Bug#888316: jackson-databind: CVE-2018-5968
On 11.02.2018 at 08:42, Sébastien Delafond wrote:
[...]
> Hi Markus,
>
> thanks a lot for patches. I've reviewed them, and your approach is
> sound: please upload.
>
> Cheers,
>
> --Seb

Hi Seb,

thanks for the review. I've just uploaded both packages.

Cheers,

Markus
Bug#888316: jackson-databind: CVE-2018-5968
On Jan/27, Markus Koschany wrote:
> I have prepared security updates of jackson-databind for Stretch and
> Jessie and would appreciate another look at the patches.
>
> The fix for CVE-2018-5968 is straightforward. The blacklist is simply
> extended.
>
> However upstream decided to refactor the code for CVE-2017-17485 and I
> decided to apply the changes to BeanDeserializerFactory.java again
> instead of using the new helper class SubTypeValidator. Here is my
> thought process on how to create the patch based on the solution in
> upstream bug 1855 [1]
>
> 1. Extend the blacklist. [2]
> 2. Instead of creating a new method validateSubType, I copied the fix
>    into checkIllegalTypes in BeanDeserializerFactory again. [3] The behavior
>    remains the same. This code catches some specific cases for the Spring
>    framework.
> 3. I also applied the regression fix in [4] (also mentioned in bug 1855)
> 4. I believe that [5] only applies to the refactored code and since we
>    don't use that it is irrelevant for us.

Hi Markus,

thanks a lot for patches. I've reviewed them, and your approach is
sound: please upload.

Cheers,

--Seb
Bug#888316: jackson-databind: CVE-2018-5968
Hi folks,

On 25.01.2018 at 15:23, Salvatore Bonaccorso wrote:
> Hi Markus,
>
> On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso wrote:
>>> Source: jackson-databind
>>> Version: 2.9.1-1
>>> Severity: grave
>>> Tags: patch security upstream
>>> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
>>> Control: found -1 2.8.6-1+deb9u2
>>> Control: found -1 2.4.2-2+deb8u2
>>>
>>> Hi,
>>>
>>> the following vulnerability was published for jackson-databind.
>>
>> [...]
>>
>> Thanks for reporting. I had a look at jackson-databind in Stretch. We
>> just need to apply the patch to BeanDeserializerFactory.java again. As
>> for Sid upgrading to the latest upstream release 2.9.4 should also
>> resolve this. I'm working on it now.
>
> Perfect, thank you! We (Moritz) have added it to the dsa-needed list
> for jessie and stretch, so once you have the update can you contact
> the security team alias, one of us will then ack the upload.

I have prepared security updates of jackson-databind for Stretch and
Jessie and would appreciate another look at the patches.

The fix for CVE-2018-5968 is straightforward. The blacklist is simply
extended.

However upstream decided to refactor the code for CVE-2017-17485 and I
decided to apply the changes to BeanDeserializerFactory.java again
instead of using the new helper class SubTypeValidator. Here is my
thought process on how to create the patch based on the solution in
upstream bug 1855 [1]

1. Extend the blacklist. [2]
2. Instead of creating a new method validateSubType, I copied the fix
   into checkIllegalTypes in BeanDeserializerFactory again. [3] The behavior
   remains the same. This code catches some specific cases for the Spring
   framework.
3. I also applied the regression fix in [4] (also mentioned in bug 1855)
4. I believe that [5] only applies to the refactored code and since we
   don't use that it is irrelevant for us.
Regards,

Markus

[1] https://github.com/FasterXML/jackson-databind/issues/1855
[2] https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
[3] https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
[4] https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
[5] https://github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171

diff -Nru jackson-databind-2.4.2/debian/changelog jackson-databind-2.4.2/debian/changelog --- jackson-databind-2.4.2/debian/changelog 2017-11-16 09:13:27.0 +0100 +++ jackson-databind-2.4.2/debian/changelog 2018-01-27 19:37:47.0 +0100 @@ -1,3 +1,13 @@ +jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high + + * Team upload. + * Fix CVE-2017-17485 and CVE-2018-5968: +Bybass of deserialization blackist to disallow unauthenticated remote code +execution. These CVE exist due to an incomplete fix for CVE-2017-7525. +(Closes: #888316, #888318) + + -- Markus Koschany Sat, 27 Jan 2018 19:37:47 +0100 + jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high * Team upload diff -Nru jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch --- jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch 1970-01-01 01:00:00.0 +0100 +++ jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch 2018-01-27 19:37:47.0 +0100 
@@ -0,0 +1,75 @@ +From: Markus Koschany +Date: Sat, 27 Jan 2018 20:16:02 +0100 +Subject: CVE-2017-17485 + +Bug-Debian: https://bugs.debian.org/888318 +Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855 +Origin: https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d +Origin: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf +Origin: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd +--- + .../databind/deser/BeanDeserializerFactory.java| 37 +++--- + 1 file changed, 32 insertions(+), 5 deletions(-) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +index c536b46..9b56b08 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +@@ -38,6 +38,8 @@ public class BeanDeserializerFactory + { + private static final long serialVersionUID = 1; + ++protected final static String PREFIX_STRING = "org.springframework."; ++ + /** + * Signature of Throwable.initCause method. + */ +@@ -75,6 +77,9 @@ public class BeanDeserializerFactory +
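Review bot: the new debian/changelog entry for 2.4.2-2+deb8u3 carries two typos that will be published as-is in the package changelog: "Bybass" should read "Bypass" and "blackist" should read "blacklist"; "These CVE exist" also reads better as "These CVEs exist". Worth fixing before upload since the changelog is what users and the security tracker see.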
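Review bot: the first hunk of CVE-2017-17485.patch introduces `protected final static String PREFIX_STRING = "org.springframework.";` in BeanDeserializerFactory with no comment explaining its purpose, while the mail text says the copied fix exists to catch Spring-specific cases from upstream issue 1855. A one-line Javadoc on the constant (what it is matched against in checkIllegalTypes and a pointer to the upstream issue) would keep that reasoning with the code for the next person who has to extend the list, and the patch header's Origin lines could then be cited from there as well.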
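The check Markus describes in points 1 and 2 of his message (an exact-name blacklist plus the Spring package prefix that the patch introduces as PREFIX_STRING) is shown below as an added, standalone illustration written for this page. It is not jackson-databind code, it has no Jackson dependency, and every class name in it is a constructed placeholder. As an editor's addition it also contrasts the blacklist with an allowlist of application packages, to show why a blacklist has to be extended each time a new gadget surfaces, which is exactly what CVE-2018-5968 required after CVE-2017-7525 and CVE-2017-17485.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example, not jackson-databind code: a simplified version of the
 * "illegal type" check discussed in the thread. A class name is rejected
 * either because it is on an exact-name blacklist or because it starts
 * with the Spring prefix the Debian patch adds as PREFIX_STRING.
 */
public final class SubTypeCheckDemo {

    // Hypothetical blacklist entries (constructed names, not real gadgets).
    // The real list lives in BeanDeserializerFactory.checkIllegalTypes.
    private static final Set<String> BLACKLIST = new HashSet<>(Arrays.asList(
            "com.example.gadget.One",
            "com.example.gadget.Two"));

    // Same prefix the patch introduces as PREFIX_STRING.
    private static final String PREFIX_STRING = "org.springframework.";

    /** Blacklist check: anything not explicitly listed is accepted. */
    static boolean blacklistAllows(String className) {
        if (BLACKLIST.contains(className)) {
            return false;
        }
        if (className.startsWith(PREFIX_STRING)) {
            return false;
        }
        return true;
    }

    /** Allowlist check: only types under the application's own packages are accepted. */
    static boolean allowlistAllows(String className, Set<String> allowedPrefixes) {
        for (String prefix : allowedPrefixes) {
            if (className.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed allowlist for a hypothetical application.
        Set<String> allowed = new HashSet<>(Arrays.asList("com.myapp.model."));

        // Constructed sample type names as they might appear in a polymorphic payload.
        String[] samples = {
            "com.myapp.model.Order",        // legitimate application type
            "com.example.gadget.One",       // known and listed: both checks reject it
            "org.springframework.Whatever", // caught by the prefix rule
            "com.example.gadget.Three"      // not yet listed: the blacklist lets it through
        };

        for (String name : samples) {
            System.out.printf("%-32s blacklist=%-5s allowlist=%-5s%n",
                    name, blacklistAllows(name), allowlistAllows(name, allowed));
        }
    }
}
```

The last sample line is the point of the exercise: the unlisted name passes the blacklist but fails the allowlist, which is why each new gadget class turns into another CVE and another blacklist extension, whereas an allowlist of the packages the application actually deserializes does not need updating when a new gadget is found elsewhere on the classpath.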
Bug#888316: jackson-databind: CVE-2018-5968
Hi Markus,

On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
> Hi,
>
> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso wrote:
> > Source: jackson-databind
> > Version: 2.9.1-1
> > Severity: grave
> > Tags: patch security upstream
> > Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> > Control: found -1 2.8.6-1+deb9u2
> > Control: found -1 2.4.2-2+deb8u2
> >
> > Hi,
> >
> > the following vulnerability was published for jackson-databind.
>
> [...]
>
> Thanks for reporting. I had a look at jackson-databind in Stretch. We
> just need to apply the patch to BeanDeserializerFactory.java again. As
> for Sid upgrading to the latest upstream release 2.9.4 should also
> resolve this. I'm working on it now.

Perfect, thank you! We (Moritz) have added it to the dsa-needed list
for jessie and stretch, so once you have the update can you contact
the security team alias, one of us will then ack the upload.

Regards,
Salvatore
Bug#888316: jackson-databind: CVE-2018-5968
Hi,

On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso wrote:
> Source: jackson-databind
> Version: 2.9.1-1
> Severity: grave
> Tags: patch security upstream
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> Control: found -1 2.8.6-1+deb9u2
> Control: found -1 2.4.2-2+deb8u2
>
> Hi,
>
> the following vulnerability was published for jackson-databind.

[...]

Thanks for reporting. I had a look at jackson-databind in Stretch. We
just need to apply the patch to BeanDeserializerFactory.java again. As
for Sid upgrading to the latest upstream release 2.9.4 should also
resolve this. I'm working on it now.

Regards,

Markus
Bug#888316: jackson-databind: CVE-2018-5968
Source: jackson-databind
Version: 2.9.1-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
Control: found -1 2.8.6-1+deb9u2
Control: found -1 2.4.2-2+deb8u2

Hi,

the following vulnerability was published for jackson-databind.

CVE-2018-5968[0]:
| FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws.
| This is exploitable via two different gadgets that bypass a blacklist.

The upstream issue is at [1], with upstream fix [2]. If I see it
correctly with commit [3] the code was shuffled a bit around, so the
patched file is different in the meantime. If you disagree on the
analysis, given I'm unfamiliar with jackson-databind, let me know.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5968
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
[1] https://github.com/FasterXML/jackson-databind/issues/1899
[2] https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
[3] https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf

Regards,
Salvatore