
CVE-2022-41678,CVE-2023-46604/activemq (was Re: CVE-2023-46604/activemq)



Hi Pierre, hello security team,

Sorry for this very late reply.

On 07/10/24 at 23:46, Pierre Gruet wrote:
> Hi Santiago,
> 
> On 07/10/2024 at 20:21, Santiago Ruano Rincón wrote:
> > Dear teams,
> > 
> > activemq is listed in both dla-needed and dsa-needed, and I claimed it
> > for bullseye LTS. CVE-2023-46604 was fixed in 5.17.6 and 5.16.7 and the
> > patches for both are clearly identified upstream:
> > 
> [...]
> > 
> > I have also a question about bullseye: Pierre, I see in debian/5.16.1-2,
> > the a6be349b21ab01a4a5572906e45933406073ed29 commit "Adding the missing
> > xpp3 dependency to the stomp pom.xml". That sounds like an important
> > bug, but I don't find anything filed about it. Is that something that
> > should be fixed in oldstable? I guess no, but I want to be sure.
> 
> You're right, no need to fix this in oldstable: no issue related to this in
> bullseye.
> I did not forward the patch upstream at that time because it was an issue
> not in activemq, but in libxstream-java which does not declare the correct
> classpath for its jar. I wrote this patch to have activemq build but I
> intended it to be temporary thanks to a fix in libxstream-java -- which I
> never made up to now, will do so in the upcoming days!

Thanks for your answer and for confirming the above! That is helpful.


Dear security team,

Please find attached an updated debdiff for bookworm that also includes
the fix for CVE-2022-41678.

Since CVE-2023-46604 concerns openwire, I've tested the proposed package
using the example found at /usr/share/doc/activemq/examples/openwire/cpp.
I can confirm the message exchange between listener and publisher works
before and after the upgrade.

I am not sure I will have the time to make a proper test of
CVE-2022-41678. But given that there have been no follow-ups upstream of
the fixing commits since 2023, I tend to be confident that the risk of
introducing a regression is very low. If any of the readers is able to
help test authentication via jolokia, it would be great.

Could you please tell me what you think about the update? I would
like to upload the bullseye update soon (by tomorrow, if possible).
Sorry for the late notice, but is there any chance both uploads could be
"sync'ed"?

Bullseye's (staging) debdiff is also attached.

Best,

 -- Santiago
diff -Nru activemq-5.17.2+dfsg/debian/changelog activemq-5.17.2+dfsg/debian/changelog
--- activemq-5.17.2+dfsg/debian/changelog	2023-02-12 12:53:03.000000000 -0300
+++ activemq-5.17.2+dfsg/debian/changelog	2024-10-23 23:20:32.000000000 -0300
@@ -1,3 +1,11 @@
+activemq (5.17.2+dfsg-2+deb12u1) bookworm-security; urgency=medium
+
+  * CVE-2022-41678: Potential arbitrary code execution via Jolokia
+  * CVE-2023-46604: The Java OpenWire protocol marshaller is vulnerable to
+    Remote Code Execution (Closes: #1054909).
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net>  Wed, 23 Oct 2024 23:20:32 -0300
+
 activemq (5.17.2+dfsg-2) unstable; urgency=medium
 
   * Team upload.
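Review bot: the CVE-2022-41678 changelog entry does not say that the fix is a change to the shipped default `jolokia-access.xml` (see the patch name below) rather than to code; if Debian installs that file under /etc as a conffile, an existing installation with a locally edited copy keeps its old access policy on upgrade, so the entry (or a NEWS note) should tell administrators to compare their `jolokia-access.xml` with the new default. The entry also lacks a Debian bug reference, unlike the CVE-2023-46604 line; if there is none, saying so is fine, but it reads as an omission.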
diff -Nru activemq-5.17.2+dfsg/debian/patches/0001-AMQ-9201-Update-Jolokia-default-access-configuration.patch activemq-5.17.2+dfsg/debian/patches/0001-AMQ-9201-Update-Jolokia-default-access-configuration.patch
--- activemq-5.17.2+dfsg/debian/patches/0001-AMQ-9201-Update-Jolokia-default-access-configuration.patch	1969-12-31 21:00:00.000000000 -0300
+++ activemq-5.17.2+dfsg/debian/patches/0001-AMQ-9201-Update-Jolokia-default-access-configuration.patch	2024-10-23 23:20:32.000000000 -0300
@@ -0,0 +1,70 @@
+From bf65929fdc607d5bb953a507c2f0c7256ae8e5b6 Mon Sep 17 00:00:00 2001
+From: "Christopher L. Shannon (cshannon)" <christopher.l.shannon@gmail.com>
+Date: Wed, 1 Feb 2023 07:04:56 -0500
+Subject: [PATCH] AMQ-9201 - Update Jolokia default access configuration
+
+(cherry picked from commit 6120169e563b55323352431dfe9ac67a8b4de6c2)
+
+Bug: https://issues.apache.org/jira/browse/AMQ-9201
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-41678
+
+---
+ assembly/src/release/conf/jolokia-access.xml | 34 +++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/assembly/src/release/conf/jolokia-access.xml b/assembly/src/release/conf/jolokia-access.xml
+index 8cad1cd40e..97b099a5b7 100644
+--- a/assembly/src/release/conf/jolokia-access.xml
++++ b/assembly/src/release/conf/jolokia-access.xml
+@@ -22,8 +22,35 @@
+     <strict-checking/>
+   </cors>
+ 
+-  <!-- deny calling operations or getting attributes from these mbeans -->
++  <!-- By default don't allow write or exec operations -->
++  <commands>
++    <command>read</command>
++    <command>list</command>
++    <command>version</command>
++    <command>search</command>
++  </commands>
++
++  <allow>
++    <!-- Allow all operations for the broker itself -->
++    <mbean>
++      <name>org.apache.activemq:*</name>
++      <attribute>*</attribute>
++      <operation>*</operation>
++    </mbean>
++    <!-- Allow all operations for Jolokia Config -->
++    <mbean>
++      <name>jolokia:type=Config</name>
++      <operation>*</operation>
++    </mbean>
++  </allow>
++
++  <!-- deny all operations or getting attributes from these mbeans -->
+   <deny>
++    <mbean>
++      <name>org.apache.logging.log4j2:*</name>
++      <attribute>*</attribute>
++      <operation>*</operation>
++    </mbean>
+     <mbean>
+       <name>com.sun.management:type=DiagnosticCommand</name>
+       <attribute>*</attribute>
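Review bot: the `<allow>` entry for `org.apache.activemq:*` grants `<operation>*</operation>`, and since Jolokia lets MBean-level `<allow>` entries override the global `<commands>` restriction, the new `<commands>` list (read, list, version, search) does not disable exec on the broker's own MBeans; that matches upstream AMQ-9201, but the comment `<!-- By default don't allow write or exec operations -->` invites the opposite reading, so a sentence next to `<!-- Allow all operations for the broker itself -->` stating that exec remains available for `org.apache.activemq:*` would prevent that. Worth confirming against the Jolokia version shipped in bookworm that the override semantics are the same there.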
+@@ -34,6 +61,11 @@
+       <attribute>*</attribute>
+       <operation>*</operation>
+     </mbean>
++    <mbean>
++      <name>jdk.management.jfr:type=FlightRecorder</name>
++      <attribute>*</attribute>
++      <operation>*</operation>
++    </mbean>
+   </deny>
+ 
+ </restrict>
+-- 
+2.39.5
+
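Review bot: the DEP-3 header at the top of this patch carries `Bug:` and `Bug-Debian-Security:` but no `Origin:` field; the `(cherry picked from commit 6120169e563b55323352431dfe9ac67a8b4de6c2)` line already identifies the upstream commit, so an `Origin: upstream, <commit URL>` line would make that machine-readable and consistent with the second patch in this debdiff, which has the same gap. The `jdk.management.jfr:type=FlightRecorder` deny entry is name-based like the other three, so it only takes effect if the JDK in use registers the MBean under exactly that name.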
diff -Nru activemq-5.17.2+dfsg/debian/patches/0001-AMQ-9370-Openwire-marshaller-should-validate-Throwab.patch activemq-5.17.2+dfsg/debian/patches/0001-AMQ-9370-Openwire-marshaller-should-validate-Throwab.patch
--- activemq-5.17.2+dfsg/debian/patches/0001-AMQ-9370-Openwire-marshaller-should-validate-Throwab.patch	1969-12-31 21:00:00.000000000 -0300
+++ activemq-5.17.2+dfsg/debian/patches/0001-AMQ-9370-Openwire-marshaller-should-validate-Throwab.patch	2024-10-23 23:20:32.000000000 -0300
@@ -0,0 +1,729 @@
+From d0ccdd31544ada83185554c87c7aa141064020f0 Mon Sep 17 00:00:00 2001
+From: "Christopher L. Shannon (cshannon)" <christopher.l.shannon@gmail.com>
+Date: Mon, 23 Oct 2023 18:24:38 -0400
+Subject: [PATCH] AMQ-9370 - Openwire marshaller should validate Throwable
+ class type
+
+(cherry picked from commit 3eaf3107f4fb9a3ce7ab45c175bfaeac7e866d5b)
+
+Bug-Debian: https://bugs.debian.org/1054909
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-46604
+---
+ activemq-client/pom.xml                       |  11 ++
+ .../activemq/openwire/OpenWireUtil.java       |  32 ++++
+ .../openwire/v1/BaseDataStreamMarshaller.java |   4 +
+ .../v10/BaseDataStreamMarshaller.java         |   4 +
+ .../v11/BaseDataStreamMarshaller.java         |   4 +
+ .../v12/BaseDataStreamMarshaller.java         |   4 +
+ .../openwire/v9/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/OpenWireValidationTest.java      | 166 ++++++++++++++++++
+ activemq-openwire-legacy/pom.xml              |  12 ++
+ .../openwire/v2/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v3/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v4/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v5/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v6/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v7/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v8/BaseDataStreamMarshaller.java |   4 +
+ .../OpenWireLegacyValidationTest.java         | 129 ++++++++++++++
+ pom.xml                                       |   7 +
+ 18 files changed, 405 insertions(+)
+ create mode 100644 activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java
+ create mode 100644 activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java
+ create mode 100644 activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java
+
+Index: activemq/activemq-client/pom.xml
+===================================================================
+--- activemq.orig/activemq-client/pom.xml
++++ activemq/activemq-client/pom.xml
+@@ -278,6 +278,17 @@
+               </execution>
+           </executions>
+       </plugin>
++      <!-- generate the attached tests jar -->
++      <plugin>
++        <artifactId>maven-jar-plugin</artifactId>
++        <executions>
++          <execution>
++            <goals>
++              <goal>test-jar</goal>
++            </goals>
++          </execution>
++        </executions>
++      </plugin>
+     </plugins>
+     <pluginManagement>
+         <plugins>
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java
+===================================================================
+--- /dev/null
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java
+@@ -0,0 +1,32 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.openwire;
++
++public class OpenWireUtil {
++
++    /**
++     * Verify that the provided class extends {@link Throwable} and throw an
++     * {@link IllegalArgumentException} if it does not.
++     *
++     * @param clazz
++     */
++    public static void validateIsThrowable(Class<?> clazz) {
++        if (!Throwable.class.isAssignableFrom(clazz)) {
++            throw new IllegalArgumentException("Class " + clazz + " is not assignable to Throwable");
++        }
++    }
++}
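Review bot: `validateIsThrowable` runs only after the caller has already loaded the named class, so its safety depends on the callers using `Class.forName(className, false, ...)` with `initialize=false` (as the marshaller hunks below do) so that no static initializer runs before the check; the Javadoc should state that precondition, because a future caller using the one-argument `Class.forName(name)` would silently lose it. The `@param clazz` tag is also empty and could say "class named by the peer in the OpenWire stream".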
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -229,8 +230,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
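Review bot: the new `catch (IllegalArgumentException e) { return e; }` deserves a comment explaining that it is deliberate: a rejected class name is surfaced to the caller as an `IllegalArgumentException` carrying the class name in its message (which the new `OpenWireValidationTest` asserts on), instead of falling into the generic `catch (Throwable)` branch that returns an opaque `Throwable`. Note that the check sits between `Class.forName(..., false, ...)` and `getConstructor`/`newInstance`, which is the right spot, and that this identical four-line change is repeated in every version-specific `BaseDataStreamMarshaller` listed in the diffstat, so any later tweak must be applied to all of them.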
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java
+===================================================================
+--- /dev/null
++++ activemq/activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java
+@@ -0,0 +1,166 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.openwire;
++
++import static org.junit.Assert.assertTrue;
++
++import java.io.DataOutput;
++import java.io.IOException;
++import java.lang.reflect.Method;
++import java.util.ArrayList;
++import java.util.Collection;
++import java.util.List;
++import org.apache.activemq.command.CommandTypes;
++import org.apache.activemq.command.ExceptionResponse;
++import org.apache.activemq.util.ByteSequence;
++import org.junit.Test;
++import org.junit.runner.RunWith;
++import org.junit.runners.Parameterized;
++import org.junit.runners.Parameterized.Parameters;
++
++/**
++ * Test that Openwire marshalling will validate Throwable types during
++ * unmarshalling commands that contain a Throwable
++ */
++@RunWith(Parameterized.class)
++public class OpenWireValidationTest {
++
++    protected final int version;
++
++    @Parameters(name = "version={0}")
++    public static Collection<Object[]> data() {
++        List<Integer> versions = List.of(1, 9, 10, 11, 12);
++        List<Object[]> versionObjs = new ArrayList<>();
++        for (int i : versions) {
++            versionObjs.add(new Object[]{i});
++        }
++
++        // Sanity check to make sure the latest generated version is contained in the list
++        // This will make sure that we don't forget to update this test to include
++        // any future versions that are generated
++        assertTrue("List of Openwire versions does not include latest version",
++            versions.contains((int)CommandTypes.PROTOCOL_VERSION));
++
++        return versionObjs;
++    }
++
++    public OpenWireValidationTest(int version) {
++        this.version = version;
++    }
++
++    @Test
++    public void testOpenwireThrowableValidation() throws Exception {
++        // Create a format which will use loose encoding by default
++        // The code for handling exception creation is shared between both
++        // tight/loose encoding so only need to test 1
++        OpenWireFormat format = new OpenWireFormat();
++
++        // Override the marshaller map with a custom impl to purposely marshal a class type that is
++        // not a Throwable for testing the unmarshaller
++        Class<?> marshallerFactory = getMarshallerFactory();
++        Method createMarshallerMap = marshallerFactory.getMethod("createMarshallerMap", OpenWireFormat.class);
++        DataStreamMarshaller[] map = (DataStreamMarshaller[]) createMarshallerMap.invoke(marshallerFactory, format);
++        map[ExceptionResponse.DATA_STRUCTURE_TYPE] = getExceptionMarshaller();
++        // This will trigger updating the marshaller from the marshaller map with the right version
++        format.setVersion(version);
++
++        // Build the response and try to unmarshal which should give an IllegalArgumentExeption on unmarshall
++        // as the test marshaller should have encoded a class type that is not a Throwable
++        ExceptionResponse r = new ExceptionResponse();
++        r.setException(new Exception());
++        ByteSequence bss = format.marshal(r);
++        ExceptionResponse response = (ExceptionResponse) format.unmarshal(bss);
++
++        assertTrue(response.getException() instanceof IllegalArgumentException);
++        assertTrue(response.getException().getMessage().contains("is not assignable to Throwable"));
++    }
++
++    static class NotAThrowable {
++        private String message;
++
++        public NotAThrowable(String message) {
++            this.message = message;
++        }
++
++        public NotAThrowable() {
++        }
++    }
++
++    private Class<?> getMarshallerFactory() throws ClassNotFoundException {
++        return Class.forName("org.apache.activemq.openwire.v" + version + ".MarshallerFactory");
++    }
++
++    // Create test marshallers for all non-legacy versions that will encode NotAThrowable
++    // instead of the exception type for testing purposes
++    protected DataStreamMarshaller getExceptionMarshaller() {
++        switch (version) {
++            case 12:
++                return new org.apache.activemq.openwire.v12.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 11:
++                return new org.apache.activemq.openwire.v11.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 10:
++                return new org.apache.activemq.openwire.v10.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 9:
++                return new org.apache.activemq.openwire.v9.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 1:
++                return new org.apache.activemq.openwire.v1.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            default:
++                throw new IllegalArgumentException("Unknown openwire version of " + version);
++        }
++    }
++
++}
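Review bot: `NotAThrowable` deliberately has a `(String)` constructor, so without the new check `constructor.newInstance` would succeed and only the `(Throwable)` cast would fail, landing in the old generic `catch (Throwable)` branch; that is what lets the `instanceof IllegalArgumentException` assertion tell the fix apart from the previous fallback, and a one-line comment on the `NotAThrowable` class saying so would make the test's intent clear. The test exercises only loose encoding, which the header comment justifies by the shared `createThrowable` path; that holds, but the comment could name `createThrowable` explicitly.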
+Index: activemq/activemq-openwire-legacy/pom.xml
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/pom.xml
++++ activemq/activemq-openwire-legacy/pom.xml
+@@ -35,6 +35,20 @@
+       <groupId>org.apache.activemq</groupId>
+       <artifactId>activemq-client</artifactId>
+     </dependency>
++
++    <!--
++    <dependency>
++      <groupId>org.apache.activemq</groupId>
++      <artifactId>activemq-client</artifactId>
++      <type>test-jar</type>
++      <scope>test</scope>
++    </dependency>
++    -->
++    <dependency>
++      <groupId>junit</groupId>
++      <artifactId>junit</artifactId>
++      <scope>test</scope>
++    </dependency>
+   </dependencies>
+ 
+ </project>
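Review bot: the `activemq-client` test-jar dependency is commented out at the top of this hunk, while the maven-jar-plugin `test-jar` execution that produces it is still added to `activemq-client/pom.xml` earlier in this patch; if `OpenWireLegacyValidationTest` (listed in the diffstat) needs anything from that jar it will not compile in the Debian build, and if it does not, the `test-jar` execution is dead weight. Either way, the reason for deviating from the upstream commit here belongs in the patch header rather than in a commented-out XML block.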
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
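Review bot: this is the fifth verbatim copy of the same four-line change in this module (v4 through v8 here; the activemq-client module's v1 and v9 to v12 `BaseDataStreamMarshaller` classes carry the identical lines), so any future hardening of `createThrowable` has to be applied in a dozen places. Moving the `Class.forName` / validate / `getConstructor` / `newInstance` sequence into `OpenWireUtil` and delegating from each per-version copy would leave one place to audit. For a security cherry-pick, matching upstream line for line is the safer choice and is what this patch does, so this is a follow-up suggestion rather than a blocker.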
+Index: activemq/activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java
+===================================================================
+--- /dev/null
++++ activemq/activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java
+@@ -0,0 +1,129 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.openwire;
++
++import java.io.DataOutput;
++import java.io.IOException;
++import java.util.ArrayList;
++import java.util.Collection;
++import java.util.List;
++import org.junit.runner.RunWith;
++import org.junit.runners.Parameterized;
++import org.junit.runners.Parameterized.Parameters;
++
++/**
++ * Test that Openwire marshalling for legacy versions will validate Throwable types during
++ * unmarshalling commands that contain a Throwable
++ */
++@RunWith(Parameterized.class)
++public class OpenWireLegacyValidationTest extends OpenWireValidationTest {
++
++
++    // Run through version 2 - 8 which are legacy
++    @Parameters(name = "version={0}")
++    public static Collection<Object[]> data() {
++        List<Object[]> versions = new ArrayList<>();
++        for (int i = 2; i <= 8; i++) {
++            versions.add(new Object[]{i});
++        }
++        return versions;
++    }
++
++    public OpenWireLegacyValidationTest(int version) {
++        super(version);
++    }
++
++    // Create test marshallers for all legacy versions that will encode NotAThrowable
++    // instead of the exception type for testing purposes
++    protected DataStreamMarshaller getExceptionMarshaller() {
++        switch (version) {
++            case 2:
++                return new org.apache.activemq.openwire.v2.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 3:
++                return new org.apache.activemq.openwire.v3.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 4:
++                return new org.apache.activemq.openwire.v4.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 5:
++                return new org.apache.activemq.openwire.v5.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 6:
++                return new org.apache.activemq.openwire.v6.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 7:
++                return new org.apache.activemq.openwire.v7.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 8:
++                return new org.apache.activemq.openwire.v8.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            default:
++                throw new IllegalArgumentException("Unknown openwire version of " + version);
++        }
++    }
++
++}
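Review bot: `NotAThrowable` here is the package-private nested class `OpenWireValidationTest.NotAThrowable` from the activemq-client test sources, which is why this module now needs the activemq-client test-jar. If the Debian build runs with tests skipped, this file is never compiled and nothing in the build exercises the CVE-2023-46604 fix, so running `OpenWireLegacyValidationTest` and `OpenWireValidationTest` once by hand against the built jars is worth doing before upload. A smaller point: the seven anonymous subclasses differ only in the package prefix; reflection on `"org.apache.activemq.openwire.v" + version + ".ExceptionResponseMarshaller"` cannot override `looseMarshalThrowable`, so the switch is justified, but the hard-coded `2..8` range in `data()` has no guard comparable to the `PROTOCOL_VERSION` sanity check in the parent test, so a newly added legacy version would be silently untested.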
+Index: activemq/pom.xml
+===================================================================
+--- activemq.orig/pom.xml
++++ activemq/pom.xml
+@@ -300,6 +300,13 @@
+       </dependency>
+       <dependency>
+         <groupId>org.apache.activemq</groupId>
++        <artifactId>activemq-client</artifactId>
++        <version>${project.version}</version>
++        <type>test-jar</type>
++        <scope>test</scope>
++      </dependency>
++      <dependency>
++        <groupId>org.apache.activemq</groupId>
+         <artifactId>activemq-openwire-legacy</artifactId>
+         <version>${project.version}</version>
+       </dependency>
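Review bot: the managed `activemq-client` test-jar dependency is `<scope>test</scope>`, so it does not change the runtime classpath of the shipped jars. The consuming module has to declare `<type>test-jar</type>` as well, otherwise Maven resolves the main `activemq-client` jar and `OpenWireValidationTest` is not found when compiling `OpenWireLegacyValidationTest`. Since maven-debian-helper rewrites dependency coordinates through debian/maven.rules, check the build log that the `activemq-openwire-legacy` test compile picks up `activemq-client-<version>-tests.jar` rather than the main jar.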
diff -Nru activemq-5.17.2+dfsg/debian/patches/series activemq-5.17.2+dfsg/debian/patches/series
--- activemq-5.17.2+dfsg/debian/patches/series	2023-02-12 12:53:03.000000000 -0300
+++ activemq-5.17.2+dfsg/debian/patches/series	2024-10-23 23:20:32.000000000 -0300
@@ -5,3 +5,5 @@
 java11.patch
 enable-activemq-jdbc-store-module.patch
 mising-dependency-in-stomp-pom.patch
+0001-AMQ-9370-Openwire-marshaller-should-validate-Throwab.patch
+0001-AMQ-9201-Update-Jolokia-default-access-configuration.patch
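Review bot: both new entries carry the `0001-` prefix from separate `git format-patch` runs, which reads as two first patches of two different series. Either renumber the Jolokia patch to `0002-` or drop the numeric prefix as the existing entries (`java11.patch`, `mising-dependency-in-stomp-pom.patch`) do. Application order is fine: the two patches touch disjoint files.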
diff -Nru activemq-5.16.1/debian/changelog activemq-5.16.1/debian/changelog
--- activemq-5.16.1/debian/changelog	2021-03-02 13:08:31.000000000 -0300
+++ activemq-5.16.1/debian/changelog	2024-10-24 07:01:01.000000000 -0300
@@ -1,3 +1,15 @@
+activemq (5.16.1-1+deb11u1~3.gbp5ddc05) UNRELEASED-bullseye-security; urgency=medium
+
+  ** SNAPSHOT build @5ddc054098a63eaf3e00ea4cc5505b1ac81adc34 **
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2023-46604: The Java OpenWire protocol marshaller is vulnerable to
+    Remote Code Execution (Closes: #1054909)
+  * CVE-2022-41678: Potential arbitrary code execution via Jolokia
+  * Add d/salsa-ci.yml using lts-team bullseye recipe
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net>  Thu, 24 Oct 2024 07:01:01 -0300
+
 activemq (5.16.1-1) unstable; urgency=high
 
   * Team upload.
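Review bot: the entry still carries the gbp snapshot version `5.16.1-1+deb11u1~3.gbp5ddc05`, the `UNRELEASED-bullseye-security` distribution and the `** SNAPSHOT build @... **` marker. Before upload run `gbp dch --release` (or edit by hand) so the version becomes `5.16.1-1+deb11u1` and the distribution `bullseye-security`; an upload with a snapshot version and an unknown distribution will not be accepted, and the `~3.gbp...` suffix sorts below the final `+deb11u1`. Consider `urgency=high` as well, matching the `5.16.1-1` entry below, given that CVE-2023-46604 is a remote code execution fix.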
diff -Nru activemq-5.16.1/debian/patches/0001-AMQ-9201-Update-Jolokia-default-access-configuration.patch activemq-5.16.1/debian/patches/0001-AMQ-9201-Update-Jolokia-default-access-configuration.patch
--- activemq-5.16.1/debian/patches/0001-AMQ-9201-Update-Jolokia-default-access-configuration.patch	1969-12-31 21:00:00.000000000 -0300
+++ activemq-5.16.1/debian/patches/0001-AMQ-9201-Update-Jolokia-default-access-configuration.patch	2024-10-24 07:01:01.000000000 -0300
@@ -0,0 +1,70 @@
+From 5c8d457d9fcef194ea89f969b822850837143c5f Mon Sep 17 00:00:00 2001
+From: "Christopher L. Shannon (cshannon)" <christopher.l.shannon@gmail.com>
+Date: Wed, 1 Feb 2023 07:04:56 -0500
+Subject: [PATCH] AMQ-9201 - Update Jolokia default access configuration
+
+(cherry picked from commit 6120169e563b55323352431dfe9ac67a8b4de6c2)
+
+Bug: https://issues.apache.org/jira/browse/AMQ-9201
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-41678
+
+---
+ .../api/WEB-INF/classes/jolokia-access.xml    | 34 ++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml b/assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml
+index 8cad1cd40e..97b099a5b7 100644
+--- a/assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml
++++ b/assembly/src/release/webapps/api/WEB-INF/classes/jolokia-access.xml
+@@ -22,8 +22,35 @@
+     <strict-checking/>
+   </cors>
+ 
+-  <!-- deny calling operations or getting attributes from these mbeans -->
++  <!-- By default don't allow write or exec operations -->
++  <commands>
++    <command>read</command>
++    <command>list</command>
++    <command>version</command>
++    <command>search</command>
++  </commands>
++
++  <allow>
++    <!-- Allow all operations for the broker itself -->
++    <mbean>
++      <name>org.apache.activemq:*</name>
++      <attribute>*</attribute>
++      <operation>*</operation>
++    </mbean>
++    <!-- Allow all operations for Jolokia Config -->
++    <mbean>
++      <name>jolokia:type=Config</name>
++      <operation>*</operation>
++    </mbean>
++  </allow>
++
++  <!-- deny all operations or getting attributes from these mbeans -->
+   <deny>
++    <mbean>
++      <name>org.apache.logging.log4j2:*</name>
++      <attribute>*</attribute>
++      <operation>*</operation>
++    </mbean>
+     <mbean>
+       <name>com.sun.management:type=DiagnosticCommand</name>
+       <attribute>*</attribute>
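Review bot: the `<commands>` list drops `write` and `exec` globally, but the `<allow>` block immediately below re-grants `<attribute>*</attribute>` and `<operation>*</operation>` for `org.apache.activemq:*` (the comment says "Allow all operations for the broker itself"), so the effective boundary is "any operation on any broker MBean, read-only elsewhere". That is upstream's intended scope, but it is a visible behaviour change for anyone driving Jolokia against non-broker MBeans through the web console, so a line in d/changelog or a NEWS entry saying the Jolokia endpoint is now read-only outside `org.apache.activemq:*` would help. Separately, this file lives under `assembly/src/release/webapps/api/WEB-INF/classes/`; confirm the Debian binary actually ships it (`dpkg -L activemq | grep jolokia-access.xml`), otherwise the CVE-2022-41678 change is a no-op for the package.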
+@@ -34,6 +61,11 @@
+       <attribute>*</attribute>
+       <operation>*</operation>
+     </mbean>
++    <mbean>
++      <name>jdk.management.jfr:type=FlightRecorder</name>
++      <attribute>*</attribute>
++      <operation>*</operation>
++    </mbean>
+   </deny>
+ 
+ </restrict>
+-- 
+2.39.5
+
diff -Nru activemq-5.16.1/debian/patches/0001-AMQ-9370-Openwire-marshaller-should-validate-Throwab.patch activemq-5.16.1/debian/patches/0001-AMQ-9370-Openwire-marshaller-should-validate-Throwab.patch
--- activemq-5.16.1/debian/patches/0001-AMQ-9370-Openwire-marshaller-should-validate-Throwab.patch	1969-12-31 21:00:00.000000000 -0300
+++ activemq-5.16.1/debian/patches/0001-AMQ-9370-Openwire-marshaller-should-validate-Throwab.patch	2024-10-24 07:01:01.000000000 -0300
@@ -0,0 +1,731 @@
+From 22442b2385b1000312aec3d19e510131d595a5fc Mon Sep 17 00:00:00 2001
+From: "Christopher L. Shannon (cshannon)" <christopher.l.shannon@gmail.com>
+Date: Mon, 23 Oct 2023 18:24:38 -0400
+Subject: [PATCH] AMQ-9370 - Openwire marshaller should validate Throwable
+ class type
+
+(cherry picked from commit 3eaf3107f4fb9a3ce7ab45c175bfaeac7e866d5b)
+(cherry picked from commit d0ccdd31544ada83185554c87c7aa141064020f0)
+
+Bug-Debian: https://bugs.debian.org/1054909
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-46604
+
+---
+ activemq-client/pom.xml                       |  11 ++
+ .../activemq/openwire/OpenWireUtil.java       |  32 ++++
+ .../openwire/v1/BaseDataStreamMarshaller.java |   4 +
+ .../v10/BaseDataStreamMarshaller.java         |   4 +
+ .../v11/BaseDataStreamMarshaller.java         |   4 +
+ .../v12/BaseDataStreamMarshaller.java         |   4 +
+ .../openwire/v9/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/OpenWireValidationTest.java      | 166 ++++++++++++++++++
+ activemq-openwire-legacy/pom.xml              |  12 ++
+ .../openwire/v2/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v3/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v4/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v5/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v6/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v7/BaseDataStreamMarshaller.java |   4 +
+ .../openwire/v8/BaseDataStreamMarshaller.java |   4 +
+ .../OpenWireLegacyValidationTest.java         | 129 ++++++++++++++
+ pom.xml                                       |   7 +
+ 18 files changed, 405 insertions(+)
+ create mode 100644 activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java
+ create mode 100644 activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java
+ create mode 100644 activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java
+
+Index: activemq/activemq-client/pom.xml
+===================================================================
+--- activemq.orig/activemq-client/pom.xml
++++ activemq/activemq-client/pom.xml
+@@ -266,6 +266,17 @@
+               </execution>
+           </executions>
+       </plugin>
++      <!-- generate the attached tests jar -->
++      <plugin>
++        <artifactId>maven-jar-plugin</artifactId>
++        <executions>
++          <execution>
++            <goals>
++              <goal>test-jar</goal>
++            </goals>
++          </execution>
++        </executions>
++      </plugin>
+     </plugins>
+     <pluginManagement>
+         <plugins>
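Review bot: the `maven-jar-plugin` execution has no `<version>`, so it takes the one from the `<pluginManagement>` block that follows (and, in Debian, whatever maven-debian-helper substitutes), which is fine. If the package builds with `-Dmaven.test.skip=true`, however, no test classes exist and the `test-jar` goal produces an empty jar with the warning "JAR will be empty - no content was marked for inclusion!"; that is harmless only as long as nothing in the reactor then fails to find `OpenWireValidationTest`. Grep the build log for that warning when checking the build.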
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java
+===================================================================
+--- /dev/null
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/OpenWireUtil.java
+@@ -0,0 +1,32 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.openwire;
++
++public class OpenWireUtil {
++
++    /**
++     * Verify that the provided class extends {@link Throwable} and throw an
++     * {@link IllegalArgumentException} if it does not.
++     *
++     * @param clazz
++     */
++    public static void validateIsThrowable(Class<?> clazz) {
++        if (!Throwable.class.isAssignableFrom(clazz)) {
++            throw new IllegalArgumentException("Class " + clazz + " is not assignable to Throwable");
++        }
++    }
++}
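Review bot: the Javadoc `@param clazz` is left without a description; say that it is the class resolved from a wire-supplied name, because that is the whole reason the check exists. Functionally the check is right: `Throwable.class.isAssignableFrom(clazz)` rejects interfaces and non-Throwable classes while accepting `Throwable` itself and every subclass, and `null` cannot reach it because `Class.forName` never returns null. What remains reachable after this fix is the `(String)` constructor of every `Throwable` subclass on the broker classpath, which is the same residual surface upstream accepted.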
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v1/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
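Review bot: the two failure paths are distinguishable. A name that does not resolve throws `ClassNotFoundException` on the `Class.forName` line and comes back as `new Throwable(className + ": " + message)`; a name that resolves but is not a `Throwable` comes back as an `IllegalArgumentException` whose message reads "is not assignable to Throwable". Whoever ends up seeing the unmarshalled Throwable (a log line, or a client receiving the broker's ExceptionResponse) can therefore tell whether the named class exists on the other side's classpath, one name per message. That is low severity next to the RCE this closes and identical to upstream, but worth a note in the tracker; a follow-up could return the generic `Throwable` in both cases.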
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v10/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v11/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v12/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java
++++ activemq/activemq-client/src/main/java/org/apache/activemq/openwire/v9/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java
+===================================================================
+--- /dev/null
++++ activemq/activemq-client/src/test/java/org/apache/activemq/openwire/OpenWireValidationTest.java
+@@ -0,0 +1,166 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.openwire;
++
++import static org.junit.Assert.assertTrue;
++
++import java.io.DataOutput;
++import java.io.IOException;
++import java.lang.reflect.Method;
++import java.util.ArrayList;
++import java.util.Collection;
++import java.util.List;
++import org.apache.activemq.command.CommandTypes;
++import org.apache.activemq.command.ExceptionResponse;
++import org.apache.activemq.util.ByteSequence;
++import org.junit.Test;
++import org.junit.runner.RunWith;
++import org.junit.runners.Parameterized;
++import org.junit.runners.Parameterized.Parameters;
++
++/**
++ * Test that Openwire marshalling will validate Throwable types during
++ * unmarshalling commands that contain a Throwable
++ */
++@RunWith(Parameterized.class)
++public class OpenWireValidationTest {
++
++    protected final int version;
++
++    @Parameters(name = "version={0}")
++    public static Collection<Object[]> data() {
++        List<Integer> versions = List.of(1, 9, 10, 11, 12);
++        List<Object[]> versionObjs = new ArrayList<>();
++        for (int i : versions) {
++            versionObjs.add(new Object[]{i});
++        }
++
++        // Sanity check to make sure the latest generated version is contained in the list
++        // This will make sure that we don't forget to update this test to include
++        // any future versions that are generated
++        assertTrue("List of Openwire versions does not include latest version",
++            versions.contains((int)CommandTypes.PROTOCOL_VERSION));
++
++        return versionObjs;
++    }
++
++    public OpenWireValidationTest(int version) {
++        this.version = version;
++    }
++
++    @Test
++    public void testOpenwireThrowableValidation() throws Exception {
++        // Create a format which will use loose encoding by default
++        // The code for handling exception creation is shared between both
++        // tight/loose encoding so only need to test 1
++        OpenWireFormat format = new OpenWireFormat();
++
++        // Override the marshaller map with a custom impl to purposely marshal a class type that is
++        // not a Throwable for testing the unmarshaller
++        Class<?> marshallerFactory = getMarshallerFactory();
++        Method createMarshallerMap = marshallerFactory.getMethod("createMarshallerMap", OpenWireFormat.class);
++        DataStreamMarshaller[] map = (DataStreamMarshaller[]) createMarshallerMap.invoke(marshallerFactory, format);
++        map[ExceptionResponse.DATA_STRUCTURE_TYPE] = getExceptionMarshaller();
++        // This will trigger updating the marshaller from the marshaller map with the right version
++        format.setVersion(version);
++
++        // Build the response and try to unmarshal which should give an IllegalArgumentExeption on unmarshall
++        // as the test marshaller should have encoded a class type that is not a Throwable
++        ExceptionResponse r = new ExceptionResponse();
++        r.setException(new Exception());
++        ByteSequence bss = format.marshal(r);
++        ExceptionResponse response = (ExceptionResponse) format.unmarshal(bss);
++
++        assertTrue(response.getException() instanceof IllegalArgumentException);
++        assertTrue(response.getException().getMessage().contains("is not assignable to Throwable"));
++    }
++
++    static class NotAThrowable {
++        private String message;
++
++        public NotAThrowable(String message) {
++            this.message = message;
++        }
++
++        public NotAThrowable() {
++        }
++    }
++
++    private Class<?> getMarshallerFactory() throws ClassNotFoundException {
++        return Class.forName("org.apache.activemq.openwire.v" + version + ".MarshallerFactory");
++    }
++
++    // Create test marshallers for all non-legacy versions that will encode NotAThrowable
++    // instead of the exception type for testing purposes
++    protected DataStreamMarshaller getExceptionMarshaller() {
++        switch (version) {
++            case 12:
++                return new org.apache.activemq.openwire.v12.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 11:
++                return new org.apache.activemq.openwire.v11.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 10:
++                return new org.apache.activemq.openwire.v10.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 9:
++                return new org.apache.activemq.openwire.v9.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 1:
++                return new org.apache.activemq.openwire.v1.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            default:
++                throw new IllegalArgumentException("Unknown openwire version of " + version);
++        }
++    }
++
++}
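Review bot: the final assertion of testOpenwireThrowableValidation couples the test to the exact wording "is not assignable to Throwable" emitted by OpenWireUtil.validateIsThrowable, so a harmless rewording of that message would fail every parameterized run; asserting only on the IllegalArgumentException type, or on the offending class name being present, would be more robust. Worth keeping in mind when reading the test: NotAThrowable deliberately has a (String) constructor, so without the validation the reflective `clazz.getConstructor(new Class[] {String.class})` / `newInstance` path would succeed and only the cast to Throwable would fail, with the generic `catch (Throwable e)` turning that into a plain Throwable; that is why the IllegalArgumentException assertion actually discriminates between patched and unpatched code.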
+Index: activemq/activemq-openwire-legacy/pom.xml
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/pom.xml
++++ activemq/activemq-openwire-legacy/pom.xml
+@@ -35,6 +35,20 @@
+       <groupId>org.apache.activemq</groupId>
+       <artifactId>activemq-client</artifactId>
+     </dependency>
++
++    <!--
++    <dependency>
++      <groupId>org.apache.activemq</groupId>
++      <artifactId>activemq-client</artifactId>
++      <type>test-jar</type>
++      <scope>test</scope>
++    </dependency>
++    -->
++    <dependency>
++      <groupId>junit</groupId>
++      <artifactId>junit</artifactId>
++      <scope>test</scope>
++    </dependency>
+   </dependencies>
+ 
+ </project>
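Review bot: the activemq-client test-jar dependency is added only inside an XML comment (the block between `<!--` and `-->`), yet OpenWireLegacyValidationTest in this same module extends OpenWireValidationTest, which the commented block implies is provided by that test-jar, so the new legacy test cannot compile unless the test-jar is on the test classpath. If the Debian build skips the test sources anyway, record that in the patch header and drop the commented block rather than leaving dead XML; otherwise uncomment it, since the matching managed version is added to the root pom.xml later in this patch.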
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v2/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
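Review bot: the ordering in createThrowable is the important part and is correct: `Class.forName(className, false, ...)` still loads without initialising, and `OpenWireUtil.validateIsThrowable(clazz)` runs before `getConstructor` and `newInstance`, so no static initialiser or constructor of a class named on the wire executes before the type check. The new `catch (IllegalArgumentException e) { return e; }` surfaces the validation failure instead of the `new Throwable(className + ": " + message)` fallback, which is what the new tests assert on; with the constructor resolved for String.class, newInstance cannot itself raise IllegalArgumentException, so nothing else is caught by that branch. This hunk is repeated unchanged for v3 through v8 below; after applying, a quick `grep -L validateIsThrowable` over the legacy BaseDataStreamMarshaller files is a cheap way to confirm none was missed.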
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v3/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v4/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v5/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v6/BaseDataStreamMarshaller.java
+@@ -25,6 +25,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -228,8 +229,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v7/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java
+===================================================================
+--- activemq.orig/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java
++++ activemq/activemq-openwire-legacy/src/main/java/org/apache/activemq/openwire/v8/BaseDataStreamMarshaller.java
+@@ -24,6 +24,7 @@ import org.apache.activemq.command.DataS
+ import org.apache.activemq.openwire.BooleanStream;
+ import org.apache.activemq.openwire.DataStreamMarshaller;
+ import org.apache.activemq.openwire.OpenWireFormat;
++import org.apache.activemq.openwire.OpenWireUtil;
+ import org.apache.activemq.util.ByteSequence;
+ 
+ public abstract class BaseDataStreamMarshaller implements DataStreamMarshaller {
+@@ -227,8 +228,11 @@ public abstract class BaseDataStreamMars
+     private Throwable createThrowable(String className, String message) {
+         try {
+             Class clazz = Class.forName(className, false, BaseDataStreamMarshaller.class.getClassLoader());
++            OpenWireUtil.validateIsThrowable(clazz);
+             Constructor constructor = clazz.getConstructor(new Class[] {String.class});
+             return (Throwable)constructor.newInstance(new Object[] {message});
++        } catch (IllegalArgumentException e) {
++            return e;
+         } catch (Throwable e) {
+             return new Throwable(className + ": " + message);
+         }
+Index: activemq/activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java
+===================================================================
+--- /dev/null
++++ activemq/activemq-openwire-legacy/src/test/java/org/apache/activemq/openwire/OpenWireLegacyValidationTest.java
+@@ -0,0 +1,129 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.openwire;
++
++import java.io.DataOutput;
++import java.io.IOException;
++import java.util.ArrayList;
++import java.util.Collection;
++import java.util.List;
++import org.junit.runner.RunWith;
++import org.junit.runners.Parameterized;
++import org.junit.runners.Parameterized.Parameters;
++
++/**
++ * Test that Openwire marshalling for legacy versions will validate Throwable types during
++ * unmarshalling commands that contain a Throwable
++ */
++@RunWith(Parameterized.class)
++public class OpenWireLegacyValidationTest extends OpenWireValidationTest {
++
++
++    // Run through version 2 - 8 which are legacy
++    @Parameters(name = "version={0}")
++    public static Collection<Object[]> data() {
++        List<Object[]> versions = new ArrayList<>();
++        for (int i = 2; i <= 8; i++) {
++            versions.add(new Object[]{i});
++        }
++        return versions;
++    }
++
++    public OpenWireLegacyValidationTest(int version) {
++        super(version);
++    }
++
++    // Create test marshallers for all legacy versions that will encode NotAThrowable
++    // instead of the exception type for testing purposes
++    protected DataStreamMarshaller getExceptionMarshaller() {
++        switch (version) {
++            case 2:
++                return new org.apache.activemq.openwire.v2.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 3:
++                return new org.apache.activemq.openwire.v3.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 4:
++                return new org.apache.activemq.openwire.v4.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 5:
++                return new org.apache.activemq.openwire.v5.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 6:
++                return new org.apache.activemq.openwire.v6.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 7:
++                return new org.apache.activemq.openwire.v7.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            case 8:
++                return new org.apache.activemq.openwire.v8.ExceptionResponseMarshaller() {
++                    @Override
++                    protected void looseMarshalThrowable(OpenWireFormat wireFormat, Throwable o,
++                        DataOutput dataOut) throws IOException {
++                        dataOut.writeBoolean(o != null);
++                        looseMarshalString(NotAThrowable.class.getName(), dataOut);
++                        looseMarshalString(o.getMessage(), dataOut);
++                    }
++                };
++            default:
++                throw new IllegalArgumentException("Unknown openwire version of " + version);
++        }
++    }
++
++}
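Review bot: getExceptionMarshaller overrides the parent's method but lacks `@Override`, which the anonymous marshallers inside it do carry; adding it makes a signature drift in OpenWireValidationTest a compile error instead of a silently unused method. Style: there is a double blank line after the class declaration. The 2..8 range in data() and the switch cases must also be kept in sync by hand; the default branch throwing means a mismatch would surface only as a test failure, which is acceptable, but a one-line comment tying the two together would help the next person touching it.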
+Index: activemq/pom.xml
+===================================================================
+--- activemq.orig/pom.xml
++++ activemq/pom.xml
+@@ -316,6 +316,13 @@
+       </dependency>
+       <dependency>
+         <groupId>org.apache.activemq</groupId>
++        <artifactId>activemq-client</artifactId>
++        <version>${project.version}</version>
++        <type>test-jar</type>
++        <scope>test</scope>
++      </dependency>
++      <dependency>
++        <groupId>org.apache.activemq</groupId>
+         <artifactId>activemq-openwire-legacy</artifactId>
+         <version>${project.version}</version>
+       </dependency>
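Review bot: this dependencyManagement entry for the activemq-client test-jar has no consumer in the patch, because the only module that would use it (activemq-openwire-legacy/pom.xml earlier in this patch) adds that dependency commented out. Either keep both in step with upstream and uncomment the consumer, or drop this entry as well; a managed dependency nothing references is harmless but misleading when reading the backport.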
diff -Nru activemq-5.16.1/debian/patches/series activemq-5.16.1/debian/patches/series
--- activemq-5.16.1/debian/patches/series	2021-03-02 13:08:31.000000000 -0300
+++ activemq-5.16.1/debian/patches/series	2024-10-24 07:01:01.000000000 -0300
@@ -5,3 +5,5 @@
 java11.patch
 maven-xbean-plugin.patch
 enable-activemq-jdbc-store-module.patch
+0001-AMQ-9370-Openwire-marshaller-should-validate-Throwab.patch
+0001-AMQ-9201-Update-Jolokia-default-access-configuration.patch
diff -Nru activemq-5.16.1/debian/salsa-ci.yml activemq-5.16.1/debian/salsa-ci.yml
--- activemq-5.16.1/debian/salsa-ci.yml	1969-12-31 21:00:00.000000000 -0300
+++ activemq-5.16.1/debian/salsa-ci.yml	2024-10-24 07:01:01.000000000 -0300
@@ -0,0 +1,3 @@
+---
+include:
+  - https://salsa.debian.org/lts-team/pipeline/raw/master/recipes/bullseye.yml
