Import Debian changes 2.4.2-2+deb8u3 jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high * Team upload. * Fix CVE-2017-17485 and CVE-2018-5968: Bypass of deserialization blacklist to disallow unauthenticated remote code execution. These CVEs exist due to an incomplete fix for CVE-2017-7525. (Closes: #888316, #888318) jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high * Team upload * CVE-2017-15095: incomplete fixes for CVE-2017-7525 Markus Koschany 6 years ago
8 changed file(s) with 334 addition(s) and 0 deletion(s).
0 jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high
1
2 * Team upload.
3 * Fix CVE-2017-17485 and CVE-2018-5968:
4 Bybass of deserialization blackist to disallow unauthenticated remote code
5 execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
6 (Closes: #888316, #888318)
7
8 -- Markus Koschany <apo@debian.org> Sat, 27 Jan 2018 19:37:47 +0100
9
10 jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high
11
12 * Team upload
13 * CVE-2017-15095: incomplete fixes for CVE-2017-7525
14
15 -- Sebastien Delafond <seb@debian.org> Thu, 16 Nov 2017 09:13:27 +0100
16
017 jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high
118
219 * Team upload.
0 [buildpackage]
1 compression = gz
0 From: Tatu Saloranta <tatu.saloranta@iki.fi>
1 Date: Wed, 26 Apr 2017 20:22:25 -0700
2 Subject: Minor improvement wrt #1599 (also cover vanilla xalan impl)
3 Origin: https://github.com/FasterXML/jackson-databind//commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38
4 Bug: https://github.com/FasterXML/jackson-databind/issues/1599
5 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
6
7 ---
8 .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 1 +
9 1 file changed, 1 insertion(+)
10
11 diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
12 index cbbb90c2b..586513ddd 100644
13 --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
14 +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
15 @@ -57,6 +57,7 @@ public class BeanDeserializerFactory
16 s.add("org.codehaus.groovy.runtime.MethodClosure");
17 s.add("org.springframework.beans.factory.ObjectFactory");
18 s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
19 + s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
20 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
21 }
22
23 --
24 2.15.0.rc2
25
0 From: Tatu Saloranta <tatu.saloranta@iki.fi>
1 Date: Fri, 30 Jun 2017 09:30:13 -0700
2 Subject: Fix #1680
3 Origin: https://github.com/FasterXML/jackson-databind//commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935
4 Bug: https://github.com/FasterXML/jackson-databind/issues/1680
5 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
6
7 diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
8 index 586513ddd..f2244e0c3 100644
9 --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
10 +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
11 @@ -58,6 +58,8 @@ public class BeanDeserializerFactory
12 s.add("org.springframework.beans.factory.ObjectFactory");
13 s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
14 s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
15 + // [databind#1680]: may or may not be problem, take no chance
16 + s.add("com.sun.rowset.JdbcRowSetImpl");
17 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
18 }
19
20 --
21 2.15.0.rc2
22
0 From: Tatu Saloranta <tatu.saloranta@iki.fi>
1 Date: Thu, 17 Aug 2017 15:12:47 -0700
2 Subject: Fix #1737
3 Origin: https://github.com/FasterXML/jackson-databind//commit/ddfddfba6414adbecaff99684ef66eebd3a92e92
4 Bug: https://github.com/FasterXML/jackson-databind/issues/1737
5 Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
6
7 diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
8 index 9850cf75c..9301c666a 100644
9 --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
10 +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
11 @@ -49,7 +49,7 @@ public class BeanDeserializerFactory
12 static {
13 Set<String> s = new HashSet<>();
14 // Courtesy of [https://github.com/kantega/notsoserial]:
15 - // (and wrt [databind#1599]
16 + // (and wrt [databind#1599])
17 s.add("org.apache.commons.collections.functors.InvokerTransformer");
18 s.add("org.apache.commons.collections.functors.InstantiateTransformer");
19 s.add("org.apache.commons.collections4.functors.InvokerTransformer");
20 @@ -61,6 +61,15 @@ public class BeanDeserializerFactory
21 s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
22 // [databind#1680]: may or may not be problem, take no chance
23 s.add("com.sun.rowset.JdbcRowSetImpl");
24 + // [databind#1737]; JDK provided
25 + s.add("java.util.logging.FileHandler");
26 + s.add("java.rmi.server.UnicastRemoteObject");
27 + // [databind#1737]; 3rd party
28 + s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
29 + s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
30 + s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
31 + s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
32 +
33 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
34 }
35
36 diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
37 index 1906eadb6..8721b9b6a 100644
38 --- a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
39 +++ b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
40 @@ -1,5 +1,6 @@
41 package com.fasterxml.jackson.databind.interop;
42
43 +import com.fasterxml.jackson.annotation.JsonTypeInfo;
44 import com.fasterxml.jackson.databind.*;
45
46 /**
47 @@ -12,12 +13,29 @@ public class IllegalTypesCheckTest extends BaseMapTest
48 public int id;
49 public Object obj;
50 }
51 +
52 + static class PolyWrapper {
53 + @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS,
54 + include = JsonTypeInfo.As.WRAPPER_ARRAY)
55 + public Object v;
56 + }
57
58 - public void testIssue1599() throws Exception
59 + /*
60 + /**********************************************************
61 + /* Unit tests
62 + /**********************************************************
63 + */
64 +
65 + private final ObjectMapper MAPPER = objectMapper();
66 +
67 + // // // Tests for [databind#1599]
68 +
69 + public void testXalanTypes1599() throws Exception
70 {
71 + final String clsName = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
72 final String JSON = aposToQuotes(
73 "{'id': 124,\n"
74 -+" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
75 ++" 'obj':[ '"+clsName+"',\n"
76 +" {\n"
77 +" 'transletBytecodes' : [ 'AAIAZQ==' ],\n"
78 +" 'transletName' : 'a.b',\n"
79 @@ -32,9 +50,75 @@ public class IllegalTypesCheckTest extends BaseMapTest
80 mapper.readValue(JSON, Bean1599.class);
81 fail("Should not pass");
82 } catch (JsonMappingException e) {
83 - verifyException(e, "Illegal type");
84 - verifyException(e, "to deserialize");
85 - verifyException(e, "prevented for security reasons");
86 + _verifySecurityException(e, clsName);
87 + }
88 + }
89 +
90 + // // // Tests for [databind#1737]
91 +
92 + public void testJDKTypes1737() throws Exception
93 + {
94 + _testTypes1737(java.util.logging.FileHandler.class);
95 + _testTypes1737(java.rmi.server.UnicastRemoteObject.class);
96 + }
97 +
98 + // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
99 + // but would require adding dependencies. This may be practical when
100 + // checking done by module, but for now let's not do that for databind.
101 +
102 + /*
103 + public void testSpringTypes1737() throws Exception
104 + {
105 + _testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
106 + _testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");
107 + }
108 +
109 + public void testC3P0Types1737() throws Exception
110 + {
111 + _testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
112 + _testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
113 + }
114 + */
115 +
116 + private void _testTypes1737(Class<?> nasty) throws Exception {
117 + _testTypes1737(nasty.getName());
118 + }
119 +
120 + private void _testTypes1737(String clsName) throws Exception
121 + {
122 + // While usually exploited via default typing let's not require
123 + // it here; mechanism still the same
124 + String json = aposToQuotes(
125 + "{'v':['"+clsName+"','/tmp/foobar.txt']}"
126 + );
127 + try {
128 + MAPPER.readValue(json, PolyWrapper.class);
129 + fail("Should not pass");
130 + } catch (JsonMappingException e) {
131 + _verifySecurityException(e, clsName);
132 + }
133 + }
134 +
135 + protected void _verifySecurityException(Throwable t, String clsName) throws Exception
136 + {
137 + // 17-Aug-2017, tatu: Expected type more granular in 2.9 (over 2.8)
138 + _verifyException(t, JsonMappingException.class,
139 + "Illegal type",
140 + "to deserialize",
141 + "prevented for security reasons");
142 + verifyException(t, clsName);
143 + }
144 +
145 + protected void _verifyException(Throwable t, Class<?> expExcType,
146 + String... patterns) throws Exception
147 + {
148 + Class<?> actExc = t.getClass();
149 + if (!expExcType.isAssignableFrom(actExc)) {
150 + fail("Expected Exception of type '"+expExcType.getName()+"', got '"
151 + +actExc.getName()+"', message: "+t.getMessage());
152 + }
153 + for (String pattern : patterns) {
154 + verifyException(t, pattern);
155 }
156 }
157 }
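Review bot: The comment `// 17-Aug-2017, tatu: Expected type more granular in 2.9 (over 2.8)` inside `_verifySecurityException` is stale for this backport: the changelog targets 2.4.2, and the guard in BeanDeserializerFactory (see the CVE-2017-17485 patch on this page) throws a plain `JsonMappingException`, so the comment should say something like `// Backported to 2.4.x: the guard throws plain JsonMappingException; the patterns below match its message text`. Separately, `_testTypes1737` feeds the real path `'/tmp/foobar.txt'` to every blocked type; if the guard ever regresses, `java.util.logging.FileHandler` would presumably create that file on the test host before `fail("Should not pass")` reports it, so a path under a non-existent directory keeps the negative test side-effect free. The enclosing test class continues outside the hunk.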
158 --
159 2.15.0.rc2
160
0 From: Markus Koschany <apo@debian.org>
1 Date: Sat, 27 Jan 2018 20:16:02 +0100
2 Subject: CVE-2017-17485
3
4 Bug-Debian: https://bugs.debian.org/888318
5 Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855
6 Origin: https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
7 Origin: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
8 Origin: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
9 ---
10 .../databind/deser/BeanDeserializerFactory.java | 37 +++++++++++++++++++---
11 1 file changed, 32 insertions(+), 5 deletions(-)
12
13 diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
14 index c536b46..9b56b08 100644
15 --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
16 +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
17 @@ -38,6 +38,8 @@ public class BeanDeserializerFactory
18 {
19 private static final long serialVersionUID = 1;
20
21 + protected final static String PREFIX_STRING = "org.springframework.";
22 +
23 /**
24 * Signature of <b>Throwable.initCause</b> method.
25 */
26 @@ -75,6 +77,9 @@ public class BeanDeserializerFactory
27 s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
28 s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
29 s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
30 + // [databind#1855]: more 3rd party
31 + s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
32 + s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
33 // [databind#1899]: more 3rd party
34 s.add("org.hibernate.jmx.StatisticsService");
35 s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
36 @@ -932,11 +937,33 @@ public class BeanDeserializerFactory
37 {
38 // There are certain nasty classes that could cause problems, mostly
39 // via default typing -- catch them here.
40 - String full = type.getRawClass().getName();
41
42 - if (_cfgIllegalClassNames.contains(full)) {
43 - throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons");
44 - }
45 - }
46 + final Class<?> raw = type.getRawClass();
47 + String full = raw.getName();
48 +
49 + main_check:
50 + do {
51 + if (_cfgIllegalClassNames.contains(full)) {
52 + break;
53 + }
54 +
55 + // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
56 + // for some Spring framework types
57 + if (full.startsWith(PREFIX_STRING)) {
58 + for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
59 + String name = cls.getSimpleName();
60 + // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
61 + if ("AbstractPointcutAdvisor".equals(name)
62 + // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
63 + || "AbstractApplicationContext".equals(name)) {
64 + break main_check;
65 + }
66 + }
67 + }
68 + return;
69 + } while (false);
70 +
71 + throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons");
72 + }
73
74 }
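Review bot: The superclass walk `for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass())` dereferences null when `raw` is an interface (or a primitive): `Class.getSuperclass()` returns null for those, the loop condition does not stop on null, and the following `cls.getSimpleName()` throws NullPointerException instead of either accepting or rejecting the type. If any `org.springframework.` interface type can reach this check from the caller (outside the hunk), the guard should read `for (Class<?> cls = raw; cls != null && cls != Object.class; cls = cls.getSuperclass())`. The walk also runs only for names under `PREFIX_STRING`, so a subclass of AbstractPointcutAdvisor or AbstractApplicationContext declared in any other package still takes the `return;` path and is accepted; `PREFIX_STRING` deserves a comment stating that the prefix gate is a shortcut, not a security boundary, or the gate should be dropped. The enclosing method's signature lies above the hunk.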
0 From: Markus Koschany <apo@debian.org>
1 Date: Sat, 27 Jan 2018 19:00:33 +0100
2 Subject: CVE-2018-5968
3
4 Bug-Debian: https://bugs.debian.org/888316
5 Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1899
6 Origin: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
7 ---
8 .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 3 +++
9 1 file changed, 3 insertions(+)
10
11 diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
12 index 86b5c08..10ada70 100644
13 --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
14 +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
15 @@ -69,6 +69,9 @@ public class BeanDeserializerFactory
16 s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
17 s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
18 s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
19 + // [databind#1899]: more 3rd party
20 + s.add("org.hibernate.jmx.StatisticsService");
21 + s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
22
23 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
24 }
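Review bot: The two new entries are matched only by exact fully-qualified name — the check is `_cfgIllegalClassNames.contains(full)`, visible in the companion CVE-2017-17485 patch on this page — so a subclass of `StatisticsService` or `JndiDataSourceFactory`, or the same gadget under a shaded or relocated package, is not blocked. That limitation is inherent to this list-based approach rather than a defect of these two lines, but the set deserves a comment saying so, e.g. `// Exact-name denylist: does not cover subclasses or shaded copies; do not enable default typing on untrusted input`. The label `// [databind#1899]: more 3rd party` gives the next backporter no hint which gadget chain these block; a word such as `JNDI lookup` (presumably, given the class names — confirm against the upstream issue) would help.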
00 fix-using-bundle.diff
11 CVE-2017-7525.patch
2 CVE-2017-15095_1.patch
3 CVE-2017-15095_2.patch
4 CVE-2017-15095_3.patch
5 CVE-2018-5968.patch
6 CVE-2017-17485.patch