Fixed CVE-2017-7957: Remote application crash when unmarshalling void types (Closes: #861521) Emmanuel Bourg 6 years ago
3 changed file(s) with 84 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
0 libxstream-java (1.4.7-2+deb8u2) jessie-security; urgency=high
1
2 * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
3 type 'void' during unmarshalling lead to a remote application crash.
4 (Closes: #861521)
5
6 -- Emmanuel Bourg <ebourg@apache.org> Tue, 02 May 2017 17:21:00 +0200
7
08 libxstream-java (1.4.7-2+deb8u1) jessie-security; urgency=high
19
210 * Security update:
0 Description: Fixes CVE-2017-7957: When a certain denyTypes workaround is not
1 used, XStream mishandles attempts to create an instance of the primitive type
2 'void' during unmarshalling, leading to a remote application crash, as
3 demonstrated by an xstream.fromXML("<void/>") call.
4 Origin: backport, https://github.com/x-stream/xstream/commit/b3570be
5 Bug-Debian: https://bugs.debian.org/861521
6 --- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
7 +++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
8 @@ -72,6 +72,9 @@
9 if (exception != null) {
10 throw new ObjectAccessException("Cannot construct " + type.getName(), exception);
11 }
12 + if (type == void.class || type == Void.class) {
13 + throw new ObjectAccessException("Type void cannot have an instance");
14 + }
15 try {
16 return unsafe.allocateInstance(type);
17 } catch (SecurityException e) {
18 --- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
19 +++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
20 @@ -9,7 +9,7 @@
21 import com.thoughtworks.xstream.core.util.Primitives;
22
23 /**
24 - * Permission for any primitive type and its boxed counterpart (incl. void).
25 + * Permission for any primitive type and its boxed counterpart (excl. void).
26 *
27 * @author J&ouml;rg Schaible
28 * @since 1.4.7
29 @@ -21,7 +21,8 @@
30 public static final TypePermission PRIMITIVES = new PrimitiveTypePermission();
31
32 public boolean allows(Class type) {
33 - return type != null && type.isPrimitive() || Primitives.isBoxed(type);
34 + return type != null && type != void.class && type != Void.class && type.isPrimitive()
35 + || Primitives.isBoxed(type);
36 }
37
38 public int hashCode() {
39 --- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
40 +++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
41 @@ -13,7 +13,9 @@
42 import java.beans.EventHandler;
43
44 import com.thoughtworks.xstream.XStreamException;
45 +import com.thoughtworks.xstream.converters.ConversionException;
46 import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
47 +import com.thoughtworks.xstream.security.ForbiddenClassException;
48 import com.thoughtworks.xstream.security.ProxyTypePermission;
49
50 /**
51 @@ -80,4 +82,23 @@
52 BUFFER.append("Executed!");
53 }
54 }
55 +
56 + public void testDeniedInstanceOfVoid() {
57 + try {
58 + xstream.fromXML("<void/>");
59 + fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
60 + } catch (final ForbiddenClassException e) {
61 + // OK
62 + }
63 + }
64 +
65 + public void testAllowedInstanceOfVoid() {
66 + xstream.allowTypes(void.class, Void.class);
67 + try {
68 + xstream.fromXML("<void/>");
69 + fail("Thrown " + ConversionException.class.getName() + " expected");
70 + } catch (final ConversionException e) {
71 + assertEquals("void", e.get("construction-type"));
72 + }
73 + }
74 }
00 CVE-2016-3674.patch
1 CVE-2017-7957.patch