This is an automated email from the git hooks/post-receive script. nomadium pushed a commit to branch jessie in repository groovy2.
commit b644f770749338ff4927bbdfcaebc5189489ab45 Author: Miguel Landaeta <[email protected]> Date: Sat Jul 25 15:48:17 2015 -0300 Fix CVE-2015-3253 --- debian/changelog | 7 +++++++ debian/patches/04_CVE-2015-3253.diff | 32 ++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 40 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index f8fcc86..8c8fa3e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high
+
+ * Fix remote execution of untrusted code and possible DoS vulnerability.
+ (CVE-2015-3253) (Closes: #793398).
+
+ -- Miguel Landaeta <[email protected]> Sat, 25 Jul 2015 15:46:24 -0300
+
 groovy2 (2.2.2+dfsg-3) unstable; urgency=medium

 * Relicense patches under Apache-2.0 license to make them compatible
diff --git a/debian/patches/04_CVE-2015-3253.diff b/debian/patches/04_CVE-2015-3253.diff
new file mode 100644
index 0000000..32bee6e
--- /dev/null
+++ b/debian/patches/04_CVE-2015-3253.diff
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cedric Champeau <[email protected]>
+Bug-Debian: https://bugs.debian.org/793398
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy2-2.4.3+dfsg.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy2-2.4.3+dfsg/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+ */
+ public class MethodClosure extends Closure {
+
++ public static boolean ALLOW_RESOLVE = false;
++
+ private String method;
+
+ public MethodClosure(Object owner, String method) {
+@@ -60,6 +62,13 @@ public class MethodClosure extends Closure {
+ return InvokerHelper.invokeMethod(getOwner(), method, arguments);
+ }
+
++ private Object readResolve() {
++ if (ALLOW_RESOLVE) {
++ return this;
++ }
++ throw new UnsupportedOperationException();
++ }
++
+ public Object getProperty(String property) {
+ if ("method".equals(property)) {
+ return getMethod();
diff --git a/debian/patches/series b/debian/patches/series
index ebca9cd..b036870 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 01_fix_gradle_build.diff
 02_fix_start_script.diff
 03_add_maven_poms.diff
+04_CVE-2015-3253.diff
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/groovy2.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
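Review bot: In the new `debian/patches/04_CVE-2015-3253.diff`, the guard added to `MethodClosure` lives only in `readResolve()`, which Java serialization invokes after the instance has been created and its fields restored from the stream, so untrusted data is rejected late rather than up front. A `private void readObject(java.io.ObjectInputStream)` that throws unless `ALLOW_RESOLVE` is set would refuse the stream before any field is populated; a sketch follows. `ALLOW_RESOLVE` is also a public, non-final, non-volatile static, so any code loaded in the JVM can turn the protection off for every caller; it should carry a comment such as `// Security switch for CVE-2015-3253: leave false unless every serialized stream is trusted`, and `volatile` would make a change visible across threads. The inner hunks show only fragments of the class, so whether another serialization hook already exists outside them cannot be confirmed from here.

```java
// … unchanged: ALLOW_RESOLVE field and readResolve() as added by the patch …

private void readObject(java.io.ObjectInputStream stream)
        throws java.io.IOException, ClassNotFoundException {
    if (!ALLOW_RESOLVE) {
        // Reject before any field is restored from the stream.
        throw new UnsupportedOperationException();
    }
    stream.defaultReadObject();
}
```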

