Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
Dear release team,
I have prepared a security update for logback. [1]
The security team marked this issue as no-dsa (no separate Debian Security Advisory will be issued), hence I would like
to include it in the next point release for Jessie.
Thanks
Markus
[1] https://bugs.debian.org/857343
diff -Nru logback-1.1.2/debian/changelog logback-1.1.2/debian/changelog
--- logback-1.1.2/debian/changelog 2014-04-29 06:26:58.0 +0200
+++ logback-1.1.2/debian/changelog 2017-04-07 15:48:29.0 +0200
@@ -1,3 +1,13 @@
+logback (1:1.1.2-1+deb8u1) jessie; urgency=high
+
+ * Team upload.
+ * Fix CVE-2017-5929:
+It was discovered that logback, a flexible logging library for Java, would
+deserialize data from untrusted sockets. This issue has been resolved by
+adding a whitelist to use only trusted classes. (Closes: #857343)
+
+ -- Markus Koschany Fri, 07 Apr 2017 15:48:29 +0200
+
logback (1:1.1.2-1) unstable; urgency=medium
* Team upload.
diff -Nru logback-1.1.2/debian/patches/CVE-2017-5929.patch
logback-1.1.2/debian/patches/CVE-2017-5929.patch
--- logback-1.1.2/debian/patches/CVE-2017-5929.patch1970-01-01
01:00:00.0 +0100
+++ logback-1.1.2/debian/patches/CVE-2017-5929.patch2017-04-07
15:48:29.0 +0200
@@ -0,0 +1,364 @@
+From: Markus Koschany
+Date: Fri, 7 Apr 2017 14:35:27 +0200
+Subject: CVE-2017-5929
+
+Bug-Debian: https://bugs.debian.org/857343
+Origin:
https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8
+Origin:
https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9
+Origin:
https://github.com/qos-ch/logback/commit/7fbea6127fa98fc48368ca5e8540eefe0e60cec5
+Origin:
https://github.com/qos-ch/logback/commit/3b4f605454534b3047703cb343521fcd6968
+---
+ .../access/net/HardenedAccessEventInputStream.java | 15 +
+ .../java/ch/qos/logback/access/net/SocketNode.java | 12 ++--
+ .../logback/classic/net/SimpleSocketServer.java| 1 -
+ .../ch/qos/logback/classic/net/SocketAppender.java | 2 -
+ .../ch/qos/logback/classic/net/SocketNode.java | 15 +++--
+ .../server/HardenedLoggingEventInputStream.java| 56 +
+ .../net/server/RemoteAppenderStreamClient.java | 10 +--
+ .../core/net/HardenedObjectInputStream.java| 71 ++
+ 8 files changed, 159 insertions(+), 23 deletions(-)
+ create mode 100644
logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
+ create mode 100644
logback-classic/src/main/java/ch/qos/logback/classic/net/server/HardenedLoggingEventInputStream.java
+ create mode 100644
logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
+
+diff --git
a/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
b/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
+new file mode 100644
+index 000..c0ba6b0
+--- /dev/null
b/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
+@@ -0,0 +1,15 @@
++package ch.qos.logback.access.net;
++
++import java.io.IOException;
++import java.io.InputStream;
++
++import ch.qos.logback.access.spi.AccessEvent;
++import ch.qos.logback.core.net.HardenedObjectInputStream;
++
++public class HardenedAccessEventInputStream extends HardenedObjectInputStream
{
++
++public HardenedAccessEventInputStream(InputStream in) throws IOException {
++super(in, new String[] {AccessEvent.class.getName(),
String[].class.getName()});
++}
++
++}
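Review bot: The new class carries no documentation of what its two-entry whitelist is for or why it is exactly AccessEvent and String[], which is the kind of security-sensitive list a later maintainer is tempted to widen; add a class comment such as `// Deserialization whitelist for CVE-2017-5929 (untrusted socket input): only AccessEvent and String[] are explicitly accepted by HardenedObjectInputStream; do not widen without reviewing gadget-chain risk.` Whether the fields nested inside an AccessEvent (for example maps or lists of headers) are also admitted depends on how HardenedObjectInputStream.resolveClass treats JDK types, which is defined later in the patch and outside this hunk; confirm that before assuming the list is complete, since a rejected nested class would break every event rather than only malicious ones.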
+diff --git
a/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
b/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
+index 32c6654..7db96a3 100644
+--- a/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
b/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
+@@ -15,7 +15,6 @@ package ch.qos.logback.access.net;
+
+ import java.io.BufferedInputStream;
+ import java.io.IOException;
+-import java.io.ObjectInputStream;
+ import java.net.Socket;
+
+ import ch.qos.logback.access.spi.AccessContext;
+@@ -42,16 +41,15 @@ public class SocketNode implements Runnable {
+
+ Socket socket;
+ AccessContext context;
+- ObjectInputStream ois;
++ HardenedAccessEventInputStream hardenedOIS;
+
+ public SocketNode(Socket socket, AccessContext context) {
+ this.socket = socket;
+ this.context = context;
+ try {
+- ois = new ObjectInputStream(new BufferedInputStream(socket
+- .getInputStream()));
++hardenedOIS = new HardenedAccessEventInputStream(new
BufferedInputStream(socket.getInputStream()));
+ } catch (Exception e) {
+- System.out.println("Could not open ObjectInputStream to " + socket + e);
++ System.out.println("Could not open HardenedObjectInputStream