This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch jessie
in repository jackson-databind.

commit e5b8348a62f2ca4472f7564fe39a9c6e8bb05b93
Author: Markus Koschany <a...@debian.org>
Date:   Thu Oct 19 01:43:41 2017 +0200

    Fix CVE-2017-7525
---
 debian/changelog                   |   7 ++
 debian/patches/CVE-2017-7525.patch | 132 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 3 files changed, 140 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 8ad0f2f..1f60670 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high
+
+  * Team upload.
+  *
+
+ -- Markus Koschany <a...@debian.org>  Thu, 19 Oct 2017 01:44:42 +0200
+
 jackson-databind (2.4.2-2) unstable; urgency=medium
 
   * Team upload.
diff --git a/debian/patches/CVE-2017-7525.patch 
b/debian/patches/CVE-2017-7525.patch
new file mode 100644
index 0000000..5c5531f
--- /dev/null
+++ b/debian/patches/CVE-2017-7525.patch
@@ -0,0 +1,132 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 19 Oct 2017 01:42:44 +0200
+Subject: CVE-2017-7525
+
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1599
+Bug-Debian: https://bugs.debian.org/870848
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1
+---
+ .../databind/deser/BeanDeserializerFactory.java    | 50 ++++++++++++++++++++++
+ .../databind/interop/IllegalTypesCheckTest.java    | 40 +++++++++++++++++
+ 2 files changed, 90 insertions(+)
+ create mode 100644 
src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+
+diff --git 
a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
 
b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index a10cc45..f45b1b4 100644
+--- 
a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ 
b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -44,6 +44,36 @@ public class BeanDeserializerFactory
+     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { 
Throwable.class };
+ 
+     private final static Class<?>[] NO_VIEWS = new Class<?>[0];
++
++    /**
++     * Set of well-known "nasty classes", deserialization of which is 
considered dangerous
++     * and should (and is) prevented by default.
++     *
++     * @since 2.8.9
++     */
++    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
++    static {
++        Set<String> s = new HashSet<>();
++        // Courtesy of [https://github.com/kantega/notsoserial]:
++        // (and wrt [databind#1599]
++        s.add("org.apache.commons.collections.functors.InvokerTransformer");
++        
s.add("org.apache.commons.collections.functors.InstantiateTransformer");
++        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
++        
s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
++        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
++        s.add("org.codehaus.groovy.runtime.MethodClosure");
++        s.add("org.springframework.beans.factory.ObjectFactory");
++        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
++        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
++    }
++
++    /**
++     * Set of class names of types that are never to be deserialized.
++     *
++     * @since 2.8.9
++     */
++    protected Set<String> _cfgIllegalClassNames = 
DEFAULT_NO_DESER_CLASS_NAMES;
++
+     
+     /*
+     /**********************************************************
+@@ -164,6 +194,8 @@ public class BeanDeserializerFactory
+         if (!isPotentialBeanType(type.getRawClass())) {
+             return null;
+         }
++        // For checks like [databind#1599]
++        checkIllegalTypes(ctxt, type, beanDesc);
+         // Use generic bean introspection to build deserializer
+         return buildBeanDeserializer(ctxt, type, beanDesc);
+     }
+@@ -875,4 +907,22 @@ public class BeanDeserializerFactory
+         }
+         return status;
+     }
++
++     /**
++     * @since 2.8.9
++     */
++    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType 
type,
++            BeanDescription beanDesc)
++        throws JsonMappingException
++    {
++        // There are certain nasty classes that could cause problems, mostly
++        // via default typing -- catch them here.
++        String full = type.getRawClass().getName();
++
++        if (_cfgIllegalClassNames.contains(full)) {
++            ctxt.reportBadTypeDefinition(beanDesc,
++                    "Illegal type (%s) to deserialize: prevented for security 
reasons", full);
++        }
++    }
++
+ }
+diff --git 
a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
 
b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+new file mode 100644
+index 0000000..1906ead
+--- /dev/null
++++ 
b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+@@ -0,0 +1,40 @@
++package com.fasterxml.jackson.databind.interop;
++
++import com.fasterxml.jackson.databind.*;
++
++/**
++ * Test case(s) to guard against handling of types that are illegal to handle
++ * due to security constraints.
++ */
++public class IllegalTypesCheckTest extends BaseMapTest
++{
++    static class Bean1599 {
++        public int id;
++        public Object obj;
++    }
++    
++    public void testIssue1599() throws Exception
++    {
++        final String JSON = aposToQuotes(
++ "{'id': 124,\n"
+++" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
+++"  {\n"
+++"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
+++"    'transletName' : 'a.b',\n"
+++"    'outputProperties' : { }\n"
+++"  }\n"
+++" ]\n"
+++"}"
++        );
++        ObjectMapper mapper = new ObjectMapper();
++        mapper.enableDefaultTyping();
++        try {
++            mapper.readValue(JSON, Bean1599.class);
++            fail("Should not pass");
++        } catch (JsonMappingException e) {
++            verifyException(e, "Illegal type");
++            verifyException(e, "to deserialize");
++            verifyException(e, "prevented for security reasons");
++        }
++    }
++}
diff --git a/debian/patches/series b/debian/patches/series
index c39825f..100c05d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 fix-using-bundle.diff
+CVE-2017-7525.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-java/jackson-databind.git

_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

Reply via email to