On 01.03.2016 at 14:17, Sébastien Delafond wrote:
> On Feb/26, Markus Koschany wrote:
>> On 19.02.2016 at 13:10, Stian Soiland-Reyes wrote:
>>> Hi,
>>>
>>> BeanShell aka bsh has released a security fix 2.0b6:
>>>
>>> https://github.com/beanshell/beanshell/releases/tag/2.0b6
>>>
>>> It has been reported to MITRE as CVE-2016-2510.
>>
>> Hi Stian,
>>
>> I intend to backport your changes to fix CVE-2016-2510. Looking at the
>> relevant commits, I could condense the changes to create the attached
>> patch. Could you take a look at it and confirm that this is sufficient?
>
> Hi Markus,
>
> now that upstream has validated your patch, do you intend to package and
> upload fixed versions for both wheezy- and jessie-security? In that
> case, I'd be happy to validate both your debdiffs prior to your
> uploading, and then we can release the DSA.
>

Hi Seb,

Thanks for your assistance. I'm attaching the proposed debdiff for bsh in
Wheezy and Jessie. I can upload anytime.

P.S.: If time permits, please let me know how we should proceed with
Tomcat 6 in Wheezy.

Regards,

Markus
diff -Nru bsh-2.0b4/debian/changelog bsh-2.0b4/debian/changelog
--- bsh-2.0b4/debian/changelog 2013-11-21 17:29:05.000000000 +0100
+++ bsh-2.0b4/debian/changelog 2016-03-01 15:56:57.000000000 +0100
@@ -1,3 +1,15 @@
+bsh (2.0b4-15+deb8u1) jessie-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2016-2510.
+ An application that includes BeanShell on the classpath may be vulnerable
+ if another part of the application uses Java serialization or XStream to
+ deserialize data from an untrusted source. A vulnerable application could
+ be exploited for remote code execution, including executing arbitrary shell
+ commands.
+
+ -- Markus Koschany <apo@debian.org> Tue, 01 Mar 2016 15:54:12 +0100
+
bsh (2.0b4-15) unstable; urgency=low
* Added the poms missing in the previous upload (Closes: #730008)
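Review bot: the changelog entry repeats the upstream vulnerability description but says nothing about what the backport actually changes; adding one line such as "Mark XThis.invocationHandler transient and make XThis.Handler non-serializable (readResolve throws NotSerializableException)" lets users and the DSA text see which code path was closed. Suite jessie-security with urgency=high is correct for a DSA upload.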
diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch bsh-2.0b4/debian/patches/CVE-2016-2510.patch
--- bsh-2.0b4/debian/patches/CVE-2016-2510.patch 1970-01-01 01:00:00.000000000 +0100
+++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-01 15:56:57.000000000 +0100
@@ -0,0 +1,44 @@
+From: Markus Koschany <apo@debian.org>
+Date: Fri, 26 Feb 2016 14:24:31 +0100
+Subject: CVE-2016-2510
+
+An application that includes BeanShell on the classpath may be vulnerable if
+another part of the application uses Java serialization or XStream to
+deserialize data from an untrusted source.
+
+A vulnerable application could be exploited for remote code execution,
+including executing arbitrary shell commands.
+
+https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
+https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
+---
+ src/bsh/XThis.java | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/bsh/XThis.java b/src/bsh/XThis.java
+index 3f05974..94bcc22 100644
+--- a/src/bsh/XThis.java
++++ b/src/bsh/XThis.java
+@@ -65,7 +65,7 @@ public class XThis extends This
+ */
+ Hashtable interfaces;
+
+- InvocationHandler invocationHandler = new Handler();
++ transient InvocationHandler invocationHandler = new Handler();
+
+ public XThis( NameSpace namespace, Interpreter declaringInterp ) {
+ super( namespace, declaringInterp );
+@@ -122,8 +122,12 @@ public class XThis extends This
+ classes aren't there (doesn't it?) This class shouldn't be loaded
+ if an XThis isn't instantiated in NameSpace.java, should it?
+ */
+- class Handler implements InvocationHandler, java.io.Serializable
++ class Handler implements InvocationHandler
+ {
++ private Object readResolve() throws ObjectStreamException {
++ throw new NotSerializableException();
++ }
++
+ public Object invoke( Object proxy, Method method, Object[] args )
+ throws Throwable
+ {
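Review bot: the added readResolve() uses ObjectStreamException and NotSerializableException unqualified, yet the hunk adds no import; the removed line spelled java.io.Serializable out in full, which suggests XThis.java may not have `import java.io.*;`, so please confirm the backported file compiles before upload (the Debian build will fail loudly if it does not). Two further caveats worth keeping in mind while reviewing: making invocationHandler transient means a deserialized XThis (This is Serializable) comes back with that field null, because field initializers do not run on deserialization, so any later use of the handler would throw a NullPointerException; that is an acceptable trade-off for a security fix, but it is a behaviour change. And readResolve() on a class that no longer implements Serializable is irrelevant for plain java.io serialization, which refuses a non-Serializable Handler anyway; it is there for XStream, which does not require Serializable but does honour readResolve, so the two changes together cover both deserialization paths named in the patch description.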
diff -Nru bsh-2.0b4/debian/patches/series bsh-2.0b4/debian/patches/series
--- bsh-2.0b4/debian/patches/series 2011-12-21 16:07:19.000000000 +0100
+++ bsh-2.0b4/debian/patches/series 2016-03-01 15:56:57.000000000 +0100
@@ -3,3 +3,4 @@
03_target13_buildXml.patch
04_fix_typo.patch
05_link_javadoc.patch
+CVE-2016-2510.patch
diff -Nru bsh-2.0b4/debian/changelog bsh-2.0b4/debian/changelog
--- bsh-2.0b4/debian/changelog 2010-06-14 20:46:52.000000000 +0200
+++ bsh-2.0b4/debian/changelog 2016-03-01 15:33:22.000000000 +0100
@@ -1,3 +1,15 @@
+bsh (2.0b4-12+deb7u1) wheezy-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2016-2510.
+ An application that includes BeanShell on the classpath may be vulnerable
+ if another part of the application uses Java serialization or XStream to
+ deserialize data from an untrusted source. A vulnerable application could
+ be exploited for remote code execution, including executing arbitrary shell
+ commands.
+
+ -- Markus Koschany <apo@debian.org> Tue, 01 Mar 2016 15:32:04 +0100
+
bsh (2.0b4-12) unstable; urgency=low
* Build-depend on libservlet2.5-java instead of libservlet2.4-java.
diff -Nru bsh-2.0b4/debian/patches/CVE-2016-2510.patch bsh-2.0b4/debian/patches/CVE-2016-2510.patch
--- bsh-2.0b4/debian/patches/CVE-2016-2510.patch 1970-01-01 01:00:00.000000000 +0100
+++ bsh-2.0b4/debian/patches/CVE-2016-2510.patch 2016-03-01 15:33:22.000000000 +0100
@@ -0,0 +1,44 @@
+From: Markus Koschany <apo@debian.org>
+Date: Fri, 26 Feb 2016 14:24:31 +0100
+Subject: CVE-2016-2510
+
+An application that includes BeanShell on the classpath may be vulnerable if
+another part of the application uses Java serialization or XStream to
+deserialize data from an untrusted source.
+
+A vulnerable application could be exploited for remote code execution,
+including executing arbitrary shell commands.
+
+https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
+https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
+---
+ src/bsh/XThis.java | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/bsh/XThis.java b/src/bsh/XThis.java
+index 3f05974..94bcc22 100644
+--- a/src/bsh/XThis.java
++++ b/src/bsh/XThis.java
+@@ -65,7 +65,7 @@ public class XThis extends This
+ */
+ Hashtable interfaces;
+
+- InvocationHandler invocationHandler = new Handler();
++ transient InvocationHandler invocationHandler = new Handler();
+
+ public XThis( NameSpace namespace, Interpreter declaringInterp ) {
+ super( namespace, declaringInterp );
+@@ -122,8 +122,12 @@ public class XThis extends This
+ classes aren't there (doesn't it?) This class shouldn't be loaded
+ if an XThis isn't instantiated in NameSpace.java, should it?
+ */
+- class Handler implements InvocationHandler, java.io.Serializable
++ class Handler implements InvocationHandler
+ {
++ private Object readResolve() throws ObjectStreamException {
++ throw new NotSerializableException();
++ }
++
+ public Object invoke( Object proxy, Method method, Object[] args )
+ throws Throwable
+ {
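Review bot: this patch is byte-identical to the jessie copy, which is expected since both suites ship 2.0b4; the same check applies here: the added readResolve() references ObjectStreamException and NotSerializableException without adding an import, and the removed line wrote java.io.Serializable fully qualified, so XThis.java may lack `import java.io.*;`. A `quilt push -a` followed by a full package build against the wheezy tree would confirm both that the hunks apply at the @@ -65 and @@ -122 offsets and that the file compiles.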
diff -Nru bsh-2.0b4/debian/patches/series bsh-2.0b4/debian/patches/series
--- bsh-2.0b4/debian/patches/series 2010-04-16 23:34:45.000000000 +0200
+++ bsh-2.0b4/debian/patches/series 2016-03-01 15:33:22.000000000 +0100
@@ -1,3 +1,4 @@
01_EnableBsfAdapter_buildXml.patch
02_GNUvms_workaround.patch
03_target13_buildXml.patch
+CVE-2016-2510.patch