Bug#853235: jessie-pu: package groovy/2.2.2+dfsg-3+deb8u1
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu
groovy2 is also affected by CVE-2016-6814. The patch is almost
identical to the one used in groovy. Please find attached the debdiff.
Markus
diff -Nru groovy2-2.2.2+dfsg/debian/changelog groovy2-2.2.2+dfsg/debian/changelog
--- groovy2-2.2.2+dfsg/debian/changelog 2015-07-25 22:20:07.000000000 +0200
+++ groovy2-2.2.2+dfsg/debian/changelog 2017-01-30 17:49:16.000000000 +0100
@@ -1,3 +1,16 @@
+groovy2 (2.2.2+dfsg-3+deb8u2) jessie; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2016-6814: It was found that a flaw in Apache Groovy, a dynamic
+ language for the Java Virtual Machine, allows remote code execution
+ wherever deserialization occurs in the application. It is possible for an
+ attacker to craft a special serialized object that will execute code
+ directly when deserialized. All applications which rely on serialization
+ and do not isolate the code which deserializes objects are subject to this
+ vulnerability.
+
+ -- Markus Koschany <apo@debian.org> Mon, 30 Jan 2017 17:49:16 +0100
+
groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high
* Fix remote execution of untrusted code and possible DoS vulnerability.
diff -Nru groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch
--- groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch 1970-01-01 01:00:00.000000000 +0100
+++ groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch 2017-01-30 17:49:16.000000000 +0100
@@ -0,0 +1,37 @@
+From: Markus Koschany <apo@debian.org>
+Date: Mon, 30 Jan 2017 17:47:46 +0100
+Subject: CVE-2016-6814
+
+Bug-Debian: https://bugs.debian.org/851408
+Origin: http://seclists.org/oss-sec/2017/q1/92
+---
+ src/main/org/codehaus/groovy/runtime/MethodClosure.java | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+index 8e4fac8..6fceb3d 100644
+--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -19,6 +19,7 @@ import groovy.lang.Closure;
+ import groovy.lang.MetaMethod;
+
+ import java.util.List;
++import java.io.IOException;
+
+
+ /**
+@@ -69,6 +70,14 @@ public class MethodClosure extends Closure {
+ throw new UnsupportedOperationException();
+ }
+
++ private void readObject(java.io.ObjectInputStream stream) throws
++ IOException, ClassNotFoundException {
++ if (ALLOW_RESOLVE) {
++ stream.defaultReadObject();
++ }
++ throw new UnsupportedOperationException();
++ }
++
+ public Object getProperty(String property) {
+ if ("method".equals(property)) {
+ return getMethod();
diff -Nru groovy2-2.2.2+dfsg/debian/patches/series groovy2-2.2.2+dfsg/debian/patches/series
--- groovy2-2.2.2+dfsg/debian/patches/series 2015-07-25 22:19:23.000000000 +0200
+++ groovy2-2.2.2+dfsg/debian/patches/series 2017-01-30 17:49:16.000000000 +0100
@@ -2,3 +2,4 @@
02_fix_start_script.diff
03_add_maven_poms.diff
04_CVE-2015-3253.diff
+CVE-2016-6814.patch
Reply to: