Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, It was reported a vulnerability on groovy2 that allow to execute arbitrary code remotely. For more information you can take a look at: https://bugs.debian.org/793398. I already uploaded a fix to unstable but given the low popcon of groovy2 I don't think it warrant a DSA so I'm proposing to fix this in stable with the next point release. I'm attaching a debdiff with the proposed changes. Thanks, -- System Information: Debian Release: 8.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key. "Faith means not wanting to know what is true." -- Nietzsche
diff -Nru groovy2-2.2.2+dfsg/debian/changelog groovy2-2.2.2+dfsg/debian/changelog
--- groovy2-2.2.2+dfsg/debian/changelog 2014-08-29 01:18:55.000000000 -0300
+++ groovy2-2.2.2+dfsg/debian/changelog 2015-07-25 17:20:07.000000000 -0300
@@ -1,3 +1,10 @@
+groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high
+
+ * Fix remote execution of untrusted code and possible DoS vulnerability.
+ (CVE-2015-3253) (Closes: #793398).
+
+ -- Miguel Landaeta <nomadium@debian.org> Sat, 25 Jul 2015 15:46:24 -0300
+
groovy2 (2.2.2+dfsg-3) unstable; urgency=medium
* Relicense patches under Apache-2.0 license to make them compatible
diff -Nru groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff
--- groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff 1969-12-31 21:00:00.000000000 -0300
+++ groovy2-2.2.2+dfsg/debian/patches/04_CVE-2015-3253.diff 2015-07-25 17:19:23.000000000 -0300
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cedric Champeau <cchampeau@apache.org>
+Bug-Debian: https://bugs.debian.org/793398
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy2-2.4.3+dfsg.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy2-2.4.3+dfsg/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+ */
+ public class MethodClosure extends Closure {
+
++ public static boolean ALLOW_RESOLVE = false;
++
+ private String method;
+
+ public MethodClosure(Object owner, String method) {
+@@ -60,6 +62,13 @@ public class MethodClosure extends Closure {
+ return InvokerHelper.invokeMethod(getOwner(), method, arguments);
+ }
+
++ private Object readResolve() {
++ if (ALLOW_RESOLVE) {
++ return this;
++ }
++ throw new UnsupportedOperationException();
++ }
++
+ public Object getProperty(String property) {
+ if ("method".equals(property)) {
+ return getMethod();
diff -Nru groovy2-2.2.2+dfsg/debian/patches/series groovy2-2.2.2+dfsg/debian/patches/series
--- groovy2-2.2.2+dfsg/debian/patches/series 2014-07-25 22:21:25.000000000 -0300
+++ groovy2-2.2.2+dfsg/debian/patches/series 2015-07-25 17:19:23.000000000 -0300
@@ -1,3 +1,4 @@
01_fix_gradle_build.diff
02_fix_start_script.diff
03_add_maven_poms.diff
+04_CVE-2015-3253.diff
Attachment:
signature.asc
Description: Digital signature