Import Debian changes 2.4.2-2+deb8u3
jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high
* Team upload.
* Fix CVE-2017-17485 and CVE-2018-5968:
Bypass of the deserialization blacklist that disallows unauthenticated remote code
execution. These CVEs exist due to an incomplete fix for CVE-2017-7525.
(Closes: #888316, #888318)
jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high
* Team upload
* CVE-2017-15095: incomplete fixes for CVE-2017-7525
Markus Koschany
6 years ago
0 | jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high | |
1 | ||
2 | * Team upload. | |
3 | * Fix CVE-2017-17485 and CVE-2018-5968: | |
4 | Bybass of deserialization blackist to disallow unauthenticated remote code | |
5 | execution. These CVE exist due to an incomplete fix for CVE-2017-7525. | |
6 | (Closes: #888316, #888318) | |
7 | ||
8 | -- Markus Koschany <apo@debian.org> Sat, 27 Jan 2018 19:37:47 +0100 | |
9 | ||
10 | jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high | |
11 | ||
12 | * Team upload | |
13 | * CVE-2017-15095: incomplete fixes for CVE-2017-7525 | |
14 | ||
15 | -- Sebastien Delafond <seb@debian.org> Thu, 16 Nov 2017 09:13:27 +0100 | |
16 | ||
0 | 17 | jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high |
1 | 18 | |
2 | 19 | * Team upload. |
0 | From: Tatu Saloranta <tatu.saloranta@iki.fi> | |
1 | Date: Wed, 26 Apr 2017 20:22:25 -0700 | |
2 | Subject: Minor improvement wrt #1599 (also cover vanilla xalan impl) | |
3 | Origin: https://github.com/FasterXML/jackson-databind//commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38 | |
4 | Bug: https://github.com/FasterXML/jackson-databind/issues/1599 | |
5 | Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095 | |
6 | ||
7 | --- | |
8 | .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 1 + | |
9 | 1 file changed, 1 insertion(+) | |
10 | ||
11 | diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
12 | index cbbb90c2b..586513ddd 100644 | |
13 | --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
14 | +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
15 | @@ -57,6 +57,7 @@ public class BeanDeserializerFactory | |
16 | s.add("org.codehaus.groovy.runtime.MethodClosure"); | |
17 | s.add("org.springframework.beans.factory.ObjectFactory"); | |
18 | s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); | |
19 | + s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); | |
20 | DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); | |
21 | } | |
22 | ||
23 | -- | |
24 | 2.15.0.rc2 | |
25 |
0 | From: Tatu Saloranta <tatu.saloranta@iki.fi> | |
1 | Date: Fri, 30 Jun 2017 09:30:13 -0700 | |
2 | Subject: Fix #1680 | |
3 | Origin: https://github.com/FasterXML/jackson-databind//commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935 | |
4 | Bug: https://github.com/FasterXML/jackson-databind/issues/1680 | |
5 | Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095 | |
6 | ||
7 | diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
8 | index 586513ddd..f2244e0c3 100644 | |
9 | --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
10 | +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
11 | @@ -58,6 +58,8 @@ public class BeanDeserializerFactory | |
12 | s.add("org.springframework.beans.factory.ObjectFactory"); | |
13 | s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); | |
14 | s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); | |
15 | + // [databind#1680]: may or may not be problem, take no chance | |
16 | + s.add("com.sun.rowset.JdbcRowSetImpl"); | |
17 | DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); | |
18 | } | |
19 | ||
20 | -- | |
21 | 2.15.0.rc2 | |
22 |
0 | From: Tatu Saloranta <tatu.saloranta@iki.fi> | |
1 | Date: Thu, 17 Aug 2017 15:12:47 -0700 | |
2 | Subject: Fix #1737 | |
3 | Origin: https://github.com/FasterXML/jackson-databind//commit/ddfddfba6414adbecaff99684ef66eebd3a92e92 | |
4 | Bug: https://github.com/FasterXML/jackson-databind/issues/1737 | |
5 | Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095 | |
6 | ||
7 | diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
8 | index 9850cf75c..9301c666a 100644 | |
9 | --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
10 | +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
11 | @@ -49,7 +49,7 @@ public class BeanDeserializerFactory | |
12 | static { | |
13 | Set<String> s = new HashSet<>(); | |
14 | // Courtesy of [https://github.com/kantega/notsoserial]: | |
15 | - // (and wrt [databind#1599] | |
16 | + // (and wrt [databind#1599]) | |
17 | s.add("org.apache.commons.collections.functors.InvokerTransformer"); | |
18 | s.add("org.apache.commons.collections.functors.InstantiateTransformer"); | |
19 | s.add("org.apache.commons.collections4.functors.InvokerTransformer"); | |
20 | @@ -61,6 +61,15 @@ public class BeanDeserializerFactory | |
21 | s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); | |
22 | // [databind#1680]: may or may not be problem, take no chance | |
23 | s.add("com.sun.rowset.JdbcRowSetImpl"); | |
24 | + // [databind#1737]; JDK provided | |
25 | + s.add("java.util.logging.FileHandler"); | |
26 | + s.add("java.rmi.server.UnicastRemoteObject"); | |
27 | + // [databind#1737]; 3rd party | |
28 | + s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); | |
29 | + s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); | |
30 | + s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); | |
31 | + s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); | |
32 | + | |
33 | DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); | |
34 | } | |
35 | ||
36 | diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java | |
37 | index 1906eadb6..8721b9b6a 100644 | |
38 | --- a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java | |
39 | +++ b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java | |
40 | @@ -1,5 +1,6 @@ | |
41 | package com.fasterxml.jackson.databind.interop; | |
42 | ||
43 | +import com.fasterxml.jackson.annotation.JsonTypeInfo; | |
44 | import com.fasterxml.jackson.databind.*; | |
45 | ||
46 | /** | |
47 | @@ -12,12 +13,29 @@ public class IllegalTypesCheckTest extends BaseMapTest | |
48 | public int id; | |
49 | public Object obj; | |
50 | } | |
51 | + | |
52 | + static class PolyWrapper { | |
53 | + @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS, | |
54 | + include = JsonTypeInfo.As.WRAPPER_ARRAY) | |
55 | + public Object v; | |
56 | + } | |
57 | ||
58 | - public void testIssue1599() throws Exception | |
59 | + /* | |
60 | + /********************************************************** | |
61 | + /* Unit tests | |
62 | + /********************************************************** | |
63 | + */ | |
64 | + | |
65 | + private final ObjectMapper MAPPER = objectMapper(); | |
66 | + | |
67 | + // // // Tests for [databind#1599] | |
68 | + | |
69 | + public void testXalanTypes1599() throws Exception | |
70 | { | |
71 | + final String clsName = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"; | |
72 | final String JSON = aposToQuotes( | |
73 | "{'id': 124,\n" | |
74 | -+" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n" | |
75 | ++" 'obj':[ '"+clsName+"',\n" | |
76 | +" {\n" | |
77 | +" 'transletBytecodes' : [ 'AAIAZQ==' ],\n" | |
78 | +" 'transletName' : 'a.b',\n" | |
79 | @@ -32,9 +50,75 @@ public class IllegalTypesCheckTest extends BaseMapTest | |
80 | mapper.readValue(JSON, Bean1599.class); | |
81 | fail("Should not pass"); | |
82 | } catch (JsonMappingException e) { | |
83 | - verifyException(e, "Illegal type"); | |
84 | - verifyException(e, "to deserialize"); | |
85 | - verifyException(e, "prevented for security reasons"); | |
86 | + _verifySecurityException(e, clsName); | |
87 | + } | |
88 | + } | |
89 | + | |
90 | + // // // Tests for [databind#1737] | |
91 | + | |
92 | + public void testJDKTypes1737() throws Exception | |
93 | + { | |
94 | + _testTypes1737(java.util.logging.FileHandler.class); | |
95 | + _testTypes1737(java.rmi.server.UnicastRemoteObject.class); | |
96 | + } | |
97 | + | |
98 | + // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too, | |
99 | + // but would require adding dependencies. This may be practical when | |
100 | + // checking done by module, but for now let's not do that for databind. | |
101 | + | |
102 | + /* | |
103 | + public void testSpringTypes1737() throws Exception | |
104 | + { | |
105 | + _testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); | |
106 | + _testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean"); | |
107 | + } | |
108 | + | |
109 | + public void testC3P0Types1737() throws Exception | |
110 | + { | |
111 | + _testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); | |
112 | + _testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); | |
113 | + } | |
114 | + */ | |
115 | + | |
116 | + private void _testTypes1737(Class<?> nasty) throws Exception { | |
117 | + _testTypes1737(nasty.getName()); | |
118 | + } | |
119 | + | |
120 | + private void _testTypes1737(String clsName) throws Exception | |
121 | + { | |
122 | + // While usually exploited via default typing let's not require | |
123 | + // it here; mechanism still the same | |
124 | + String json = aposToQuotes( | |
125 | + "{'v':['"+clsName+"','/tmp/foobar.txt']}" | |
126 | + ); | |
127 | + try { | |
128 | + MAPPER.readValue(json, PolyWrapper.class); | |
129 | + fail("Should not pass"); | |
130 | + } catch (JsonMappingException e) { | |
131 | + _verifySecurityException(e, clsName); | |
132 | + } | |
133 | + } | |
134 | + | |
135 | + protected void _verifySecurityException(Throwable t, String clsName) throws Exception | |
136 | + { | |
137 | + // 17-Aug-2017, tatu: Expected type more granular in 2.9 (over 2.8) | |
138 | + _verifyException(t, JsonMappingException.class, | |
139 | + "Illegal type", | |
140 | + "to deserialize", | |
141 | + "prevented for security reasons"); | |
142 | + verifyException(t, clsName); | |
143 | + } | |
144 | + | |
145 | + protected void _verifyException(Throwable t, Class<?> expExcType, | |
146 | + String... patterns) throws Exception | |
147 | + { | |
148 | + Class<?> actExc = t.getClass(); | |
149 | + if (!expExcType.isAssignableFrom(actExc)) { | |
150 | + fail("Expected Exception of type '"+expExcType.getName()+"', got '" | |
151 | + +actExc.getName()+"', message: "+t.getMessage()); | |
152 | + } | |
153 | + for (String pattern : patterns) { | |
154 | + verifyException(t, pattern); | |
155 | } | |
156 | } | |
157 | } | |
158 | -- | |
159 | 2.15.0.rc2 | |
160 |
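Review bot: `_testTypes1737(String)` hands every blocked type the constructor argument `'/tmp/foobar.txt'`, so if the illegal-types check ever regresses for `java.util.logging.FileHandler` the test still fails through `fail("Should not pass")`, but presumably only after the single-String creator has opened a log file on the test host, which is a side effect a unit test should not carry. A path that cannot be opened, or one under a temp directory the test creates and deletes, keeps a regression cleanly contained. The helper would also benefit from a one-line comment stating its contract, e.g. `// Asserts that a payload naming clsName via @JsonTypeInfo(CLASS) is rejected by the illegal-types check before any instance is constructed.` The `IllegalTypesCheckTest` class header and `BaseMapTest` helpers such as `verifyException` lie outside the hunk, so I cannot confirm what else the fixture does.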
0 | From: Markus Koschany <apo@debian.org> | |
1 | Date: Sat, 27 Jan 2018 20:16:02 +0100 | |
2 | Subject: CVE-2017-17485 | |
3 | ||
4 | Bug-Debian: https://bugs.debian.org/888318 | |
5 | Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855 | |
6 | Origin: https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d | |
7 | Origin: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf | |
8 | Origin: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd | |
9 | --- | |
10 | .../databind/deser/BeanDeserializerFactory.java | 37 +++++++++++++++++++--- | |
11 | 1 file changed, 32 insertions(+), 5 deletions(-) | |
12 | ||
13 | diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
14 | index c536b46..9b56b08 100644 | |
15 | --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
16 | +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
17 | @@ -38,6 +38,8 @@ public class BeanDeserializerFactory | |
18 | { | |
19 | private static final long serialVersionUID = 1; | |
20 | ||
21 | + protected final static String PREFIX_STRING = "org.springframework."; | |
22 | + | |
23 | /** | |
24 | * Signature of <b>Throwable.initCause</b> method. | |
25 | */ | |
26 | @@ -75,6 +77,9 @@ public class BeanDeserializerFactory | |
27 | s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); | |
28 | s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); | |
29 | s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); | |
30 | + // [databind#1855]: more 3rd party | |
31 | + s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); | |
32 | + s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); | |
33 | // [databind#1899]: more 3rd party | |
34 | s.add("org.hibernate.jmx.StatisticsService"); | |
35 | s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"); | |
36 | @@ -932,11 +937,33 @@ public class BeanDeserializerFactory | |
37 | { | |
38 | // There are certain nasty classes that could cause problems, mostly | |
39 | // via default typing -- catch them here. | |
40 | - String full = type.getRawClass().getName(); | |
41 | ||
42 | - if (_cfgIllegalClassNames.contains(full)) { | |
43 | - throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); | |
44 | - } | |
45 | - } | |
46 | + final Class<?> raw = type.getRawClass(); | |
47 | + String full = raw.getName(); | |
48 | + | |
49 | + main_check: | |
50 | + do { | |
51 | + if (_cfgIllegalClassNames.contains(full)) { | |
52 | + break; | |
53 | + } | |
54 | + | |
55 | + // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling | |
56 | + // for some Spring framework types | |
57 | + if (full.startsWith(PREFIX_STRING)) { | |
58 | + for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) { | |
59 | + String name = cls.getSimpleName(); | |
60 | + // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? | |
61 | + if ("AbstractPointcutAdvisor".equals(name) | |
62 | + // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts | |
63 | + || "AbstractApplicationContext".equals(name)) { | |
64 | + break main_check; | |
65 | + } | |
66 | + } | |
67 | + } | |
68 | + return; | |
69 | + } while (false); | |
70 | + | |
71 | + throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); | |
72 | + } | |
73 | ||
74 | } |
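Review bot: The superclass walk added in the Spring-prefix branch, `for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass())`, dereferences null when `raw` is an interface (or a primitive), because `Class.getSuperclass()` returns null in those cases and null is not `Object.class`; a `org.springframework.`-prefixed interface that is not in `_cfgIllegalClassNames` then fails with a NullPointerException from `cls.getSimpleName()` instead of either returning or raising the intended JsonMappingException. Guard the loop condition: `for (Class<?> cls = raw; cls != null && cls != Object.class; cls = cls.getSuperclass()) {`. As a point of style, the labelled `main_check: do { ... } while (false)` expresses a plain two-way decision; a small boolean helper such as `_isIllegalSpringType(Class<?> raw)` returning true for the two simple names would read more directly and remove the labelled break. The method's signature sits above the hunk, so I cannot see whether abstract or interface types are filtered before this check is reached.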
0 | From: Markus Koschany <apo@debian.org> | |
1 | Date: Sat, 27 Jan 2018 19:00:33 +0100 | |
2 | Subject: CVE-2018-5968 | |
3 | ||
4 | Bug-Debian: https://bugs.debian.org/888316 | |
5 | Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1899 | |
6 | Origin: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 | |
7 | --- | |
8 | .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 3 +++ | |
9 | 1 file changed, 3 insertions(+) | |
10 | ||
11 | diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
12 | index 86b5c08..10ada70 100644 | |
13 | --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
14 | +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | |
15 | @@ -69,6 +69,9 @@ public class BeanDeserializerFactory | |
16 | s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); | |
17 | s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); | |
18 | s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); | |
19 | + // [databind#1899]: more 3rd party | |
20 | + s.add("org.hibernate.jmx.StatisticsService"); | |
21 | + s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"); | |
22 | ||
23 | DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); | |
24 | } |