Hi Abhijith, hi Markus

On Mon, Jan 08, 2018 at 04:01:17PM +0100, Markus Koschany wrote:
> On 08.01.2018 at 13:32, Abhijith PA wrote:
> > Hello. :)
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1465573#c24 says it affects
> > all 5.x versions. But Debian hasn't shipped this version yet. And the
> > upstream patched files don't exist in 4.3.3 (version in Debian sid).
> > So could you please elaborate on how your research finds 4.3.3 affected?
>
> Hello,
>
> I also had a look at this bug yesterday and I came to the same
> conclusion. The upstream patch doesn't work for the 4.x branch. I am not
> sure if we are affected at all.
First, take my initial post with the note I have written there. I'm not
too familiar with libhibernate-java, and did the following inspection.

The upstream patch is
https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113
which, as you noted, is in the 5.x branch. Looking at 4.3.3-3 in unstable
and the above, it touches private Member getAccessible, which is found in
engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java.
This code is found in unstable
engine/src/main/java/org/hibernate/validator/internal/engine/ValidatorImpl.java:

1418	private Member getAccessible(Member original) {
1419		if ( ( (AccessibleObject) original ).isAccessible() ) {
1420			return original;
1421		}
1422
1423		Member member = accessibleMembers.get( original );
1424
1425		if ( member != null ) {
1426			return member;
1427		}
1428
1429		Class<?> clazz = original.getDeclaringClass();

From my understanding, before continuing in 1429, upstream added in the
5.x branch a call to SecurityManager sm = System.getSecurityManager();,
doing the permission check (note that this has been added newly as a file
as well in the 5.x branch), and then continues in GetDeclaredField.java,
in GetDeclaredField:

40	@Override
41	public Field run() {
42		try {
43			final Field field = clazz.getDeclaredField( fieldName );
44			field.setAccessible( true );
45			return field;
46		}
47		catch ( NoSuchFieldException e ) {
48			return null;
49		}
50	}

So the patched files exist, and a similar code flow is present.

I explicitly have not looked (yet) at 4.0.2.GA which is in jessie (and
wheezy), just the 4.3.3 based versions in stable and unstable.

What do you miss?

Regards,
Salvatore
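An added illustration (not code from hibernate-validator or from anyone in this thread) of why the check has to sit before the privileged block: a getDeclaredField/setAccessible action like the one quoted from 4.3.3, called once bare and once behind a SecurityManager check placed before it, as the 5.x patch does. Secret, Untrusted and ToyManager are constructed for the demo; ToyManager stands in for a real policy by denying suppressAccessChecks whenever Untrusted is on the stack before a doPrivileged frame, the way a policy denies it to a code base it was not granted to, and the check uses the JDK's ReflectPermission rather than the project's own permission class. It assumes a JDK that still ships the SecurityManager (JDK 11 or 17; JDK 18 to 23 need -Djava.security.manager=allow).

```java
import java.lang.reflect.Field;
import java.lang.reflect.ReflectPermission;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;

public class GuardedAccess {
    // Constructed stand-in for a validated bean with a private member.
    static class Secret { private String token = "constructed-sample"; }

    // Unguarded: the flow quoted from 4.3.3. doPrivileged stops the manager's stack walk
    // here, so the library's own privilege is lent to whoever calls this method.
    static Field unguarded(Class<?> clazz, String name) {
        return AccessController.doPrivileged((PrivilegedAction<Field>) () -> {
            try { Field f = clazz.getDeclaredField(name); f.setAccessible(true); return f; }
            catch (NoSuchFieldException e) { return null; }
        });
    }

    // Guarded: the check the 5.x patch adds before continuing. It runs on the caller's
    // stack, outside any privileged block, so the caller must hold the permission itself.
    static Field guarded(Class<?> clazz, String name) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) sm.checkPermission(new ReflectPermission("suppressAccessChecks"));
        return unguarded(clazz, name);
    }

    // Constructed caller that has not been granted suppressAccessChecks.
    static class Untrusted {
        static void run() throws Exception {
            Secret s = new Secret();
            System.out.println("unguarded -> " + unguarded(Secret.class, "token").get(s));
            try { guarded(Secret.class, "token"); System.out.println("guarded -> allowed"); }
            catch (SecurityException e) { System.out.println("guarded -> " + e.getMessage()); }
        }
    }

    // Toy manager: decides by class name instead of code base. suppressAccessChecks is
    // denied if Untrusted is on the stack before a doPrivileged frame ends the walk.
    static class ToyManager extends SecurityManager {
        @Override public void checkPermission(Permission p) {
            if (!(p instanceof ReflectPermission)) return;   // everything else is allowed
            for (Class<?> c : getClassContext()) {
                if (c == AccessController.class) return;     // privileged boundary reached
                if (c == Untrusted.class) throw new SecurityException("denied for Untrusted");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        System.setSecurityManager(new ToyManager());
        Untrusted.run();
    }
}
```

The unguarded call hands Untrusted the private field through the library's privileged block, while the guarded call is refused before the block is ever entered; a real deployment gets the same split from the policy file's per-code-base grants.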