[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#887999: stretch-pu: package libhibernate-validator-java/4.3.3-1

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I would like to fix CVE-2017-7536 in libhibernate-validator-java. The
issue is no-dsa but still worth fixing.

Please find attached the debdiff.

Regards,

Markus

diff -Nru libhibernate-validator-java-4.3.3/debian/changelog libhibernate-validator-java-4.3.3/debian/changelog
--- libhibernate-validator-java-4.3.3/debian/changelog	2016-12-19 09:50:16.000000000 +0100
+++ libhibernate-validator-java-4.3.3/debian/changelog	2018-01-22 13:36:42.000000000 +0100
@@ -1,3 +1,11 @@
+libhibernate-validator-java (4.3.3-1+deb9u1) stretch; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2017-7536: potential privilege escalation by circumventing security
+    manager permissions. (Closes: #885577)
+
+ -- Markus Koschany <apo@debian.org>  Mon, 22 Jan 2018 13:36:42 +0100
+
 libhibernate-validator-java (4.3.3-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru libhibernate-validator-java-4.3.3/debian/patches/CVE-2017-7536.patch libhibernate-validator-java-4.3.3/debian/patches/CVE-2017-7536.patch
--- libhibernate-validator-java-4.3.3/debian/patches/CVE-2017-7536.patch	1970-01-01 01:00:00.000000000 +0100
+++ libhibernate-validator-java-4.3.3/debian/patches/CVE-2017-7536.patch	2018-01-22 13:36:42.000000000 +0100
@@ -0,0 +1,84 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 11 Jan 2018 14:39:09 +0100
+Subject: CVE-2017-7536
+
+Bug-Debian: https://bugs.debian.org/885577
+Origin: https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113
+---
+ .../validator/HibernateValidatorPermission.java    | 29 ++++++++++++++++++++++
+ .../validator/internal/engine/ValidatorImpl.java   |  6 +++++
+ .../util/privilegedactions/GetDeclaredField.java   |  1 -
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+ create mode 100644 engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
+
+diff --git a/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java b/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
+new file mode 100644
+index 0000000..71b33b7
+--- /dev/null
++++ b/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
+@@ -0,0 +1,29 @@
++/*
++ * Hibernate Validator, declare and validate application constraints
++ *
++ * License: Apache License, Version 2.0
++ * See the license.txt file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
++ */
++package org.hibernate.validator;
++
++import java.security.BasicPermission;
++
++/**
++ * Our specific implementation of {@link BasicPermission} as we cannot define additional {@link RuntimePermission}.
++ * <p>
++ * {@code HibernateValidatorPermission} is thread-safe and immutable.
++ *
++ * @author Guillaume Smet
++ */
++public class HibernateValidatorPermission extends BasicPermission {
++
++	public static final HibernateValidatorPermission ACCESS_PRIVATE_MEMBERS = new HibernateValidatorPermission( "accessPrivateMembers" );
++
++	public HibernateValidatorPermission(String name) {
++		super( name );
++	}
++
++	public HibernateValidatorPermission(String name, String actions) {
++		super( name, actions );
++	}
++}
+diff --git a/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java b/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
+index 02d2b97..00b78e2 100644
+--- a/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
++++ b/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
+@@ -64,6 +64,7 @@ import org.hibernate.validator.internal.util.privilegedactions.SetAccessibility;
+ import org.hibernate.validator.method.MethodConstraintViolation;
+ import org.hibernate.validator.method.MethodValidator;
+ import org.hibernate.validator.method.metadata.TypeDescriptor;
++import org.hibernate.validator.HibernateValidatorPermission;
+ 
+ import static org.hibernate.validator.internal.util.CollectionHelper.newArrayList;
+ import static org.hibernate.validator.internal.util.CollectionHelper.newHashMap;
+@@ -1426,6 +1427,11 @@ public class ValidatorImpl implements Validator, MethodValidator {
+ 			return member;
+ 		}
+ 
++		SecurityManager sm = System.getSecurityManager();
++		if ( sm != null ) {
++			sm.checkPermission( HibernateValidatorPermission.ACCESS_PRIVATE_MEMBERS );
++		}
++
+ 		Class<?> clazz = original.getDeclaringClass();
+ 
+ 		if ( original instanceof Field ) {
+diff --git a/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java b/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
+index 3617d63..8db6523 100644
+--- a/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
++++ b/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
+@@ -41,7 +41,6 @@ public final class GetDeclaredField implements PrivilegedAction<Field> {
+ 	public Field run() {
+ 		try {
+ 			final Field field = clazz.getDeclaredField( fieldName );
+-			field.setAccessible( true );
+ 			return field;
+ 		}
+ 		catch ( NoSuchFieldException e ) {
diff -Nru libhibernate-validator-java-4.3.3/debian/patches/series libhibernate-validator-java-4.3.3/debian/patches/series
--- libhibernate-validator-java-4.3.3/debian/patches/series	2016-12-19 09:46:46.000000000 +0100
+++ libhibernate-validator-java-4.3.3/debian/patches/series	2018-01-22 13:36:42.000000000 +0100
@@ -1 +1,2 @@
 01-workaround-maven-repo-helper-bug.patch
+CVE-2017-7536.patch
Reply to: