Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Hi, please unblock package libxstream-java. It fixes CVE-2017-7957, #861521, where unmarshalling attacker-supplied XML containing a `<void/>` element crashes the application (a remote denial of service). +libxstream-java (1.4.9-2) unstable; urgency=medium + + * Fixed CVE-2017-7957: Attempts to create an instance of the primitive + type 'void' during unmarshalling lead to a remote application crash. + (Closes: #861521) + + -- Emmanuel Bourg <ebo...@apache.org> Tue, 02 May 2017 16:52:35 +0200 https://www.debian.org/security/2017/dsa-3841 unblock libxstream-java/1.4.9-2 Regards, Salvatore
diff -Nru libxstream-java-1.4.9/debian/changelog libxstream-java-1.4.9/debian/changelog
--- libxstream-java-1.4.9/debian/changelog 2016-03-29 12:12:30.000000000 +0200
+++ libxstream-java-1.4.9/debian/changelog 2017-05-02 16:52:35.000000000 +0200
@@ -1,3 +1,11 @@
+libxstream-java (1.4.9-2) unstable; urgency=medium
+
+ * Fixed CVE-2017-7957: Attempts to create an instance of the primitive
+ type 'void' during unmarshalling lead to a remote application crash.
+ (Closes: #861521)
+
+ -- Emmanuel Bourg <ebo...@apache.org> Tue, 02 May 2017 16:52:35 +0200
+
 libxstream-java (1.4.9-1) unstable; urgency=medium
 * New upstream release
diff -Nru libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch
--- libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch 1970-01-01 01:00:00.000000000 +0100
+++ libxstream-java-1.4.9/debian/patches/CVE-2017-7957.patch 2017-05-02 16:49:06.000000000 +0200
@@ -0,0 +1,97 @@
+Description: Fixes CVE-2017-7957: When a certain denyTypes workaround is not
+ used, XStream mishandles attempts to create an instance of the primitive type
+ 'void' during unmarshalling, leading to a remote application crash, as
+ demonstrated by an xstream.fromXML("<void/>") call.
+Origin: backport, https://github.com/x-stream/xstream/commit/b3570be
+Bug-Debian: https://bugs.debian.org/861521
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+@@ -78,14 +78,18 @@
+ throw ex;
+ }
+ ErrorWritingException ex = null;
+- try {
+- return unsafe.allocateInstance(type);
+- } catch (SecurityException e) {
+- ex = new ObjectAccessException("Cannot construct type", e);
+- } catch (InstantiationException e) {
+- ex = new ConversionException("Cannot construct type", e);
+- } catch (IllegalArgumentException e) {
+- ex = new ObjectAccessException("Cannot construct type", e);
++ if (type == void.class || type == Void.class) {
++ ex = new ConversionException("Type void cannot have an instance");
++ } else {
++ try {
++ return unsafe.allocateInstance(type);
++ } catch (final SecurityException e) {
++ ex = new ObjectAccessException("Cannot construct type", e);
++ } catch (final InstantiationException e) {
++ ex = new ConversionException("Cannot construct type", e);
++ } catch (final IllegalArgumentException e) {
++ ex = new ObjectAccessException("Cannot construct type", e);
++ }
+ }
+ ex.add("construction-type", type.getName());
+ throw ex;
+--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
++++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+@@ -8,8 +8,9 @@
+
+ import com.thoughtworks.xstream.core.util.Primitives;
+
++
+ /**
+- * Permission for any primitive type and its boxed counterpart (incl. void).
++ * Permission for any primitive type and its boxed counterpart (excl. void).
+ *
+ * @author Jörg Schaible
+ * @since 1.4.7
+@@ -21,7 +22,8 @@
+ public static final TypePermission PRIMITIVES = new PrimitiveTypePermission();
+
+ public boolean allows(Class type) {
+- return type != null && type.isPrimitive() || Primitives.isBoxed(type);
++ return type != null && type != void.class && type != Void.class && type.isPrimitive()
++ || Primitives.isBoxed(type);
+ }
+
+ public int hashCode() {
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -13,9 +13,12 @@
+ import java.beans.EventHandler;
+
+ import com.thoughtworks.xstream.XStreamException;
++import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
++import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+
++
+ /**
+ * @author Jörg Schaible
+ */
+@@ -80,4 +83,23 @@
+ BUFFER.append("Executed!");
+ }
+ }
++
++ public void testDeniedInstanceOfVoid() {
++ try {
++ xstream.fromXML("<void/>");
++ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
++ }
++ }
++
++ public void testAllowedInstanceOfVoid() {
++ xstream.allowTypes(void.class, Void.class);
++ try {
++ xstream.fromXML("<void/>");
++ fail("Thrown " + ConversionException.class.getName() + " expected");
++ } catch (final ConversionException e) {
++ assertEquals("void", e.get("construction-type"));
++ }
++ }
+ }
diff -Nru libxstream-java-1.4.9/debian/patches/series libxstream-java-1.4.9/debian/patches/series
--- libxstream-java-1.4.9/debian/patches/series 2016-03-29 11:26:24.000000000 +0200
+++ libxstream-java-1.4.9/debian/patches/series 2017-05-02 16:27:42.000000000 +0200
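Review bot: In the `PrimitiveTypePermission.allows` change (the `@@ -21,7 +22,8 @@` hunk inside the patch) the new `type != Void.class` term can never decide anything, because `Void.class.isPrimitive()` is false and the term sits on the `&&` chain; whether `java.lang.Void` stays permitted by default is settled by `Primitives.isBoxed(type)` on the `||` branch, which the patch does not touch, so the `(excl. void)` Javadoc is only true if `Primitives` does not pair `void` with `Void` — if it does, move the check onto that branch: `|| (type != Void.class && Primitives.isBoxed(type))`. The provider-side guard in `SunLimitedUnsafeReflectionProvider` is what protects deployments with no security framework configured (the `ForbiddenClassException` expected by `testDeniedInstanceOfVoid` presumably comes from a framework set up outside the hunk), and it only covers this provider, so any other `ReflectionProvider` in the tree that reaches `Unsafe.allocateInstance` directly would need the same `void.class` check. The enclosing method of the first Java hunk starts before the hunk, so earlier paths to `allocateInstance` cannot be confirmed from here.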
@@ -1 +1,2 @@
 01-java7-compatibility.patch
+CVE-2017-7957.patch