This is an automated email from the git hooks/post-receive script. nomadium pushed a commit to branch master in repository groovy2.
commit 768cef056996e9c2bca243b8f3d94e2b610d2a65
Author: Miguel Landaeta <[email protected]>
Date: Sat Jul 25 15:41:47 2015 -0300
Fix CVE-2015-3253
---
debian/changelog | 7 +++++++
debian/patches/CVE-2015-3253.patch | 36 ++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 44 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 9668635..7f5060b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+groovy2 (2.4.3+dfsg-2) UNRELEASED; urgency=medium
+
+ * Fix remote execution of untrusted code and possible DoS vulnerability.
+ (CVE-2015-3253) (Closes: #793398).
+
+ -- Miguel Landaeta <[email protected]> Sat, 25 Jul 2015 15:32:35 -0300
+
 groovy2 (2.4.3+dfsg-1) experimental; urgency=medium
 
 [ Emmanuel Bourg ]
diff --git a/debian/patches/CVE-2015-3253.patch b/debian/patches/CVE-2015-3253.patch
new file mode 100644
index 0000000..20f86b1
--- /dev/null
+++ b/debian/patches/CVE-2015-3253.patch
@@ -0,0 +1,36 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cedric Champeau <[email protected]>
+Bug-Debian: https://bugs.debian.org/793398
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy2-2.4.3+dfsg.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy2-2.4.3+dfsg/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -32,9 +32,11 @@
+ */
+ public class MethodClosure extends Closure {
+
++ public static boolean ALLOW_RESOLVE = false;
++
+ private static final Class[] EMPTY_CLASS_ARRAY = new Class[0];
+ private String method;
+-
++
+ public MethodClosure(Object owner, String method) {
+ super(owner);
+ this.method = method;
+@@ -62,6 +64,13 @@ public String getMethod() {
+ protected Object doCall(Object arguments) {
+ return InvokerHelper.invokeMethod(getOwner(), method, arguments);
+ }
++
++ private Object readResolve() {
++ if (ALLOW_RESOLVE) {
++ return this;
++ }
++ throw new UnsupportedOperationException();
++ }
+
+ public Object getProperty(String property) {
+ if ("method".equals(property)) {
diff --git a/debian/patches/series b/debian/patches/series
index a69d9c5..bd142b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ change_bsf_dependencies_version.diff
 change_servlet_dependency_version.diff
 change_junit_version.diff
 change_testng_dependency_version.diff
+CVE-2015-3253.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/groovy2.git
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
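Review bot: `ALLOW_RESOLVE` in the embedded MethodClosure.java patch is a public, non-final static, so the deserialization guard added in `readResolve()` is a JVM-wide switch that any code able to see the class can set to true, with no visibility guarantee across threads. If the opt-out has to stay for compatibility, I would at least document it on the field, e.g. `// JVM-wide opt-in; leave false wherever serialized data can come from an untrusted source`, and give the exception a message such as `throw new UnsupportedOperationException("MethodClosure deserialization is disabled (ALLOW_RESOLVE is false)");` so a rejected stream is easy to recognise in logs. Because `readResolve()` is private, Java serialization does not apply it to subclasses of the non-final `MethodClosure`, so it is worth checking whether any serializable subclass or other closure type needs the same guard. The class body continues outside both inner hunks, so this is based only on the lines shown.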

