Bug#853233: jessie-pu: package groovy/1.8.6-4+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
Hello,
I would like to upload a security update for Groovy in Jessie.
(Debdiff is attached) This is Debian bug #851408 or CVE-2016-6814. The
security team has marked this CVE as no-dsa but it would be good to
fix CVE-2016-6814 in Jessie too. I will also file a bug report for
Groovy2 which is affected by the same issue shortly.
Regards,
Markus
diff -Nru groovy-1.8.6/debian/changelog groovy-1.8.6/debian/changelog
--- groovy-1.8.6/debian/changelog 2015-07-25 23:30:00.000000000 +0200
+++ groovy-1.8.6/debian/changelog 2017-01-30 17:20:04.000000000 +0100
@@ -1,3 +1,17 @@
+groovy (1.8.6-4+deb8u2) jessie; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2016-6814:
+ It was found that a flaw in Apache Groovy, a dynamic language for the Java
+ Virtual Machine, allows remote code execution wherever deserialization
+ occurs in the application. It is possible for an attacker to craft a
+ special serialized object that will execute code directly when
+ deserialized. All applications which rely on serialization and do not
+ isolate the code which deserializes objects are subject to this
+ vulnerability.
+
+ -- Markus Koschany <apo@debian.org> Mon, 30 Jan 2017 17:20:04 +0100
+
groovy (1.8.6-4+deb8u1) stable; urgency=high
* Fix remote execution of untrusted code and possible DoS vulnerability.
diff -Nru groovy-1.8.6/debian/patches/CVE-2016-6814.patch groovy-1.8.6/debian/patches/CVE-2016-6814.patch
--- groovy-1.8.6/debian/patches/CVE-2016-6814.patch 1970-01-01 01:00:00.000000000 +0100
+++ groovy-1.8.6/debian/patches/CVE-2016-6814.patch 2017-01-30 17:20:04.000000000 +0100
@@ -0,0 +1,37 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 30 Jan 2017 17:15:11 +0100
+Subject: CVE-2016-6814
+
+Bug-Debian: https://bugs.debian.org/851408
+Origin: http://seclists.org/oss-sec/2017/q1/92
+---
+ src/main/org/codehaus/groovy/runtime/MethodClosure.java | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+index d4f996e..4dfb360 100644
+--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -19,6 +19,7 @@ import groovy.lang.Closure;
+ import groovy.lang.MetaMethod;
+
+ import java.util.List;
++import java.io.IOException;
+
+
+ /**
+@@ -61,6 +62,14 @@ public class MethodClosure extends Closure {
+ throw new UnsupportedOperationException();
+ }
+
++ private void readObject(java.io.ObjectInputStream stream) throws
++ IOException, ClassNotFoundException {
++ if (ALLOW_RESOLVE) {
++ stream.defaultReadObject();
++ }
++ throw new UnsupportedOperationException();
++ }
++
+ public String getMethod() {
+ return method;
+ }
diff -Nru groovy-1.8.6/debian/patches/series groovy-1.8.6/debian/patches/series
--- groovy-1.8.6/debian/patches/series 2015-07-25 23:26:18.000000000 +0200
+++ groovy-1.8.6/debian/patches/series 2017-01-30 17:20:04.000000000 +0100
@@ -3,3 +3,4 @@
0003-disable-bnd.diff.patch
0004-java8-compatibility.patch
0005-CVE-2015-3253.patch
+CVE-2016-6814.patch
Reply to: