On 19.02.2016 at 13:10, Stian Soiland-Reyes wrote:
> Hi,
>
> BeanShell aka bsh has released a security fix 2.0b6:
>
> https://github.com/beanshell/beanshell/releases/tag/2.0b6
>
> It has been reported to MITRE as CVE-2016-2510.

Hi Stian,

I intend to backport your changes to fix CVE-2016-2510. Looking at the relevant commits, I could condense the changes to create the attached patch. Could you take a look at it and confirm that this is sufficient?

Regards,

Markus

From: Markus Koschany <apo@debian.org> Date: Fri, 26 Feb 2016 14:24:31 +0100 Subject: CVE-2016-2510 --- src/bsh/XThis.java | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/bsh/XThis.java b/src/bsh/XThis.java index 3f05974..94bcc22 100644 --- a/src/bsh/XThis.java +++ b/src/bsh/XThis.java @@ -65,7 +65,7 @@ public class XThis extends This */ Hashtable interfaces; - InvocationHandler invocationHandler = new Handler(); + transient InvocationHandler invocationHandler = new Handler(); public XThis( NameSpace namespace, Interpreter declaringInterp ) { super( namespace, declaringInterp ); @@ -122,8 +122,12 @@ public class XThis extends This classes aren't there (doesn't it?) This class shouldn't be loaded if an XThis isn't instantiated in NameSpace.java, should it? */ - class Handler implements InvocationHandler, java.io.Serializable + class Handler implements InvocationHandler { + private Object readResolve() throws ObjectStreamException { + throw new NotSerializableException(); + } + public Object invoke( Object proxy, Method method, Object[] args ) throws Throwable {
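
Review bot: In the first hunk (@@ -65,7 +65,7 @@), the initializer on `transient InvocationHandler invocationHandler = new Handler();` does not run when an XThis is restored from a serialized stream, so a deserialized instance ends up with `invocationHandler == null`. If XThis objects are still expected to survive a serialization round trip, re-create the handler in a `readObject` method or lazily at the point of use; if the null is intended, a short comment next to the field saying so would prevent someone from "fixing" it later.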
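
Review bot: In the second hunk (@@ -122,8 +122,12 @@), the new `readResolve()` sits in a class that the same hunk makes non-serializable, and the serialization machinery only looks up `readResolve` on classes that implement Serializable, so the method is not invoked and the actual protection comes from dropping `java.io.Serializable` from `Handler`. Either remove the method or add a comment marking it as a defensive guard in case the interface is reintroduced. The added lines also use `ObjectStreamException` and `NotSerializableException` unqualified, while the removed line spelled out `java.io.Serializable` and the patch adds no import; please confirm XThis.java imports `java.io` or qualify both names so the backport compiles.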