Your message dated Tue, 04 Apr 2017 14:49:44 +0000
with message-id <e1cvpmc-0008id...@fasolo.debian.org>
and subject line Bug#857343: fixed in logback 1:1.1.9-3
has caused the Debian Bug report #857343,
regarding logback: CVE-2017-5929: serialization vulnerability affecting the 
SocketServer and ServerSocketReceiver components
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: liblogback-java
Version: 1:1.1.2-1
Severity: important
Tags: upstream patch

Dear Maintainer,

logback versions in wheezy, jessie and stretch are vulnerable to a
deserialization issue.
Logback deserializes data read from a socket, but that data cannot be trusted.
Upstream mitigates this issue by adding a whitelist of allowed classes to be
deserialized.

I've prepared a patch for jessie.

Regards

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblogback-java depends on:
ii  libslf4j-java  1.7.7-1

liblogback-java recommends no packages.

Versions of packages liblogback-java suggests:
ii  glassfish-javaee  1:2.1.1-b31g+dfsg1-2
ii  libjanino-java    2.7.0-2
diff -rPu logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java logback/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
--- logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java	1970-01-01 01:00:00.000000000 +0100
+++ logback/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java	2017-03-04 15:39:00.000000000 +0100
@@ -0,0 +1,16 @@
+package ch.qos.logback.access.net;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import ch.qos.logback.access.spi.AccessEvent;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
+
+public class HardenedAccessEventInputStream extends HardenedObjectInputStream {
+
+    public HardenedAccessEventInputStream(InputStream in) throws IOException {
+        super(in, new String[] {AccessEvent.class.getName(), String[].class.getName()});
+    }
+
+}
+
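Review bot: Nothing in this class says why the whitelist holds exactly these two names, and the `String[]` entry looks redundant next to the `java.lang` rule in the base class, so it is easy to delete by mistake. A comment above the `super(...)` call would record the reason: `// Array names look like "[Ljava.lang.String;" and do not match the java.lang/java.util prefix rule in HardenedObjectInputStream, so String[] is listed explicitly.` A one-line class Javadoc stating that the stream only resolves the classes needed to read a serialized `AccessEvent` would also help.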
diff -rPu logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java logback/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
--- logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java	2013-09-07 12:44:46.000000000 +0200
+++ logback/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java	2017-03-05 15:09:48.000000000 +0100
@@ -15,7 +15,6 @@
 
 import java.io.BufferedInputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 
 import ch.qos.logback.access.spi.AccessContext;
@@ -42,16 +41,15 @@
 
   Socket socket;
   AccessContext context;
-  ObjectInputStream ois;
+  HardenedAccessEventInputStream hardenedOIS;
 
   public SocketNode(Socket socket, AccessContext context) {
     this.socket = socket;
     this.context = context;
     try {
-      ois = new ObjectInputStream(new BufferedInputStream(socket
-          .getInputStream()));
+      hardenedOIS = new HardenedAccessEventInputStream(new BufferedInputStream(socket.getInputStream()));
     } catch (Exception e) {
-      System.out.println("Could not open ObjectInputStream to " + socket + e);
+      System.out.println("Could not open HardenedObjectInputStream to " + socket + e);
     }
   }
 
@@ -61,7 +59,7 @@
     try {
       while (true) {
         // read an event from the wire
-        event = (IAccessEvent) ois.readObject();
+        event = (IAccessEvent) hardenedOIS.readObject();
         //check that the event should be logged
         if (context.getFilterChainDecision(event) == FilterReply.DENY) {
           break;
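Review bot: `hardenedOIS` can still be null when `hardenedOIS.readObject()` runs. The constructor in the previous hunk only prints a message when creating the stream fails, which leaves the field unset. The enclosing `try` starts in this hunk but its catch clauses are outside it, so it is not visible whether the resulting NullPointerException is handled. A guard ahead of the loop, `if (hardenedOIS == null) { return; }`, or letting the constructor fail, would make that case explicit. The message printed in the constructor also concatenates `socket + e` with no separator.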
@@ -81,7 +79,7 @@
     }
 
     try {
-      ois.close();
+      hardenedOIS.close();
     } catch (Exception e) {
       System.out.println("Could not close connection." + e);
     }
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java	1970-01-01 01:00:00.000000000 +0100
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java	2017-03-05 15:14:25.000000000 +0100
@@ -0,0 +1,57 @@
+package ch.qos.logback.classic.net.server;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.slf4j.helpers.BasicMarker;
+
+import ch.qos.logback.classic.Level;
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.ClassPackagingData;
+import ch.qos.logback.classic.spi.IThrowableProxy;
+import ch.qos.logback.classic.spi.LoggerContextVO;
+import ch.qos.logback.classic.spi.LoggerRemoteView;
+import ch.qos.logback.classic.spi.LoggingEventVO;
+import ch.qos.logback.classic.spi.StackTraceElementProxy;
+import ch.qos.logback.classic.spi.ThrowableProxy;
+import ch.qos.logback.classic.spi.ThrowableProxyVO;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
+
+public class HardenedLoggingEventInputStream extends HardenedObjectInputStream {
+
+    static final String ARRAY_PREFIX = "[L";
+    
+    static public List<String> getWhilelist() {
+        List<String> whitelist = new ArrayList<String>();
+        whitelist.add(LoggingEventVO.class.getName());
+        whitelist.add(LoggerContextVO.class.getName());
+        whitelist.add(LoggerRemoteView.class.getName());
+        whitelist.add(ThrowableProxyVO.class.getName());
+        whitelist.add(BasicMarker.class.getName());
+        whitelist.add(Level.class.getName());
+        whitelist.add(Logger.class.getName());
+        whitelist.add(StackTraceElement.class.getName());
+        whitelist.add(StackTraceElement[].class.getName());
+        whitelist.add(ThrowableProxy.class.getName());
+        whitelist.add(ThrowableProxy[].class.getName());
+        whitelist.add(IThrowableProxy.class.getName());
+        whitelist.add(IThrowableProxy[].class.getName());
+        whitelist.add(StackTraceElementProxy.class.getName());
+        whitelist.add(StackTraceElementProxy[].class.getName());
+        whitelist.add(ClassPackagingData.class.getName());
+
+        return whitelist;
+    }
+   
+    public HardenedLoggingEventInputStream(InputStream is) throws IOException {
+        super(is, getWhilelist());
+    }
+    
+    public HardenedLoggingEventInputStream(InputStream is, List<String> additionalAuthorizedClasses) throws IOException {
+        this(is);
+        super.addToWhitelist(additionalAuthorizedClasses);
+    }
+}
+
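Review bot: The file is created under `ch/qos/logback/classic/net/` but declares `package ch.qos.logback.classic.net.server;`, so its path and package disagree. The other hunks rely on the declared package (the import added to the classic `SocketNode` and the unqualified use in `RemoteAppenderStreamClient`), so moving the file to `classic/net/server/` is the consistent fix. `ARRAY_PREFIX` is declared but never used in this file, and `getWhilelist` is a misspelling that becomes public API as written. The class has no Javadoc; a short one should say that the second constructor's `additionalAuthorizedClasses` widens the set of classes that may be deserialized, and that callers should keep that list minimal.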
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java	2013-09-07 12:44:46.000000000 +0200
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java	2017-03-07 16:43:38.579569993 +0100
@@ -16,12 +16,12 @@
 import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 
 import ch.qos.logback.classic.Logger;
 import ch.qos.logback.classic.LoggerContext;
 import ch.qos.logback.classic.spi.ILoggingEvent;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
 import ch.qos.logback.core.util.CloseUtil;
 
 /**
@@ -86,7 +86,7 @@
    */
   public void run() {
     logger.info(this + ": connected"); 
-    ObjectInputStream ois = null;
+    HardenedObjectInputStream ois = null;
     try {
       ois = createObjectInputStream();
       while (true) {
@@ -124,11 +124,11 @@
     }
   }
 
-  private ObjectInputStream createObjectInputStream() throws IOException {
+  private HardenedObjectInputStream createObjectInputStream() throws IOException {
     if (inputStream != null) {
-      return new ObjectInputStream(inputStream);
+      return new HardenedLoggingEventInputStream(inputStream);
     }
-    return new ObjectInputStream(socket.getInputStream());
+    return new HardenedLoggingEventInputStream(socket.getInputStream());
   }
   
   /**
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java	2014-01-28 21:05:23.000000000 +0100
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java	2017-03-05 15:12:34.000000000 +0100
@@ -15,13 +15,13 @@
 
 import java.io.BufferedInputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 import java.net.SocketAddress;
 
 import ch.qos.logback.classic.Logger;
 
 import ch.qos.logback.classic.LoggerContext;
+import ch.qos.logback.classic.net.server.HardenedLoggingEventInputStream;
 import ch.qos.logback.classic.spi.ILoggingEvent;
 
 // Contributors: Moses Hohman <mmhoh...@rainbow.uchicago.edu>
@@ -44,7 +44,7 @@
 
   Socket socket;
   LoggerContext context;
-  ObjectInputStream ois;
+  HardenedLoggingEventInputStream hardenedLoggingEventInputStream;
   SocketAddress remoteSocketAddress;
   
   Logger logger;
@@ -68,8 +68,7 @@
   public void run() {
 
     try {
-      ois = new ObjectInputStream(new BufferedInputStream(socket
-          .getInputStream()));
+      hardenedLoggingEventInputStream = new HardenedLoggingEventInputStream(new BufferedInputStream(socket.getInputStream()));
     } catch (Exception e) {
       logger.error("Could not open ObjectInputStream to " + socket, e);
       closed = true;
@@ -81,7 +80,7 @@
     try {
       while (!closed) {
         // read an event from the wire
-        event = (ILoggingEvent) ois.readObject();
+        event = (ILoggingEvent) hardenedLoggingEventInputStream.readObject();
         // get a logger from the hierarchy. The name of the logger is taken to
         // be the name contained in the event.
         remoteLogger = context.getLogger(event.getLoggerName());
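Review bot: A class rejected by the whitelist surfaces from `hardenedLoggingEventInputStream.readObject()` as an `InvalidClassException`, which is an `IOException`. The catch clauses of this loop are outside the hunk, so it is not visible whether that case is told apart from an ordinary disconnect. If it is not, a dedicated clause ahead of the generic `IOException` handler, e.g. `catch (InvalidClassException e) { logger.warn(remoteSocketAddress + ": rejected serialized class", e); }` (with `java.io.InvalidClassException` imported), would leave a record of which peer sent the rejected stream. The same applies to `hardenedOIS.readObject()` in the access `SocketNode`.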
@@ -111,13 +110,13 @@
       return;
     }
     closed = true;
-    if (ois != null) {
+    if (hardenedLoggingEventInputStream != null) {
       try {
-        ois.close();
+        hardenedLoggingEventInputStream.close();
       } catch (IOException e) {
         logger.warn("Could not close connection.", e);
       } finally {
-        ois = null;
+        hardenedLoggingEventInputStream = null;
       }
     }
   }
diff -rPu logback.orig/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java logback/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
--- logback.orig/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java	1970-01-01 01:00:00.000000000 +0100
+++ logback/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java	2017-03-07 15:49:29.360186454 +0100
@@ -0,0 +1,64 @@
+package ch.qos.logback.core.net;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * 
+ * @author Ceki G&uuml;lc&uuml;
+ * @since 1.2.0
+ */
+public class HardenedObjectInputStream extends ObjectInputStream {
+
+    final List<String> whitelistedClassNames;
+    final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" };
+
+    public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOException {
+        super(in);
+        this.whitelistedClassNames = new ArrayList<String>();
+        if (whilelist != null) {
+            for (int i = 0; i < whilelist.length; i++) {
+                this.whitelistedClassNames.add(whilelist[i]);
+            }
+        }
+    }
+
+    public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException {
+        super(in);
+
+        this.whitelistedClassNames = new ArrayList<String>();
+        this.whitelistedClassNames.addAll(whitelist);
+    }
+
+    @Override
+    protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException {
+        String incomingClassName = anObjectStreamClass.getName();
+        if(!isWhitelisted(incomingClassName)) {
+            throw new InvalidClassException("Unauthorized deserialization attempt", anObjectStreamClass.getName());
+        }
+    
+        return super.resolveClass(anObjectStreamClass);
+    }
+
+    private boolean isWhitelisted(String incomingClassName) {
+        for(int i = 0; i < JAVA_PACKAGES.length; i++) {
+            if(incomingClassName.startsWith(JAVA_PACKAGES[i]))
+                return true;
+        }
+        for(String whiteListed: whitelistedClassNames) {
+            if(incomingClassName.equals(whiteListed))
+                return true;
+        }
+        return false;
+    }
+
+    protected void addToWhitelist(List<String> additionalAuthorizedClasses) {
+        whitelistedClassNames.addAll(additionalAuthorizedClasses);
+    }
+}
+
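Review bot: `isWhitelisted` accepts any name that merely starts with `java.lang` or `java.util`, which admits every class in those packages and their subpackages (`java.lang.reflect`, `java.util.concurrent`, …) as well as unrelated names such as `java.utility.X`. At minimum the constants need a trailing dot, and an explicit list of the JDK classes the event objects actually use would be tighter. Proxy class descriptors are resolved through `resolveProxyClass`, which this class does not override, so the interfaces of a serialized dynamic proxy are never checked against the whitelist. `InvalidClassException` takes the class name first and the reason second, so the two arguments at the `throw` are swapped. The `List` constructor also calls `addAll(whitelist)` without the null check the array constructor has.

```java
    final static String[] JAVA_PACKAGES = new String[] { "java.lang.", "java.util." };

    // … unchanged: constructors, resolveClass, isWhitelisted, addToWhitelist …

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        // Proxy descriptors do not pass through resolveClass, so apply the same check to each interface name.
        for (String interfaceName : interfaces) {
            if (!isWhitelisted(interfaceName)) {
                throw new InvalidClassException(interfaceName, "Unauthorized deserialization attempt");
            }
        }
        return super.resolveProxyClass(interfaces);
    }
```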

--- End Message ---
--- Begin Message ---
Source: logback
Source-Version: 1:1.1.9-3

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 04 Apr 2017 14:49:44 +0200
Source: logback
Binary: liblogback-java liblogback-java-doc
Architecture: source
Version: 1:1.1.9-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 liblogback-java - flexible logging library for Java
 liblogback-java-doc - flexible logging library for Java - documentation
Closes: 857343
Changes:
 logback (1:1.1.9-3) unstable; urgency=medium
 .
   * Team upload.
   * The patch for CVE-2017-5929 was incomplete. Add CVE-2017-5929-part2.patch
     and really fix the issue. (Closes: #857343)
   * Remove all test cases from CVE-2017-5929.patch and only apply the minimal
     changes to make it easier to review the package. Tests are disabled anyway.
Checksums-Sha1:
 0f818b40addffd9000c2ae5bf85a8fadf183e321 2408 logback_1.1.9-3.dsc
 439c5a96a938124118754750fe6f6c17871c7475 13524 logback_1.1.9-3.debian.tar.xz
 7d59e7da161541f30327e9ab3a5cd82a90c03cd8 15164 logback_1.1.9-3_amd64.buildinfo
Checksums-Sha256:
 889b956159efc88f2afd1274f7677a6ec2953ce21e22aff3fed58f8c3fa19325 2408 
logback_1.1.9-3.dsc
 cfdb6de7a2d5dd2c7cb004ec8309fa56b241c329a85984170eb85332a28db6b5 13524 
logback_1.1.9-3.debian.tar.xz
 3e2bfa71d2a5677bb73d2f1c2f06388cdf57aca676f88623dc498fa8ca8bfd70 15164 
logback_1.1.9-3_amd64.buildinfo
Files:
 7fe1580466b7fe6eb34d08ed8f5f5578 2408 java optional logback_1.1.9-3.dsc
 a2442304b426b0755a3e98419a0b44d0 13524 java optional 
logback_1.1.9-3.debian.tar.xz
 deb12871e55f268fd8cf88be8ffaf836 15164 java optional 
logback_1.1.9-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAljjpn9fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkjvIP/jixGBcpyP0MvSrtixrZRGjU8Ht+5zwma85H
Pd5fU6nziTHqJhaWxQrTicWijRLl73LQPLcOSU6CrJAHs1RlOhWKNUWExW5tUz+w
A5/c1YhXrQ1uTCM0RZKPk58ovnVL6GOZxtWbOPLQaTBW10rRHcnDsA26HW6AJjQX
W/3w1XXvcnoQV22hypN4lF5B8hwQC57xlM8v8FHzucrypTdmkwWBQDy3KI5p+AAE
dnL0SCrszazJSVNmfgMYlGM2FmQFkJVyS7zHUd45hUv6y9g6D4QNCmj5tHc7qQ2u
IYS+nPy/9xFANN2wj8l7WBsEai40uVc9vnrkb4piUYZzsAbKCNRx15U/EuzPE6tC
W44iUDBPPvVIxDlp1/FDekKGg6UMrB0Wt0hS2Kw9k5MViA50FZK4nTeyqwPfXqMe
f5FdE9exhNFvidQgyIy4elEjuShFUGMAaXpsWnaUpURbnT02Go/9TMWTjeRAzG6Q
OLTJcP8xIeeOJGnaZL6olkwPkR8p5ZoMzSZKurfvTpD93ABhRnO6jd9IOLtsc15R
1Z2sRNSkiuBN+reSpbmtXZz+7gsF16XH5ug5pCfXQ84M1XonGLiyGqbweQ0sPrFJ
n2coSjV+hryUnhdldCSQNMs0Ssc3Z+OSk3okmGz0jDgrklE6k0bjVXH5QEfQXN/b
13aFLPTN
=bpU+
-----END PGP SIGNATURE-----

--- End Message ---