[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
This bug was fixed in the package libxstream-java - 1.4.7-1ubuntu0.1 --- libxstream-java (1.4.7-1ubuntu0.1) trusty-security; urgency=medium * SECURITY UPDATE: handle void type class (LP: #1780844) - d/p/CVE-2017-7957.patch: Prevent deserialization of void. - CVE-2017-7957 -- Dan Streetman Mon, 09 Jul 2018 15:29:05 -0400 ** Changed in: libxstream-java (Ubuntu Trusty) Status: Confirmed => Fix Released ** Changed in: libxstream-java (Ubuntu Xenial) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: Fix Released Status in libxstream-java source package in Xenial: Fix Released Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
This bug was fixed in the package libxstream-java - 1.4.8-1ubuntu0.1 --- libxstream-java (1.4.8-1ubuntu0.1) xenial-security; urgency=medium * SECURITY UPDATE: handle void type class (LP: #1780844) - d/p/CVE-2017-7957.patch: Prevent deserialization of void. - CVE-2017-7957 -- Dan Streetman Mon, 09 Jul 2018 15:21:51 -0400 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: Fix Released Status in libxstream-java source package in Xenial: Fix Released Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
Xenial: ubuntu@lp1780844-x:~$ dpkg -l | grep libxstream-java ii libxstream-java 1.4.8-1 all Java library to serialize objects to XML and back again ubuntu@lp1780844-x:~$ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7fcba3ec99d2, pid=12644, tid=0x7fcba55c6700 ubuntu@lp1780844-x:~$ sudo apt-add-repository ppa:ubuntu-security-proposed/ppa Pre-release Ubuntu Security Updates that need additional work or testing. ... ubuntu@lp1780844-x:~$ dpkg -l | grep libxstream-java ii libxstream-java 1.4.8-1ubuntu0.1 all Java library to serialize objects to XML and back again ubuntu@lp1780844-x:~$ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance Trusty: ubuntu@lp1780844-t:~$ dpkg -l | grep libxstream-java ii libxstream-java 1.4.7-1 all Java library to serialize objects to XML and back again ubuntu@lp1780844-t:~$ java -cp /usr/share/java/xstream-1.4.7.jar:. TestCVE # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f89d9429a32, pid=11183, tid=140230055626496 ubuntu@lp1780844-t:~$ sudo apt-add-repository ppa:ubuntu-security-proposed/ppa Pre-release Ubuntu Security Updates that need additional work or testing. ... ubuntu@lp1780844-t:~$ dpkg -l | grep libxstream-java ii libxstream-java 1.4.7-1ubuntu0.1 all Java library to serialize objects to XML and back again ubuntu@lp1780844-t:~$ java -cp /usr/share/java/xstream-1.4.7.jar:. TestCVE Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: Confirmed Status in libxstream-java source package in Xenial: Confirmed Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
Thanks for providing the debdiffs to fix the CVE in this package for trusty and xenial. I have uploaded the updated packages to security-proposed. Please note that there are errors and warnings in the build but they do not differ before/after applying the patch. The packages are currently building and will soon be available for testing. Please let me know if you test them. https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: Confirmed Status in libxstream-java source package in Xenial: Confirmed Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
** Changed in: libxstream-java (Ubuntu Trusty) Status: In Progress => Confirmed ** Changed in: libxstream-java (Ubuntu Xenial) Status: In Progress => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: Confirmed Status in libxstream-java source package in Xenial: Confirmed Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
** Changed in: libxstream-java (Ubuntu Xenial) Assignee: Dan Streetman (ddstreet) => (unassigned) ** Changed in: libxstream-java (Ubuntu Trusty) Assignee: Dan Streetman (ddstreet) => (unassigned) ** Patch removed: "lp1780844-x.debdiff" https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5161595/+files/lp1780844-x.debdiff ** Patch added: "lp1780844-t.debdiff" https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5162366/+files/lp1780844-t.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: In Progress Status in libxstream-java source package in Xenial: In Progress Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
** Patch added: "lp1780844-x.debdiff" https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5162367/+files/lp1780844-x.debdiff ** Tags added: patch ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7957 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: In Progress Status in libxstream-java source package in Xenial: In Progress Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
Thank you for preparing this. Rather than use the SRU process, this should go through the security sponsorship process. Then it can be delivered into the security pocket and will need a security sponsor. Please see https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for details. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: In Progress Status in libxstream-java source package in Xenial: In Progress Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
** Description changed: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: - import com.thoughtworks.xstream.XStream; public class TestCVE { - public static void main(String[] args) { - XStream xstream = new XStream(); - xstream.fromXML(""); - } + public static void main(String[] args) { + XStream xstream = new XStream(); + xstream.fromXML(""); + } } - - then run this (from the same directory as the file) to compile it: + then run this (from the same directory as the file) to compile it, + noting to replace the version number if needed (1.4.8 is X version, if + on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java - then test it: + then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: In Progress Status in libxstream-java source package in Xenial: In Progress Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
** Description changed: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] - self-test for failure is provided as part of the upstream commit + install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial + (or trusty) system. Then create a file named TestCVE.java with this + content: + + + import com.thoughtworks.xstream.XStream; + + public class TestCVE { + + public static void main(String[] args) { + XStream xstream = new XStream(); + xstream.fromXML(""); + } + + } + + + then run this (from the same directory as the file) to compile it: + + $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java + + then test it: + + $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE + + failure is a JVM segfault, e.g.: + + # + # A fatal error has been detected by the Java Runtime Environment: + # + # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 + + success is a normal java exception with backtrace, e.g.: + + Exception in thread "main" + com.thoughtworks.xstream.converters.ConversionException: Type void + cannot have an instance [regression potential] - regressions could include failing to parse the stream. + regressions could include failing to parse the stream, or otherwise + cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: In Progress Status in libxstream-java source package in Xenial: In Progress Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it: $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it: $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
** Patch removed: "lp1780844-x.debdiff" https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5161571/+files/lp1780844-x.debdiff ** Patch added: "lp1780844-x.debdiff" https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5161595/+files/lp1780844-x.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: In Progress Status in libxstream-java source package in Xenial: In Progress Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML(""); } } then run this (from the same directory as the file) to compile it: $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it: $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x7f6546a6f9d2, pid=9279, tid=0x7f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
** Patch added: "lp1780844-x.debdiff" https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+attachment/5161571/+files/lp1780844-x.debdiff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: In Progress Status in libxstream-java source package in Xenial: In Progress Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] self-test for failure is provided as part of the upstream commit [regression potential] regressions could include failing to parse the stream. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'
CVE already included in version 1.4.10 and later, which covers A/B/C. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libxstream-java in Ubuntu. https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: In Progress Status in libxstream-java source package in Xenial: In Progress Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call. [test case] self-test for failure is provided as part of the upstream commit [regression potential] regressions could include failing to parse the stream. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp