On 01.03.2016 at 14:17, Sébastien Delafond wrote:
> On Feb/26, Markus Koschany wrote:
>> On 19.02.2016 at 13:10, Stian Soiland-Reyes wrote:
>>> Hi,
>>>
>>> BeanShell aka bsh has released a security fix 2.0b6:
>>>
>>> https://github.com/beanshell/beanshell/releases/tag/2.0b6
>>>
>>> It has been reported to MITRE as CVE-2016-2510.
>>
>> Hi Stian,
>>
>> I intend to backport your changes to fix CVE-2016-2510. Looking at the
>> relevant commits, I could condense the changes to create the attached
>> patch. Could you take a look at it and confirm that this is sufficient?
>
> Hi Markus,
>
> now that upstream has validated your patch, do you intend to package and
> upload fixed versions for both wheezy- and jessie-security? In that
> case, I'd be happy to validate both your debdiffs prior to your
> uploading, and then we can release the DSA.
>

Hi Seb,

Thanks for your assistance. I'm attaching the proposed debdiff for bsh in Wheezy and Jessie. I can upload anytime.

P.S.: If time permits, please let me know how we should proceed with Tomcat 6 in Wheezy.

Regards,

Markus
diff -Nru bsh-2.0b4/debian/changelog bsh-2.0b4/debian/changelog --- bsh-2.0b4/debian/changelog 2013-11-21 17:29:05.000000000 +0100 +++ bsh-2.0b4/debian/changelog 2016-03-01 15:56:57.000000000 +0100 @@ -1,3 +1,15 @@ +bsh (2.0b4-15+deb8u1) jessie-security; urgency=high + + * Team upload. + * Fix CVE-2016-2510. + An application that includes BeanShell on the classpath may be vulnerable + if another part of the application uses Java serialization or XStream to + deserialize data from an untrusted source. A vulnerable application could + be exploited for remote code execution, including executing arbitrary shell + commands. + + -- Markus Koschany <apo@debian.org> Tue, 01 Mar 2016 15:54:12 +0100 + bsh (2.0b4-15) unstable; urgency=low * Added the poms missing in the previous upload (Closes: #730008) diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch bsh-2.0b4/debian/patches/CVE-2016-2510.patch --- bsh-2.0b4/debian/patches/CVE-2016-2510.patch 1970-01-01 01:00:00.000000000 +0100 +++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-01 15:56:57.000000000 +0100 
@@ -0,0 +1,44 @@ +From: Markus Koschany <apo@debian.org> +Date: Fri, 26 Feb 2016 14:24:31 +0100 +Subject: CVE-2016-2510 + +An application that includes BeanShell on the classpath may be vulnerable if +another part of the application uses Java serialization or XStream to +deserialize data from an untrusted source. + +A vulnerable application could be exploited for remote code execution, +including executing arbitrary shell commands. + +https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49 +https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced +--- + src/bsh/XThis.java | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/bsh/XThis.java b/src/bsh/XThis.java +index 3f05974..94bcc22 100644 +--- a/src/bsh/XThis.java ++++ b/src/bsh/XThis.java +@@ -65,7 +65,7 @@ public class XThis extends This + */ + Hashtable interfaces; + +- InvocationHandler invocationHandler = new Handler(); ++ transient InvocationHandler invocationHandler = new Handler(); + + public XThis( NameSpace namespace, Interpreter declaringInterp ) { + super( namespace, declaringInterp ); +@@ -122,8 +122,12 @@ public class XThis extends This + classes aren't there (doesn't it?) This class shouldn't be loaded + if an XThis isn't instantiated in NameSpace.java, should it? + */ +- class Handler implements InvocationHandler, java.io.Serializable ++ class Handler implements InvocationHandler + { ++ private Object readResolve() throws ObjectStreamException { ++ throw new NotSerializableException(); ++ } ++ + public Object invoke( Object proxy, Method method, Object[] args ) + throws Throwable + { diff -Nru bsh-2.0b4/debian/patches/series bsh-2.0b4/debian/patches/series --- bsh-2.0b4/debian/patches/series 2011-12-21 16:07:19.000000000 +0100 +++ bsh-2.0b4/debian/patches/series 2016-03-01 15:56:57.000000000 +0100 @@ -3,3 +3,4 @@ 03_target13_buildXml.patch 04_fix_typo.patch 05_link_javadoc.patch +CVE-2016-2510.patch
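Review bot: in the `@@ -65,7` hunk of XThis.java, marking `invocationHandler` transient means an XThis that is itself written out and read back through Java serialization returns with that field null, because the initializer `new Handler()` only runs during construction and the hunk adds no readObject or lazy re-initialization to restore it. If XThis instances are expected to survive a serialization round trip in a legitimate application, reinitialize the handler on read or on first use; if they are not, a short comment beside the transient field saying so would spare the next backporter the same question.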
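Review bot: in the `@@ -122,8` hunk, the new `readResolve()` names `ObjectStreamException` and `NotSerializableException` by simple name while the hunk adds no import, and the line it replaces spelled out `java.io.Serializable` in full; this compiles only if XThis.java already imports `java.io`, so a test build of the quilt series on both wheezy and jessie before upload is worth doing rather than relying on the upstream build. Note also that `readResolve` here is defensive only: with `Serializable` dropped from `Handler`, ObjectInputStream will not instantiate the class from a stream in the first place, and readResolve never runs on a class it refused to instantiate, so the method's real job is to keep the guard in place if someone later re-adds the interface. A one-line comment on the method stating that would stop it being removed as dead code.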
diff -Nru bsh-2.0b4/debian/changelog bsh-2.0b4/debian/changelog --- bsh-2.0b4/debian/changelog 2010-06-14 20:46:52.000000000 +0200 +++ bsh-2.0b4/debian/changelog 2016-03-01 15:33:22.000000000 +0100 @@ -1,3 +1,15 @@ +bsh (2.0b4-12+deb7u1) wheezy-security; urgency=high + + * Team upload. + * Fix CVE-2016-2510. + An application that includes BeanShell on the classpath may be vulnerable + if another part of the application uses Java serialization or XStream to + deserialize data from an untrusted source. A vulnerable application could + be exploited for remote code execution, including executing arbitrary shell + commands. + + -- Markus Koschany <apo@debian.org> Tue, 01 Mar 2016 15:32:04 +0100 + bsh (2.0b4-12) unstable; urgency=low * Build-depend on libservlet2.5-java instead of libservlet2.4-java. diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch bsh-2.0b4/debian/patches/CVE-2016-2510.patch --- bsh-2.0b4/debian/patches/CVE-2016-2510.patch 1970-01-01 01:00:00.000000000 +0100 +++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-01 15:33:22.000000000 +0100 
@@ -0,0 +1,44 @@ +From: Markus Koschany <apo@debian.org> +Date: Fri, 26 Feb 2016 14:24:31 +0100 +Subject: CVE-2016-2510 + +An application that includes BeanShell on the classpath may be vulnerable if +another part of the application uses Java serialization or XStream to +deserialize data from an untrusted source. + +A vulnerable application could be exploited for remote code execution, +including executing arbitrary shell commands. + +https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49 +https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced +--- + src/bsh/XThis.java | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/bsh/XThis.java b/src/bsh/XThis.java +index 3f05974..94bcc22 100644 +--- a/src/bsh/XThis.java ++++ b/src/bsh/XThis.java +@@ -65,7 +65,7 @@ public class XThis extends This + */ + Hashtable interfaces; + +- InvocationHandler invocationHandler = new Handler(); ++ transient InvocationHandler invocationHandler = new Handler(); + + public XThis( NameSpace namespace, Interpreter declaringInterp ) { + super( namespace, declaringInterp ); +@@ -122,8 +122,12 @@ public class XThis extends This + classes aren't there (doesn't it?) This class shouldn't be loaded + if an XThis isn't instantiated in NameSpace.java, should it? + */ +- class Handler implements InvocationHandler, java.io.Serializable ++ class Handler implements InvocationHandler + { ++ private Object readResolve() throws ObjectStreamException { ++ throw new NotSerializableException(); ++ } ++ + public Object invoke( Object proxy, Method method, Object[] args ) + throws Throwable + { diff -Nru bsh-2.0b4/debian/patches/series bsh-2.0b4/debian/patches/series --- bsh-2.0b4/debian/patches/series 2010-04-16 23:34:45.000000000 +0200 +++ bsh-2.0b4/debian/patches/series 2016-03-01 15:33:22.000000000 +0100 
@@ -1,3 +1,4 @@ 01_EnableBsfAdapter_buildXml.patch 02_GNUvms_workaround.patch 03_target13_buildXml.patch +CVE-2016-2510.patch
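Review bot: this wheezy copy of CVE-2016-2510.patch is byte-for-byte the jessie one (same From/Date/Subject, same `index 3f05974..94bcc22`), so the remarks on the XThis.java hunks of the jessie debdiff apply here unchanged. One point that applies to both debdiffs: the patch header lists the two upstream commit URLs only as free text in the description and carries no DEP-3 fields, so an `Origin: backport, https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49` line (with the second commit noted alongside) plus `Forwarded: not-needed` would record the provenance in the machine-readable form the security tracker and future backporters expect.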