[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-19 Thread Launchpad Bug Tracker
This bug was fixed in the package libxstream-java - 1.4.7-1ubuntu0.1

---
libxstream-java (1.4.7-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: handle void type class (LP: #1780844)
    - d/p/CVE-2017-7957.patch: Prevent deserialization of void.
    - CVE-2017-7957

 -- Dan Streetman  Mon, 09 Jul 2018 15:29:05 -0400

** Changed in: libxstream-java (Ubuntu Trusty)
   Status: Confirmed => Fix Released

** Changed in: libxstream-java (Ubuntu Xenial)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libxstream-java in Ubuntu.
https://bugs.launchpad.net/bugs/1780844

Title:
  CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an
  instance of the primitive type 'void'

Status in libxstream-java package in Ubuntu:
  Fix Released
Status in libxstream-java source package in Trusty:
  Fix Released
Status in libxstream-java source package in Xenial:
  Fix Released
Status in libxstream-java source package in Artful:
  Fix Released
Status in libxstream-java source package in Bionic:
  Fix Released
Status in libxstream-java source package in Cosmic:
  Fix Released

Bug description:
  [impact]

  XStream through 1.4.9, when a certain denyTypes workaround is not used,
  mishandles attempts to create an instance of the primitive type 'void'
  during unmarshalling, leading to a remote application crash, as
  demonstrated by an xstream.fromXML("") call.

  [test case]

  Install a Java JDK (e.g. openjdk-8-jdk) and libxstream-java on a Xenial
  (or Trusty) system. Then create a file named TestCVE.java with this
  content:

  import com.thoughtworks.xstream.XStream;

  public class TestCVE {

      public static void main(String[] args) {
          XStream xstream = new XStream();
          xstream.fromXML("");
      }

  }

  Then run this (from the same directory as the file) to compile it,
  replacing the version number if needed (1.4.8 is the Xenial version; on
  Trusty use 1.4.7):

  $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java

  Then test it (again correcting the version if needed):

  $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE

  Failure is a JVM segfault, e.g.:

  #
  # A fatal error has been detected by the Java Runtime Environment:
  #
  #  SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700

  Success is a normal Java exception with backtrace, e.g.:

  Exception in thread "main"
  com.thoughtworks.xstream.converters.ConversionException: Type void
  cannot have an instance

  [regression potential]

  Regressions could include failing to parse the stream, or otherwise
  causing exceptions or segfaults.

  [other info]

  http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html
  https://x-stream.github.io/CVE-2017-7957.html
  https://github.com/x-stream/xstream/commit/b3570be

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
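Added example, not code from the bug report or from the XStream project: the denyTypes workaround that the [impact] section refers to, combined with an allowlist-based permission setup so that a document naming a forbidden type is turned into a handled exception rather than a process crash. It assumes XStream 1.4.7 or later (where denyTypes and the security permission classes exist); the Greeting class, the "greeting" alias and both input documents are constructed for this demonstration.

```java
// Added example (not from the bug report or the XStream project).
// Assumes XStream >= 1.4.7, which provides the security framework used below.
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStream {

    /** Constructed application type that we are willing to unmarshal. */
    public static class Greeting {
        public String text;
    }

    /** Builds an XStream instance that only instantiates allowlisted types. */
    public static XStream create() {
        XStream xstream = new XStream();
        // Permissions added later are consulted first, so start with "deny
        // everything" and then add the narrow set the application needs.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[]{ String.class, Greeting.class });
        // Workaround for CVE-2017-7957 on releases without the upstream fix:
        // refuse the void type explicitly. Added last, this deny is checked
        // before PRIMITIVES and so wins even though void is a primitive type.
        xstream.denyTypes(new Class[]{ void.class, Void.class });
        xstream.alias("greeting", Greeting.class);
        return xstream;
    }

    /** Unmarshals untrusted XML; any XStream rejection yields null. */
    public static Object parseUntrusted(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (XStreamException e) {
            // ForbiddenClassException (denied type) and ConversionException
            // both extend XStreamException and are handled here.
            System.err.println("rejected input: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = create();
        // Constructed well-formed document for the allowlisted type.
        Object ok = parseUntrusted(xstream, "<greeting><text>hi</text></greeting>");
        System.out.println("allowed: "
                + (ok instanceof Greeting ? ((Greeting) ok).text : "(rejected)"));
        // Constructed document naming the void type: rejected by the deny
        // rule instead of reaching the instantiation path that crashes the JVM.
        Object bad = parseUntrusted(xstream, "<void/>");
        System.out.println("rejected: " + (bad == null));
    }
}
```

Compile and run it the same way as TestCVE above, with the xstream jar on the classpath; the second parse prints a rejection message and the process keeps running.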


[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-19 Thread Launchpad Bug Tracker
This bug was fixed in the package libxstream-java - 1.4.8-1ubuntu0.1

---
libxstream-java (1.4.8-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: handle void type class (LP: #1780844)
    - d/p/CVE-2017-7957.patch: Prevent deserialization of void.
    - CVE-2017-7957

 -- Dan Streetman  Mon, 09 Jul 2018 15:21:51 -0400



[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-12 Thread Dan Streetman
Xenial:

ubuntu@lp1780844-x:~$ dpkg -l | grep libxstream-java
ii  libxstream-java  1.4.8-1
all  Java library to serialize objects to XML and back again
ubuntu@lp1780844-x:~$ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x7fcba3ec99d2, pid=12644, tid=0x7fcba55c6700


ubuntu@lp1780844-x:~$ sudo apt-add-repository ppa:ubuntu-security-proposed/ppa
 Pre-release Ubuntu Security Updates that need additional work or testing.
...

ubuntu@lp1780844-x:~$ dpkg -l | grep libxstream-java
ii  libxstream-java  1.4.8-1ubuntu0.1   
all  Java library to serialize objects to XML and back again
ubuntu@lp1780844-x:~$ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE
Exception in thread "main" 
com.thoughtworks.xstream.converters.ConversionException: Type void cannot have 
an instance


Trusty:

ubuntu@lp1780844-t:~$ dpkg -l | grep libxstream-java
ii  libxstream-java  1.4.7-1
all  Java library to serialize objects to XML and back again
ubuntu@lp1780844-t:~$ java -cp /usr/share/java/xstream-1.4.7.jar:. TestCVE
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x7f89d9429a32, pid=11183, tid=140230055626496


ubuntu@lp1780844-t:~$ sudo apt-add-repository ppa:ubuntu-security-proposed/ppa
 Pre-release Ubuntu Security Updates that need additional work or testing.
...

ubuntu@lp1780844-t:~$ dpkg -l | grep libxstream-java
ii  libxstream-java  1.4.7-1ubuntu0.1   
all  Java library to serialize objects to XML and back again
ubuntu@lp1780844-t:~$ java -cp /usr/share/java/xstream-1.4.7.jar:. TestCVE
Exception in thread "main" 
com.thoughtworks.xstream.converters.ConversionException: Type void cannot have 
an instance



[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-11 Thread Emily Ratliff
Thanks for providing the debdiffs to fix the CVE in this package for trusty and 
xenial. I have uploaded the updated packages to security-proposed. Please note 
that there are errors and warnings in the build but they do not differ 
before/after applying the patch. The packages are currently building and will 
soon be available for testing. Please let me know if you test them.
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa



[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-11 Thread Dan Streetman
** Changed in: libxstream-java (Ubuntu Trusty)
   Status: In Progress => Confirmed

** Changed in: libxstream-java (Ubuntu Xenial)
   Status: In Progress => Confirmed



[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-11 Thread Dan Streetman
** Changed in: libxstream-java (Ubuntu Xenial)
 Assignee: Dan Streetman (ddstreet) => (unassigned)

** Changed in: libxstream-java (Ubuntu Trusty)
 Assignee: Dan Streetman (ddstreet) => (unassigned)

** Patch removed: "lp1780844-x.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5161595/+files/lp1780844-x.debdiff

** Patch added: "lp1780844-t.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5162366/+files/lp1780844-t.debdiff



[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-11 Thread Dan Streetman
** Patch added: "lp1780844-x.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5162367/+files/lp1780844-x.debdiff

** Tags added: patch

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7957



[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-11 Thread Robie Basak
Thank you for preparing this. Rather than use the SRU process, this
should go through the security sponsorship process. Then it can be
delivered into the security pocket and will need a security sponsor.
Please see https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for
details.



[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-09 Thread Dan Streetman
** Description changed:

  [impact]
  
  XStream through 1.4.9, when a certain denyTypes workaround is not used,
  mishandles attempts to create an instance of the primitive type 'void'
  during unmarshalling, leading to a remote application crash, as
  demonstrated by an xstream.fromXML("") call.
  
  [test case]
  
  install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial
  (or trusty) system.  Then create a file named TestCVE.java with this
  content:
  
- 
  import com.thoughtworks.xstream.XStream;
  
  public class TestCVE {
  
-   public static void main(String[] args) {
-   XStream xstream = new XStream();
-   xstream.fromXML("");
-   }
+  public static void main(String[] args) {
+   XStream xstream = new XStream();
+   xstream.fromXML("");
+  }
  
  }
  
- 
- then run this (from the same directory as the file) to compile it:
+ then run this (from the same directory as the file) to compile it,
+ noting to replace the version number if needed (1.4.8 is X version, if
+ on trusty use 1.4.7):
  
  $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java
  
- then test it:
+ then test it (again correcting version if needed):
  
  $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE
  
  failure is a JVM segfault, e.g.:
  
  #
  # A fatal error has been detected by the Java Runtime Environment:
  #
  #  SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700
  
  success is a normal java exception with backtrace, e.g.:
  
  Exception in thread "main"
  com.thoughtworks.xstream.converters.ConversionException: Type void
  cannot have an instance
  
  [regression potential]
  
  regressions could include failing to parse the stream, or otherwise
  cause exceptions or segfaults.
  
  [other info]
  
  http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html
  https://x-stream.github.io/CVE-2017-7957.html
  https://github.com/x-stream/xstream/commit/b3570be


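The impact section above mentions a denyTypes workaround without showing it. The following Java class is an added example, written for this page and not taken from the bug report, the Ubuntu package or the XStream project: it builds two XStream instances that refuse 'void' before any instantiation is attempted, the denyTypes call beside an allow-list configuration, and feeds both three constructed inputs (the <void/> crash input of this CVE, a benign string and an arbitrary JDK class named by the document). Assumptions: XStream 1.4.7 or later on the classpath, where the security framework classes NoTypePermission, NullPermission, PrimitiveTypePermission and ForbiddenClassException exist; XStream evaluating the most recently added permission first, which is why the deny rule is added last; and, because void.class.isPrimitive() is true, the allow-list not trusting PrimitiveTypePermission to exclude void on an unpatched 1.4.7 to 1.4.9 (an assumption about those versions, not verified here). The class names, payload strings and helper methods are this example's own. A plain new XStream() is deliberately never given <void/>, since on an unpatched library that is the segfault.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example, not code from the bug report or from XStream: two ways to
 * stop an XStream instance from instantiating 'void' on untrusted XML.
 * Assumes XStream >= 1.4.7 (security framework present).
 */
public class HardenedXStream {

    // Constructed sample inputs for this example.
    static final String VOID_PAYLOAD = "<void/>";                     // the CVE-2017-7957 crash input
    static final String STRING_PAYLOAD = "<string>hello</string>";    // benign
    static final String ARBITRARY_PAYLOAD = "<java.util.ArrayList/>"; // any JDK class the document names

    /** Mitigation 1: the denyTypes workaround referred to in the advisory. */
    static XStream withVoidDenied() {
        XStream xstream = new XStream();
        // Registers a deny rule for both the primitive and its box; XStream
        // checks the most recently added permission first.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    /** Mitigation 2: allow-list. Anything not listed is refused before instantiation. */
    static XStream withAllowList() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // forbid everything...
        xstream.addPermission(NullPermission.NULL);                // ...then re-allow <null/>
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class });          // and the types we expect
        // void.class.isPrimitive() is true, so do not rely on PRIMITIVES to keep
        // void out on an unpatched 1.4.7-1.4.9 (assumption); deny it explicitly,
        // added last so that it is evaluated first.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    /** Parse one document and report the outcome instead of letting it propagate. */
    static String tryParse(String label, XStream xstream, String xml) {
        try {
            Object result = xstream.fromXML(xml);
            return label + ": parsed " + (result == null ? "null" : result.getClass().getName());
        } catch (ForbiddenClassException e) {
            // Raised by the security framework when the root type is refused,
            // i.e. before any instance is created.
            return label + ": refused by security framework (" + e.getMessage() + ")";
        } catch (ConversionException e) {
            // What a patched XStream raises for void itself, and what wraps a
            // refusal that happens on a nested element.
            return label + ": conversion error (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        XStream denied = withVoidDenied();
        XStream allowListed = withAllowList();
        String[] payloads = { VOID_PAYLOAD, STRING_PAYLOAD, ARBITRARY_PAYLOAD };
        for (String xml : payloads) {
            System.out.println(xml);
            System.out.println("  " + tryParse("denyTypes ", denied, xml));
            System.out.println("  " + tryParse("allow-list", allowListed, xml));
        }
    }
}
```

Compile and run it the same way as TestCVE above, with the xstream jar on the classpath. On an unpatched 1.4.8 the <void/> input must be refused by both configurations before XStream tries to instantiate it; if the JVM still segfaults, the deny rule is not in effect. The allow-list is the configuration to prefer for untrusted input: the deny-list only closes this one instantiation path, while the allow-list also refuses the java.util.ArrayList document and any other class an attacker names.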

[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-09 Thread Dan Streetman
** Description changed:

  [impact]
  
  XStream through 1.4.9, when a certain denyTypes workaround is not used,
  mishandles attempts to create an instance of the primitive type 'void'
  during unmarshalling, leading to a remote application crash, as
  demonstrated by an xstream.fromXML("") call.
  
  [test case]
  
- self-test for failure is provided as part of the upstream commit
+ install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial
+ (or trusty) system.  Then create a file named TestCVE.java with this
+ content:
+ 
+ 
+ import com.thoughtworks.xstream.XStream;
+ 
+ public class TestCVE {
+ 
+   public static void main(String[] args) {
+   XStream xstream = new XStream();
+   xstream.fromXML("");
+   }
+ 
+ }
+ 
+ 
+ then run this (from the same directory as the file) to compile it:
+ 
+ $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java
+ 
+ then test it:
+ 
+ $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE
+ 
+ failure is a JVM segfault, e.g.:
+ 
+ #
+ # A fatal error has been detected by the Java Runtime Environment:
+ #
+ #  SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700
+ 
+ success is a normal java exception with backtrace, e.g.:
+ 
+ Exception in thread "main"
+ com.thoughtworks.xstream.converters.ConversionException: Type void
+ cannot have an instance
  
  [regression potential]
  
- regressions could include failing to parse the stream.
+ regressions could include failing to parse the stream, or otherwise
+ cause exceptions or segfaults.
  
  [other info]
  
  http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html
  https://x-stream.github.io/CVE-2017-7957.html
  https://github.com/x-stream/xstream/commit/b3570be
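Review bot: the compile and run commands in this hunk hardcode /usr/share/java/xstream-1.4.8.jar, which is right for only one of the two releases the test case targets; the revised description later on this page notes that 1.4.8 is the Xenial version and trusty needs 1.4.7, so the `+ $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java` and `+ $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE` lines should carry that caveat, or use the unversioned /usr/share/java/xstream.jar symlink if the package ships one. The `+   xstream.fromXML("");` line also shows an empty string as the payload in this archive, which would not reach the void instantiation path at all; the CVE text names the crash input as xstream.fromXML("<void/>"), and the test case only demonstrates the fix with that document.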



[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-09 Thread Dan Streetman
** Patch removed: "lp1780844-x.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5161571/+files/lp1780844-x.debdiff

** Patch added: "lp1780844-x.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5161595/+files/lp1780844-x.debdiff



[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-09 Thread Dan Streetman
** Patch added: "lp1780844-x.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5161571/+files/lp1780844-x.debdiff



[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

2018-07-09 Thread Dan Streetman
CVE already included in version 1.4.10 and later, which covers A/B/C.
