patch for CVE-2021-29505 Hideki Yamane authored 2 years ago Markus Koschany committed 2 years ago
3 changed file(s) with 51 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
0 libxstream-java (1.4.15-3) unstable; urgency=medium
1
2 * Team upload.
3 * debian/patches
4 - Add 0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch to
5 deal with CVE-2021-29505 (Closes: 98949)
6
7 For more detail, see
8 https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
9
10 -- Hideki Yamane <henrich@debian.org> Thu, 17 Jun 2021 21:45:48 +0900
11
012 libxstream-java (1.4.15-2) unstable; urgency=high
113
214 * Team upload.
0 From: Hideki Yamane <henrich@debian.org>
1 Date: Thu, 17 Jun 2021 21:42:35 +0900
2 Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491)
3
4 See https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227
5 ---
6 xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++--
7 1 file changed, 4 insertions(+), 2 deletions(-)
8
9 diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
10 index b5e43af..7a166ca 100644
11 --- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
12 +++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
13 @@ -336,11 +336,13 @@ public class XStream {
14 private static final Pattern IGNORE_ALL = Pattern.compile(".*");
15 private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
16 private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
17 + private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*");
18 private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
19 private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
20 private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
21 "javafx\\.collections\\.ObservableList\\$.*");
22 private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
23 + private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*");
24 private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
25
26 /**
27 @@ -657,8 +659,8 @@ public class XStream {
28 "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
29 "sun.swing.SwingLazyValue"});
30 denyTypesByRegExp(new Pattern[]{
31 - LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
32 - JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
33 + LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
34 + JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
35 denyTypeHierarchy(InputStream.class);
36 denyTypeHierarchyDynamically("java.nio.channels.Channel");
37 denyTypeHierarchyDynamically("javax.activation.DataSource");
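Review bot: The bug number in the patch's Subject line, `Closes:#989491`, does not match the `(Closes: 98949)` in the changelog entry and the `Closes-98949` in the patch filename; one of these looks truncated, and since the changelog's Closes field is what the Debian tooling parses to close the bug, it should be reconciled before upload. The patch header is git-format-patch style with only a bare `See <url>` line; a DEP-3 header along the lines of `Origin: backport, https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227` and `Bug-Debian: https://bugs.debian.org/<bug number, once confirmed>` would let tooling track the upstream origin and the bug. On the code itself, the new `LAZY_ENUMERATORS` and `JAVA_RMI` patterns only extend the regexp deny list built in the default security setup, so like the rest of that list they cover the known gadget types rather than every possible one; it would be worth a sentence in the changelog reminding consumers that applications deserializing untrusted input should still configure an explicit allow-list (`allowTypes`/`allowTypesByWildcard`) rather than rely on the defaults alone. The method enclosing the second hunk begins and ends outside the quoted hunk.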
00 01-java7-compatibility.patch
11 02-disable-beastax-driver.patch
22 CVE-2021-21341-to-CVE-2021-21351.patch
3 0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch