Your message dated Tue, 25 Apr 2017 19:47:15 +0000
with message-id <e1d36qd-0009dx...@fasolo.debian.org>
and subject line Bug#857343: fixed in logback 1:1.1.2-1+deb8u1
has caused the Debian Bug report #857343,
regarding logback: CVE-2017-5929: serialization vulnerability affecting the 
SocketServer and ServerSocketReceiver components
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: liblogback-java
Version: 1:1.1.2-1
Severity: important
Tags: upstream patch

Dear Maintainer,

logback versions in wheezy, jessie and stretch are vulnerable to a
deserialization issue.
Logback would try to deserialize data from a socket, but it can't be trusted.
Upstream mitigates this issue by adding a whitelist of allowed classes to be
deserialized.

I've prepared a patch for jessie.

Regards

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblogback-java depends on:
ii  libslf4j-java  1.7.7-1

liblogback-java recommends no packages.

Versions of packages liblogback-java suggests:
ii  glassfish-javaee  1:2.1.1-b31g+dfsg1-2
ii  libjanino-java    2.7.0-2
diff -rPu logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java logback/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
--- logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java	1970-01-01 01:00:00.000000000 +0100
+++ logback/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java	2017-03-04 15:39:00.000000000 +0100
@@ -0,0 +1,16 @@
+package ch.qos.logback.access.net;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import ch.qos.logback.access.spi.AccessEvent;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
+
+public class HardenedAccessEventInputStream extends HardenedObjectInputStream {
+
+    public HardenedAccessEventInputStream(InputStream in) throws IOException {
+        super(in, new String[] {AccessEvent.class.getName(), String[].class.getName()});
+    }
+
+}
+
diff -rPu logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java logback/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
--- logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java	2013-09-07 12:44:46.000000000 +0200
+++ logback/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java	2017-03-05 15:09:48.000000000 +0100
@@ -15,7 +15,6 @@
 
 import java.io.BufferedInputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 
 import ch.qos.logback.access.spi.AccessContext;
@@ -42,16 +41,15 @@
 
   Socket socket;
   AccessContext context;
-  ObjectInputStream ois;
+  HardenedAccessEventInputStream hardenedOIS;
 
   public SocketNode(Socket socket, AccessContext context) {
     this.socket = socket;
     this.context = context;
     try {
-      ois = new ObjectInputStream(new BufferedInputStream(socket
-          .getInputStream()));
+      hardenedOIS = new HardenedAccessEventInputStream(new BufferedInputStream(socket.getInputStream()));
     } catch (Exception e) {
-      System.out.println("Could not open ObjectInputStream to " + socket + e);
+      System.out.println("Could not open HardenedObjectInputStream to " + socket + e);
     }
   }
 
@@ -61,7 +59,7 @@
     try {
       while (true) {
         // read an event from the wire
-        event = (IAccessEvent) ois.readObject();
+        event = (IAccessEvent) hardenedOIS.readObject();
         //check that the event should be logged
         if (context.getFilterChainDecision(event) == FilterReply.DENY) {
           break;
@@ -81,7 +79,7 @@
     }
 
     try {
-      ois.close();
+      hardenedOIS.close();
     } catch (Exception e) {
       System.out.println("Could not close connection." + e);
     }
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java	1970-01-01 01:00:00.000000000 +0100
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java	2017-03-05 15:14:25.000000000 +0100
@@ -0,0 +1,57 @@
+package ch.qos.logback.classic.net.server;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.slf4j.helpers.BasicMarker;
+
+import ch.qos.logback.classic.Level;
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.ClassPackagingData;
+import ch.qos.logback.classic.spi.IThrowableProxy;
+import ch.qos.logback.classic.spi.LoggerContextVO;
+import ch.qos.logback.classic.spi.LoggerRemoteView;
+import ch.qos.logback.classic.spi.LoggingEventVO;
+import ch.qos.logback.classic.spi.StackTraceElementProxy;
+import ch.qos.logback.classic.spi.ThrowableProxy;
+import ch.qos.logback.classic.spi.ThrowableProxyVO;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
+
+public class HardenedLoggingEventInputStream extends HardenedObjectInputStream {
+
+    static final String ARRAY_PREFIX = "[L";
+    
+    static public List<String> getWhilelist() {
+        List<String> whitelist = new ArrayList<String>();
+        whitelist.add(LoggingEventVO.class.getName());
+        whitelist.add(LoggerContextVO.class.getName());
+        whitelist.add(LoggerRemoteView.class.getName());
+        whitelist.add(ThrowableProxyVO.class.getName());
+        whitelist.add(BasicMarker.class.getName());
+        whitelist.add(Level.class.getName());
+        whitelist.add(Logger.class.getName());
+        whitelist.add(StackTraceElement.class.getName());
+        whitelist.add(StackTraceElement[].class.getName());
+        whitelist.add(ThrowableProxy.class.getName());
+        whitelist.add(ThrowableProxy[].class.getName());
+        whitelist.add(IThrowableProxy.class.getName());
+        whitelist.add(IThrowableProxy[].class.getName());
+        whitelist.add(StackTraceElementProxy.class.getName());
+        whitelist.add(StackTraceElementProxy[].class.getName());
+        whitelist.add(ClassPackagingData.class.getName());
+
+        return whitelist;
+    }
+   
+    public HardenedLoggingEventInputStream(InputStream is) throws IOException {
+        super(is, getWhilelist());
+    }
+    
+    public HardenedLoggingEventInputStream(InputStream is, List<String> additionalAuthorizedClasses) throws IOException {
+        this(is);
+        super.addToWhitelist(additionalAuthorizedClasses);
+    }
+}
+
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java	2013-09-07 12:44:46.000000000 +0200
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java	2017-03-07 16:43:38.579569993 +0100
@@ -16,12 +16,12 @@
 import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 
 import ch.qos.logback.classic.Logger;
 import ch.qos.logback.classic.LoggerContext;
 import ch.qos.logback.classic.spi.ILoggingEvent;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
 import ch.qos.logback.core.util.CloseUtil;
 
 /**
@@ -86,7 +86,7 @@
    */
   public void run() {
     logger.info(this + ": connected"); 
-    ObjectInputStream ois = null;
+    HardenedObjectInputStream ois = null;
     try {
       ois = createObjectInputStream();
       while (true) {
@@ -124,11 +124,11 @@
     }
   }
 
-  private ObjectInputStream createObjectInputStream() throws IOException {
+  private HardenedObjectInputStream createObjectInputStream() throws IOException {
     if (inputStream != null) {
-      return new ObjectInputStream(inputStream);
+      return new HardenedLoggingEventInputStream(inputStream);
     }
-    return new ObjectInputStream(socket.getInputStream());
+    return new HardenedLoggingEventInputStream(socket.getInputStream());
   }
   
   /**
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java	2014-01-28 21:05:23.000000000 +0100
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java	2017-03-05 15:12:34.000000000 +0100
@@ -15,13 +15,13 @@
 
 import java.io.BufferedInputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 import java.net.SocketAddress;
 
 import ch.qos.logback.classic.Logger;
 
 import ch.qos.logback.classic.LoggerContext;
+import ch.qos.logback.classic.net.server.HardenedLoggingEventInputStream;
 import ch.qos.logback.classic.spi.ILoggingEvent;
 
 // Contributors: Moses Hohman <mmhoh...@rainbow.uchicago.edu>
@@ -44,7 +44,7 @@
 
   Socket socket;
   LoggerContext context;
-  ObjectInputStream ois;
+  HardenedLoggingEventInputStream hardenedLoggingEventInputStream;
   SocketAddress remoteSocketAddress;
   
   Logger logger;
@@ -68,8 +68,7 @@
   public void run() {
 
     try {
-      ois = new ObjectInputStream(new BufferedInputStream(socket
-          .getInputStream()));
+      hardenedLoggingEventInputStream = new HardenedLoggingEventInputStream(new BufferedInputStream(socket.getInputStream()));
     } catch (Exception e) {
       logger.error("Could not open ObjectInputStream to " + socket, e);
       closed = true;
@@ -81,7 +80,7 @@
     try {
       while (!closed) {
         // read an event from the wire
-        event = (ILoggingEvent) ois.readObject();
+        event = (ILoggingEvent) hardenedLoggingEventInputStream.readObject();
         // get a logger from the hierarchy. The name of the logger is taken to
         // be the name contained in the event.
         remoteLogger = context.getLogger(event.getLoggerName());
@@ -111,13 +110,13 @@
       return;
     }
     closed = true;
-    if (ois != null) {
+    if (hardenedLoggingEventInputStream != null) {
       try {
-        ois.close();
+        hardenedLoggingEventInputStream.close();
       } catch (IOException e) {
         logger.warn("Could not close connection.", e);
       } finally {
-        ois = null;
+        hardenedLoggingEventInputStream = null;
       }
     }
   }
diff -rPu logback.orig/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java logback/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
--- logback.orig/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java	1970-01-01 01:00:00.000000000 +0100
+++ logback/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java	2017-03-07 15:49:29.360186454 +0100
@@ -0,0 +1,64 @@
+package ch.qos.logback.core.net;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * 
+ * @author Ceki G&uuml;lc&uuml;
+ * @since 1.2.0
+ */
+public class HardenedObjectInputStream extends ObjectInputStream {
+
+    final List<String> whitelistedClassNames;
+    final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" };
+
+    public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOException {
+        super(in);
+        this.whitelistedClassNames = new ArrayList<String>();
+        if (whilelist != null) {
+            for (int i = 0; i < whilelist.length; i++) {
+                this.whitelistedClassNames.add(whilelist[i]);
+            }
+        }
+    }
+
+    public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException {
+        super(in);
+
+        this.whitelistedClassNames = new ArrayList<String>();
+        this.whitelistedClassNames.addAll(whitelist);
+    }
+
+    @Override
+    protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException {
+        String incomingClassName = anObjectStreamClass.getName();
+        if(!isWhitelisted(incomingClassName)) {
+            throw new InvalidClassException("Unauthorized deserialization attempt", anObjectStreamClass.getName());
+        }
+    
+        return super.resolveClass(anObjectStreamClass);
+    }
+
+    private boolean isWhitelisted(String incomingClassName) {
+        for(int i = 0; i < JAVA_PACKAGES.length; i++) {
+            if(incomingClassName.startsWith(JAVA_PACKAGES[i]))
+                return true;
+        }
+        for(String whiteListed: whitelistedClassNames) {
+            if(incomingClassName.equals(whiteListed))
+                return true;
+        }
+        return false;
+    }
+
+    protected void addToWhitelist(List<String> additionalAuthorizedClasses) {
+        whitelistedClassNames.addAll(additionalAuthorizedClasses);
+    }
+}
+

--- End Message ---
--- Begin Message ---
Source: logback
Source-Version: 1:1.1.2-1+deb8u1

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 24 Apr 2017 13:41:45 +0200
Source: logback
Binary: liblogback-java liblogback-java-doc
Architecture: source all
Version: 1:1.1.2-1+deb8u1
Distribution: jessie
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 liblogback-java - flexible logging library for Java
 liblogback-java-doc - flexible logging library for Java - documentation
Closes: 857343
Changes:
 logback (1:1.1.2-1+deb8u1) jessie; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-5929:
     It was discovered that logback, a flexible logging library for Java, would
     deserialize data from untrusted sockets. This issue has been resolved by
     adding a whitelist to use only trusted classes. (Closes: #857343)
Checksums-Sha1:
 279a0764fb1ff52d1aaba3925722adccee03236b 2270 logback_1.1.2-1+deb8u1.dsc
 951e6cd1c497d14fb10ebf518937928232cdc830 11560 
logback_1.1.2-1+deb8u1.debian.tar.xz
 daed26934cf922a190b4c317841b69cf985a2d14 624718 
liblogback-java_1.1.2-1+deb8u1_all.deb
 025cebc4db3445261cb9f87a5a62f832e9cdf138 1778332 
liblogback-java-doc_1.1.2-1+deb8u1_all.deb
Checksums-Sha256:
 103395aa6dbb290dd74454254fd83e04f2c02c4612d2f83c98da692b64ee240e 2270 
logback_1.1.2-1+deb8u1.dsc
 502d128e960a611893292515072edeb33bec82811c526251d29655a499a15e77 11560 
logback_1.1.2-1+deb8u1.debian.tar.xz
 fa847a1bf2f3e3e28e9196376ea21494164a8cc2c1b350cbc47aab740a2c89b6 624718 
liblogback-java_1.1.2-1+deb8u1_all.deb
 6c7b00e07633a53dd6cb5775c0968347583388b81b1014398ea8b140ba76cb3a 1778332 
liblogback-java-doc_1.1.2-1+deb8u1_all.deb
Files:
 b507b7bdd6ac787dd21281e1abd4a6e2 2270 java optional logback_1.1.2-1+deb8u1.dsc
 0c376c4b6f715d0351c1f3168ac1792c 11560 java optional 
logback_1.1.2-1+deb8u1.debian.tar.xz
 91fae7f0d03b6fe14e15164c97d9537f 624718 java optional 
liblogback-java_1.1.2-1+deb8u1_all.deb
 7c5b86df31d22cd6abdf47c71de76f75 1778332 doc optional 
liblogback-java-doc_1.1.2-1+deb8u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJY/eduXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRBQ0YzRDA4OEVGMzJFREVGNkExQTgzNUZE
OUFEMTRCOTUxM0I1MUU0AAoJENmtFLlRO1Hks7MQAKh4Qgn7VcUn9rbvY4sRkbec
DfL+H6kngUwq+C1lW/RUq9jxv6kPxBOS0KcOwbDNwKlI0aHddCYbCBypJJSV2t3u
h+WV/T7r2dvJCQB2/0ZUxzBTMLaWRzyWZZcS6Afj3yyNKlO7ms7hA5ikB3Md73fx
NNHbH11tzuUxdGaPgwhaqCrQd1vsmaWcbAvjgdHRh8ColnauixoR3dpdMPADE44E
5cq+iQLn86lkw29Zuws/sKZ1Lh+bEqAT7YmEsI75aUAgOivNkNJYTeBowyAVnvPk
lpO4rfNdMiUsCokbWRtytNJ8b24H2l59tnws4xF1bEC+HpJ2+/MlPGjPJBguvx0A
/DnCzqArOQ8j03HNc3RdwtD5FqwlSPWy/nwxuS7Xwkpmbj2BHXZx+mez6TVSee1h
r9UVwIlA1Z0LWVGN1/wXQleiuP6Xn+WmTpwMk4mCBLJ+1+eSW3rm7Lf7iFVOzrxY
eBZc2nqupqA8OyNtoaj+W6D8/AE4M1Dy6sz1DHoK7Jq+Rl5Lfx8hPY2vWJaOcFJC
uLupIBSU3BqldGxxmQ9oYqMHw65+PVPAprLjlo/GCpdy1/TpEwv45gSJvV7d1RXI
NJQNy62AID5AvLL9yqBTVqoFl+QfMde3KVd2abEjRV5Ismm0iYlljOM01wPkGHWq
D+zJf6X5D0PWH/64FkxW
=Eb+2
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to