Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, It was reported a vulnerability on groovy2 that allow to execute arbitrary code remotely. For more information you can take a look at: https://bugs.debian.org/793398. I already uploaded a fix to unstable but given the low popcon of groovy2 I don't think it warrant a DSA so I'm proposing to fix this in stable with the next point release. I'm attaching a debdiff with the proposed changes. Thanks, -- System Information: Debian Release: 8.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key. "Faith means not wanting to know what is true." -- Nietzsche
diff -Nru groovy2-2.2.2+dfsg/debian/changelog groovy2-2.2.2+dfsg/debian/changelog --- groovy2-2.2.2+dfsg/debian/changelog 2014-08-29 01:18:55.000000000 -0300 +++ groovy2-2.2.2+dfsg/debian/changelog 2015-07-25 17:20:07.000000000 -0300 @@ -1,3 +1,10 @@ +groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high + + * Fix remote execution of untrusted code and possible DoS vulnerability. + (CVE-2015-3253) (Closes: #793398). + + -- Miguel Landaeta <nomadium@debian.org> Sat, 25 Jul 2015 15:46:24 -0300 + groovy2 (2.2.2+dfsg-3) unstable; urgency=medium * Relicense patches under Apache-2.0 license to make them compatible diff -Nru groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff --- groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff 1969-12-31 21:00:00.000000000 -0300 +++ groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff 2015-07-25 17:19:23.000000000 -0300 @@ -0,0 +1,32 @@ +Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253) +Author: Cedric Champeau <cchampeau@apache.org> +Bug-Debian: https://bugs.debian.org/793398 +Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d +Forwarded: no +Last-Update: 2015-07-25 + +--- groovy2-2.4.3+dfsg.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java ++++ groovy2-2.4.3+dfsg/src/main/org/codehaus/groovy/runtime/MethodClosure.java +@@ -30,6 +30,8 @@ import java.util.List; + */ + public class MethodClosure extends Closure { + ++ public static boolean ALLOW_RESOLVE = false; ++ + private String method; + + public MethodClosure(Object owner, String method) { +@@ -60,6 +62,13 @@ public class MethodClosure extends Closure { + return InvokerHelper.invokeMethod(getOwner(), method, arguments); + } + ++ private Object readResolve() { ++ if (ALLOW_RESOLVE) { ++ return this; ++ } ++ throw new UnsupportedOperationException(); ++ } ++ + public Object getProperty(String property) { + if ("method".equals(property)) { + return getMethod(); diff -Nru groovy2-2.2.2+dfsg/debian/patches/series groovy2-2.2.2+dfsg/debian/patches/series --- groovy2-2.2.2+dfsg/debian/patches/series 2014-07-25 22:21:25.000000000 -0300 +++ groovy2-2.2.2+dfsg/debian/patches/series 2015-07-25 17:19:23.000000000 -0300 @@ -1,3 +1,4 @@ 01_fix_gradle_build.diff 02_fix_start_script.diff 03_add_maven_poms.diff +04_CVE-2015-3253.diff
Attachment:
signature.asc
Description: Digital signature