[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#859801: marked as done (jessie-pu: package logback/1:1.1.2-1)

Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #859801,
regarding jessie-pu: package logback/1:1.1.2-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
859801: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859801
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I have prepared a security update for logback. [1]
The security team marked this issue as no-dsa hence I would like
to include it in the next point-release for Jessie.

Thanks

Markus


[1] https://bugs.debian.org/857343

diff -Nru logback-1.1.2/debian/changelog logback-1.1.2/debian/changelog
--- logback-1.1.2/debian/changelog	2014-04-29 06:26:58.000000000 +0200
+++ logback-1.1.2/debian/changelog	2017-04-07 15:48:29.000000000 +0200
@@ -1,3 +1,13 @@
+logback (1:1.1.2-1+deb8u1) jessie; urgency=high
+
+  * Team upload.
+  * Fix CVE-2017-5929:
+    It was discovered that logback, a flexible logging library for Java, would
+    deserialize data from untrusted sockets. This issue has been resolved by
+    adding a whitelist to use only trusted classes. (Closes: #857343)
+
+ -- Markus Koschany <apo@debian.org>  Fri, 07 Apr 2017 15:48:29 +0200
+
 logback (1:1.1.2-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru logback-1.1.2/debian/patches/CVE-2017-5929.patch logback-1.1.2/debian/patches/CVE-2017-5929.patch
--- logback-1.1.2/debian/patches/CVE-2017-5929.patch	1970-01-01 01:00:00.000000000 +0100
+++ logback-1.1.2/debian/patches/CVE-2017-5929.patch	2017-04-07 15:48:29.000000000 +0200
@@ -0,0 +1,364 @@
+From: Markus Koschany <apo@debian.org>
+Date: Fri, 7 Apr 2017 14:35:27 +0200
+Subject: CVE-2017-5929
+
+Bug-Debian: https://bugs.debian.org/857343
+Origin: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
+Origin: https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9
+Origin: https://github.com/qos-ch/logback/commit/7fbea6127fa98fc48368ca5e8540eefe0e60cec5
+Origin: https://github.com/qos-ch/logback/commit/3b4f605454534b304770eeee3cb343521fcd6968
+---
+ .../access/net/HardenedAccessEventInputStream.java | 15 +++++
+ .../java/ch/qos/logback/access/net/SocketNode.java | 12 ++--
+ .../logback/classic/net/SimpleSocketServer.java    |  1 -
+ .../ch/qos/logback/classic/net/SocketAppender.java |  2 -
+ .../ch/qos/logback/classic/net/SocketNode.java     | 15 +++--
+ .../server/HardenedLoggingEventInputStream.java    | 56 +++++++++++++++++
+ .../net/server/RemoteAppenderStreamClient.java     | 10 +--
+ .../core/net/HardenedObjectInputStream.java        | 71 ++++++++++++++++++++++
+ 8 files changed, 159 insertions(+), 23 deletions(-)
+ create mode 100644 logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
+ create mode 100644 logback-classic/src/main/java/ch/qos/logback/classic/net/server/HardenedLoggingEventInputStream.java
+ create mode 100644 logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
+
+diff --git a/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java b/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
+new file mode 100644
+index 0000000..c0ba6b0
+--- /dev/null
++++ b/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
+@@ -0,0 +1,15 @@
++package ch.qos.logback.access.net;
++
++import java.io.IOException;
++import java.io.InputStream;
++
++import ch.qos.logback.access.spi.AccessEvent;
++import ch.qos.logback.core.net.HardenedObjectInputStream;
++
++public class HardenedAccessEventInputStream extends HardenedObjectInputStream {
++
++    public HardenedAccessEventInputStream(InputStream in) throws IOException {
++        super(in, new String[] {AccessEvent.class.getName(), String[].class.getName()});
++    }
++
++}
+diff --git a/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java b/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
+index 32c6654..7db96a3 100644
+--- a/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
++++ b/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
+@@ -15,7 +15,6 @@ package ch.qos.logback.access.net;
+ 
+ import java.io.BufferedInputStream;
+ import java.io.IOException;
+-import java.io.ObjectInputStream;
+ import java.net.Socket;
+ 
+ import ch.qos.logback.access.spi.AccessContext;
+@@ -42,16 +41,15 @@ public class SocketNode implements Runnable {
+ 
+   Socket socket;
+   AccessContext context;
+-  ObjectInputStream ois;
++  HardenedAccessEventInputStream hardenedOIS;
+ 
+   public SocketNode(Socket socket, AccessContext context) {
+     this.socket = socket;
+     this.context = context;
+     try {
+-      ois = new ObjectInputStream(new BufferedInputStream(socket
+-          .getInputStream()));
++            hardenedOIS = new HardenedAccessEventInputStream(new BufferedInputStream(socket.getInputStream()));
+     } catch (Exception e) {
+-      System.out.println("Could not open ObjectInputStream to " + socket + e);
++      System.out.println("Could not open HardenedObjectInputStream to " + socket + e);
+     }
+   }
+ 
+@@ -61,7 +59,7 @@ public class SocketNode implements Runnable {
+     try {
+       while (true) {
+         // read an event from the wire
+-        event = (IAccessEvent) ois.readObject();
++        event = (IAccessEvent) hardenedOIS.readObject();
+         //check that the event should be logged
+         if (context.getFilterChainDecision(event) == FilterReply.DENY) {
+           break;
+@@ -81,7 +79,7 @@ public class SocketNode implements Runnable {
+     }
+ 
+     try {
+-      ois.close();
++      hardenedOIS.close();
+     } catch (Exception e) {
+       System.out.println("Could not close connection." + e);
+     }
+diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java
+index e450fff..a0fd7d8 100644
+--- a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java
++++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java
+@@ -14,7 +14,6 @@
+ package ch.qos.logback.classic.net;
+ 
+ import java.io.IOException;
+-import java.lang.reflect.Constructor;
+ import java.net.ServerSocket;
+ import java.net.Socket;
+ import java.util.ArrayList;
+diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketAppender.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketAppender.java
+index 1bc74a4..9f2ebef 100644
+--- a/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketAppender.java
++++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketAppender.java
+@@ -14,8 +14,6 @@
+ // Contributors: Dan MacDonald <dan@redknee.com>
+ package ch.qos.logback.classic.net;
+ 
+-import java.net.InetAddress;
+-
+ import ch.qos.logback.classic.spi.ILoggingEvent;
+ import ch.qos.logback.core.net.AbstractSocketAppender;
+ import ch.qos.logback.core.spi.PreSerializationTransformer;
+diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java
+index 98023e8..dcd967c 100644
+--- a/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java
++++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java
+@@ -15,13 +15,13 @@ package ch.qos.logback.classic.net;
+ 
+ import java.io.BufferedInputStream;
+ import java.io.IOException;
+-import java.io.ObjectInputStream;
+ import java.net.Socket;
+ import java.net.SocketAddress;
+ 
+ import ch.qos.logback.classic.Logger;
+ 
+ import ch.qos.logback.classic.LoggerContext;
++import ch.qos.logback.classic.net.server.HardenedLoggingEventInputStream;
+ import ch.qos.logback.classic.spi.ILoggingEvent;
+ 
+ // Contributors: Moses Hohman <mmhohman@rainbow.uchicago.edu>
+@@ -44,7 +44,7 @@ public class SocketNode implements Runnable {
+ 
+   Socket socket;
+   LoggerContext context;
+-  ObjectInputStream ois;
++  HardenedLoggingEventInputStream hardenedLoggingEventInputStream;
+   SocketAddress remoteSocketAddress;
+   
+   Logger logger;
+@@ -68,8 +68,7 @@ public class SocketNode implements Runnable {
+   public void run() {
+ 
+     try {
+-      ois = new ObjectInputStream(new BufferedInputStream(socket
+-          .getInputStream()));
++      hardenedLoggingEventInputStream = new HardenedLoggingEventInputStream(new BufferedInputStream(socket.getInputStream()));
+     } catch (Exception e) {
+       logger.error("Could not open ObjectInputStream to " + socket, e);
+       closed = true;
+@@ -81,7 +80,7 @@ public class SocketNode implements Runnable {
+     try {
+       while (!closed) {
+         // read an event from the wire
+-        event = (ILoggingEvent) ois.readObject();
++        event = (ILoggingEvent) hardenedLoggingEventInputStream.readObject();
+         // get a logger from the hierarchy. The name of the logger is taken to
+         // be the name contained in the event.
+         remoteLogger = context.getLogger(event.getLoggerName());
+@@ -111,13 +110,13 @@ public class SocketNode implements Runnable {
+       return;
+     }
+     closed = true;
+-    if (ois != null) {
++    if (hardenedLoggingEventInputStream != null) {
+       try {
+-        ois.close();
++        hardenedLoggingEventInputStream.close();
+       } catch (IOException e) {
+         logger.warn("Could not close connection.", e);
+       } finally {
+-        ois = null;
++        hardenedLoggingEventInputStream = null;
+       }
+     }
+   }
+diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/HardenedLoggingEventInputStream.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/HardenedLoggingEventInputStream.java
+new file mode 100644
+index 0000000..522a30f
+--- /dev/null
++++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/HardenedLoggingEventInputStream.java
+@@ -0,0 +1,56 @@
++package ch.qos.logback.classic.net.server;
++
++import java.io.IOException;
++import java.io.InputStream;
++import java.util.ArrayList;
++import java.util.List;
++
++import org.slf4j.helpers.BasicMarker;
++
++import ch.qos.logback.classic.Level;
++import ch.qos.logback.classic.Logger;
++import ch.qos.logback.classic.spi.ClassPackagingData;
++import ch.qos.logback.classic.spi.IThrowableProxy;
++import ch.qos.logback.classic.spi.LoggerContextVO;
++import ch.qos.logback.classic.spi.LoggerRemoteView;
++import ch.qos.logback.classic.spi.LoggingEventVO;
++import ch.qos.logback.classic.spi.StackTraceElementProxy;
++import ch.qos.logback.classic.spi.ThrowableProxy;
++import ch.qos.logback.classic.spi.ThrowableProxyVO;
++import ch.qos.logback.core.net.HardenedObjectInputStream;
++
++public class HardenedLoggingEventInputStream extends HardenedObjectInputStream {
++
++    static final String ARRAY_PREFIX = "[L";
++    
++    static public List<String> getWhilelist() {
++        List<String> whitelist = new ArrayList<String>();
++        whitelist.add(LoggingEventVO.class.getName());
++        whitelist.add(LoggerContextVO.class.getName());
++        whitelist.add(LoggerRemoteView.class.getName());
++        whitelist.add(ThrowableProxyVO.class.getName());
++        whitelist.add(BasicMarker.class.getName());
++        whitelist.add(Level.class.getName());
++        whitelist.add(Logger.class.getName());
++        whitelist.add(StackTraceElement.class.getName());
++        whitelist.add(StackTraceElement[].class.getName());
++        whitelist.add(ThrowableProxy.class.getName());
++        whitelist.add(ThrowableProxy[].class.getName());
++        whitelist.add(IThrowableProxy.class.getName());
++        whitelist.add(IThrowableProxy[].class.getName());
++        whitelist.add(StackTraceElementProxy.class.getName());
++        whitelist.add(StackTraceElementProxy[].class.getName());
++        whitelist.add(ClassPackagingData.class.getName());
++
++        return whitelist;
++    }
++   
++    public HardenedLoggingEventInputStream(InputStream is) throws IOException {
++        super(is, getWhilelist());
++    }
++    
++    public HardenedLoggingEventInputStream(InputStream is, List<String> additionalAuthorizedClasses) throws IOException {
++        this(is);
++        super.addToWhitelist(additionalAuthorizedClasses);
++    }
++}
+diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java
+index a4b34a9..3901dad 100644
+--- a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java
++++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java
+@@ -16,12 +16,12 @@ package ch.qos.logback.classic.net.server;
+ import java.io.EOFException;
+ import java.io.IOException;
+ import java.io.InputStream;
+-import java.io.ObjectInputStream;
+ import java.net.Socket;
+ 
+ import ch.qos.logback.classic.Logger;
+ import ch.qos.logback.classic.LoggerContext;
+ import ch.qos.logback.classic.spi.ILoggingEvent;
++import ch.qos.logback.core.net.HardenedObjectInputStream;
+ import ch.qos.logback.core.util.CloseUtil;
+ 
+ /**
+@@ -86,7 +86,7 @@ class RemoteAppenderStreamClient implements RemoteAppenderClient {
+    */
+   public void run() {
+     logger.info(this + ": connected"); 
+-    ObjectInputStream ois = null;
++    HardenedObjectInputStream ois = null;
+     try {
+       ois = createObjectInputStream();
+       while (true) {
+@@ -124,11 +124,11 @@ class RemoteAppenderStreamClient implements RemoteAppenderClient {
+     }
+   }
+ 
+-  private ObjectInputStream createObjectInputStream() throws IOException {
++  private HardenedObjectInputStream createObjectInputStream() throws IOException {
+     if (inputStream != null) {
+-      return new ObjectInputStream(inputStream);
++      return new HardenedLoggingEventInputStream(inputStream);
+     }
+-    return new ObjectInputStream(socket.getInputStream());
++    return new HardenedLoggingEventInputStream(socket.getInputStream());
+   }
+   
+   /**
+diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
+new file mode 100644
+index 0000000..d1b7301
+--- /dev/null
++++ b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
+@@ -0,0 +1,71 @@
++package ch.qos.logback.core.net;
++
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.InvalidClassException;
++import java.io.ObjectInputStream;
++import java.io.ObjectStreamClass;
++import java.util.ArrayList;
++import java.util.List;
++
++/**
++ * HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of 
++ * explicitly whitelisted classes. This prevents certain type of attacks from being successful.
++ * 
++ * <p>It is assumed that classes in the "java.lang" and  "java.util" packages are 
++ * always authorized.</p>
++ * 
++ * @author Ceki G&uuml;lc&uuml;
++ * @since 1.2.0
++ */
++public class HardenedObjectInputStream extends ObjectInputStream {
++
++    final List<String> whitelistedClassNames;
++    final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" };
++
++    public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOException {
++        super(in);
++
++        this.whitelistedClassNames = new ArrayList<String>();
++        if (whilelist != null) {
++            for (int i = 0; i < whilelist.length; i++) {
++                this.whitelistedClassNames.add(whilelist[i]);
++            }
++        }
++    }
++
++    public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException {
++        super(in);
++
++        this.whitelistedClassNames = new ArrayList<String>();
++        this.whitelistedClassNames.addAll(whitelist);
++    }
++
++    @Override
++    protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException {
++        
++        String incomingClassName = anObjectStreamClass.getName();
++        
++        if (!isWhitelisted(incomingClassName)) {
++            throw new InvalidClassException("Unauthorized deserialization attempt", anObjectStreamClass.getName());
++        }
++
++        return super.resolveClass(anObjectStreamClass);
++    }
++
++    private boolean isWhitelisted(String incomingClassName) {
++        for (int i = 0; i < JAVA_PACKAGES.length; i++) {
++            if (incomingClassName.startsWith(JAVA_PACKAGES[i]))
++                return true;
++        }
++        for (String whiteListed : whitelistedClassNames) {
++            if (incomingClassName.equals(whiteListed))
++                return true;
++        }
++        return false;
++    }
++
++    protected void addToWhitelist(List<String> additionalAuthorizedClasses) {
++        whitelistedClassNames.addAll(additionalAuthorizedClasses);
++    }
++}
diff -Nru logback-1.1.2/debian/patches/series logback-1.1.2/debian/patches/series
--- logback-1.1.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ logback-1.1.2/debian/patches/series	2017-04-07 15:48:29.000000000 +0200
@@ -0,0 +1 @@
+CVE-2017-5929.patch

--- End Message ---
--- Begin Message --- 
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!

Regards,

Adam

--- End Message ---
Reply to: