[Bug 1780844] Re: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

Mon, 09 Jul 2018 13:46:23 -0700 

** Description changed:

  [impact]
  
  XStream through 1.4.9, when a certain denyTypes workaround is not used,
  mishandles attempts to create an instance of the primitive type 'void'
  during unmarshalling, leading to a remote application crash, as
  demonstrated by an xstream.fromXML("<void/>") call.
  
  [test case]
  
  install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial
  (or trusty) system.  Then create a file named TestCVE.java with this
  content:
  
- 
  import com.thoughtworks.xstream.XStream;
  
  public class TestCVE {
  
-       public static void main(String[] args) {
-               XStream xstream = new XStream();
-               xstream.fromXML("<void/>");
-       }
+  public static void main(String[] args) {
+   XStream xstream = new XStream();
+   xstream.fromXML("<void/>");
+  }
  
  }
  
- 
- then run this (from the same directory as the file) to compile it:
+ then run this (from the same directory as the file) to compile it,
+ noting to replace the version number if needed (1.4.8 is X version, if
+ on trusty use 1.4.7):
  
  $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java
  
- then test it:
+ then test it (again correcting version if needed):
  
  $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE
  
  failure is a JVM segfault, e.g.:
  
  #
  # A fatal error has been detected by the Java Runtime Environment:
  #
  #  SIGSEGV (0xb) at pc=0x00007f6546a6f9d2, pid=9279, tid=0x00007f654816c700
  
  success is a normal java exception with backtrace, e.g.:
  
  Exception in thread "main"
  com.thoughtworks.xstream.converters.ConversionException: Type void
  cannot have an instance
  
  [regression potential]
  
  regressions could include failing to parse the stream, or otherwise
  cause exceptions or segfaults.
  
  [other info]
  
  http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html
  https://x-stream.github.io/CVE-2017-7957.html
  https://github.com/x-stream/xstream/commit/b3570be

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1780844

Title:
  CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an
  instance of the primitive type 'void'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to