Add debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch
Hideki Yamane
2 years ago
0 | From: Hideki Yamane <henrich@debian.org> | |
1 | Date: Thu, 17 Jun 2021 21:42:35 +0900 | |
2 | Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491) | |
3 | ||
4 | See https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227 | |
5 | --- | |
6 | xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++-- | |
7 | 1 file changed, 4 insertions(+), 2 deletions(-) | |
8 | ||
9 | diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java | |
10 | index b5e43af..7a166ca 100644 | |
11 | --- a/xstream/src/java/com/thoughtworks/xstream/XStream.java | |
12 | +++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java | |
13 | @@ -336,11 +336,13 @@ public class XStream { | |
14 | private static final Pattern IGNORE_ALL = Pattern.compile(".*"); | |
15 | private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection"); | |
16 | private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter"); | |
17 | + private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*"); | |
18 | private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator"); | |
19 | private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator"); | |
20 | private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile( | |
21 | "javafx\\.collections\\.ObservableList\\$.*"); | |
22 | private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*"); | |
23 | + private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*"); | |
24 | private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader"); | |
25 | ||
26 | /** | |
27 | @@ -657,8 +659,8 @@ public class XStream { | |
28 | "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", // | |
29 | "sun.swing.SwingLazyValue"}); | |
30 | denyTypesByRegExp(new Pattern[]{ | |
31 | - LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS, | |
32 | - JAVAFX_OBSERVABLE_LIST__, BCEL_CL}); | |
33 | + LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO, | |
34 | + JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL}); | |
35 | denyTypeHierarchy(InputStream.class); | |
36 | denyTypeHierarchyDynamically("java.nio.channels.Channel"); | |
37 | denyTypeHierarchyDynamically("javax.activation.DataSource"); |
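Review bot: The fix only widens the default denylist — LAZY_ENUMERATORS and JAVA_RMI are appended to the denyTypesByRegExp call in the second hunk — so consumers that rely on XStream's default security setup remain protected by a pattern list rather than an explicit allowlist (allowTypes / allowTypesByWildcard), and the patch header does not record that this scope limitation is inherited from the upstream fix. The free-form `See https://github.com/...` and `(Closes:#989491)` lines would be more useful to tooling as DEP-3 fields, e.g. `Origin: upstream, https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227` and `Bug-Debian: https://bugs.debian.org/989491`. The upstream commit presumably also carries regression tests for the newly denied lazy-enumeration and RMI types, while this patch touches only XStream.java; consider carrying those tests or stating in the header why they were omitted. The method enclosing the second hunk begins before it, and the leading indentation of the quoted Java lines appears lost in this rendering, so verify the patch against the packaged source rather than this view.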