Package: jodconverter
Version: 2.2.2-13
Severity: normal
X-Debbugs-Cc: a...@debian.org
Hello,

jodconverter depends on libxstream-java. In version 1.4.18 XStream switched from a security blacklist to a whitelist to block malicious classes which could possibly trigger remote code execution whenever an object was deserialized. I am attaching a patch that whitelists all classes of com.artofsolving.jodconverter and thus should make deserialization work again.

Regards,

Markus
From: Markus Koschany <a...@debian.org> Date: Tue, 28 Sep 2021 21:21:14 +0200 Subject: libxstream-java --- .../java/com/artofsolving/jodconverter/XmlDocumentFormatRegistry.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/main/java/com/artofsolving/jodconverter/XmlDocumentFormatRegistry.java b/src/main/java/com/artofsolving/jodconverter/XmlDocumentFormatRegistry.java index 90901a6..918710f 100644 --- a/src/main/java/com/artofsolving/jodconverter/XmlDocumentFormatRegistry.java +++ b/src/main/java/com/artofsolving/jodconverter/XmlDocumentFormatRegistry.java @@ -70,6 +70,7 @@ public class XmlDocumentFormatRegistry extends BasicDocumentFormatRegistry imple private static XStream createXStream() { XStream xstream = new XStream(new DomDriver()); + xstream.allowTypesByWildcard(new String[] {XmlDocumentFormatRegistry.class.getPackage().getName()+".*" }); xstream.setMode(XStream.NO_REFERENCES); xstream.alias("document-format", DocumentFormat.class); xstream.aliasField("mime-type", DocumentFormat.class, "mimeType");
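Review bot: The added `allowTypesByWildcard` call in `createXStream()` lists only the registry's own package (`XmlDocumentFormatRegistry.class.getPackage().getName() + ".*"`), and XStream treats a single `*` as one package level, so types from sub-packages are still rejected; it is worth confirming that every class the registry's XML resolves to (the `DocumentFormat` aliased just below and the types of its fields such as `mimeType`) lives in that same package, and otherwise use `.**` or list the extra types explicitly rather than widening further than needed. A short comment above the call saying why it exists (XStream 1.4.18 defaults to a whitelist and throws on unlisted types) would also help the next maintainer, and the single long line could be wrapped to match the surrounding code.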