Thanks for providing the debdiffs to fix the CVE in this package for trusty and xenial. I have uploaded the updated packages to security-proposed. Please note that there are errors and warnings in the build but they do not differ before/after applying the patch. The packages are currently building and will soon be available for testing. Please let me know if you test them. https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa
-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu.
https://bugs.launchpad.net/bugs/1780844

Title:
  CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

Status in libxstream-java package in Ubuntu:
  Fix Released
Status in libxstream-java source package in Trusty:
  Confirmed
Status in libxstream-java source package in Xenial:
  Confirmed
Status in libxstream-java source package in Artful:
  Fix Released
Status in libxstream-java source package in Bionic:
  Fix Released
Status in libxstream-java source package in Cosmic:
  Fix Released

Bug description:
  [impact]

  XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call.

  [test case]

  install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content:

    import com.thoughtworks.xstream.XStream;

    public class TestCVE {
        public static void main(String[] args) {
            XStream xstream = new XStream();
            xstream.fromXML("<void/>");
        }
    }

  then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7):

    $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java

  then test it (again correcting version if needed):

    $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE

  failure is a JVM segfault, e.g.:

    #
    # A fatal error has been detected by the Java Runtime Environment:
    #
    #  SIGSEGV (0xb) at pc=0x00007f6546a6f9d2, pid=9279, tid=0x00007f654816c700

  success is a normal java exception with backtrace, e.g.:

    Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance

  [regression potential]

  regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults.

  [other info]

  http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html
  https://x-stream.github.io/CVE-2017-7957.html
  https://github.com/x-stream/xstream/commit/b3570be
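For reference, the "denyTypes workaround" the [impact] section alludes to, shown as an added example that is not part of the bug report or of the XStream project's own code: the default (vulnerable) configuration from the TestCVE reproducer sits beside a hardened one that denies the void types up front, so the security mapper rejects the element before any converter tries to instantiate it. Assumptions: the types to deny are void.class and Void.class, and the rejection surfaces as com.thoughtworks.xstream.security.ForbiddenClassException (XStream 1.4.7 and later).

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class DenyVoidExample {

    // Vulnerable configuration: a default XStream, exactly as in TestCVE.
    // On an unpatched 1.4.7/1.4.8 this will try to instantiate primitive void.
    static XStream unprotected() {
        return new XStream();
    }

    // Hardened configuration: deny the void types explicitly so <void/> is
    // refused by the security framework instead of reaching the converter.
    // Assumption: void.class and Void.class are the types that need denying.
    static XStream hardened() {
        XStream xstream = new XStream();
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    // Describes how a given XStream instance handled the payload, so the two
    // configurations can be compared side by side.
    static String probe(XStream xstream, String xml) {
        try {
            Object o = xstream.fromXML(xml);
            return "deserialised: " + o;
        } catch (ForbiddenClassException e) {
            return "rejected by denyTypes: " + e.getMessage();
        } catch (RuntimeException e) {
            // A fixed build throws ConversionException "Type void cannot have an instance".
            return "rejected by converter: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        String payload = "<void/>";   // constructed input, taken from the bug's test case
        System.out.println("hardened: " + probe(hardened(), payload));
        // Only probe the unprotected instance on a patched build: on a vulnerable
        // one it crashes the whole JVM (SIGSEGV) rather than throwing.
        if (args.length > 0 && args[0].equals("--also-unprotected")) {
            System.out.println("default : " + probe(unprotected(), payload));
        }
    }
}
```

Compile and run it the same way as TestCVE (same -cp argument); on a vulnerable jar the hardened instance reports the denyTypes rejection while the default instance is still what the test case above uses to reproduce the segfault.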