Codebase list libxstream-java / 0cfdd47
Add debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch Hideki Yamane 2 years ago
2 changed file(s) with 39 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
+38
-0
debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch less more
0 From: Hideki Yamane <henrich@debian.org>
1 Date: Thu, 17 Jun 2021 21:42:35 +0900
2 Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
3
4 See https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
5 ---
6 xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
7 1 file changed, 4 insertions(+), 2 deletions(-)
8
9 diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
10 index b5e43af..7a166ca 100644
11 --- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
12 +++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
13 @@ -336,11 +336,13 @@ public class XStream {
14 private static final Pattern IGNORE_ALL = Pattern.compile(".*");
15 private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
16 private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
17 + private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
18 private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
19 private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
20 private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
21 "javafx\\.collections\\.ObservableList\\$.*");
22 private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
23 + private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
24 private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
25
26 /**
27 @@ -657,8 +659,8 @@ public class XStream {
28 "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
29 "sun.swing.SwingLazyValue"});
30 denyTypesByRegExp(new Pattern[]{
31 - LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
32 - JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
33 + LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
34 + JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
35 denyTypeHierarchy(InputStream.class);
36 denyTypeHierarchyDynamically("java.nio.channels.Channel");
37 denyTypeHierarchyDynamically("javax.activation.DataSource");
+1
-0
debian/patches/series less more
11 CVE-2020-26217.patch
22 CVE-2020-26258.patch
33 CVE-2020-26259.patch
4 0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch