Remove CVE-2021-21341-to-CVE-2021-21351.patch Markus Koschany 3 months ago
2 changed file(s) with 0 addition(s) and 145 deletion(s).
+0
-144
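--- a/debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From: Markus Koschany <apo@debian.org>
-Date: Sat, 3 Apr 2021 20:47:22 +0200
-Subject: CVE-2021-21341-to-CVE-2021-21351
-
-Bug-Debian: https://bugs.debian.org/985843
-Origin: https://github.com/x-stream/xstream/commit/d5e51177634afea7213b9dc2d21f101d2e258db9
----
-.../src/java/com/thoughtworks/xstream/XStream.java | 31 +++++++++++++---
-.../acceptance/SecurityVulnerabilityTest.java | 43 ++++++++++++++++++++++
-2 files changed, 69 insertions(+), 5 deletions(-)
-
-diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-index 1d28088..5fcf401 100644
---- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
-+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
-@@ -1,6 +1,6 @@
-/*
-* Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
-- * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream Committers.
-+ * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream Committers.
-* All rights reserved.
-*
-* The software in this package is published under the terms of the BSD
-@@ -36,7 +36,6 @@ import java.net.URL;
-import java.nio.charset.Charset;
-import java.text.DecimalFormatSymbols;
-import java.util.ArrayList;
--import java.util.Arrays;
-import java.util.BitSet;
-import java.util.Calendar;
-import java.util.Collection;
-@@ -354,9 +353,14 @@ public class XStream {
-
-private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
-private static final Pattern IGNORE_ALL = Pattern.compile(".*");
-+ private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
-+ private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
-private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
-+ private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
-+ private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
-+ "javafx\\.collections\\.ObservableList\\$.*");
-private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
-- private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
-+ private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
-
-/**
-* Constructs a default XStream.
-@@ -703,18 +707,35 @@ public class XStream {
-"java.beans.EventHandler",
-"java.lang.ProcessBuilder",
-"javax.imageio.ImageIO$ContainsFilter",
-- "jdk.nashorn.internal.objects.NativeString"});
-+ "jdk.nashorn.internal.objects.NativeString", //
-+ "com.sun.corba.se.impl.activation.ServerTableEntry", //
-+ "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator", //
-+ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
-+ "sun.swing.SwingLazyValue"});
-+ denyTypesByRegExp(new Pattern[]{
-+ LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
-+ JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
-+ denyTypeHierarchy(InputStream.class);
-+ denyTypeHierarchyDynamically("java.nio.channels.Channel");
-+ denyTypeHierarchyDynamically("javax.activation.DataSource");
-+ denyTypeHierarchyDynamically("javax.sql.rowset.BaseRowSet");
-denyTypes(new Class[]{
-java.lang.ProcessBuilder.class,
-jdk.nashorn.internal.objects.NativeString.class,
-java.beans.EventHandler.class,
-java.lang.ProcessBuilder.class,
-java.lang.Void.class, void.class });
-- denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
-allowTypeHierarchy(Exception.class);
-securityInitialized = false;
-}
-
-+ private void denyTypeHierarchyDynamically(String className) {
-+ Class type = JVM.loadClassForName(className);
-+ if (type != null) {
-+ denyTypeHierarchy(type);
-+ }
-+ }
-+
-/**
-* Setup the security framework of a XStream instance.
-* <p>
-diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-index 36b61a1..77c2bb9 100644
---- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
-@@ -11,6 +11,7 @@
-package com.thoughtworks.acceptance;
-
-import java.beans.EventHandler;
-+import java.io.ByteArrayInputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-@@ -271,4 +272,46 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
-}
-}
-}
-+
-+ public void testCannotInjectManipulatedByteArryInputStream() {
-+ xstream.alias("bais", ByteArrayInputStream.class);
-+ System.out.println(Integer.MAX_VALUE);
-+ final String xml = ""
-+ + "<bais>\n"
-+ + " <buf></buf>\n"
-+ + " <pos>-2147483648</pos>\n"
-+ + " <mark>0</mark>\n"
-+ + " <count>0</count>\n"
-+ + "</bais>";
-+
-+ try {
-+ xstream.fromXML(xml);
-+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
-+ } catch (final ForbiddenClassException e) {
-+ assertEquals(e.getMessage(),ByteArrayInputStream.class.getName());
-+ }
-+ }
-+
-+ public void testExplicitlyUnmarshalEndlessByteArryInputStream() {
-+ xstream.alias("bais", ByteArrayInputStream.class);
-+ xstream.allowTypes(new Class[]{ByteArrayInputStream.class});
-+
-+ final String xml = ""
-+ + "<bais>\n"
-+ + " <buf></buf>\n"
-+ + " <pos>-2147483648</pos>\n"
-+ + " <mark>0</mark>\n"
-+ + " <count>0</count>\n"
-+ + "</bais>";
-+
-+ final byte[] data = new byte[10];
-+ final ByteArrayInputStream bais = (ByteArrayInputStream)xstream.fromXML(xml);
-+ int i = 5;
-+ while(bais.read(data, 0, 10) == 0) {
-+ if (--i == 0) {
-+ break;
-+ }
-+ }
-+ assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
-+ }
-}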
00 01-java7-compatibility.patch
11 02-disable-beastax-driver.patch
2 CVE-2021-21341-to-CVE-2021-21351.patch