Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Dear release team, I would like to update jackson-databind in Stretch. It is currently affected by 20 CVEs which the security team has deemed no-dsa. I have added a patch that extends the blacklist to block more classes from polymorphic deserialization. Regards, Markus
diff -Nru jackson-databind-2.8.6/debian/changelog jackson-databind-2.8.6/debian/changelog
--- jackson-databind-2.8.6/debian/changelog 2019-10-05 19:21:48.000000000 +0200
+++ jackson-databind-2.8.6/debian/changelog 2020-07-09 16:42:01.000000000 +0200
@@ -1,3 +1,16 @@
+jackson-databind (2.8.6-1+deb9u7) stretch; urgency=medium
+
+ * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from
+ polymorphic deserialization.
+ This fixes 20 CVE that currently affect the package namely,
+ CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+ CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620,
+ CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111,
+ CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672,
+ CVE-2019-20330, CVE-2019-17531 and CVE-2019-17267.
+
+ -- Markus Koschany <a...@debian.org> Thu, 09 Jul 2020 16:42:01 +0200
+
 jackson-databind (2.8.6-1+deb9u6) stretch-security; urgency=high
 * Fix CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
diff -Nru jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch
--- jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch 1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch 2020-07-09 16:42:01.000000000 +0200
@@ -0,0 +1,189 @@
+From: Markus Koschany <a...@debian.org>
+Date: Thu, 9 Jul 2020 16:39:09 +0200
+Subject: multiple CVE BeanDeserializerFactory
+
+This is the fix for
+CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619,
+CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968,
+CVE-2020-10673, CVE-2020-10672, CVE-2019-20330, CVE-2019-17531 and
+CVE-2019-17267.
+---
+ .../databind/deser/BeanDeserializerFactory.java | 109 ++++++++++++++++++---
+ 1 file changed, 96 insertions(+), 13 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 77d426c..a594f08 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -54,6 +54,7 @@ public class BeanDeserializerFactory
+ Set<String> s = new HashSet<>();
+ // Courtesy of [https://github.com/kantega/notsoserial]:
+ // (and wrt [databind#1599])
++
+ s.add("org.apache.commons.collections.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+ s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+@@ -69,10 +70,14 @@ public class BeanDeserializerFactory
+ s.add("java.util.logging.FileHandler");
+ s.add("java.rmi.server.UnicastRemoteObject");
+ // [databind#1737]; 3rd party
+- s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
++//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+-// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
+-// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
++ // [databind#2680]
++ s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
++ s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
++
++// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
++// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
+ // [databind#1855]: more 3rd party
+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+@@ -82,10 +87,11 @@ public class BeanDeserializerFactory
+ // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
+ s.add("org.apache.ibatis.parsing.XPathParser");
+
+- // [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
+- // and access attempt is made:
+- s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
++ // [databind#2052]: Jodd-db, with jndi/ldap lookup
+ s.add("jodd.db.connection.DataSourceConnectionProvider");
++
++ // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
++ s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+ s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
+
+ // [databind#2097]: some 3rd party, one JDK-bundled
+@@ -94,31 +100,32 @@ public class BeanDeserializerFactory
+ s.add("com.sun.deploy.security.ruleset.DRSHelper");
+ s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
+
+- // [databind#2186]: yet more 3rd party gadgets
++ // [databind#2186], [databind#2670]: yet more 3rd party gadgets
+ s.add("org.jboss.util.propertyeditor.DocumentEditor");
+ s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
+ s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
++ s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
+ s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+
+- // [databind#2326] (2.9.9): one more 3rd party gadget
++ // [databind#2326] (2.9.9)
+ s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+
+- // [databind#2334]: logback-core
++ // [databind#2334]: logback-core (2.9.9.1)
+ s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+
+- // [databind#2341]: jdom/jdom2
++ // [databind#2341]: jdom/jdom2 (2.9.9.1)
+ s.add("org.jdom.transform.XSLTransformer");
+ s.add("org.jdom2.transform.XSLTransformer");
+
+- // [databind#2387]: EHCache
++ // [databind#2387], [databind#2460]: EHCache
+ s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
++ s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
+
+ // [databind#2389]: logback/jndi
+ s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+
+ // [databind#2410]: HikariCP/metricRegistry config
+ s.add("com.zaxxer.hikari.HikariConfig");
+-
+ // [databind#2449]: and sub-class thereof
+ s.add("com.zaxxer.hikari.HikariDataSource");
+
+@@ -129,13 +136,89 @@ public class BeanDeserializerFactory
+ s.add("org.apache.commons.configuration.JNDIConfiguration");
+ s.add("org.apache.commons.configuration2.JNDIConfiguration");
+
+- // [databind#2469]: xalan2
++ // [databind#2469]: xalan
+ s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
++ // [databind#2704]: xalan2
++ s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
+
+ // [databind#2478]: comons-dbcp, p6spy
++ s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
+ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+ s.add("com.p6spy.engine.spy.P6DataSource");
+
++ // [databind#2498]: log4j-extras (1.2)
++ s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
++ s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
++
++ // [databind#2526]: some more ehcache
++ s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
++ s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
++
++ // [databind#2620]: xbean-reflect
++ s.add("org.apache.xbean.propertyeditor.JndiConverter");
++
++ // [databind#2631]: shaded hikari-config
++ s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
++
++ // [databind#2634]: ibatis-sqlmap, anteros-core
++ s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
++ s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
++
++ // [databind#2642]: javax.swing (jdk)
++ s.add("javax.swing.JEditorPane");
++
++ // [databind#2648], [databind#2653]: shire-core
++ s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
++ s.add("org.apache.shiro.jndi.JndiObjectFactory");
++
++ // [databind#2658]: ignite-jta (, quartz-core)
++ s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
++ s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
++ s.add("org.quartz.utils.JNDIConnectionProvider");
++
++ // [databind#2659]: aries.transaction.jms
++ s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
++ s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
++
++ // [databind#2660]: caucho-quercus
++ s.add("com.caucho.config.types.ResourceRef");
++
++ // [databind#2662]: aoju/bus-proxy
++ s.add("org.aoju.bus.proxy.provider.RmiProvider");
++ s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
++
++ // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
++
++ s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
++ s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
++ s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
++ s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
++ s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
++ s.add("org.apache.activemq.pool.PooledConnectionFactory");
++ s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
++ s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
++ s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
++ // [databind#2666]: apache/commons-jms
++ s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
++
++ // [databind#2682]: commons-jelly
++ s.add("org.apache.commons.jelly.impl.Embedded");
++
++ // [databind#2688]: apache/drill
++ s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
++ // [databind#2698]: weblogic w/ oracle/aq-jms
++ // (note: dependency not available via Maven Central, but as part of
++ // weblogic installation, possibly fairly old version(s))
++ s.add("oracle.jms.AQjmsQueueConnectionFactory");
++ s.add("oracle.jms.AQjmsXATopicConnectionFactory");
++ s.add("oracle.jms.AQjmsTopicConnectionFactory");
++ s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
++ s.add("oracle.jms.AQjmsXAConnectionFactory");
++
++ // [databind#2764]: org.jsecurity:
++ s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
diff -Nru jackson-databind-2.8.6/debian/patches/series jackson-databind-2.8.6/debian/patches/series
--- jackson-databind-2.8.6/debian/patches/series 2019-10-05 19:21:48.000000000 +0200
+++ jackson-databind-2.8.6/debian/patches/series 2020-07-09 16:42:01.000000000 +0200
@@ -11,3 +11,4 @@
 CVE-2018-19360.patch
 CVE-2019-12086.patch
 polymorphic-typing-issues.patch
+multiple-CVE-BeanDeserializerFactory.patch
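Review bot: The inner `@@ -69,10 +70,14 @@` hunk of the new patch file de-lists a previously blocked class: `s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");` is replaced by a commented-out line marked "deprecated by [databind#1855]". Upstream could retire that exact-name entry because, as far as I recall, #1855 added a superclass-walking check in its subtype validator; nothing in this patch adds an equivalent to 2.8.6, so unless an earlier stretch patch already carries it, this security backport narrows coverage rather than only widening it — I would keep the original `s.add(...)` line, or state in the patch header which existing check makes it redundant. It is also worth recording in the header that the list is matched by exact class name, so subclasses and relocated copies are not caught (the hunk itself has to add `org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig` separately from `com.zaxxer.hikari.HikariConfig`), and that it only mitigates deployments that enable default typing. The enclosing static initializer opens before the first inner hunk.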