Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java
Commits:
0cfdd479 by Hideki Yamane at 2021-06-17T22:01:56+09:00
Add debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch

- - - - -
dac776fe by Hideki Yamane at 2021-06-17T22:05:36+09:00
note to changelog (1.4.11.1-1+deb10u3) for buster-security

- - - - -
d4edc8dc by Markus Koschany at 2021-06-18T13:10:28+00:00
Merge branch 'buster' into 'buster'

CVE-2021-29505 for Buster

See merge request java-team/libxstream-java!2

- - - - -

3 changed files:

- debian/changelog
- + debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
- debian/patches/series

Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,15 @@
+libxstream-java (1.4.11.1-1+deb10u3) buster-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2021-29505:
+ - The vulnerability may allow a remote attacker has sufficient rights
+ to execute commands of the host only by manipulating the processed
+ input stream. No user is affected, who followed the recommendation
+ to setup XStream's security framework with a whitelist limited to
+ the minimal required types.
+
+ -- Hideki Yamane <[email protected]> Thu, 17 Jun 2021 22:02:16 +0900
+
 libxstream-java (1.4.11.1-1+deb10u2) buster-security; urgency=high
 
 * Team upload.
=====================================
debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
=====================================
@@ -0,0 +1,38 @@
+From: Hideki Yamane <[email protected]>
+Date: Thu, 17 Jun 2021 21:42:35 +0900
+Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
+
+See https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
+---
+ xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index b5e43af..7a166ca 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -336,11 +336,13 @@ public class XStream {
+ private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+ private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
+ private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
++ private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
+ private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
+ private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
+ private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
+ "javafx\\.collections\\.ObservableList\\$.*");
+ private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
++ private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
+ private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
+
+ /**
+@@ -657,8 +659,8 @@ public class XStream {
+ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
+ "sun.swing.SwingLazyValue"});
+ denyTypesByRegExp(new Pattern[]{
+- LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
+- JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
++ LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
++ JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
+ denyTypeHierarchy(InputStream.class);
+ denyTypeHierarchyDynamically("java.nio.channels.Channel");
+ denyTypeHierarchyDynamically("javax.activation.DataSource");
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@
 CVE-2020-26217.patch
 CVE-2020-26258.patch
 CVE-2020-26259.patch
+0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch

View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/8b4c8a5457f2781e07207e9beecdddafb1cbea52...d4edc8dcd008a6373f4542f45f5da90401818d21

--
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/8b4c8a5457f2781e07207e9beecdddafb1cbea52...d4edc8dcd008a6373f4542f45f5da90401818d21
You're receiving this email because of your account on salsa.debian.org.
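Review bot: The Debian patch header in this hunk records the upstream origin only as a free-text `See <url>` line and carries no bug reference, so the backport is hard to trace from the patch alone; the DEP-3 fields `Origin: backport, https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227` and `Bug-Debian: https://bugs.debian.org/989491` would fix that. The patch file name (and the entry added to debian/patches/series) reads `Closes-98949` while the Subject line says `Closes:#989491`, so the bug number in the name is truncated by one digit and is worth correcting before the name is copied into later uploads. On the code itself, the two new deny patterns `LAZY_ENUMERATORS` and `JAVA_RMI` extend a regex denylist inside a security-setup method whose start and end lie outside the hunk; as the changelog entry itself notes, this denylist is only a fallback, and only an explicit allow-list of the minimally required types closes this class of issue, so downstream consumers should not treat this update alone as sufficient hardening.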

