Am 19.02.2016 um 13:10 schrieb Stian Soiland-Reyes: > Hi, > > BeanShell aka bsh has released a security fix 2.0b6: > > https://github.com/beanshell/beanshell/releases/tag/2.0b6 > > It has been reported to MITRE as CVE-2016-2510. Hi Stian, I intend to backport your changes to fix CVE-2016-2510. Looking at the relevant commits, I could condense the changes to create the attached patch. Could you take a look at it and confirm that this is sufficient? Regards, Markus
From: Markus Koschany <apo@debian.org>
Date: Fri, 26 Feb 2016 14:24:31 +0100
Subject: CVE-2016-2510
---
src/bsh/XThis.java | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/bsh/XThis.java b/src/bsh/XThis.java
index 3f05974..94bcc22 100644
--- a/src/bsh/XThis.java
+++ b/src/bsh/XThis.java
@@ -65,7 +65,7 @@ public class XThis extends This
*/
Hashtable interfaces;
- InvocationHandler invocationHandler = new Handler();
+ transient InvocationHandler invocationHandler = new Handler();
public XThis( NameSpace namespace, Interpreter declaringInterp ) {
super( namespace, declaringInterp );
@@ -122,8 +122,12 @@ public class XThis extends This
classes aren't there (doesn't it?) This class shouldn't be loaded
if an XThis isn't instantiated in NameSpace.java, should it?
*/
- class Handler implements InvocationHandler, java.io.Serializable
+ class Handler implements InvocationHandler
{
+ private Object readResolve() throws ObjectStreamException {
+ throw new NotSerializableException();
+ }
+
public Object invoke( Object proxy, Method method, Object[] args )
throws Throwable
{
Attachment:
signature.asc
Description: OpenPGP digital signature