This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository libcommons-collections3-java.
commit f0f1b151ccf6432345f974364384467892eda673 Author: Emmanuel Bourg <[email protected]> Date: Tue Nov 24 12:18:47 2015 +0100 Disabled the deserialization of the functors classes --- debian/changelog | 10 ++ debian/gbp.conf | 2 + .../patches/disable-functors-deserialization.patch | 159 +++++++++++++++++++++ debian/patches/series | 1 + 4 files changed, 172 insertions(+) diff --git a/debian/changelog b/debian/changelog index a1e33ea..375c8d1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +libcommons-collections3-java (3.2.1-7+deb8u1) jessie-security; urgency=medium + + * Backported a modification from commons-collections 3.2.2 disabling + the deserialization of the functors classes unless the system property + org.apache.commons.collections.enableUnsafeSerialization is set to true. + This fixes a vulnerability in unsafe applications deserializing objects + from untrusted sources without sanitizing the input data. + + -- Emmanuel Bourg <[email protected]> Tue, 24 Nov 2015 12:18:15 +0100 + libcommons-collections3-java (3.2.1-7) unstable; urgency=medium * Renamed the MultiMap.remove(Object, Object) method to removeMapping() diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..fae4302 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = jessie diff --git a/debian/patches/disable-functors-deserialization.patch b/debian/patches/disable-functors-deserialization.patch new file mode 100644 index 0000000..2ca581d --- /dev/null +++ b/debian/patches/disable-functors-deserialization.patch @@ -0,0 +1,159 @@ +Description: Disable the deserialization of the functors classes unless + the system property org.apache.commons.collections.enableUnsafeSerialization + is set to true. + . + This fixes a vulnerability in unsafe applications deserializing objects + from untrusted sources without sanitizing the input data. + . + https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread +Origin: backport, http://svn.apache.org/r1713845 +Bug: https://issues.apache.org/jira/browse/COLLECTIONS-580 +--- a/src/java/org/apache/commons/collections/functors/CloneTransformer.java ++++ b/src/java/org/apache/commons/collections/functors/CloneTransformer.java +@@ -68,4 +68,8 @@ + return PrototypeFactory.getInstance(input).create(); + } + ++ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException { ++ FunctorUtils.checkUnsafeSerialization(CloneTransformer.class); ++ is.defaultReadObject(); ++ } + } +--- a/src/java/org/apache/commons/collections/functors/ForClosure.java ++++ b/src/java/org/apache/commons/collections/functors/ForClosure.java +@@ -102,4 +102,8 @@ + return iCount; + } + ++ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException { ++ FunctorUtils.checkUnsafeSerialization(ForClosure.class); ++ is.defaultReadObject(); ++ } + } +--- a/src/java/org/apache/commons/collections/functors/FunctorUtils.java ++++ b/src/java/org/apache/commons/collections/functors/FunctorUtils.java +@@ -16,6 +16,8 @@ + */ + package org.apache.commons.collections.functors; + ++import java.security.AccessController; ++import java.security.PrivilegedAction; + import java.util.Collection; + import java.util.Iterator; + +@@ -34,6 +36,10 @@ + */ + class FunctorUtils { + ++ /** System property key to enable unsafe serialization */ ++ final static String UNSAFE_SERIALIZABLE_PROPERTY ++ = "org.apache.commons.collections.enableUnsafeSerialization"; ++ + /** + * Restricted constructor. + */ +@@ -152,4 +158,32 @@ + } + } + ++ /** ++ * Package-private helper method to check if serialization support is ++ * enabled for unsafe classes. ++ * ++ * @param clazz the clazz to check for serialization support ++ * @throws UnsupportedOperationException if unsafe serialization is disabled ++ */ ++ static void checkUnsafeSerialization(Class clazz) { ++ String unsafeSerializableProperty; ++ ++ try { ++ unsafeSerializableProperty = ++ (String) AccessController.doPrivileged(new PrivilegedAction() { ++ public Object run() { ++ return System.getProperty(UNSAFE_SERIALIZABLE_PROPERTY); ++ } ++ }); ++ } catch (SecurityException ex) { ++ unsafeSerializableProperty = null; ++ } ++ ++ if (!"true".equalsIgnoreCase(unsafeSerializableProperty)) { ++ throw new UnsupportedOperationException( ++ "Serialization support for " + clazz.getName() + " is disabled for security reasons. " + ++ "To enable it set system property '" + UNSAFE_SERIALIZABLE_PROPERTY + "' to 'true', " + ++ "but you must ensure that your application does not de-serialize objects from untrusted sources."); ++ } ++ } + } +--- a/src/java/org/apache/commons/collections/functors/InstantiateFactory.java ++++ b/src/java/org/apache/commons/collections/functors/InstantiateFactory.java +@@ -136,5 +136,9 @@ + throw new FunctorException("InstantiateFactory: Constructor threw an exception", ex); + } + } +- ++ ++ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException { ++ FunctorUtils.checkUnsafeSerialization(InstantiateFactory.class); ++ is.defaultReadObject(); ++ } + } +--- a/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java ++++ b/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java +@@ -116,4 +116,8 @@ + } + } + ++ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException { ++ FunctorUtils.checkUnsafeSerialization(InstantiateTransformer.class); ++ is.defaultReadObject(); ++ } + } +--- a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java ++++ b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java +@@ -134,4 +134,8 @@ + } + } + ++ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException { ++ FunctorUtils.checkUnsafeSerialization(InvokerTransformer.class); ++ is.defaultReadObject(); ++ } + } +--- a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java ++++ b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java +@@ -144,6 +144,11 @@ + throw new FunctorException("PrototypeCloneFactory: Clone method threw an exception", ex); + } + } ++ ++ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException { ++ FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class); ++ is.defaultReadObject(); ++ } + } + + // PrototypeSerializationFactory +@@ -204,6 +209,11 @@ + } + } + } ++ ++ private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException { ++ FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class); ++ is.defaultReadObject(); ++ } + } + + } +--- a/src/java/org/apache/commons/collections/functors/WhileClosure.java ++++ b/src/java/org/apache/commons/collections/functors/WhileClosure.java +@@ -120,4 +120,8 @@ + return iDoLoop; + } + ++ private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException { ++ FunctorUtils.checkUnsafeSerialization(WhileClosure.class); ++ is.defaultReadObject(); ++ } + } diff --git a/debian/patches/series b/debian/patches/series index a877473..0c58107 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ OSGI_Manifest.diff java8-compatibility.patch +disable-functors-deserialization.patch -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libcommons-collections3-java.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
