Codebase list libxstream-java / 383b39c
Fixed CVE-2017-7957: Remote application crash when unmarshalling void types (Closes: #861521) Emmanuel Bourg 6 years ago
3 changed file(s) with 106 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
0 libxstream-java (1.4.9-2) unstable; urgency=medium
1
2 * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
3 type 'void' during unmarshalling lead to a remote application crash.
4 (Closes: #861521)
5
6 -- Emmanuel Bourg <ebourg@apache.org> Tue, 02 May 2017 16:52:35 +0200
7
08 libxstream-java (1.4.9-1) unstable; urgency=medium
19
210 * New upstream release
0 Description: Fixes CVE-2017-7957: When a certain denyTypes workaround is not
1 used, XStream mishandles attempts to create an instance of the primitive type
2 'void' during unmarshalling, leading to a remote application crash, as
3 demonstrated by an xstream.fromXML("<void/>") call.
4 Origin: backport, https://github.com/x-stream/xstream/commit/b3570be
5 Bug-Debian: https://bugs.debian.org/861521
6 --- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
7 +++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
8 @@ -78,14 +78,18 @@
9 throw ex;
10 }
11 ErrorWritingException ex = null;
12 - try {
13 - return unsafe.allocateInstance(type);
14 - } catch (SecurityException e) {
15 - ex = new ObjectAccessException("Cannot construct type", e);
16 - } catch (InstantiationException e) {
17 - ex = new ConversionException("Cannot construct type", e);
18 - } catch (IllegalArgumentException e) {
19 - ex = new ObjectAccessException("Cannot construct type", e);
20 + if (type == void.class || type == Void.class) {
21 + ex = new ConversionException("Type void cannot have an instance");
22 + } else {
23 + try {
24 + return unsafe.allocateInstance(type);
25 + } catch (final SecurityException e) {
26 + ex = new ObjectAccessException("Cannot construct type", e);
27 + } catch (final InstantiationException e) {
28 + ex = new ConversionException("Cannot construct type", e);
29 + } catch (final IllegalArgumentException e) {
30 + ex = new ObjectAccessException("Cannot construct type", e);
31 + }
32 }
33 ex.add("construction-type", type.getName());
34 throw ex;
35 --- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
36 +++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
37 @@ -8,8 +8,9 @@
38
39 import com.thoughtworks.xstream.core.util.Primitives;
40
41 +
42 /**
43 - * Permission for any primitive type and its boxed counterpart (incl. void).
44 + * Permission for any primitive type and its boxed counterpart (excl. void).
45 *
46 * @author J&ouml;rg Schaible
47 * @since 1.4.7
48 @@ -21,7 +22,8 @@
49 public static final TypePermission PRIMITIVES = new PrimitiveTypePermission();
50
51 public boolean allows(Class type) {
52 - return type != null && type.isPrimitive() || Primitives.isBoxed(type);
53 + return type != null && type != void.class && type != Void.class && type.isPrimitive()
54 + || Primitives.isBoxed(type);
55 }
56
57 public int hashCode() {
58 --- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
59 +++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
60 @@ -13,9 +13,12 @@
61 import java.beans.EventHandler;
62
63 import com.thoughtworks.xstream.XStreamException;
64 +import com.thoughtworks.xstream.converters.ConversionException;
65 import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
66 +import com.thoughtworks.xstream.security.ForbiddenClassException;
67 import com.thoughtworks.xstream.security.ProxyTypePermission;
68
69 +
70 /**
71 * @author J&ouml;rg Schaible
72 */
73 @@ -80,4 +83,23 @@
74 BUFFER.append("Executed!");
75 }
76 }
77 +
78 + public void testDeniedInstanceOfVoid() {
79 + try {
80 + xstream.fromXML("<void/>");
81 + fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
82 + } catch (final ForbiddenClassException e) {
83 + // OK
84 + }
85 + }
86 +
87 + public void testAllowedInstanceOfVoid() {
88 + xstream.allowTypes(void.class, Void.class);
89 + try {
90 + xstream.fromXML("<void/>");
91 + fail("Thrown " + ConversionException.class.getName() + " expected");
92 + } catch (final ConversionException e) {
93 + assertEquals("void", e.get("construction-type"));
94 + }
95 + }
96 }
00 01-java7-compatibility.patch
1 CVE-2017-7957.patch