Your message dated Sat, 20 May 2017 08:10:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#862946: unblock: libxstream-java/1.4.9-2
has caused the Debian Bug report #862946,
regarding unblock: libxstream-java/1.4.9-2
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
862946: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862946
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Hi
Please unblock package libxstream-java
It fixes CVE-2017-7957, #861521, which could lead to a denial of
service during unmarshalling.
+libxstream-java (1.4.9-2) unstable; urgency=medium
+
+ * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
+ type 'void' during unmarshalling lead to a remote application crash.
+ (Closes: #861521)
+
+ -- Emmanuel Bourg <[email protected]> Tue, 02 May 2017 16:52:35 +0200
https://www.debian.org/security/2017/dsa-3841
unblock libxstream-java/1.4.9-2
Regards,
Salvatore
diff -Nru libxstream-java-1.4.9/debian/changelog
libxstream-java-1.4.9/debian/changelog
--- libxstream-java-1.4.9/debian/changelog 2016-03-29 12:12:30.000000000
+0200
+++ libxstream-java-1.4.9/debian/changelog 2017-05-02 16:52:35.000000000
+0200
@@ -1,3 +1,11 @@
+libxstream-java (1.4.9-2) unstable; urgency=medium
+
+ * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
+ type 'void' during unmarshalling lead to a remote application crash.
+ (Closes: #861521)
+
+ -- Emmanuel Bourg <[email protected]> Tue, 02 May 2017 16:52:35 +0200
+
libxstream-java (1.4.9-1) unstable; urgency=medium
* New upstream release
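Review bot: the changelog entry describes only the crash fix, but the patch below also changes the behaviour of `PrimitiveTypePermission` (its javadoc flips from "(incl. void)" to "(excl. void)" and `allows` now rejects `void.class`/`Void.class`), which is a visible change for applications that rely on the `PRIMITIVES` whitelist and unmarshal `void`; consider a second bullet noting it, e.g. "  * PrimitiveTypePermission no longer allows void/Void; use allowTypes() if needed." so users of the stable update are not surprised by a new ForbiddenClassException.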
diff -Nru libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch
libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch
--- libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch 1970-01-01
01:00:00.000000000 +0100
+++ libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch 2017-05-02
16:49:06.000000000 +0200
@@ -0,0 +1,97 @@
+Description: Fixes CVE-2017-7957: When a certain denyTypes workaround is not
+ used, XStream mishandles attempts to create an instance of the primitive type
+ 'void' during unmarshalling, leading to a remote application crash, as
+ demonstrated by an xstream.fromXML("<void/>") call.
+Origin: backport, https://github.com/x-stream/xstream/commit/b3570be
+Bug-Debian: https://bugs.debian.org/861521
+---
a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
++++
b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+@@ -78,14 +78,18 @@
+ throw ex;
+ }
+ ErrorWritingException ex = null;
+- try {
+- return unsafe.allocateInstance(type);
+- } catch (SecurityException e) {
+- ex = new ObjectAccessException("Cannot construct type", e);
+- } catch (InstantiationException e) {
+- ex = new ConversionException("Cannot construct type", e);
+- } catch (IllegalArgumentException e) {
+- ex = new ObjectAccessException("Cannot construct type", e);
++ if (type == void.class || type == Void.class) {
++ ex = new ConversionException("Type void cannot have an instance");
++ } else {
++ try {
++ return unsafe.allocateInstance(type);
++ } catch (final SecurityException e) {
++ ex = new ObjectAccessException("Cannot construct type", e);
++ } catch (final InstantiationException e) {
++ ex = new ConversionException("Cannot construct type", e);
++ } catch (final IllegalArgumentException e) {
++ ex = new ObjectAccessException("Cannot construct type", e);
++ }
+ }
+ ex.add("construction-type", type.getName());
+ throw ex;
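Review bot: only SunLimitedUnsafeReflectionProvider gains the `if (type == void.class || type == Void.class)` guard, while the description in this patch says the crash is reachable by any `xstream.fromXML("<void/>")` call when the denyTypes workaround is not used; please confirm that the other reflection providers shipped in 1.4.9 cannot reach instance creation for `void` on the JVMs Debian builds against, or give them the same check. The guard itself is consistent with the test added later in this file: it sets `ex` without a cause and falls through to `ex.add("construction-type", type.getName())`, which is the value `testAllowedInstanceOfVoid` asserts on.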
+---
a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
++++
b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+@@ -8,8 +8,9 @@
+
+ import com.thoughtworks.xstream.core.util.Primitives;
+
++
+ /**
+- * Permission for any primitive type and its boxed counterpart (incl. void).
++ * Permission for any primitive type and its boxed counterpart (excl. void).
+ *
+ * @author Jörg Schaible
+ * @since 1.4.7
+@@ -21,7 +22,8 @@
+ public static final TypePermission PRIMITIVES = new
PrimitiveTypePermission();
+
+ public boolean allows(Class type) {
+- return type != null && type.isPrimitive() || Primitives.isBoxed(type);
++ return type != null && type != void.class && type != Void.class &&
type.isPrimitive()
++ || Primitives.isBoxed(type);
+ }
+
+ public int hashCode() {
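Review bot: the new `type != void.class && type != Void.class` checks in `allows` sit only in the `&&` chain, and because `&&` binds tighter than `||` the unchanged `|| Primitives.isBoxed(type)` operand is still evaluated on its own; if `Primitives` lists `Void` as the boxed counterpart of `void`, `allows(Void.class)` remains true and the javadoc's new "(excl. void)" is only half correct. Either verify what `Primitives.isBoxed(Void.class)` returns in 1.4.9 or apply the exclusion to both operands, e.g. `return type != null && type != void.class && type != Void.class && (type.isPrimitive() || Primitives.isBoxed(type));`, and in any case add parentheses so the intended precedence is explicit. Note also that this hunk is line-wrapped in the mail (`type.isPrimitive()` is on its own line), so it cannot be applied from the message body and should be checked against the uploaded source.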
+---
a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++
b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -13,9 +13,12 @@
+ import java.beans.EventHandler;
+
+ import com.thoughtworks.xstream.XStreamException;
++import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
++import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+
++
+ /**
+ * @author Jörg Schaible
+ */
+@@ -80,4 +83,23 @@
+ BUFFER.append("Executed!");
+ }
+ }
++
++ public void testDeniedInstanceOfVoid() {
++ try {
++ xstream.fromXML("<void/>");
++ fail("Thrown " + ForbiddenClassException.class.getName() + "
expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
++ }
++ }
++
++ public void testAllowedInstanceOfVoid() {
++ xstream.allowTypes(void.class, Void.class);
++ try {
++ xstream.fromXML("<void/>");
++ fail("Thrown " + ConversionException.class.getName() + "
expected");
++ } catch (final ConversionException e) {
++ assertEquals("void", e.get("construction-type"));
++ }
++ }
+ }
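Review bot: `testDeniedInstanceOfVoid` covers the permission path (rejected before construction with ForbiddenClassException) and `testAllowedInstanceOfVoid` covers the reflection-provider path (rejected at construction after `allowTypes`), which is the right pair, but neither exercises `Void.class` itself, the second type excluded in both source changes; a third case resolving to `java.lang.Void` would pin that down. The `fail("Thrown " + ... + "` strings in this hunk are wrapped across two lines by the mail client, so the tests should be verified from the uploaded patch file rather than this quoted copy.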
diff -Nru libxstream-java-1.4.9/debian/patches/series
libxstream-java-1.4.9/debian/patches/series
--- libxstream-java-1.4.9/debian/patches/series 2016-03-29 11:26:24.000000000
+0200
+++ libxstream-java-1.4.9/debian/patches/series 2017-05-02 16:27:42.000000000
+0200
@@ -1 +1,2 @@
01-java7-compatibility.patch
+CVE-2017-7957.patch
--- End Message ---
--- Begin Message ---
Salvatore Bonaccorso:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Hi
>
> Please unblock package libxstream-java
>
> It fixes CVE-2017-7957, #861521, which could lead to a denial of
> service during unmarshalling.
>
> +libxstream-java (1.4.9-2) unstable; urgency=medium
> +
> + * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
> + type 'void' during unmarshalling lead to a remote application crash.
> + (Closes: #861521)
> +
> + -- Emmanuel Bourg <[email protected]> Tue, 02 May 2017 16:52:35 +0200
>
> https://www.debian.org/security/2017/dsa-3841
>
> unblock libxstream-java/1.4.9-2
>
> Regards,
> Salvatore
>
Unblocked, thanks.
~Niels
--- End Message ---