1,27 @@
+libjackson-json-java (1.9.13-2~deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for buster.
+    - Revert the debhelper compat bump.
+
+ -- Adrian Bunk <bunk at debian.org>  Sun, 16 Jan 2022 14:04:02 +0200
+
+libjackson-json-java (1.9.13-2) unstable; urgency=medium
+
+  * Team upload.
+  * Add upstream fixes.
+    - Serializing types for deeply nested Maps.
+    - Set Secure Processing flag on DocumentBuilderFactory.
+    - Set setExpandEntityReferences(false). (Fixes: CVE-2019-10172)
+    - WriteRawValue surrogate pair fix.
+    - Fix deserialization.
+    - All known security fixes. (Fixes: CVE-2017-15095 and CVE-2017-7525)
+  * Update Standards-Version to 4.5.0
+  * Use debhelper-compat.
+    - Update compat level to 13.
+
+ -- Sudip Mukherjee <sudipm.mukherjee at gmail.com>  Sat, 19 Sep 2020 20:20:21 +0100
+
 libjackson-json-java (1.9.13-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru libjackson-json-java-1.9.13/debian/control libjackson-json-java-1.9.13/debian/control
--- libjackson-json-java-1.9.13/debian/control	2018-12-31 00:15:15.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/control	2022-01-16 14:04:02.000000000 +0200
@@ -18,7 +18,7 @@
  libjoda-time-java,
  maven-repo-helper (>= 1.5~),
  libnet-luminis-build-plugin-java (>= 0.2.0-3)
-Standards-Version: 4.3.0
+Standards-Version: 4.5.0
 Vcs-Git: https://salsa.debian.org/java-team/libjackson-json-java.git
 Vcs-Browser: https://salsa.debian.org/java-team/libjackson-json-java
 Homepage: https://github.com/FasterXML/jackson
diff -Nru libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch
--- libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch	1970-01-01 02:00:00.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch	2020-09-18 19:10:06.000000000 +0300
@@ -0,0 +1,113 @@
+From 8404cf0b1fb700e5a179abd71137f3057846b80f Mon Sep 17 00:00:00 2001
+From: cowtowncoder <cowtowncoder at cc757fca-8a48-0410-80b4-e22f7f27f4c6>
+Date: Tue, 13 Aug 2013 04:26:38 +0000
+Subject: [PATCH] fixed #234
+
+---
+
+upstream link: https://github.com/FasterXML/jackson-1/commit/8404cf0b1fb700e5a179abd71137f3057846b80f
+
+diff --git a/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java b/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java
+index c2c447cb..041da2f4 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java
++++ b/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java
+@@ -344,7 +344,11 @@ public class MapSerializer
+                 if (cc == prevValueClass) {
+                     currSerializer = prevValueSerializer;
+                 } else {
+-                    currSerializer = provider.findValueSerializer(cc, _property);
++                    if (_valueType.hasGenericTypes()) {
++                        currSerializer = provider.findValueSerializer(provider.constructSpecializedType(_valueType, cc), _property);
++                    } else {
++                        currSerializer = provider.findValueSerializer(cc, _property);
++                    }
+                     prevValueSerializer = currSerializer;
+                     prevValueClass = cc;
+                 }
+@@ -417,6 +421,5 @@ public class MapSerializer
+         }
+         return result.serializer;
+     }
+-
+ }
+ 
+diff --git a/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java b/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java
+index 15be85e4..97741a35 100644
+--- a/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java
++++ b/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java
+@@ -39,6 +39,33 @@ public class TestDefaultForMaps
+         public Map<MapKey,List<Object>> map;
+     }
+ 
++    // // For #234
++    
++    static class ItemList {
++        public String value;
++        public List<ItemList> childItems = new LinkedList<ItemList>();
++
++        public void addChildItem(ItemList l) { childItems.add(l); }
++    }
++
++    static class ItemMap
++    {
++        public String value;
++
++        public Map<String, List<ItemMap>> childItems = new HashMap<String, List<ItemMap>>();
++
++        public void addChildItem(String key, ItemMap childItem) {
++          List<ItemMap> items;
++          if (childItems.containsKey(key)) {
++              items = childItems.get(key);
++          } else {
++              items = new ArrayList<ItemMap>();
++          }
++          items.add(childItem);
++          childItems.put(key, items);
++        }
++    }
++
+     /*
+     /**********************************************************
+     /* Unit tests
+@@ -94,4 +121,38 @@ public class TestDefaultForMaps
+         return TypeNameIdResolver.construct(mapper.getDeserializationConfig(),
+                 TypeFactory.defaultInstance().constructType(Object.class), subtypes, forSerialization, !forSerialization);
+     }
++
++    // // For #234:
++    
++    public void testList() throws Exception
++    {
++        final ObjectMapper mapper = new ObjectMapper();
++        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE, JsonTypeInfo.As.PROPERTY);
++        ItemList child = new ItemList();
++        child.value = "I am child";
++
++        ItemList parent = new ItemList();
++        parent.value = "I am parent";
++        parent.addChildItem(child);
++        String json = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(parent);
++
++        Object o = mapper.readValue(json, ItemList.class);
++        assertNotNull(o);
++    }
++
++    public void testMap() throws Exception
++    {
++        final ObjectMapper mapper = new ObjectMapper();
++        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE, JsonTypeInfo.As.PROPERTY);
++        ItemMap child = new ItemMap();
++        child.value = "I am child";
++
++        ItemMap parent = new ItemMap();
++        parent.value = "I am parent";
++        parent.addChildItem("child", child);
++
++        String json = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(parent);
++        Object o = mapper.readValue(json, ItemMap.class);
++        assertNotNull(o);
++    }
+ }
+-- 
+2.20.1
+
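Review bot: The new `testList`/`testMap` methods at the end of the hunk assert only `assertNotNull(o)` after the round trip, so they would still pass if the nested `List<ItemList>` / `Map<String, List<ItemMap>>` values lost their type information, as long as something deserializes; the regression they guard (#234, the `constructSpecializedType` branch in `MapSerializer`) is better pinned by checking that the child came back, e.g. `assertEquals("I am child", ((ItemList) o).childItems.get(0).value);` and the equivalent `childItems.get("child").get(0).value` for the map case. The `MapSerializer` method the first hunk changes starts and ends outside the hunk, so whether `_valueType` can be null there cannot be checked from this view.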
diff -Nru libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch
--- libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch	1970-01-01 02:00:00.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch	2020-09-18 21:20:41.000000000 +0300
@@ -0,0 +1,54 @@
+From 54c6bc36aa57741ea669ad110ce28acaa1600864 Mon Sep 17 00:00:00 2001
+From: PJ Fanning <pj.fanning at workday.com>
+Date: Fri, 1 Jul 2016 01:49:46 +0100
+Subject: [PATCH] Set Secure Processing flag on DocumentBuilderFactory
+
+---
+
+unstream link: https://github.com/FasterXML/jackson-1/commit/54c6bc36aa57741ea669ad110ce28acaa1600864
+
+ .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java | 7 +++++++
+ .../codehaus/jackson/xc/DomElementJsonDeserializer.java    | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+index 50e6016c..3a486b9e 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+@@ -2,7 +2,9 @@ package org.codehaus.jackson.map.ext;
+ 
+ import java.io.StringReader;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
+ 
+ import org.codehaus.jackson.map.DeserializationContext;
+ import org.codehaus.jackson.map.deser.std.FromStringDeserializer;
+@@ -22,6 +24,11 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T>
+         _parserFactory = DocumentBuilderFactory.newInstance();
+         // yup, only cave men do XML without recognizing namespaces...
+         _parserFactory.setNamespaceAware(true);
++        try {
++            _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++        } catch(ParserConfigurationException pce) {
++            System.err.println("[DOMDeserializer] Problem setting SECURE_PROCESSING_FEATURE: " + pce.toString());
++        }
+     }
+ 
+     protected DOMDeserializer(Class<T> cls) { super(cls); }
+diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+index cf9c073d..ccd631aa 100644
+--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+@@ -30,6 +30,7 @@ public class DomElementJsonDeserializer
+         try {
+             DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();
+             bf.setNamespaceAware(true);
++            bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+             builder = bf.newDocumentBuilder();
+         } catch (ParserConfigurationException e) {
+             throw new RuntimeException();
+-- 
+2.20.1
+
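Review bot: In `DOMDeserializer` the new `try`/`catch` around `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` fails open: a `ParserConfigurationException` is printed to `System.err` and the factory is then used without the feature, so the hardening silently disappears on a JAXP implementation that rejects it. The sibling change in `DomElementJsonDeserializer` lets the same exception propagate, so the two files disagree; rethrowing (`throw new IllegalStateException("Cannot enable FEATURE_SECURE_PROCESSING", pce);`) is the safer default, or the catch block should at least carry a comment stating that fail-open is intended. `FEATURE_SECURE_PROCESSING` mainly imposes entity-expansion limits (and, depending on the JDK, some external-access restrictions) and is not on its own a complete XXE mitigation; patch 0003 in this series adds `setExpandEntityReferences(false)` on top. The `DOMDeserializer` constructor begins outside the hunk.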
diff -Nru libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch
--- libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch	1970-01-01 02:00:00.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch	2020-09-18 21:20:41.000000000 +0300
@@ -0,0 +1,45 @@
+From 2361ec46b5fbf940bafe8247e421e64f9cb7f7b1 Mon Sep 17 00:00:00 2001
+From: PJ Fanning <pj.fanning at workday.com>
+Date: Fri, 1 Jul 2016 22:57:06 +0100
+Subject: [PATCH] setExpandEntityReferences(false)
+
+---
+
+upstream link: https://github.com/FasterXML/jackson-1/commit/2361ec46b5fbf940bafe8247e421e64f9cb7f7b1
+
+ .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java     | 1 +
+ .../org/codehaus/jackson/xc/DomElementJsonDeserializer.java    | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+index 3a486b9e..97f76af9 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+@@ -24,6 +24,7 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T>
+         _parserFactory = DocumentBuilderFactory.newInstance();
+         // yup, only cave men do XML without recognizing namespaces...
+         _parserFactory.setNamespaceAware(true);
++        _parserFactory.setExpandEntityReferences(false);
+         try {
+             _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+         } catch(ParserConfigurationException pce) {
+diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+index ccd631aa..8b1de578 100644
+--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+@@ -30,10 +30,11 @@ public class DomElementJsonDeserializer
+         try {
+             DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();
+             bf.setNamespaceAware(true);
++            bf.setExpandEntityReferences(false);
+             bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+             builder = bf.newDocumentBuilder();
+         } catch (ParserConfigurationException e) {
+-            throw new RuntimeException();
++            throw new RuntimeException("Problem creating DocumentBuilder: " + e.toString());
+         }
+     }
+ 
+-- 
+2.20.1
+
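Review bot: The new `throw new RuntimeException("Problem creating DocumentBuilder: " + e.toString());` in `DomElementJsonDeserializer` improves on the message-less original but still drops the cause, so the `ParserConfigurationException` stack trace is lost; prefer `throw new RuntimeException("Problem creating DocumentBuilder: " + e, e);`. On the XML side, `setExpandEntityReferences(false)` keeps entity references from being expanded into the DOM but is generally not considered sufficient on its own to stop the parser from resolving external DTDs or entities; if these payloads never legitimately carry a DOCTYPE, enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature in both constructors would close that gap. Both constructors start outside their hunks.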
diff -Nru libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch
--- libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch	1970-01-01 02:00:00.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch	2020-09-18 21:20:41.000000000 +0300
@@ -0,0 +1,90 @@
+From 298849da99b27d86fe581781086fb39809cd83bf Mon Sep 17 00:00:00 2001
+From: Marcin Szczepanski <mszczepanski at atlassian.com>
+Date: Mon, 11 Jul 2016 10:33:52 +1000
+Subject: [PATCH] Backport writeRawValue surrogate pair fix from 2.x
+
+This is a backport of a Jackson 2.x fix:
+https://github.com/FasterXML/jackson-core/commit/5e14c461c04f71fc3f35a5ac2e75ed2df0d7c462
+---
+
+upstream link: https://github.com/FasterXML/jackson-1/commit/298849da99b27d86fe581781086fb39809cd83bf
+
+ .../codehaus/jackson/impl/Utf8Generator.java  |  6 ++---
+ .../jackson/impl/TestUtf8Generator.java       | 24 +++++++++++++++++++
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/src/java/org/codehaus/jackson/impl/Utf8Generator.java b/src/java/org/codehaus/jackson/impl/Utf8Generator.java
+index ccc25cd3..8ac6bd00 100644
+--- a/src/java/org/codehaus/jackson/impl/Utf8Generator.java
++++ b/src/java/org/codehaus/jackson/impl/Utf8Generator.java
+@@ -754,7 +754,7 @@ public class Utf8Generator
+                 _outputBuffer[_outputTail++] = (byte) (0xc0 | (ch >> 6));
+                 _outputBuffer[_outputTail++] = (byte) (0x80 | (ch & 0x3f));
+             } else {
+-                _outputRawMultiByteChar(ch, cbuf, offset, len);
++                offset = _outputRawMultiByteChar(ch, cbuf, offset, len);
+             }
+         }
+     }
+@@ -812,7 +812,7 @@ public class Utf8Generator
+                 bbuf[_outputTail++] = (byte) (0xc0 | (ch >> 6));
+                 bbuf[_outputTail++] = (byte) (0x80 | (ch & 0x3f));
+             } else {
+-                _outputRawMultiByteChar(ch, cbuf, offset, len);
++                offset = _outputRawMultiByteChar(ch, cbuf, offset, len);
+             }
+         }
+     }
+@@ -1643,7 +1643,7 @@ public class Utf8Generator
+         if (ch >= SURR1_FIRST) {
+             if (ch <= SURR2_LAST) { // yes, outside of BMP
+                 // Do we have second part?
+-                if (inputOffset >= inputLen) { // nope... have to note down
++                if (inputOffset >= inputLen || cbuf == null) { // nope... have to note down
+                     _reportError("Split surrogate on writeRaw() input (last character)");
+                 }
+                 _outputSurrogates(ch, cbuf[inputOffset]);
+diff --git a/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java b/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java
+index c4e12c3a..48461376 100644
+--- a/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java
++++ b/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java
+@@ -2,7 +2,10 @@ package org.codehaus.jackson.impl;
+ 
+ import java.io.ByteArrayOutputStream;
+ 
++import org.codehaus.jackson.JsonFactory;
+ import org.codehaus.jackson.JsonGenerator;
++import org.codehaus.jackson.JsonParser;
++import org.codehaus.jackson.JsonToken;
+ import org.codehaus.jackson.io.IOContext;
+ import org.codehaus.jackson.util.BufferRecycler;
+ 
+@@ -25,4 +28,25 @@ public class TestUtf8Generator
+         gen.writeString(str);
+         gen.flush();
+     }
++
++    public void testSurrogatesWithRaw() throws Exception
++    {
++        final String VALUE = quote("\uD83C\uDF89");
++        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
++        IOContext ioc = new IOContext(new BufferRecycler(), bytes, true);
++        JsonGenerator jgen = new Utf8Generator(ioc, 0, null, bytes);
++        jgen.writeRawValue(VALUE);
++        jgen.close();
++
++        final byte[] JSON = bytes.toByteArray();
++
++        JsonParser jp = new JsonFactory().createJsonParser(JSON);
++        assertToken(JsonToken.VALUE_STRING, jp.nextToken());
++        String str = jp.getText();
++        assertEquals(2, str.length());
++        assertEquals((char) 0xD83C, str.charAt(0));
++        assertEquals((char) 0xDF89, str.charAt(1));
++        System.out.println(str);
++        jp.close();
++    }
+ }
+-- 
+2.20.1
+
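Review bot: The new `testSurrogatesWithRaw` in `TestUtf8Generator` leaves a `System.out.println(str);` after its assertions; it is debug output that writes a non-BMP character to the build log on every run and should be removed. The three `Utf8Generator` changes assume `_outputRawMultiByteChar` already returns the advanced input offset, since the hunk at line 1643 does not touch its signature; that is worth confirming against the 1.9 source because the fix is a backport from 2.x. The two `writeRaw` loops and the multi-byte helper all begin outside their hunks.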
diff -Nru libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch
--- libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch	1970-01-01 02:00:00.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch	2020-09-18 21:20:41.000000000 +0300
@@ -0,0 +1,86 @@
+From b4c841aea501341fb1d7e62fa4f25a57ed990134 Mon Sep 17 00:00:00 2001
+From: Pawel Niegowski <pniegowski at atlassian.com>
+Date: Fri, 21 Apr 2017 14:47:42 +0200
+Subject: [PATCH] fix deserialization
+
+---
+
+Upstream link: https://github.com/FasterXML/jackson-1/commit/b4c841aea501341fb1d7e62fa4f25a57ed990134
+
+ .../map/deser/BeanDeserializerFactory.java    | 48 +++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
+index 620c9dce..b8c0c180 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
++++ b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
+@@ -31,6 +31,37 @@ public class BeanDeserializerFactory
+      */
+     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
+ 
++    /**
++     * Set of well-known "nasty classes", deserialization of which is considered dangerous
++     * and should (and is) prevented by default.
++     *
++     * @since 1.9.13-atlassian-2
++     */
++    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
++
++    static
++    {
++        Set<String> s = new HashSet<String>();
++        // Courtesy of [https://github.com/kantega/notsoserial]:
++        // (and wrt [databind#1599]
++        s.add("org.apache.commons.collections.functors.InvokerTransformer");
++        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
++        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
++        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
++        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
++        s.add("org.codehaus.groovy.runtime.MethodClosure");
++        s.add("org.springframework.beans.factory.ObjectFactory");
++        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
++        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
++    }
++
++    /**
++     * Set of class names of types that are never to be deserialized.
++     *
++     * @since 1.9.13-atlassian-2
++     */
++    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
++
+     /*
+     /**********************************************************
+     /* Config class implementation
+@@ -632,6 +663,7 @@ public class BeanDeserializerFactory
+         if (!isPotentialBeanType(type.getRawClass())) {
+             return null;
+         }
++        checkIllegalTypes(type);
+         // Use generic bean introspection to build deserializer
+         return buildBeanDeserializer(config, type, beanDesc, property);
+     }
+@@ -1473,4 +1505,20 @@ public class BeanDeserializerFactory
+         }
+         return status;
+     }
++
++    /**
++     * @since 2.8.9
++     */
++    protected void checkIllegalTypes(JavaType type)
++            throws JsonMappingException
++    {
++        // There are certain nasty classes that could cause problems, mostly
++        // via default typing -- catch them here.
++        String full = type.getRawClass().getName();
++
++        if (_cfgIllegalClassNames.contains(full))
++        {
++            throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons");
++        }
++    }
+ }
+-- 
+2.20.1
+
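Review bot: `checkIllegalTypes` is only reached from `createBeanDeserializer` after `isPotentialBeanType` passes, and `DEFAULT_NO_DESER_CLASS_NAMES` is a point-in-time denylist, so this is a mitigation for default typing rather than a fix of it; the Javadoc on `checkIllegalTypes` should say so, e.g. `Denylist check for well-known dangerous types; not a substitute for leaving default typing disabled on untrusted input.` The hunk uses `Set`, `HashSet` and `Collections` without adding imports, which is fine only if the file's existing import block (outside the hunk) already covers `java.util`. Patch 0006 in the same series removes this block again and moves the logic into `SubTypeValidator`, so the two patches must stay applied in this order.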
diff -Nru libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch
--- libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch	1970-01-01 02:00:00.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch	2020-09-18 21:20:41.000000000 +0300
@@ -0,0 +1,239 @@
+From 9ac68db819bce7b9546bc4bf1c44f82ca910fa31 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Wed, 20 Dec 2017 16:50:14 -0800
+Subject: [PATCH] Backport all known security fixes from 2.x that were missing, related to public CVEs.
+
+---
+
+upstream link: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31
+
+diff --git a/src/java/org/codehaus/jackson/type/JavaType.java b/src/java/org/codehaus/jackson/type/JavaType.java
+index 3b216491..871bca4b 100644
+--- a/src/java/org/codehaus/jackson/type/JavaType.java
++++ b/src/java/org/codehaus/jackson/type/JavaType.java
+@@ -479,6 +479,11 @@ public abstract class JavaType
+     /**********************************************************
+      */
+ 
++    // since 1.9.14: needed by one of the patches
++    public final boolean isTypeOrSubTypeOf(Class<?> clz) {
++        return (_class == clz) || clz.isAssignableFrom(_class);
++    }
++
+     protected void _assertSubclass(Class<?> subclass, Class<?> superClass)
+     {
+         if (!_class.isAssignableFrom(subclass)) {
+diff --git a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
+index b8c0c180..ffeadb12 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
++++ b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
+@@ -9,6 +9,7 @@ import org.codehaus.jackson.map.deser.impl.CreatorProperty;
+ import org.codehaus.jackson.map.deser.std.StdKeyDeserializers;
+ import org.codehaus.jackson.map.deser.std.ThrowableDeserializer;
+ import org.codehaus.jackson.map.introspect.*;
++import org.codehaus.jackson.map.jsontype.impl.SubTypeValidator;
+ import org.codehaus.jackson.map.type.*;
+ import org.codehaus.jackson.map.util.ArrayBuilders;
+ import org.codehaus.jackson.map.util.ClassUtil;
+@@ -31,37 +32,6 @@ public class BeanDeserializerFactory
+      */
+     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
+ 
+-    /**
+-     * Set of well-known "nasty classes", deserialization of which is considered dangerous
+-     * and should (and is) prevented by default.
+-     *
+-     * @since 1.9.13-atlassian-2
+-     */
+-    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+-
+-    static
+-    {
+-        Set<String> s = new HashSet<String>();
+-        // Courtesy of [https://github.com/kantega/notsoserial]:
+-        // (and wrt [databind#1599]
+-        s.add("org.apache.commons.collections.functors.InvokerTransformer");
+-        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+-        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+-        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+-        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+-        s.add("org.codehaus.groovy.runtime.MethodClosure");
+-        s.add("org.springframework.beans.factory.ObjectFactory");
+-        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+-        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+-    }
+-
+-    /**
+-     * Set of class names of types that are never to be deserialized.
+-     *
+-     * @since 1.9.13-atlassian-2
+-     */
+-    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+-
+     /*
+     /**********************************************************
+     /* Config class implementation
+@@ -265,6 +235,12 @@ public class BeanDeserializerFactory
+      */
+     protected final Config _factoryConfig;
+ 
++    /**
++     *
++     * @since 1.9.14
++     */
++    protected SubTypeValidator _subtypeValidator = SubTypeValidator.instance();
++
+     @Deprecated
+     public BeanDeserializerFactory() {
+         this(null);
+@@ -1507,18 +1483,13 @@ public class BeanDeserializerFactory
+     }
+ 
+     /**
+-     * @since 2.8.9
++     * @since 1.9.14
+      */
+-    protected void checkIllegalTypes(JavaType type)
+-            throws JsonMappingException
++    protected void checkIllegalTypes(JavaType type) throws JsonMappingException
+     {
+         // There are certain nasty classes that could cause problems, mostly
+         // via default typing -- catch them here.
+-        String full = type.getRawClass().getName();
+-
+-        if (_cfgIllegalClassNames.contains(full))
+-        {
+-            throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons");
+-        }
++        _subtypeValidator.validateSubType(type);
++        //throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons");
+     }
+ }
+diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java
+index c9fd65e1..c9a00011 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java
++++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java
+@@ -46,8 +46,16 @@ public class ClassNameIdResolver
+          *    to do translation when necessary
+          */
+         if (id.indexOf('<') > 0) {
+-            JavaType t = TypeFactory.fromCanonical(id);
+             // note: may want to try combining with specialization (esp for EnumMap)
++            // 17-Aug-2017, tatu: As per [databind#1735] need to ensure assignment
++            //    compatibility -- needed later anyway, and not doing so may open
++            //    security issues.
++            JavaType t = _typeFactory.constructFromCanonical(id);
++            if (!t.isTypeOrSubTypeOf(_baseType.getRawClass())) {
++                // Probably cleaner to have a method in `TypeFactory` but can't add in patch
++                throw new IllegalArgumentException(String.format(
++                        "Class %s not subtype of %s", t.getRawClass().getName(), _baseType));
++            }
+             return t;
+         }
+         try {
+diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+new file mode 100644
+index 00000000..865c20e7
+--- /dev/null
++++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+@@ -0,0 +1,97 @@
++package org.codehaus.jackson.map.jsontype.impl;
++
++import java.util.Collections;
++import java.util.HashSet;
++import java.util.Set;
++
++import org.codehaus.jackson.map.JsonMappingException;
++import org.codehaus.jackson.type.JavaType;
++
++/**
++ * Helper class used to encapsulate rules that determine subtypes that
++ * are invalid to use, even with default typing, mostly due to security
++ * concerns.
++ * Used by <code>BeanDeserializerFactory</code>
++ *
++ * @since 1.9.14
++ */
++public class SubTypeValidator
++{
++    protected final static String PREFIX_STRING = "org.springframework.";
++    /**
++     * Set of well-known "nasty classes", deserialization of which is considered dangerous
++     * and should (and is) prevented by default.
++     */
++    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
++    static {
++        Set<String> s = new HashSet<String>();
++        // Courtesy of [https://github.com/kantega/notsoserial]:
++        // (and wrt [databind#1599])
++        s.add("org.apache.commons.collections.functors.InvokerTransformer");
++        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
++        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
++        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
++        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
++        s.add("org.codehaus.groovy.runtime.MethodClosure");
++        s.add("org.springframework.beans.factory.ObjectFactory");
++        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
++        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
++        // [databind#1680]: may or may not be problem, take no chance
++        s.add("com.sun.rowset.JdbcRowSetImpl");
++        // [databind#1737]; JDK provided
++        s.add("java.util.logging.FileHandler");
++        s.add("java.rmi.server.UnicastRemoteObject");
++        // [databind#1737]; 3rd party
++//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
++        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
++        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++        // [databind#1855]: more 3rd party
++        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
++        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
++        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
++    }
++
++    /**
++     * Set of class names of types that are never to be deserialized.
++     */
++    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
++
++    private final static SubTypeValidator instance = new SubTypeValidator();
++
++    protected SubTypeValidator() { }
++
++    public static SubTypeValidator instance() { return instance; }
++
++    public void validateSubType(JavaType type) throws JsonMappingException
++    {
++        // There are certain nasty classes that could cause problems, mostly
++        // via default typing -- catch them here.
++        final Class<?> raw = type.getRawClass();
++        String full = raw.getName();
++
++        main_check:
++        do {
++            if (_cfgIllegalClassNames.contains(full)) {
++                break;
++            }
++
++            // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
++            //    for some Spring framework types
++            if (full.startsWith(PREFIX_STRING)) {
++                for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
++                    String name = cls.getSimpleName();
++                    // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
++                    if ("AbstractPointcutAdvisor".equals(name)
++                            // ditto  for "FileSystemXmlApplicationContext": block all ApplicationContexts
++                            || "AbstractApplicationContext".equals(name)) {
++                        break main_check;
++                    }
++                }
++            }
++            return;
++        } while (false);
++
++        throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons");
++    }
++}
+-- 
+2.20.1
+
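Review bot: In `SubTypeValidator.validateSubType` the loop `for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass())` can throw `NullPointerException` when `raw` is an interface or a primitive, because `Class.getSuperclass()` then returns `null` and the next iteration calls `cls.getSimpleName()` on it; any `org.springframework.` interface not already in the denylist takes this path, so the guard ends in an unhandled NPE instead of the intended `JsonMappingException`. Change the condition to `for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass())`. Separately, `checkIllegalTypes` in `BeanDeserializerFactory` keeps a commented-out `//throw new JsonMappingException(...)` line after the `validateSubType` call that should simply be deleted. The `ClassNameIdResolver` hunk adds the `isTypeOrSubTypeOf` check only on the generic (`id.indexOf('<') > 0`) branch; the non-generic branch continues after the hunk, so whether it has an equivalent check cannot be confirmed here.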
diff -Nru libjackson-json-java-1.9.13/debian/patches/series libjackson-json-java-1.9.13/debian/patches/series
--- libjackson-json-java-1.9.13/debian/patches/series	2018-12-31 00:15:15.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/patches/series	2020-09-18 19:10:06.000000000 +0300
@@ -1 +1,7 @@
 java9.patch
+0001-fixed-234.patch
+0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch
+0003-setExpandEntityReferences-false.patch
+0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch
+0005-fix-deserialization.patch
+0006-Backport-all-known-security-fixes-from-2.x-that-were.patch

