
Bug#862946: marked as done (unblock: libxstream-java/1.4.9-2)



Your message dated Sat, 20 May 2017 08:10:00 +0000
with message-id <781bedbd-8d40-4916-4311-8b918ca99462@thykier.net>
and subject line Re: Bug#862946: unblock: libxstream-java/1.4.9-2
has caused the Debian Bug report #862946,
regarding unblock: libxstream-java/1.4.9-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
862946: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862946
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

Please unblock package libxstream-java

It fixes CVE-2017-7957, #861521, which could lead to a denial of
service during unmarshalling.

+libxstream-java (1.4.9-2) unstable; urgency=medium
+
+  * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
+    type 'void' during unmarshalling lead to a remote application crash.
+    (Closes: #861521)
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Tue, 02 May 2017 16:52:35 +0200

https://www.debian.org/security/2017/dsa-3841

unblock libxstream-java/1.4.9-2

Regards,
Salvatore
diff -Nru libxstream-java-1.4.9/debian/changelog libxstream-java-1.4.9/debian/changelog
--- libxstream-java-1.4.9/debian/changelog	2016-03-29 12:12:30.000000000 +0200
+++ libxstream-java-1.4.9/debian/changelog	2017-05-02 16:52:35.000000000 +0200
@@ -1,3 +1,11 @@
+libxstream-java (1.4.9-2) unstable; urgency=medium
+
+  * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
+    type 'void' during unmarshalling lead to a remote application crash.
+    (Closes: #861521)
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Tue, 02 May 2017 16:52:35 +0200
+
 libxstream-java (1.4.9-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch
--- libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch	1970-01-01 01:00:00.000000000 +0100
+++ libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch	2017-05-02 16:49:06.000000000 +0200
@@ -0,0 +1,97 @@
+Description: Fixes CVE-2017-7957: When a certain denyTypes workaround is not
+ used, XStream mishandles attempts to create an instance of the primitive type
+ 'void' during unmarshalling, leading to a remote application crash, as
+ demonstrated by an xstream.fromXML("<void/>") call.
+Origin: backport, https://github.com/x-stream/xstream/commit/b3570be
+Bug-Debian: https://bugs.debian.org/861521
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+@@ -78,14 +78,18 @@
+             throw ex;
+         }
+         ErrorWritingException ex = null;
+-        try {
+-            return unsafe.allocateInstance(type);
+-        } catch (SecurityException e) {
+-            ex = new ObjectAccessException("Cannot construct type", e);
+-        } catch (InstantiationException e) {
+-            ex =  new ConversionException("Cannot construct type", e);
+-        } catch (IllegalArgumentException e) {
+-            ex = new ObjectAccessException("Cannot construct type", e);
++        if (type == void.class || type == Void.class) {
++            ex = new ConversionException("Type void cannot have an instance");
++        } else {
++            try {
++                return unsafe.allocateInstance(type);
++            } catch (final SecurityException e) {
++                ex = new ObjectAccessException("Cannot construct type", e);
++            } catch (final InstantiationException e) {
++                ex = new ConversionException("Cannot construct type", e);
++            } catch (final IllegalArgumentException e) {
++                ex = new ObjectAccessException("Cannot construct type", e);
++            }
+         }
+         ex.add("construction-type", type.getName());
+         throw ex;
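Review bot: the void guard is only added to SunLimitedUnsafeReflectionProvider.newInstance(), in front of unsafe.allocateInstance(type); no other ReflectionProvider is touched by this backport, so confirm that the non-Unsafe providers XStream 1.4.9 falls back to when sun.misc.Unsafe is unavailable cannot be handed void.class through the same unmarshalling path, or guard them identically. Falling through to the existing `ex.add("construction-type", type.getName())` for the new branch is correct and is what the accompanying test keys on.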
+--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
++++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+@@ -8,8 +8,9 @@
+ 
+ import com.thoughtworks.xstream.core.util.Primitives;
+ 
++
+ /**
+- * Permission for any primitive type and its boxed counterpart (incl. void).
++ * Permission for any primitive type and its boxed counterpart (excl. void).
+  * 
+  * @author J&ouml;rg Schaible
+  * @since 1.4.7
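Review bot: the lone `+` line inserted before the javadoc block is unrelated whitespace; a CVE backport in debian/patches should carry only the functional change and the `(incl. void)` to `(excl. void)` comment fix, so drop the blank line to keep the patch minimal and easier to rebase on the next upstream release.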
+@@ -21,7 +22,8 @@
+     public static final TypePermission PRIMITIVES = new PrimitiveTypePermission();
+ 
+     public boolean allows(Class type) {
+-        return type != null && type.isPrimitive() || Primitives.isBoxed(type);
++        return type != null && type != void.class && type != Void.class && type.isPrimitive()
++            || Primitives.isBoxed(type);
+     }
+ 
+     public int hashCode() {
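Review bot: in allows(), `&&` binds tighter than `||`, so the new `type != void.class && type != Void.class` tests only constrain the `type.isPrimitive()` branch and `Primitives.isBoxed(type)` is still evaluated on its own. If Primitives.isBoxed(Void.class) is true, allows(Void.class) still returns true and the `type != Void.class` check is dead code. Either parenthesize, `type != null && type != void.class && type != Void.class && (type.isPrimitive() || Primitives.isBoxed(type))`, or add a test that `<java.lang.Void/>` raises ForbiddenClassException. The guard added to the reflection provider in this same patch still turns a permitted Void into a ConversionException rather than a crash, so this is a completeness point, not a reopening of the denial of service.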
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -13,9 +13,12 @@
+ import java.beans.EventHandler;
+ 
+ import com.thoughtworks.xstream.XStreamException;
++import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
++import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+ 
++
+ /**
+  * @author J&ouml;rg Schaible
+  */
+@@ -80,4 +83,23 @@
+             BUFFER.append("Executed!");
+         }
+     }
++
++    public void testDeniedInstanceOfVoid() {
++        try {
++            xstream.fromXML("<void/>");
++            fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++        } catch (final ForbiddenClassException e) {
++            // OK
++        }
++    }
++
++    public void testAllowedInstanceOfVoid() {
++        xstream.allowTypes(void.class, Void.class);
++        try {
++            xstream.fromXML("<void/>");
++            fail("Thrown " + ConversionException.class.getName() + " expected");
++        } catch (final ConversionException e) {
++            assertEquals("void", e.get("construction-type"));
++        }
++    }
+ }
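Review bot: `xstream.allowTypes(void.class, Void.class)` in testAllowedInstanceOfVoid is a varargs call, but the 1.4.x branch declares `allowTypes(Class[] types)` (the raw `Class type` parameter in the PrimitiveTypePermission hunk is the same pre-generics API), so unless 1.4.9 carries a varargs overload this test source does not compile and the package build only succeeds because the test sources are skipped. Write it as `xstream.allowTypes(new Class[]{void.class, Void.class})` and check that debian/rules actually compiles and runs xstream/src/test; otherwise the two new tests validate nothing in the Debian build. Both tests also feed only the primitive `<void/>`; a companion case for the boxed type, for example `<java.lang.Void/>`, would exercise the `type != Void.class` branch added to PrimitiveTypePermission.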
diff -Nru libxstream-java-1.4.9/debian/patches/series libxstream-java-1.4.9/debian/patches/series
--- libxstream-java-1.4.9/debian/patches/series	2016-03-29 11:26:24.000000000 +0200
+++ libxstream-java-1.4.9/debian/patches/series	2017-05-02 16:27:42.000000000 +0200
@@ -1 +1,2 @@
 01-java7-compatibility.patch
+CVE-2017-7957.patch

--- End Message ---
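Added example (editor's code, not from the bug report, the Debian package or XStream's own sources): the denyTypes workaround the patch description refers to, applied to an XStream 1.4.x instance on a whitelist basis, together with a check that a `<void/>` document is refused before any instance of void is requested from the reflection provider. It assumes XStream 1.4.7 or later on the classpath (the release that introduced the type-permission API) and uses a made-up `Order` class as the application's own whitelisted type.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class VoidUnmarshalCheck {

    /** Hypothetical application type: the only object graph expected on the wire. */
    public static class Order {
        String item;
        int quantity;

        Order(String item, int quantity) {
            this.item = item;
            this.quantity = quantity;
        }
    }

    /**
     * Builds an XStream instance that can only resolve whitelisted types.
     * Permissions added later are consulted first, so the denyTypes call at
     * the end overrides PrimitiveTypePermission for void/Void on an unpatched
     * 1.4.9, where PRIMITIVES still includes void.
     */
    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Replace the permissive 1.4.x default with an empty whitelist.
        xstream.addPermission(NoTypePermission.NONE);
        // Primitives and boxed counterparts, then the application's own types.
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Order.class });
        // CVE-2017-7957 workaround for builds without the 1.4.9-2 patch.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    /**
     * Returns true when the payload is refused either by the type permissions
     * (ForbiddenClassException, the expected outcome) or by the patched
     * reflection provider (ConversionException tagged construction-type "void").
     * On an unpatched and unhardened 1.4.9 this call does not return at all:
     * the JVM aborts inside Unsafe.allocateInstance(void.class).
     */
    public static boolean rejectsVoid(XStream xstream) {
        try {
            xstream.fromXML("<void/>"); // constructed attacker-controlled input
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        } catch (ConversionException e) {
            return "void".equals(e.get("construction-type"));
        }
    }

    /** Sanity check that the whitelist still admits legitimate documents. */
    public static boolean roundTripsOrder(XStream xstream) {
        Order in = new Order("widget", 3);
        Order out = (Order) xstream.fromXML(xstream.toXML(in));
        return in.item.equals(out.item) && in.quantity == out.quantity;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();
        System.out.println("<void/> rejected:  " + rejectsVoid(xstream));
        System.out.println("Order round-trips: " + roundTripsOrder(xstream));
    }
}
```

With the 1.4.9-2 package the explicit denyTypes line is redundant, because PrimitiveTypePermission no longer admits void, but it costs nothing and keeps the configuration safe on hosts that still run the unpatched library.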
--- Begin Message ---
Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Hi
> 
> Please unblock package libxstream-java
> 
> It fixes CVE-2017-7957, #861521, which could lead to a denial of
> service during unmarshalling.
> 
> +libxstream-java (1.4.9-2) unstable; urgency=medium
> +
> +  * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
> +    type 'void' during unmarshalling lead to a remote application crash.
> +    (Closes: #861521)
> +
> + -- Emmanuel Bourg <ebourg@apache.org>  Tue, 02 May 2017 16:52:35 +0200
> 
> https://www.debian.org/security/2017/dsa-3841
> 
> unblock libxstream-java/1.4.9-2
> 
> Regards,
> Salvatore
> 

Unblocked, thanks.

~Niels

--- End Message ---