Re: Propose to ignore libxstream-java CVEs

To: Markus Koschany <apo@debian.org>, debian-lts@lists.debian.org
Cc: Anton Gladky <gladk@debian.org>
Subject: Re: Propose to ignore libxstream-java CVEs
From: Sylvain Beucler <beuc@beuc.net>
Date: Wed, 22 Sep 2021 20:57:10 +0200
Message-id: <[🔎] 20210922185710.GA5598@mail.beuc.net>
In-reply-to: <[🔎] 3561e6a0-a809-8e22-c6a5-cdff7556d5f4@beuc.net>
References: <CABY6=0=B2hUDycVE5P2TNBZXncFvayrmDqGGcMZQmPo3S264eg@mail.gmail.com> <3f2a393b-ef07-0819-540f-09271f062432@beuc.net> <b81f4d153d88d38ee68463c8ff774863f3bd0da3.camel@debian.org> <[🔎] 58308646b991646c8b5bf1338b281caec857893c.camel@debian.org> <[🔎] 3561e6a0-a809-8e22-c6a5-cdff7556d5f4@beuc.net>

Hi,

On Wed, Sep 22, 2021 at 04:29:39PM +0200, Sylvain Beucler wrote:
> On 22/09/2021 15:37, Markus Koschany wrote:
> > so far I have not found any regressions in Debian packages which depend on
> > libxstream-java. I propose to switch to the whitelist in all suites because
> > this is the only reasonable way to secure XStream. I have prepared an update
> > for Stretch. Anton, could you take a look at it because I saw you have claimed
> > libxstream-java?
> > 
> > https://people.debian.org/~apo/lts/libxstream-java/libxstream-java.debdiff
> 
> I am pretty surprised because I had concluded that all reverse-dependencies
> would break, due to not white-listing any app-specific class:
> https://lists.debian.org/debian-lts/2021/06/msg00040.html
> 
> I'll test your package shortly to see if my angle is relevant with this
> patch.

I had a look again.  IIUC you mean no Debian non-lib package actually
use xstream at all, or the breakage has negligible impact
(e.g. Jajuk's support for Last.FM scrobbling should become more
network-intensive since the submission cache won't load anymore).

User code that link to our xstream.jar may break though (see below
with an application that uses libjsap-java), so it's a bold move, but
your call.

Cheers!
Sylvain

# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
Hi, World!

# dpkg -i libxstream-java_1.4.11.1-1+deb9u4_all.deb 

# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Exception in thread "main" com.thoughtworks.xstream.security.ForbiddenClassException: com.martiansoftware.jsap.xml.JSAPConfig
	at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
	at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
	at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
	at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
	at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
	at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:133)
	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1482)
	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1462)
	at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1333)
	at com.martiansoftware.jsap.xml.JSAPConfig.configure(JSAPConfig.java:42)
	at com.martiansoftware.jsap.JSAP.<init>(JSAP.java:366)
	at com.martiansoftware.jsap.examples.Manual_HelloWorld_9.main(Manual_HelloWorld_9.java:22)

Reply to:

Follow-Ups:
- Re: Propose to ignore libxstream-java CVEs
  - From: Markus Koschany <apo@debian.org>

References:
- Re: Propose to ignore libxstream-java CVEs
  - From: Markus Koschany <apo@debian.org>
- Re: Propose to ignore libxstream-java CVEs
  - From: Sylvain Beucler <beuc@beuc.net>

Prev by Date: Re: Propose to ignore libxstream-java CVEs
Next by Date: Re: Propose to ignore libxstream-java CVEs
Previous by thread: Re: Propose to ignore libxstream-java CVEs
Next by thread: Re: Propose to ignore libxstream-java CVEs
Index(es):
- Date
- Thread