** Description changed:

  [impact]
  
  XStream through 1.4.9, when a certain denyTypes workaround is not used,
  mishandles attempts to create an instance of the primitive type 'void'
  during unmarshalling, leading to a remote application crash, as
  demonstrated by an xstream.fromXML("<void/>") call.
  
  [test case]
  
  install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial
  (or trusty) system.  Then create a file named TestCVE.java with this
  content:
  
- 
  import com.thoughtworks.xstream.XStream;
  
  public class TestCVE {
  
-       public static void main(String[] args) {
-               XStream xstream = new XStream();
-               xstream.fromXML("<void/>");
-       }
+  public static void main(String[] args) {
+   XStream xstream = new XStream();
+   xstream.fromXML("<void/>");
+  }
  
  }
  
- 
- then run this (from the same directory as the file) to compile it:
+ then run this (from the same directory as the file) to compile it,
+ noting to replace the version number if needed (1.4.8 is X version, if
+ on trusty use 1.4.7):
  
  $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java
  
- then test it:
+ then test it (again correcting version if needed):
  
  $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE
  
  failure is a JVM segfault, e.g.:
  
  #
  # A fatal error has been detected by the Java Runtime Environment:
  #
  #  SIGSEGV (0xb) at pc=0x00007f6546a6f9d2, pid=9279, tid=0x00007f654816c700
  
  success is a normal java exception with backtrace, e.g.:
  
  Exception in thread "main"
  com.thoughtworks.xstream.converters.ConversionException: Type void
  cannot have an instance
  
  [regression potential]
  
  regressions could include failing to parse the stream, or otherwise
  cause exceptions or segfaults.
  
  [other info]
  
  http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html
  https://x-stream.github.io/CVE-2017-7957.html
  https://github.com/x-stream/xstream/commit/b3570be
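Review bot: the added compile step says "1.4.8 is X version", which leaves the reader to work out that X means xenial; spell the release name out, as the same sentence already does for trusty. The version mapping could also be stated once before both commands, since the run step only repeats "again correcting version if needed" and both commands hard-code xstream-1.4.8.jar.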

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libxstream-java in Ubuntu.
https://bugs.launchpad.net/bugs/1780844

Title:
  CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an
  instance of the primitive type 'void'

Status in libxstream-java package in Ubuntu:
  Fix Released
Status in libxstream-java source package in Trusty:
  In Progress
Status in libxstream-java source package in Xenial:
  In Progress
Status in libxstream-java source package in Artful:
  Fix Released
Status in libxstream-java source package in Bionic:
  Fix Released
Status in libxstream-java source package in Cosmic:
  Fix Released

Bug description:
  [impact]

  XStream through 1.4.9, when a certain denyTypes workaround is not used,
  mishandles attempts to create an instance of the primitive type 'void'
  during unmarshalling, leading to a remote application crash, as
  demonstrated by an xstream.fromXML("<void/>") call.

  [test case]

  install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial
  (or trusty) system.  Then create a file named TestCVE.java with this
  content:

  import com.thoughtworks.xstream.XStream;

  public class TestCVE {

   public static void main(String[] args) {
    XStream xstream = new XStream();
    xstream.fromXML("<void/>");
   }

  }

  then run this (from the same directory as the file) to compile it,
  noting to replace the version number if needed (1.4.8 is X version, if
  on trusty use 1.4.7):

  $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java

  then test it (again correcting version if needed):

  $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE

  failure is a JVM segfault, e.g.:

  #
  # A fatal error has been detected by the Java Runtime Environment:
  #
  #  SIGSEGV (0xb) at pc=0x00007f6546a6f9d2, pid=9279, tid=0x00007f654816c700

  success is a normal java exception with backtrace, e.g.:

  Exception in thread "main"
  com.thoughtworks.xstream.converters.ConversionException: Type void
  cannot have an instance

  [regression potential]

  regressions could include failing to parse the stream, or otherwise
  cause exceptions or segfaults.

  [other info]

  http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html
  https://x-stream.github.io/CVE-2017-7957.html
  https://github.com/x-stream/xstream/commit/b3570be
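
The [impact] text mentions a denyTypes workaround without showing it. The class below is an added example, not part of the bug report or the Ubuntu patch: it applies XStream's denyTypes to void.class and Void.class (assumed here to be the workaround the description refers to) and checks that the test case's input is rejected with a catchable exception while an ordinary value still parses. The class name TestCVEWorkaround and the helpers hardened and parseUntrusted are hypothetical.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;

public class TestCVEWorkaround {

    // Build an XStream instance with the denyTypes workaround applied.
    static XStream hardened() {
        XStream xstream = new XStream();
        // Refuse the primitive 'void' and its wrapper class during unmarshalling,
        // so the type is rejected before any attempt to instantiate it.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    // Returns the unmarshalled object, or null if XStream rejected the input.
    static Object parseUntrusted(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (XStreamException e) {
            // Base class of XStream's own exceptions, including the
            // forbidden-type and conversion errors.
            System.err.println("rejected: " + e.getClass().getName());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();
        // Constructed inputs: one ordinary value and the input from the test case.
        String[] inputs = { "<string>ok</string>", "<void/>" };
        for (String xml : inputs) {
            Object result = parseUntrusted(xstream, xml);
            System.out.println(xml + " -> " + (result == null ? "rejected" : "accepted"));
        }
    }
}
```

It compiles and runs with the same classpath as the test case above. On an unpatched package the JVM should exit normally instead of segfaulting.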
