Commit 735f1214aad6ba873c10b6dc62ead1a1bea1e779 - libxstream-java

Update: properly applied to buster code Accidentally it was committed as patch for unstable without changes, so now I should fix it. Hideki Yamane 2 years ago

1 changed file(s) with 17 addition(s) and 22 deletion(s). Raw diff Collapse all Expand all

+17

-22

debian/patches/0004-Fix-CVE-2021-29505-from-upstream-commit-Closes-98949.patch less more

6	6	xstream/src/java/com/thoughtworks/xstream/XStream.java \| 6 ++++--
7	7	1 file changed, 4 insertions(+), 2 deletions(-)
8	8
9		diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
10		index b5e43af..7a166ca 100644
11		--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
12		+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
13		@@ -336,11 +336,13 @@ public class XStream {
	9	Index: libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java
	10	===================================================================
	11	--- libxstream-java.orig/xstream/src/java/com/thoughtworks/xstream/XStream.java
	12	+++ libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java
	13	@@ -354,8 +354,10 @@ public class XStream {
	14
	15	private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
14	16	private static final Pattern IGNORE_ALL = Pattern.compile(".*");
15		private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
16		private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
17	17	+ private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".\\.Lazy(?:Search)?Enumeration.");
18	18	private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
19		private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
20		private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
21		"javafx\\.collections\\.ObservableList\\$.*");
22	19	private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
23	20	+ private static final Pattern JAVA_RMI = Pattern.compile("(?:java\|sun)\\.rmi\\..*");
24		private static final Pattern BCEL_CL = Pattern.compile(".\\.bcel\\..\\.util\\.ClassLoader");
	21	private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
25	22
26	23	/**
27		@@ -657,8 +659,8 @@ public class XStream {
28		"sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
29		"sun.swing.SwingLazyValue"});
30		denyTypesByRegExp(new Pattern[]{
31		- LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
32		- JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
33		+ LAZY_ITERATORS, LAZY_ENUMERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVA_RMI, JAVAX_CRYPTO,
34		+ JAXWS_ITERATORS, JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
35		denyTypeHierarchy(InputStream.class);
36		denyTypeHierarchyDynamically("java.nio.channels.Channel");
37		denyTypeHierarchyDynamically("javax.activation.DataSource");
	24	@@ -710,7 +712,7 @@ public class XStream {
	25	java.beans.EventHandler.class,
	26	java.lang.ProcessBuilder.class,
	27	java.lang.Void.class, void.class });
	28	- denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
	29	+ denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM, LAZY_ENUMERATORS,JAVA_RMI});
	30	allowTypeHierarchy(Exception.class);
	31	securityInitialized = false;
	32	}