Bug#888316: jackson-databind: CVE-2018-5968

2018-02-11 Thread Markus Koschany


On 11.02.2018 at 08:42, Sébastien Delafond wrote:
[...]
> Hi Markus,
> 
> thanks a lot for the patches. I've reviewed them, and your approach is
> sound: please upload.
> 
> Cheers,
> 
> --Seb

Hi Seb,

thanks for the review. I've just uploaded both packages.

Cheers,

Markus





Bug#888316: jackson-databind: CVE-2018-5968

2018-02-10 Thread Sébastien Delafond
On Jan/27, Markus Koschany wrote:
> I have prepared security updates of jackson-databind for Stretch and
> Jessie and would appreciate another look at the patches.
> 
> The fix for CVE-2018-5968 is straightforward. The blacklist is simply
> extended.
> 
> However, upstream decided to refactor the code for CVE-2017-17485 and I
> decided to apply the changes to BeanDeserializerFactory.java again
> instead of using the new helper class SubTypeValidator. Here is my
> thought process on how to create the patch based on the solution in
> upstream bug 1855 [1]:
> 
> 1. Extend the blacklist. [2]
> 2. Instead of creating a new method validateSubType, I copied the fix
> into checkIllegalTypes in BeanDeserializerFactory again. [3] The behavior
> remains the same. This code catches some specific cases for the Spring
> framework.
> 3. I also applied the regression fix in [4] (also mentioned in bug 1855).
> 4. I believe that [5] only applies to the refactored code, and since we
> don't use that, it is irrelevant for us.

Hi Markus,

thanks a lot for the patches. I've reviewed them, and your approach is
sound: please upload.

Cheers,

--Seb




Bug#888316: jackson-databind: CVE-2018-5968

2018-01-27 Thread Markus Koschany
Hi folks,

On 25.01.2018 at 15:23, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso wrote:
>>> Source: jackson-databind
>>> Version: 2.9.1-1
>>> Severity: grave
>>> Tags: patch security upstream
>>> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
>>> Control: found -1 2.8.6-1+deb9u2
>>> Control: found -1 2.4.2-2+deb8u2
>>>
>>> Hi,
>>>
>>> the following vulnerability was published for jackson-databind.
>>
>> [...]
>>
>> Thanks for reporting. I had a look at jackson-databind in Stretch. We
>> just need to apply the patch to BeanDeserializerFactory.java again. As
>> for Sid, upgrading to the latest upstream release 2.9.4 should also
>> resolve this. I'm working on it now.
> 
> Perfect, thank you! We (Moritz) have added it to the dsa-needed list
> for jessie and stretch, so once you have the update, can you contact
> the security team alias? One of us will then ack the upload.

I have prepared security updates of jackson-databind for Stretch and
Jessie and would appreciate another look at the patches.

The fix for CVE-2018-5968 is straightforward. The blacklist is simply
extended.

However, upstream decided to refactor the code for CVE-2017-17485 and I
decided to apply the changes to BeanDeserializerFactory.java again
instead of using the new helper class SubTypeValidator. Here is my
thought process on how to create the patch based on the solution in
upstream bug 1855 [1]:

1. Extend the blacklist. [2]
2. Instead of creating a new method validateSubType, I copied the fix
into checkIllegalTypes in BeanDeserializerFactory again. [3] The behavior
remains the same. This code catches some specific cases for the Spring
framework.
3. I also applied the regression fix in [4] (also mentioned in bug 1855).
4. I believe that [5] only applies to the refactored code, and since we
don't use that, it is irrelevant for us.

Regards,

Markus

[1] https://github.com/FasterXML/jackson-databind/issues/1855
[2] https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
[3] https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
[4] https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
[5] https://github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171
diff -Nru jackson-databind-2.4.2/debian/changelog 
jackson-databind-2.4.2/debian/changelog
--- jackson-databind-2.4.2/debian/changelog 2017-11-16 09:13:27.0 
+0100
+++ jackson-databind-2.4.2/debian/changelog 2018-01-27 19:37:47.0 
+0100
@@ -1,3 +1,13 @@
+jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2017-17485 and CVE-2018-5968:
+Bybass of deserialization blackist to disallow unauthenticated remote code
+execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
+(Closes: #888316, #888318)
+
+ -- Markus Koschany   Sat, 27 Jan 2018 19:37:47 +0100
+
 jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high
 
   * Team upload
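Review bot: The new changelog entry (the `+` lines of this hunk) carries two typos that will be published verbatim in the Debian changelog: "Bybass of deserialization blackist" should read "Bypass of deserialization blacklist", and "These CVE exist" should be "These CVEs exist". The rest of the entry is fine: it names both CVEs, states the root cause (the incomplete fix for CVE-2017-7525) and closes both bugs.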
diff -Nru jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch 
jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch
--- jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch  1970-01-01 
01:00:00.0 +0100
+++ jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch  2018-01-27 
19:37:47.0 +0100
@@ -0,0 +1,75 @@
+From: Markus Koschany 
+Date: Sat, 27 Jan 2018 20:16:02 +0100
+Subject: CVE-2017-17485
+
+Bug-Debian: https://bugs.debian.org/888318
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
+---
+ .../databind/deser/BeanDeserializerFactory.java| 37 +++---
+ 1 file changed, 32 insertions(+), 5 deletions(-)
+
+diff --git 
a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
 
b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index c536b46..9b56b08 100644
+--- 
a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
 
b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -38,6 +38,8 @@ public class BeanDeserializerFactory
+ {
+ private static final long serialVersionUID = 1;
+ 
++protected final static String PREFIX_STRING = "org.springframework.";
++
+ /**
+  * Signature of Throwable.initCause method.
+  */
+@@ -75,6 +77,9 @@ public class BeanDeserializerFactory
+ 
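Review bot: The DEP-3 header of the new patch lists three Origin: commits but has no Description: field saying that the upstream SubTypeValidator refactoring was deliberately not backported and its checks were folded into checkIllegalTypes instead, which is exactly what the covering mail explains; add that sentence to the header so the next person refreshing this patch knows why it diverges from upstream and which commit each hunk comes from. Minor style point in the first nested hunk (@@ -38,6 +38,8 @@): `protected final static String PREFIX_STRING` would conventionally be written `protected static final`.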

Bug#888316: jackson-databind: CVE-2018-5968

2018-01-25 Thread Salvatore Bonaccorso
Hi Markus,

On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
> Hi,
> 
> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso wrote:
> > Source: jackson-databind
> > Version: 2.9.1-1
> > Severity: grave
> > Tags: patch security upstream
> > Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> > Control: found -1 2.8.6-1+deb9u2
> > Control: found -1 2.4.2-2+deb8u2
> > 
> > Hi,
> > 
> > the following vulnerability was published for jackson-databind.
> 
> [...]
> 
> Thanks for reporting. I had a look at jackson-databind in Stretch. We
> just need to apply the patch to BeanDeserializerFactory.java again. As
> for Sid, upgrading to the latest upstream release 2.9.4 should also
> resolve this. I'm working on it now.

Perfect, thank you! We (Moritz) have added it to the dsa-needed list
for jessie and stretch, so once you have the update, can you contact
the security team alias? One of us will then ack the upload.

Regards,
Salvatore



Bug#888316: jackson-databind: CVE-2018-5968

2018-01-25 Thread Markus Koschany
Hi,

On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso wrote:
> Source: jackson-databind
> Version: 2.9.1-1
> Severity: grave
> Tags: patch security upstream
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> Control: found -1 2.8.6-1+deb9u2
> Control: found -1 2.4.2-2+deb8u2
> 
> Hi,
> 
> the following vulnerability was published for jackson-databind.

[...]

Thanks for reporting. I had a look at jackson-databind in Stretch. We
just need to apply the patch to BeanDeserializerFactory.java again. As
for Sid, upgrading to the latest upstream release 2.9.4 should also
resolve this. I'm working on it now.

Regards,

Markus



Bug#888316: jackson-databind: CVE-2018-5968

2018-01-24 Thread Salvatore Bonaccorso
Source: jackson-databind
Version: 2.9.1-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
Control: found -1 2.8.6-1+deb9u2
Control: found -1 2.4.2-2+deb8u2

Hi,

the following vulnerability was published for jackson-databind.

CVE-2018-5968[0]:
| FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws.
| This is exploitable via two different gadgets that bypass a blacklist.

The upstream issue is at [1], with the upstream fix at [2]. If I see it
correctly, with commit [3] the code was shuffled around a bit, so the
patched file is different in the meantime. If you disagree with the
analysis, given that I'm unfamiliar with jackson-databind, let me know.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
[1] https://github.com/FasterXML/jackson-databind/issues/1899
[2] https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
[3] https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf

Regards,
Salvatore