Package: release.debian.org Severity: normal Tags: stretch User: [email protected] Usertags: pu
Dear release team, I would like to fix CVE-2017-7536 in libhibernate-validator-java. The issue is no-dsa but still worth fixing. Please find attached the debdiff. Regards, Markus
diff -Nru libhibernate-validator-java-4.3.3/debian/changelog libhibernate-validator-java-4.3.3/debian/changelog
--- libhibernate-validator-java-4.3.3/debian/changelog 2016-12-19 09:50:16.000000000 +0100
+++ libhibernate-validator-java-4.3.3/debian/changelog 2018-01-22 13:36:42.000000000 +0100
@@ -1,3 +1,11 @@
+libhibernate-validator-java (4.3.3-1+deb9u1) stretch; urgency=medium
+
+ * Team upload.
+ * Fix CVE-2017-7536: potential privilege escalation by circumventing security
+ manager permissions. (Closes: #885577)
+
+ -- Markus Koschany <[email protected]> Mon, 22 Jan 2018 13:36:42 +0100
+
 libhibernate-validator-java (4.3.3-1) unstable; urgency=medium
 
 * Team upload.
diff -Nru libhibernate-validator-java-4.3.3/debian/patches/CVE-2017-7536.patch libhibernate-validator-java-4.3.3/debian/patches/CVE-2017-7536.patch
--- libhibernate-validator-java-4.3.3/debian/patches/CVE-2017-7536.patch 1970-01-01 01:00:00.000000000 +0100
+++ libhibernate-validator-java-4.3.3/debian/patches/CVE-2017-7536.patch 2018-01-22 13:36:42.000000000 +0100
@@ -0,0 +1,84 @@
+From: Markus Koschany <[email protected]>
+Date: Thu, 11 Jan 2018 14:39:09 +0100
+Subject: CVE-2017-7536
+
+Bug-Debian: https://bugs.debian.org/885577
+Origin: https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113
+---
+ .../validator/HibernateValidatorPermission.java | 29 ++++++++++++++++++++++
+ .../validator/internal/engine/ValidatorImpl.java | 6 +++++
+ .../util/privilegedactions/GetDeclaredField.java | 1 -
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+ create mode 100644 engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
+
+diff --git a/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java b/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
+new file mode 100644
+index 0000000..71b33b7
+--- /dev/null
++++ b/engine/src/main/java/org/hibernate/validator/HibernateValidatorPermission.java
+@@ -0,0 +1,29 @@
++/*
++ * Hibernate Validator, declare and validate application constraints
++ *
++ * License: Apache License, Version 2.0
++ * See the license.txt file in the root directory or <http://www.apache.org/licenses/LICENSE-2.0>.
++ */
++package org.hibernate.validator;
++
++import java.security.BasicPermission;
++
++/**
++ * Our specific implementation of {@link BasicPermission} as we cannot define additional {@link RuntimePermission}.
++ * <p>
++ * {@code HibernateValidatorPermission} is thread-safe and immutable.
++ *
++ * @author Guillaume Smet
++ */
++public class HibernateValidatorPermission extends BasicPermission {
++
++ public static final HibernateValidatorPermission ACCESS_PRIVATE_MEMBERS = new HibernateValidatorPermission( "accessPrivateMembers" );
++
++ public HibernateValidatorPermission(String name) {
++ super( name );
++ }
++
++ public HibernateValidatorPermission(String name, String actions) {
++ super( name, actions );
++ }
++}
+diff --git a/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java b/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
+index 02d2b97..00b78e2 100644
+--- a/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
++++ b/engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java
+@@ -64,6 +64,7 @@ import org.hibernate.validator.internal.util.privilegedactions.SetAccessibility;
+ import org.hibernate.validator.method.MethodConstraintViolation;
+ import org.hibernate.validator.method.MethodValidator;
+ import org.hibernate.validator.method.metadata.TypeDescriptor;
++import org.hibernate.validator.HibernateValidatorPermission;
+
+ import static org.hibernate.validator.internal.util.CollectionHelper.newArrayList;
+ import static org.hibernate.validator.internal.util.CollectionHelper.newHashMap;
+@@ -1426,6 +1427,11 @@ public class ValidatorImpl implements Validator, MethodValidator {
+ return member;
+ }
+
++ SecurityManager sm = System.getSecurityManager();
++ if ( sm != null ) {
++ sm.checkPermission( HibernateValidatorPermission.ACCESS_PRIVATE_MEMBERS );
++ }
++
+ Class<?> clazz = original.getDeclaringClass();
+
+ if ( original instanceof Field ) {
+diff --git a/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java b/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
+index 3617d63..8db6523 100644
+--- a/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
++++ b/engine/src/main/java/org/hibernate/validator/internal/util/privilegedactions/GetDeclaredField.java
+@@ -41,7 +41,6 @@ public final class GetDeclaredField implements PrivilegedAction<Field> {
+ public Field run() {
+ try {
+ final Field field = clazz.getDeclaredField( fieldName );
+- field.setAccessible( true );
+ return field;
+ }
+ catch ( NoSuchFieldException e ) {
diff -Nru libhibernate-validator-java-4.3.3/debian/patches/series libhibernate-validator-java-4.3.3/debian/patches/series
--- libhibernate-validator-java-4.3.3/debian/patches/series 2016-12-19 09:46:46.000000000 +0100
+++ libhibernate-validator-java-4.3.3/debian/patches/series 2018-01-22 13:36:42.000000000 +0100
@@ -1 +1,2 @@
 01-workaround-maven-repo-helper-bug.patch
+CVE-2017-7536.patch
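Review bot: Dropping `field.setAccessible( true )` from GetDeclaredField.run() only closes the hole if every 4.3.3 caller that previously relied on the returned Field being accessible now goes through the ValidatorImpl path where the new `sm.checkPermission( HibernateValidatorPermission.ACCESS_PRIVATE_MEMBERS )` sits; the upstream commit named in the Origin header targets a newer code base, so the 4.3.3 tree should be grepped for other users of GetDeclaredField and of the sibling privileged actions (SetAccessibility is imported in the same hunk) that either still make members accessible without the check or now fail with an IllegalAccessException on private fields. The method enclosing the new check starts and ends outside the hunk, so the diff alone does not show that it is the single funnel for reflective member access. The new HibernateValidatorPermission class documents its thread-safety but not what the permission guards; a one-line Javadoc on the constant, `/** Permission a SecurityManager must grant before the validator makes non-public bean members accessible via reflection. */`, would help anyone who has to write a policy entry for it. Minor: the added `import org.hibernate.validator.HibernateValidatorPermission;` is placed after the `org.hibernate.validator.method.*` imports rather than alongside the other `org.hibernate.validator` imports in the file's sorted order.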

