Markus Koschany pushed to branch buster at Debian Java Maintainers / libxstream-java
Commits: 735f1214 by Hideki Yamane at 2021-06-18T23:25:48+09:00 Update: properly applied to buster code Accidentally it was committed as patch for unstable without changes, so now I should fix it. - - - - - 7f93127e by Hideki Yamane at 2021-06-18T23:25:48+09:00 Rename patch as 0004-Fix-CVE-2021-29505-for-buster.patch - - - - - a42f8f60 by Hideki Yamane at 2021-06-18T23:27:25+09:00 Update patch descriptions - - - - - e44f12c4 by Markus Koschany at 2021-06-18T15:34:26+00:00 Merge branch 'buster' into 'buster' Fix: properly applied to buster code See merge request java-team/libxstream-java!3 - - - - - 3 changed files: - + debian/patches/0004-Fix-CVE-2021-29505-for-buster.patch - − debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch - debian/patches/series Changes: ===================================== debian/patches/0004-Fix-CVE-2021-29505-for-buster.patch ===================================== 
@@ -0,0 +1,36 @@
+From: Hideki Yamane <[email protected]>
+Date: Thu, 18 Jun 2021 23:27:25 +0900
+Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
+
+Taken patch from upstream commit
+https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
+and modified it to be applied buster branch (1.4.11.1)
+
+---
+ xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+Index: libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java
+===================================================================
+--- libxstream-java.orig/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -354,8 +354,10 @@ public class XStream {
+
+ private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
+ private static final Pattern IGNORE_ALL = Pattern.compile(".*");
++ private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
+ private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
+ private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
++ private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
+ private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
+
+ /**
+@@ -710,7 +712,7 @@ public class XStream {
+ java.beans.EventHandler.class,
+ java.lang.ProcessBuilder.class,
+ java.lang.Void.class, void.class });
+- denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
++ denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM, LAZY_ENUMERATORS,JAVA_RMI});
+ allowTypeHierarchy(Exception.class);
+ securityInitialized = false;
+ }
=====================================
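Review bot: The two new patterns only extend the regex denylist passed to `denyTypesByRegExp(...)`, so this narrows the known gadget set rather than closing the deserialization class of issue, and the patch header should say so instead of reading as a complete fix; the enclosing method starts and ends outside the hunk, but the trailing `securityInitialized = false;` suggests it is the constructor's default (deny-list only) security setup, which is worth stating for anyone triaging the CVE on buster. The free-text origin line would be more useful as DEP-3 fields, e.g. `Origin: backport, https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227`, `Bug-Debian: https://bugs.debian.org/989491` and `Forwarded: not-needed`. The description line `+and modified it to be applied buster branch (1.4.11.1)` reads better as `and modified to apply to the buster branch (1.4.11.1)`. Minor: `LAZY_ENUMERATORS,JAVA_RMI` lacks the space after the comma that the rest of the array uses.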
debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch deleted ===================================== 
@@ -1,38 +0,0 @@
-From: Hideki Yamane <[email protected]>
-Date: Thu, 17 Jun 2021 21:42:35 +0900
-Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
-
-See https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
----
- xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index b5e43af..7a166ca 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -336,11 +336,13 @@ public class XStream {
- private static final Pattern IGNORE_ALL = Pattern.compile(".*");
- private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
- private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
-+ private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
- private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
- private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
- private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
- "javafx\\.collections\\.ObservableList\\$.*");
- private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
-+ private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
- private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
-
- /**
-@@ -657,8 +659,8 @@ public class XStream {
- "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
- "sun.swing.SwingLazyValue"});
- denyTypesByRegExp(new Pattern[]{
-- LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
-- JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
-+ LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
-+ JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
- denyTypeHierarchy(InputStream.class);
- denyTypeHierarchyDynamically("java.nio.channels.Channel");
- denyTypeHierarchyDynamically("javax.activation.DataSource");
=====================================
debian/patches/series
=====================================
@@ -2,4 +2,4 @@ CVE-2020-26217.patch CVE-2020-26258.patch CVE-2020-26259.patch -0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch +0004-Fix-CVE-2021-29505-for-buster.patch
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/d4edc8dcd008a6373f4542f45f5da90401818d21...e44f12c48a192fb864094616fe8c2de84248f2c4
--
View it on GitLab: https://salsa.debian.org/java-team/libxstream-java/-/compare/d4edc8dcd008a6373f4542f45f5da90401818d21...e44f12c48a192fb864094616fe8c2de84248f2c4
You're receiving this email because of your account on salsa.debian.org.

