Codebase list libxstream-java / d8022a9
Fix CVE-2021-21341-to-CVE-2021-21351 Markus Koschany 3 years ago
3 changed file(s) with 170 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
+25
-0
debian/changelog less more
0 libxstream-java (1.4.15-2) unstable; urgency=high
1
2 * Team upload.
3 * Fix CVE-2021-21341 to CVE-2021-21351:
4 In XStream there is a vulnerability which may allow a remote attacker to
5 load and execute arbitrary code from a remote host only by manipulating the
6 processed input stream.
7
8 The type hierarchies for java.io.InputStream, java.nio.channels.Channel,
9 javax.activation.DataSource and javax.sql.rowsel.BaseRowSet are now
10 blacklisted as well as the individual types
11 com.sun.corba.se.impl.activation.ServerTableEntry,
12 com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator,
13 sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and
14 sun.swing.SwingLazyValue. Additionally the internal type
15 Accessor$GetterSetterReflection of JAXB, the internal types
16 MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of
17 JAX-WS, all inner classes of javafx.collections.ObservableList and an
18 internal ClassLoader used in a private BCEL copy are now part of the
19 default blacklist and the deserialization of XML containing one of the two
20 types will fail. You will have to enable these types by explicit
21 configuration, if you need them.
22
23 -- Markus Koschany <apo@debian.org> Sat, 03 Apr 2021 19:17:05 +0200
24
025 libxstream-java (1.4.15-1) unstable; urgency=medium
126
227 * Team upload.
+144
-0
debian/patches/CVE-2021-21341-to-CVE-2021-21351.patch less more
0 From: Markus Koschany <apo@debian.org>
1 Date: Sat, 3 Apr 2021 20:47:22 +0200
2 Subject: CVE-2021-21341-to-CVE-2021-21351
3
4 Bug-Debian: https://bugs.debian.org/985843
5 Origin: https://github.com/x-stream/xstream/commit/d5e51177634afea7213b9dc2d21f101d2e258db9
6 ---
7 .../src/java/com/thoughtworks/xstream/XStream.java | 31 +++++++++++++---
8 .../acceptance/SecurityVulnerabilityTest.java | 43 ++++++++++++++++++++++
9 2 files changed, 69 insertions(+), 5 deletions(-)
10
11 diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
12 index 1d28088..5fcf401 100644
13 --- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
14 +++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
15 @@ -1,6 +1,6 @@
16 /*
17 * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes.
18 - * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream Committers.
19 + * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream Committers.
20 * All rights reserved.
21 *
22 * The software in this package is published under the terms of the BSD
23 @@ -36,7 +36,6 @@ import java.net.URL;
24 import java.nio.charset.Charset;
25 import java.text.DecimalFormatSymbols;
26 import java.util.ArrayList;
27 -import java.util.Arrays;
28 import java.util.BitSet;
29 import java.util.Calendar;
30 import java.util.Collection;
31 @@ -354,9 +353,14 @@ public class XStream {
32
33 private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper";
34 private static final Pattern IGNORE_ALL = Pattern.compile(".*");
35 + private static final Pattern GETTER_SETTER_REFLECTION = Pattern.compile(".*\\$GetterSetterReflection");
36 + private static final Pattern PRIVILEGED_GETTER = Pattern.compile(".*\\$PrivilegedGetter");
37 private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
38 + private static final Pattern JAXWS_ITERATORS = Pattern.compile(".*\\$ServiceNameIterator");
39 + private static final Pattern JAVAFX_OBSERVABLE_LIST__ = Pattern.compile(
40 + "javafx\\.collections\\.ObservableList\\$.*");
41 private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
42 - private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
43 + private static final Pattern BCEL_CL = Pattern.compile(".*\\.bcel\\..*\\.util\\.ClassLoader");
44
45 /**
46 * Constructs a default XStream.
47 @@ -703,18 +707,35 @@ public class XStream {
48 "java.beans.EventHandler",
49 "java.lang.ProcessBuilder",
50 "javax.imageio.ImageIO$ContainsFilter",
51 - "jdk.nashorn.internal.objects.NativeString"});
52 + "jdk.nashorn.internal.objects.NativeString", //
53 + "com.sun.corba.se.impl.activation.ServerTableEntry", //
54 + "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator", //
55 + "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", //
56 + "sun.swing.SwingLazyValue"});
57 + denyTypesByRegExp(new Pattern[]{
58 + LAZY_ITERATORS, GETTER_SETTER_REFLECTION, PRIVILEGED_GETTER, JAVAX_CRYPTO, JAXWS_ITERATORS,
59 + JAVAFX_OBSERVABLE_LIST__, BCEL_CL});
60 + denyTypeHierarchy(InputStream.class);
61 + denyTypeHierarchyDynamically("java.nio.channels.Channel");
62 + denyTypeHierarchyDynamically("javax.activation.DataSource");
63 + denyTypeHierarchyDynamically("javax.sql.rowset.BaseRowSet");
64 denyTypes(new Class[]{
65 java.lang.ProcessBuilder.class,
66 jdk.nashorn.internal.objects.NativeString.class,
67 java.beans.EventHandler.class,
68 java.lang.ProcessBuilder.class,
69 java.lang.Void.class, void.class });
70 - denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
71 allowTypeHierarchy(Exception.class);
72 securityInitialized = false;
73 }
74
75 + private void denyTypeHierarchyDynamically(String className) {
76 + Class type = JVM.loadClassForName(className);
77 + if (type != null) {
78 + denyTypeHierarchy(type);
79 + }
80 + }
81 +
82 /**
83 * Setup the security framework of a XStream instance.
84 * <p>
85 diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
86 index 36b61a1..77c2bb9 100644
87 --- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
88 +++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
89 @@ -11,6 +11,7 @@
90 package com.thoughtworks.acceptance;
91
92 import java.beans.EventHandler;
93 +import java.io.ByteArrayInputStream;
94 import java.io.File;
95 import java.io.FileOutputStream;
96 import java.io.IOException;
97 @@ -271,4 +272,46 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
98 }
99 }
100 }
101 +
102 + public void testCannotInjectManipulatedByteArryInputStream() {
103 + xstream.alias("bais", ByteArrayInputStream.class);
104 + System.out.println(Integer.MAX_VALUE);
105 + final String xml = ""
106 + + "<bais>\n"
107 + + " <buf></buf>\n"
108 + + " <pos>-2147483648</pos>\n"
109 + + " <mark>0</mark>\n"
110 + + " <count>0</count>\n"
111 + + "</bais>";
112 +
113 + try {
114 + xstream.fromXML(xml);
115 + fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
116 + } catch (final ForbiddenClassException e) {
117 + assertEquals(e.getMessage(),ByteArrayInputStream.class.getName());
118 + }
119 + }
120 +
121 + public void testExplicitlyUnmarshalEndlessByteArryInputStream() {
122 + xstream.alias("bais", ByteArrayInputStream.class);
123 + xstream.allowTypes(new Class[]{ByteArrayInputStream.class});
124 +
125 + final String xml = ""
126 + + "<bais>\n"
127 + + " <buf></buf>\n"
128 + + " <pos>-2147483648</pos>\n"
129 + + " <mark>0</mark>\n"
130 + + " <count>0</count>\n"
131 + + "</bais>";
132 +
133 + final byte[] data = new byte[10];
134 + final ByteArrayInputStream bais = (ByteArrayInputStream)xstream.fromXML(xml);
135 + int i = 5;
136 + while(bais.read(data, 0, 10) == 0) {
137 + if (--i == 0) {
138 + break;
139 + }
140 + }
141 + assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
142 + }
143 }
+1
-0
debian/patches/series less more
00 01-java7-compatibility.patch
11 02-disable-beastax-driver.patch
2 CVE-2021-21341-to-CVE-2021-21351.patch