Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu Hi, It was reported a vulnerability on groovy that allow to execute arbitrary code remotely. For more information you can take a look at: https://bugs.debian.org/793397. I already uploaded a fix to unstable but given the low popcon of groovy I don't think it warrant a DSA so I'm proposing to fix this in stable with the next point release. I'm attaching a debdiff with the proposed changes. Thanks, -- System Information: Debian Release: 8.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key. "Faith means not wanting to know what is true." -- Nietzsche
diff -Nru groovy-1.8.6/debian/changelog groovy-1.8.6/debian/changelog
--- groovy-1.8.6/debian/changelog 2014-05-18 16:33:10.000000000 -0300
+++ groovy-1.8.6/debian/changelog 2015-07-25 18:30:00.000000000 -0300
@@ -1,3 +1,10 @@
+groovy (1.8.6-4+deb8u1) stable; urgency=high
+
+ * Fix remote execution of untrusted code and possible DoS vulnerability.
+ (CVE-2015-3253) (Closes: #793397).
+
+ -- Miguel Landaeta <nomadium@debian.org> Sat, 25 Jul 2015 18:27:24 -0300
+
groovy (1.8.6-4) unstable; urgency=medium
* Implement alternatives usage to allow co-installation with groovy 2.x.
diff -Nru groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch
--- groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch 1969-12-31 21:00:00.000000000 -0300
+++ groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch 2015-07-25 18:26:18.000000000 -0300
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cédric Champeau <cedric.champeau@gmail.com>
+Bug-Debian: https://bugs.debian.org/793397
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy-1.8.6.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy-1.8.6/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+ */
+ public class MethodClosure extends Closure {
+
++ public static boolean ALLOW_RESOLVE = false;
++
+ private String method;
+
+ public MethodClosure(Object owner, String method) {
+@@ -52,6 +54,13 @@ public class MethodClosure extends Closu
+ }
+ }
+
++ private Object readResolve() {
++ if (ALLOW_RESOLVE) {
++ return this;
++ }
++ throw new UnsupportedOperationException();
++ }
++
+ public String getMethod() {
+ return method;
+ }
diff -Nru groovy-1.8.6/debian/patches/series groovy-1.8.6/debian/patches/series
--- groovy-1.8.6/debian/patches/series 2014-05-07 20:29:08.000000000 -0300
+++ groovy-1.8.6/debian/patches/series 2015-07-25 18:26:18.000000000 -0300
@@ -2,3 +2,4 @@
0002-ant-build.diff.patch
0003-disable-bnd.diff.patch
0004-java8-compatibility.patch
+0005-CVE-2015-3253.patch
Attachment:
signature.asc
Description: Digital signature