This is an automated email from the git hooks/post-receive script. tmancill pushed a commit to branch exp in repository logback.
commit 56b36f44d16faa38d34263eed28f4480069e2c40
Author: tony mancill <tmanc...@debian.org>
Date: Tue Nov 28 19:52:28 2017 -0800
Clean up unneeded patches
---
debian/patches/01-compile-groovy.patch | 65 ------
debian/patches/03-servlet-3.1.patch | 70 ------
debian/patches/CVE-2017-5929-part2.patch | 390 -------------------------------
debian/patches/CVE-2017-5929.patch | 114 ---------
debian/patches/series | 4 -
5 files changed, 643 deletions(-)
diff --git a/debian/patches/01-compile-groovy.patch b/debian/patches/01-compile-groovy.patch
deleted file mode 100644
index 909467f..0000000
--- a/debian/patches/01-compile-groovy.patch
+++ /dev/null
@@ -1,65 +0,0 @@ -Description: Compile logback-classic with the groovyc Ant task instead of groovy-eclipse-compiler (not yet in Debian) -Author: Emmanuel Bourg <ebo...@apache.org> -Forwarded: not-needed ---- a/logback-classic/pom.xml -+++ b/logback-classic/pom.xml -@@ -236,48 +236,24 @@ - <groupId>org.apache.maven.plugins</groupId> - <artifactId>maven-antrun-plugin</artifactId> - <version>1.7</version> -- <dependencies> -- <dependency> -- <groupId>org.apache.ant</groupId> -- <artifactId>ant-junit</artifactId> -- <version>1.8.1</version> -- </dependency> -- <dependency> -- <groupId>junit</groupId> -- <artifactId>junit</artifactId> -- <version>${junit.version}</version> -- </dependency> -- </dependencies> -- - <executions> - <execution> -- <id>ant-osgi-test</id> -- <phase>package</phase> -- <configuration> -- <target> -- <property name="currentVersion" value="${project.version}"/> -- <property name="slf4j.version" value="${slf4j.version}"/> -- <property name="basedir" value="${basedir}"/> -- <ant antfile="${basedir}/osgi-build.xml"/> -- </target> -- </configuration> -+ <id>compile-groovy</id> -+ <phase>process-resources</phase> - <goals> - <goal>run</goal> - </goals> -- </execution> -- -- <execution> -- <id>ant-integration-test</id> -- <phase>package</phase> - <configuration> -- <target> -- <property name="slf4j.version" value="${slf4j.version}"/> -- <ant antfile="${basedir}/integration.xml"/> -- </target> -+ <tasks> -+ <taskdef name="groovyc" classname="org.codehaus.groovy.ant.Groovyc" classpathref="maven.compile.classpath"/> -+ <mkdir dir="${project.build.outputDirectory}"/> -+ <groovyc destdir="${project.build.outputDirectory}" classpathref="maven.compile.classpath"> -+ <src path="${basedir}/src/main/java"/> -+ <src path="${basedir}/src/main/groovy"/> -+ <javac source="1.6" target="1.6" debug="on"/> -+ </groovyc> -+ </tasks> - </configuration> -- <goals> -- <goal>run</goal> -- </goals> - </execution> - </executions> - </plugin> 
diff --git a/debian/patches/03-servlet-3.1.patch b/debian/patches/03-servlet-3.1.patch
deleted file mode 100644
index 79e3ee1..0000000
--- a/debian/patches/03-servlet-3.1.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -Author: Apollon Oikonomopoulos <apoi...@debian.org> -Description: Patch logback-access to comply with the servlet 3.1 API - This is a partial backport of upstream commit 9ad7cc6141. -Forwarded: not-needed (fixed upstream) -Last-Update: 2017-03-01 ---- a/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletInputStream.java -+++ b/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletInputStream.java -@@ -18,6 +18,7 @@ - import java.io.IOException; - import java.io.InputStream; - -+import javax.servlet.ReadListener; - import javax.servlet.ServletInputStream; - import javax.servlet.http.HttpServletRequest; - -@@ -71,4 +72,19 @@ - byte[] getInputBuffer() { - return inputBuffer; - } -+ -+ @Override -+ public boolean isFinished() { -+ throw new RuntimeException("Not yet implemented"); -+ } -+ -+ @Override -+ public boolean isReady() { -+ throw new RuntimeException("Not yet implemented"); -+ } -+ -+ @Override -+ public void setReadListener(ReadListener listener) { -+ throw new RuntimeException("Not yet implemented"); -+ } - } ---- a/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletOutputStream.java -+++ b/logback-access/src/main/java/ch/qos/logback/access/servlet/TeeServletOutputStream.java -@@ -16,6 +16,7 @@ - import java.io.ByteArrayOutputStream; - import java.io.IOException; - -+import javax.servlet.WriteListener; - import javax.servlet.ServletOutputStream; - import javax.servlet.ServletResponse; - -@@ -82,4 +83,14 @@ - underlyingStream.flush(); - baosCopy.flush(); - } -+ -+ @Override -+ public boolean isReady() { -+ throw new RuntimeException("Not yet implemented"); -+ } -+ -+ @Override -+ public void setWriteListener(WriteListener listener) { -+ throw new RuntimeException("Not yet implemented"); -+ } - } ---- a/logback-access/src/main/java/ch/qos/logback/access/tomcat/LogbackValve.java -+++ b/logback-access/src/main/java/ch/qos/logback/access/tomcat/LogbackValve.java -@@ -328,7 +328,6 @@ - return 
aai.detachAppender(name); - } - -- @Override - public String getInfo() { - return "Logback's implementation of ValveBase"; - } diff --git a/debian/patches/CVE-2017-5929-part2.patch b/debian/patches/CVE-2017-5929-part2.patch deleted file mode 100644 index f14e1fa..0000000 --- a/debian/patches/CVE-2017-5929-part2.patch +++ /dev/null 
@@ -1,390 +0,0 @@ -From: Markus Koschany <a...@debian.org> -Date: Tue, 4 Apr 2017 14:22:43 +0200 -Subject: CVE-2017-5929-part2 - -This is part2 to fix CVE-2017-5929 - -Origin: https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9 -Origin: https://github.com/qos-ch/logback/commit/7fbea6127fa98fc48368ca5e8540eefe0e60cec5 -Origin: https://github.com/qos-ch/logback/commit/3b4f605454534b304770eeee3cb343521fcd6968 ---- - .../access/net/HardenedAccessEventInputStream.java | 15 ++++++ - .../java/ch/qos/logback/access/net/SocketNode.java | 11 ++--- - .../ch/qos/logback/classic/net/SocketAppender.java | 2 - - .../ch/qos/logback/classic/net/SocketNode.java | 14 +++--- - .../server/HardenedLoggingEventInputStream.java | 56 ++++++++++++++++++++++ - .../server/LogbackClassicSerializationHelper.java | 28 ----------- - .../net/server/RemoteAppenderStreamClient.java | 10 ++-- - .../core/net/HardenedObjectInputStream.java | 47 +++++++++++++----- - 8 files changed, 123 insertions(+), 60 deletions(-) - create mode 100644 logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java - create mode 100644 logback-classic/src/main/java/ch/qos/logback/classic/net/server/HardenedLoggingEventInputStream.java - delete mode 100644 logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java - -diff --git a/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java b/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java -new file mode 100644 -index 0000000..c0ba6b0 ---- /dev/null -+++ b/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java -@@ -0,0 +1,15 @@ -+package ch.qos.logback.access.net; -+ -+import java.io.IOException; -+import java.io.InputStream; -+ -+import ch.qos.logback.access.spi.AccessEvent; -+import ch.qos.logback.core.net.HardenedObjectInputStream; -+ -+public class 
HardenedAccessEventInputStream extends HardenedObjectInputStream { -+ -+ public HardenedAccessEventInputStream(InputStream in) throws IOException { -+ super(in, new String[] {AccessEvent.class.getName(), String[].class.getName()}); -+ } -+ -+} -diff --git a/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java b/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java -index e164774..aeb7b14 100644 ---- a/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java -+++ b/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java -@@ -15,7 +15,6 @@ package ch.qos.logback.access.net; - - import java.io.BufferedInputStream; - import java.io.IOException; --import java.io.ObjectInputStream; - import java.net.Socket; - - import ch.qos.logback.access.spi.AccessContext; -@@ -42,15 +41,15 @@ public class SocketNode implements Runnable { - - Socket socket; - AccessContext context; -- ObjectInputStream ois; -+ HardenedAccessEventInputStream hardenedOIS; - - public SocketNode(Socket socket, AccessContext context) { - this.socket = socket; - this.context = context; - try { -- ois = new ObjectInputStream(new BufferedInputStream(socket.getInputStream())); -+ hardenedOIS = new HardenedAccessEventInputStream(new BufferedInputStream(socket.getInputStream())); - } catch (Exception e) { -- System.out.println("Could not open ObjectInputStream to " + socket + e); -+ System.out.println("Could not open HardenedObjectInputStream to " + socket + e); - } - } - -@@ -61,7 +60,7 @@ public class SocketNode implements Runnable { - try { - while (true) { - // read an event from the wire -- event = (IAccessEvent) ois.readObject(); -+ event = (IAccessEvent) hardenedOIS.readObject(); - // check that the event should be logged - if (context.getFilterChainDecision(event) == FilterReply.DENY) { - break; -@@ -81,7 +80,7 @@ public class SocketNode implements Runnable { - } - - try { -- ois.close(); -+ hardenedOIS.close(); - } catch (Exception e) { - 
System.out.println("Could not close connection." + e); - } -diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketAppender.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketAppender.java -index 82518c7..0590cae 100644 ---- a/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketAppender.java -+++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketAppender.java -@@ -14,8 +14,6 @@ - // Contributors: Dan MacDonald <d...@redknee.com> - package ch.qos.logback.classic.net; - --import java.net.InetAddress; -- - import ch.qos.logback.classic.spi.ILoggingEvent; - import ch.qos.logback.core.net.AbstractSocketAppender; - import ch.qos.logback.core.spi.PreSerializationTransformer; -diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java -index 4c01cbe..8faf6a6 100644 ---- a/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java -+++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java -@@ -15,13 +15,13 @@ package ch.qos.logback.classic.net; - - import java.io.BufferedInputStream; - import java.io.IOException; --import java.io.ObjectInputStream; - import java.net.Socket; - import java.net.SocketAddress; - - import ch.qos.logback.classic.Logger; - - import ch.qos.logback.classic.LoggerContext; -+import ch.qos.logback.classic.net.server.HardenedLoggingEventInputStream; - import ch.qos.logback.classic.spi.ILoggingEvent; - - // Contributors: Moses Hohman <mmhoh...@rainbow.uchicago.edu> -@@ -44,7 +44,7 @@ public class SocketNode implements Runnable { - - Socket socket; - LoggerContext context; -- ObjectInputStream ois; -+ HardenedLoggingEventInputStream hardenedLoggingEventInputStream; - SocketAddress remoteSocketAddress; - - Logger logger; -@@ -68,7 +68,7 @@ public class SocketNode implements Runnable { - public void run() { - - try { -- ois = new ObjectInputStream(new 
BufferedInputStream(socket.getInputStream())); -+ hardenedLoggingEventInputStream = new HardenedLoggingEventInputStream(new BufferedInputStream(socket.getInputStream())); - } catch (Exception e) { - logger.error("Could not open ObjectInputStream to " + socket, e); - closed = true; -@@ -80,7 +80,7 @@ public class SocketNode implements Runnable { - try { - while (!closed) { - // read an event from the wire -- event = (ILoggingEvent) ois.readObject(); -+ event = (ILoggingEvent) hardenedLoggingEventInputStream.readObject(); - // get a logger from the hierarchy. The name of the logger is taken to - // be the name contained in the event. - remoteLogger = context.getLogger(event.getLoggerName()); -@@ -110,13 +110,13 @@ public class SocketNode implements Runnable { - return; - } - closed = true; -- if (ois != null) { -+ if (hardenedLoggingEventInputStream != null) { - try { -- ois.close(); -+ hardenedLoggingEventInputStream.close(); - } catch (IOException e) { - logger.warn("Could not close connection.", e); - } finally { -- ois = null; -+ hardenedLoggingEventInputStream = null; - } - } - } -diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/HardenedLoggingEventInputStream.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/HardenedLoggingEventInputStream.java -new file mode 100644 -index 0000000..522a30f ---- /dev/null -+++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/HardenedLoggingEventInputStream.java -@@ -0,0 +1,56 @@ -+package ch.qos.logback.classic.net.server; -+ -+import java.io.IOException; -+import java.io.InputStream; -+import java.util.ArrayList; -+import java.util.List; -+ -+import org.slf4j.helpers.BasicMarker; -+ -+import ch.qos.logback.classic.Level; -+import ch.qos.logback.classic.Logger; -+import ch.qos.logback.classic.spi.ClassPackagingData; -+import ch.qos.logback.classic.spi.IThrowableProxy; -+import ch.qos.logback.classic.spi.LoggerContextVO; -+import 
ch.qos.logback.classic.spi.LoggerRemoteView; -+import ch.qos.logback.classic.spi.LoggingEventVO; -+import ch.qos.logback.classic.spi.StackTraceElementProxy; -+import ch.qos.logback.classic.spi.ThrowableProxy; -+import ch.qos.logback.classic.spi.ThrowableProxyVO; -+import ch.qos.logback.core.net.HardenedObjectInputStream; -+ -+public class HardenedLoggingEventInputStream extends HardenedObjectInputStream { -+ -+ static final String ARRAY_PREFIX = "[L"; -+ -+ static public List<String> getWhilelist() { -+ List<String> whitelist = new ArrayList<String>(); -+ whitelist.add(LoggingEventVO.class.getName()); -+ whitelist.add(LoggerContextVO.class.getName()); -+ whitelist.add(LoggerRemoteView.class.getName()); -+ whitelist.add(ThrowableProxyVO.class.getName()); -+ whitelist.add(BasicMarker.class.getName()); -+ whitelist.add(Level.class.getName()); -+ whitelist.add(Logger.class.getName()); -+ whitelist.add(StackTraceElement.class.getName()); -+ whitelist.add(StackTraceElement[].class.getName()); -+ whitelist.add(ThrowableProxy.class.getName()); -+ whitelist.add(ThrowableProxy[].class.getName()); -+ whitelist.add(IThrowableProxy.class.getName()); -+ whitelist.add(IThrowableProxy[].class.getName()); -+ whitelist.add(StackTraceElementProxy.class.getName()); -+ whitelist.add(StackTraceElementProxy[].class.getName()); -+ whitelist.add(ClassPackagingData.class.getName()); -+ -+ return whitelist; -+ } -+ -+ public HardenedLoggingEventInputStream(InputStream is) throws IOException { -+ super(is, getWhilelist()); -+ } -+ -+ public HardenedLoggingEventInputStream(InputStream is, List<String> additionalAuthorizedClasses) throws IOException { -+ this(is); -+ super.addToWhitelist(additionalAuthorizedClasses); -+ } -+} -diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java -deleted file mode 100644 -index 00a974f..0000000 
---- a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java -+++ /dev/null -@@ -1,28 +0,0 @@ --package ch.qos.logback.classic.net.server; -- --import java.util.ArrayList; --import java.util.List; -- --import org.slf4j.helpers.BasicMarker; -- --import ch.qos.logback.classic.Logger; --import ch.qos.logback.classic.spi.LoggerContextVO; --import ch.qos.logback.classic.spi.LoggingEventVO; --import ch.qos.logback.classic.spi.ThrowableProxyVO; -- --public class LogbackClassicSerializationHelper { -- -- -- -- static public List<String> getWhilelist() { -- List<String> whitelist = new ArrayList<String>(); -- whitelist.add(LoggingEventVO.class.getName()); -- whitelist.add(LoggerContextVO.class.getName()); -- whitelist.add(ThrowableProxyVO.class.getName()); -- whitelist.add(StackTraceElement.class.getName()); -- whitelist.add(BasicMarker.class.getName()); -- whitelist.add(BasicMarker.class.getName()); -- whitelist.add(Logger.class.getName()); -- return whitelist; -- } --} -diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java -index 5be7e24..71e1b0b 100644 ---- a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java -+++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java -@@ -16,12 +16,12 @@ package ch.qos.logback.classic.net.server; - import java.io.EOFException; - import java.io.IOException; - import java.io.InputStream; --import java.io.ObjectInputStream; - import java.net.Socket; - - import ch.qos.logback.classic.Logger; - import ch.qos.logback.classic.LoggerContext; - import ch.qos.logback.classic.spi.ILoggingEvent; -+import ch.qos.logback.core.net.HardenedObjectInputStream; - import ch.qos.logback.core.util.CloseUtil; - - /** -@@ -87,7 +87,7 @@ class RemoteAppenderStreamClient 
implements RemoteAppenderClient { - */ - public void run() { - logger.info(this + ": connected"); -- ObjectInputStream ois = null; -+ HardenedObjectInputStream ois = null; - try { - ois = createObjectInputStream(); - while (true) { -@@ -120,11 +120,11 @@ class RemoteAppenderStreamClient implements RemoteAppenderClient { - } - } - -- private ObjectInputStream createObjectInputStream() throws IOException { -+ private HardenedObjectInputStream createObjectInputStream() throws IOException { - if (inputStream != null) { -- return new ObjectInputStream(inputStream); -+ return new HardenedLoggingEventInputStream(inputStream); - } -- return new ObjectInputStream(socket.getInputStream()); -+ return new HardenedLoggingEventInputStream(socket.getInputStream()); - } - - /** -diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java -index 439e2bd..d1b7301 100644 ---- a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java -+++ b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java -@@ -6,43 +6,66 @@ import java.io.InvalidClassException; - import java.io.ObjectInputStream; - import java.io.ObjectStreamClass; - import java.util.ArrayList; --import java.util.Collections; - import java.util.List; - - /** -+ * HardenedObjectInputStream restricts the set of classes that can be deserialized to a set of -+ * explicitly whitelisted classes. This prevents certain type of attacks from being successful. 
-+ * -+ * <p>It is assumed that classes in the "java.lang" and "java.util" packages are -+ * always authorized.</p> - * - * @author Ceki Gülcü - * @since 1.2.0 - */ - public class HardenedObjectInputStream extends ObjectInputStream { - -- List<String> whitelistedClassNames; -- String[] javaPackages = new String[] {"java.lang", "java.util"}; -- -- public HardenedObjectInputStream(InputStream in, List<String> whilelist) throws IOException { -+ final List<String> whitelistedClassNames; -+ final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" }; -+ -+ public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOException { - super(in); -- this.whitelistedClassNames = Collections.synchronizedList(new ArrayList<String>(whilelist)); -+ -+ this.whitelistedClassNames = new ArrayList<String>(); -+ if (whilelist != null) { -+ for (int i = 0; i < whilelist.length; i++) { -+ this.whitelistedClassNames.add(whilelist[i]); -+ } -+ } -+ } -+ -+ public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException { -+ super(in); -+ -+ this.whitelistedClassNames = new ArrayList<String>(); -+ this.whitelistedClassNames.addAll(whitelist); - } - - @Override - protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException { -+ - String incomingClassName = anObjectStreamClass.getName(); -- if(!isWhitelisted(incomingClassName)) { -+ -+ if (!isWhitelisted(incomingClassName)) { - throw new InvalidClassException("Unauthorized deserialization attempt", anObjectStreamClass.getName()); - } -- -+ - return super.resolveClass(anObjectStreamClass); - } - - private boolean isWhitelisted(String incomingClassName) { -- for(int i = 0; i < javaPackages.length; i++) { -- if(incomingClassName.startsWith(javaPackages[i])) -+ for (int i = 0; i < JAVA_PACKAGES.length; i++) { -+ if (incomingClassName.startsWith(JAVA_PACKAGES[i])) - return true; - } -- for(String className: whitelistedClassNames) { 
-- if(incomingClassName.equals(className)) -+ for (String whiteListed : whitelistedClassNames) { -+ if (incomingClassName.equals(whiteListed)) - return true; - } - return false; - } -+ -+ protected void addToWhitelist(List<String> additionalAuthorizedClasses) { -+ whitelistedClassNames.addAll(additionalAuthorizedClasses); -+ } - } diff --git a/debian/patches/CVE-2017-5929.patch b/debian/patches/CVE-2017-5929.patch deleted file mode 100644 index cdf1058..0000000 --- a/debian/patches/CVE-2017-5929.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From: Markus Koschany <a...@debian.org> -Date: Tue, 28 Mar 2017 14:51:54 +0200 -Subject: CVE-2017-5929 - -Bug-Debian: https://bugs.debian.org/857343 -Origin: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8 ---- - .../logback/classic/net/SimpleSocketServer.java | 1 - - .../server/LogbackClassicSerializationHelper.java | 28 +++++++++++++ - .../core/net/HardenedObjectInputStream.java | 48 ++++++++++++++++++++++ - 3 files changed, 76 insertions(+), 1 deletion(-) - create mode 100644 logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java - create mode 100644 logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java - -diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java -index 13bf6f7..17fda2a 100644 ---- a/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java -+++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/SimpleSocketServer.java -@@ -14,7 +14,6 @@ - package ch.qos.logback.classic.net; - - import java.io.IOException; --import java.lang.reflect.Constructor; - import java.net.ServerSocket; - import java.net.Socket; - import java.util.ArrayList; -diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java -new file mode 100644 -index 0000000..00a974f ---- /dev/null -+++ b/logback-classic/src/main/java/ch/qos/logback/classic/net/server/LogbackClassicSerializationHelper.java -@@ -0,0 +1,28 @@ -+package ch.qos.logback.classic.net.server; -+ -+import java.util.ArrayList; -+import java.util.List; -+ -+import org.slf4j.helpers.BasicMarker; -+ -+import ch.qos.logback.classic.Logger; -+import ch.qos.logback.classic.spi.LoggerContextVO; 
-+import ch.qos.logback.classic.spi.LoggingEventVO; -+import ch.qos.logback.classic.spi.ThrowableProxyVO; -+ -+public class LogbackClassicSerializationHelper { -+ -+ -+ -+ static public List<String> getWhilelist() { -+ List<String> whitelist = new ArrayList<String>(); -+ whitelist.add(LoggingEventVO.class.getName()); -+ whitelist.add(LoggerContextVO.class.getName()); -+ whitelist.add(ThrowableProxyVO.class.getName()); -+ whitelist.add(StackTraceElement.class.getName()); -+ whitelist.add(BasicMarker.class.getName()); -+ whitelist.add(BasicMarker.class.getName()); -+ whitelist.add(Logger.class.getName()); -+ return whitelist; -+ } -+} -diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java -new file mode 100644 -index 0000000..439e2bd ---- /dev/null -+++ b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java -@@ -0,0 +1,48 @@ -+package ch.qos.logback.core.net; -+ -+import java.io.IOException; -+import java.io.InputStream; -+import java.io.InvalidClassException; -+import java.io.ObjectInputStream; -+import java.io.ObjectStreamClass; -+import java.util.ArrayList; -+import java.util.Collections; -+import java.util.List; -+ -+/** -+ * -+ * @author Ceki Gülcü -+ * @since 1.2.0 -+ */ -+public class HardenedObjectInputStream extends ObjectInputStream { -+ -+ List<String> whitelistedClassNames; -+ String[] javaPackages = new String[] {"java.lang", "java.util"}; -+ -+ public HardenedObjectInputStream(InputStream in, List<String> whilelist) throws IOException { -+ super(in); -+ this.whitelistedClassNames = Collections.synchronizedList(new ArrayList<String>(whilelist)); -+ } -+ -+ @Override -+ protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException { -+ String incomingClassName = anObjectStreamClass.getName(); -+ if(!isWhitelisted(incomingClassName)) { -+ throw new 
InvalidClassException("Unauthorized deserialization attempt", anObjectStreamClass.getName());
-+ }
-+
-+ return super.resolveClass(anObjectStreamClass);
-+ }
-+
-+ private boolean isWhitelisted(String incomingClassName) {
-+ for(int i = 0; i < javaPackages.length; i++) {
-+ if(incomingClassName.startsWith(javaPackages[i]))
-+ return true;
-+ }
-+ for(String className: whitelistedClassNames) {
-+ if(incomingClassName.equals(className))
-+ return true;
-+ }
-+ return false;
-+ }
-+}
diff --git a/debian/patches/series b/debian/patches/series
index 5bdde9d..a6c5743 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,6 +1,2 @@
-#01-compile-groovy.patch
 02-remove-google-ads.patch
-#CVE-2017-5929.patch
-#CVE-2017-5929-part2.patch
-#03-servlet-3.1.patch
 04-privacy-breach.patch
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/logback.git
_______________________________________________ pkg-java-commits mailing list pkg-java-comm...@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits