[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#853233: marked as done (jessie-pu: package groovy/1.8.6-4+deb8u1)



Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #853233,
regarding jessie-pu: package groovy/1.8.6-4+deb8u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
853233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=853233
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

I would like to upload a security update for Groovy in Jessie.
(Debdiff is attached) This is Debian bug #851408 or CVE-2016-6814. The
security team has marked this CVE as no-dsa but it would be good to
fix CVE-2016-6814 in Jessie too. I will also file a bug report for
Groovy2 which is affected by the same issue shortly.

Regards,

Markus
diff -Nru groovy-1.8.6/debian/changelog groovy-1.8.6/debian/changelog
--- groovy-1.8.6/debian/changelog	2015-07-25 23:30:00.000000000 +0200
+++ groovy-1.8.6/debian/changelog	2017-01-30 17:20:04.000000000 +0100
@@ -1,3 +1,17 @@
+groovy (1.8.6-4+deb8u2) jessie; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2016-6814:
+    It was found that a flaw in Apache Groovy, a dynamic language for the Java
+    Virtual Machine, allows remote code execution wherever deserialization
+    occurs in the application. It is possible for an attacker to craft a
+    special serialized object that will execute code directly when
+    deserialized. All applications which rely on serialization and do not
+    isolate the code which deserializes objects are subject to this
+    vulnerability.
+
+ -- Markus Koschany <apo@debian.org>  Mon, 30 Jan 2017 17:20:04 +0100
+
 groovy (1.8.6-4+deb8u1) stable; urgency=high
 
   * Fix remote execution of untrusted code and possible DoS vulnerability.
diff -Nru groovy-1.8.6/debian/patches/CVE-2016-6814.patch groovy-1.8.6/debian/patches/CVE-2016-6814.patch
--- groovy-1.8.6/debian/patches/CVE-2016-6814.patch	1970-01-01 01:00:00.000000000 +0100
+++ groovy-1.8.6/debian/patches/CVE-2016-6814.patch	2017-01-30 17:20:04.000000000 +0100
@@ -0,0 +1,37 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 30 Jan 2017 17:15:11 +0100
+Subject: CVE-2016-6814
+
+Bug-Debian: https://bugs.debian.org/851408
+Origin: http://seclists.org/oss-sec/2017/q1/92
+---
+ src/main/org/codehaus/groovy/runtime/MethodClosure.java | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+index d4f996e..4dfb360 100644
+--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -19,6 +19,7 @@ import groovy.lang.Closure;
+ import groovy.lang.MetaMethod;
+ 
+ import java.util.List;
++import java.io.IOException;
+ 
+ 
+ /**
+@@ -61,6 +62,14 @@ public class MethodClosure extends Closure {
+         throw new UnsupportedOperationException();
+     }
+ 
++    private void readObject(java.io.ObjectInputStream stream) throws
++        IOException, ClassNotFoundException {
++            if (ALLOW_RESOLVE) {
++                stream.defaultReadObject();
++            }
++            throw new UnsupportedOperationException();
++    }
++
+     public String getMethod() {
+         return method;
+     }
diff -Nru groovy-1.8.6/debian/patches/series groovy-1.8.6/debian/patches/series
--- groovy-1.8.6/debian/patches/series	2015-07-25 23:26:18.000000000 +0200
+++ groovy-1.8.6/debian/patches/series	2017-01-30 17:20:04.000000000 +0100
@@ -3,3 +3,4 @@
 0003-disable-bnd.diff.patch
 0004-java8-compatibility.patch
 0005-CVE-2015-3253.patch
+CVE-2016-6814.patch

--- End Message ---
--- Begin Message ---
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!

Regards,

Adam

--- End Message ---

Reply to: