Thank you for preparing this. Rather than use the SRU process, this should go through the security sponsorship process. Then it can be delivered into the security pocket and will need a security sponsor. Please see https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for details.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libxstream-java in Ubuntu.
https://bugs.launchpad.net/bugs/1780844

Title:
  CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an
  instance of the primitive type 'void'

Status in libxstream-java package in Ubuntu:
  Fix Released
Status in libxstream-java source package in Trusty:
  In Progress
Status in libxstream-java source package in Xenial:
  In Progress
Status in libxstream-java source package in Artful:
  Fix Released
Status in libxstream-java source package in Bionic:
  Fix Released
Status in libxstream-java source package in Cosmic:
  Fix Released

Bug description:
  [impact]

  XStream through 1.4.9, when a certain denyTypes workaround is not used,
  mishandles attempts to create an instance of the primitive type 'void'
  during unmarshalling, leading to a remote application crash, as
  demonstrated by an xstream.fromXML("<void/>") call.

  [test case]

  Install a Java JDK (e.g. openjdk-8-jdk) and libxstream-java on a xenial
  (or trusty) system. Then create a file named TestCVE.java with this
  content:

    import com.thoughtworks.xstream.XStream;

    public class TestCVE {
        public static void main(String[] args) {
            XStream xstream = new XStream();
            xstream.fromXML("<void/>");
        }
    }

  Then run this (from the same directory as the file) to compile it,
  replacing the version number if needed (1.4.8 is the X version; if on
  trusty use 1.4.7):

    $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java

  then test it (again correcting the version if needed):

    $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE

  Failure is a JVM segfault, e.g.:

    #
    # A fatal error has been detected by the Java Runtime Environment:
    #
    #  SIGSEGV (0xb) at pc=0x00007f6546a6f9d2, pid=9279, tid=0x00007f654816c700

  Success is a normal java exception with backtrace, e.g.:

    Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance

  [regression potential]

  Regressions could include failing to parse the stream, or otherwise
  causing exceptions or segfaults.

  [other info]

  http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html
  https://x-stream.github.io/CVE-2017-7957.html
  https://github.com/x-stream/xstream/commit/b3570be
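As an added example, not part of the bug report and not XStream's own code, the reproducer above can be extended into a probe that also exercises the denyTypes workaround the [impact] section refers to. The class name VoidProbe, the probe() helper and the --unhardened flag are this example's own; the workaround call denyTypes(new Class[]{ void.class, Void.class }) is assumed to match the one in the upstream advisory linked under [other info]. The program is written so that the unhardened call, which takes the whole JVM down on an unpatched library, only runs when explicitly requested.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.security.ForbiddenClassException;

// Added example (not from the bug report or XStream): probe how a given
// XStream instance handles the CVE-2017-7957 reproducer.
public class VoidProbe {
    // The constructed payload from the bug report's test case.
    static final String PAYLOAD = "<void/>";

    // Feeds the payload to the given XStream and describes the outcome.
    // On a fixed library the converter throws ConversionException
    // ("Type void cannot have an instance"); with the denyTypes workaround
    // the security mapper throws ForbiddenClassException before any
    // converter runs. On an unpatched library without the workaround the
    // process dies with SIGSEGV, so this method never returns.
    static String probe(XStream xstream) {
        try {
            Object o = xstream.fromXML(PAYLOAD);
            return "unexpected: unmarshalled " + o;
        } catch (ForbiddenClassException e) {
            return "rejected by denyTypes: " + e.getMessage();
        } catch (ConversionException e) {
            return "rejected by converter: " + e.getMessage();
        } catch (XStreamException e) {
            return "rejected (other XStreamException): " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Hardened instance: the workaround from the upstream advisory
        // (assumption: same call on the 1.4.7 and 1.4.8 packages in Ubuntu).
        XStream hardened = new XStream();
        hardened.denyTypes(new Class[] { void.class, Void.class });
        System.out.println("hardened:   " + probe(hardened));

        // Unhardened instance: only on request, because on an unfixed
        // libxstream-java this is the JVM segfault from the bug report.
        if (args.length > 0 && "--unhardened".equals(args[0])) {
            System.out.println("unhardened: " + probe(new XStream()));
        } else {
            System.out.println("unhardened: skipped (pass --unhardened to run it)");
        }
    }
}
```

Compile and run it exactly like TestCVE above, with the same -cp pointing at the packaged xstream jar. Seeing "rejected by denyTypes" from the hardened instance but a SIGSEGV from "--unhardened" confirms the library is unfixed and that the workaround is what is protecting the application; seeing "rejected by converter" from the unhardened instance confirms the packaged fix is in place.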

