Bug#793986: marked as done (wheezy-pu: package groovy/1.8.6-1)

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Subject: Bug#793986: marked as done (wheezy-pu: package groovy/1.8.6-1)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sat, 04 Jun 2016 13:57:15 +0000
Message-id: <[🔎] handler.793986.D793986.14650484875570.ackdone@bugs.debian.org>
References: <1465048477.7545.10.camel@adam-barratt.org.uk> <20150729155645.GA25956@alice.nomadium.lan>

Your message dated Sat, 04 Jun 2016 14:54:37 +0100
with message-id <1465048477.7545.10.camel@adam-barratt.org.uk>
and subject line Closing bugs for fixed included in 7.11
has caused the Debian Bug report #793986,
regarding wheezy-pu: package groovy/1.8.6-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
793986: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793986
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wheezy-pu: package groovy/1.8.6-1
From: Miguel Landaeta <nomadium@debian.org>
Date: Wed, 29 Jul 2015 12:56:45 -0300
Message-id: <20150729155645.GA25956@alice.nomadium.lan>

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

It was reported a vulnerability on groovy that allow to execute
arbitrary code remotely. For more information you can take a look at:
https://bugs.debian.org/793397.

I don't think it warrant a DSA so I'm proposing to fix this in
stable with the next point release.

I'm attaching a debdiff with the proposed changes.

Thanks,


-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-- 
Miguel Landaeta, nomadium at debian.org
secure email with PGP 0x6E608B637D8967E9 available at http://miguel.cc/key.
"Faith means not wanting to know what is true." -- Nietzsche

diff -Nru groovy-1.8.6/debian/changelog groovy-1.8.6/debian/changelog
--- groovy-1.8.6/debian/changelog	2012-02-14 22:23:05.000000000 -0300
+++ groovy-1.8.6/debian/changelog	2015-07-25 19:59:33.000000000 -0300
@@ -1,3 +1,10 @@
+groovy (1.8.6-1+deb7u1) oldstable; urgency=high
+
+  * Fix remote execution of untrusted code and possible DoS vulnerability.
+    (CVE-2015-3253) (Closes: #793397).
+
+ -- Miguel Landaeta <nomadium@debian.org>  Sat, 25 Jul 2015 19:59:19 -0300
+
 groovy (1.8.6-1) unstable; urgency=low
 
   * New upstream release.
diff -Nru groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch
--- groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch	1969-12-31 21:00:00.000000000 -0300
+++ groovy-1.8.6/debian/patches/0005-CVE-2015-3253.patch	2015-07-25 19:57:30.000000000 -0300
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cédric Champeau <cedric.champeau@gmail.com>
+Bug-Debian: https://bugs.debian.org/793397
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy-1.8.6.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy-1.8.6/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+  */
+ public class MethodClosure extends Closure {
+ 
++    public static boolean ALLOW_RESOLVE = false;
++
+     private String method;
+     
+     public MethodClosure(Object owner, String method) {
+@@ -52,6 +54,13 @@ public class MethodClosure extends Closu
+         }
+     }
+     
++    private Object readResolve() {
++        if (ALLOW_RESOLVE) {
++            return this;
++        }
++        throw new UnsupportedOperationException();
++    }
++
+     public String getMethod() {
+         return method;
+     }
diff -Nru groovy-1.8.6/debian/patches/series groovy-1.8.6/debian/patches/series
--- groovy-1.8.6/debian/patches/series	2011-10-14 15:41:49.000000000 -0300
+++ groovy-1.8.6/debian/patches/series	2015-07-25 20:00:25.000000000 -0300
@@ -1,3 +1,4 @@
 0001-start-scripts.patch
 0002-ant-build.diff.patch
 0003-disable-bnd.diff.patch
+0005-CVE-2015-3253.patch

Attachment: signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

To: 793986-done@bugs.debian.org, 818906-done@bugs.debian.org, 819282-done@bugs.debian.org, 819362-done@bugs.debian.org, 819499-done@bugs.debian.org, 819805-done@bugs.debian.org, 821044-done@bugs.debian.org, 821757-done@bugs.debian.org, 821834-done@bugs.debian.org, 822465-done@bugs.debian.org, 822853-done@bugs.debian.org

Subject: Closing bugs for fixed included in 7.11

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Date: Sat, 04 Jun 2016 14:54:37 +0100

Message-id: <1465048477.7545.10.camel@adam-barratt.org.uk>
Version: 7.11

Hi,

The fixes referred to in each of these bugs were included in today's
7.11 point release.

Regards,

Adam
--- End Message ---

Reply to:

Prev by Date: Re: Bug#825127: RM: mediawiki/1:1.19.20+dfsg-2.3
Next by Date: Bug#818906: marked as done (wheezy-pu: package dpkg/1.16.18)
Previous by thread: Re: Bug#825127: RM: mediawiki/1:1.19.20+dfsg-2.3
Next by thread: Bug#818906: marked as done (wheezy-pu: package dpkg/1.16.18)
Index(es):
- Date
- Thread