Package: release.debian.org Severity: normal Tags: wheezy User: release.debian.org@packages.debian.org Usertags: pu Hi, It was reported a vulnerability on groovy that allow to execute arbitrary code remotely. For more information you can take a look at: https://bugs.debian.org/793397. I don't think it warrant a DSA so I'm proposing to fix this in stable with the next point release. I'm attaching a debdiff with the proposed changes. Thanks, -- System Information: Debian Release: 8.1 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) -- Miguel Landaeta, nomadium at debian.org secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key. "Faith means not wanting to know what is true." -- Nietzsche
diff -Nru groovy-1.8.6/debian/changelog groovy-1.8.6/debian/changelog --- groovy-1.8.6/debian/changelog 2012-02-14 22:23:05.000000000 -0300 +++ groovy-1.8.6/debian/changelog 2015-07-25 19:59:33.000000000 -0300 @@ -1,3 +1,10 @@ +groovy (1.8.6-1+deb7u1) oldstable; urgency=high + + * Fix remote execution of untrusted code and possible DoS vulnerability. + (CVE-2015-3253) (Closes: #793397). + + -- Miguel Landaeta <nomadium@debian.org> Sat, 25 Jul 2015 19:59:19 -0300 + groovy (1.8.6-1) unstable; urgency=low * New upstream release. diff -Nru groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch --- groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch 1969-12-31 21:00:00.000000000 -0300 +++ groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch 2015-07-25 19:57:30.000000000 -0300 @@ -0,0 +1,32 @@ +Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253) +Author: Cédric Champeau <cedric.champeau@gmail.com> +Bug-Debian: https://bugs.debian.org/793397 +Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d +Forwarded: no +Last-Update: 2015-07-25 + +--- groovy-1.8.6.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java ++++ groovy-1.8.6/src/main/org/codehaus/groovy/runtime/MethodClosure.java +@@ -30,6 +30,8 @@ import java.util.List; + */ + public class MethodClosure extends Closure { + ++ public static boolean ALLOW_RESOLVE = false; ++ + private String method; + + public MethodClosure(Object owner, String method) { +@@ -52,6 +54,13 @@ public class MethodClosure extends Closu + } + } + ++ private Object readResolve() { ++ if (ALLOW_RESOLVE) { ++ return this; ++ } ++ throw new UnsupportedOperationException(); ++ } ++ + public String getMethod() { + return method; + } diff -Nru groovy-1.8.6/debian/patches/series groovy-1.8.6/debian/patches/series --- groovy-1.8.6/debian/patches/series 2011-10-14 15:41:49.000000000 -0300 +++ groovy-1.8.6/debian/patches/series 2015-07-25 20:00:25.000000000 -0300 @@ -1,3 +1,4 @@ 0001-start-scripts.patch 0002-ant-build.diff.patch 0003-disable-bnd.diff.patch +0005-CVE-2015-3253.patch
Attachment:
signature.asc
Description: Digital signature