Source: jsap
Version: 2.1-4
Severity: normal
X-Debbugs-Cc: a...@debian.org

Dear maintainer,
libxstream-java has been upgraded to version 1.4.18. XStream now uses a whitelist as the default for its security framework. For instance jsap will fail when you try to read arguments from a jsap file like:

Before
======

# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
Hi, World!

Now
===

# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Exception in thread "main" com.thoughtworks.xstream.security.ForbiddenClassException: com.martiansoftware.jsap.xml.JSAPConfig
    at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
    at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
    at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
    at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
    at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:133)
    at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1482)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1462)
    at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1333)
    at com.martiansoftware.jsap.xml.JSAPConfig.configure(JSAPConfig.java:42)
    at com.martiansoftware.jsap.JSAP.<init>(JSAP.java:366)
    at com.martiansoftware.jsap.examples.Manual_HelloWorld_9.main(Manual_HelloWorld_9.java:22)

Please find attached a patch that allows all classes from the com.martiansoftware.jsap.xml package.

Regards,

Markus

-- System Information:
Debian Release: 11.0
  APT prefers stable-security
  APT policy: (900, 'stable-security'), (900, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
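The allow-list behaviour the report describes, as an added example that is neither jsap's nor XStream's own code: a stand-in for JSAPXStream with a hypothetical AppConfig class, assumed to live in a package named demo, showing that the same allowTypesByWildcard call the attached patch adds admits the config model while a type outside that package is still refused by XStream 1.4.18 before it is instantiated.

```java
package demo;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;

// Added example, not jsap code: mirrors the patched JSAPXStream constructor.
public class AllowListDemo {

    // Hypothetical config model, standing in for JSAPConfig and friends.
    public static class AppConfig {
        public String name;
    }

    // Same shape as the patched JSAPXStream constructor.
    static XStream newXStream() {
        XStream xs = new XStream(new DomDriver());
        // Permit only the package that holds the config model. Without this
        // call, XStream 1.4.18 rejects AppConfig with ForbiddenClassException,
        // exactly as the stack trace in the report shows for JSAPConfig.
        xs.allowTypesByWildcard(new String[] {
            AllowListDemo.class.getPackage().getName() + ".*"
        });
        xs.alias("app", AppConfig.class);
        return xs;
    }

    static AppConfig load(String xml) {
        return (AppConfig) newXStream().fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample input: an aliased element from the allowed package.
        AppConfig cfg = load("<app><name>hello</name></app>");
        System.out.println("parsed name = " + cfg.name);

        // A class outside the allow list is refused by SecurityMapper.realClass
        // before any object of that type is created.
        try {
            newXStream().fromXML("<java.lang.Thread/>");
            System.out.println("unexpected: type was allowed");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```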
diff -Nru jsap-2.1/debian/changelog jsap-2.1/debian/changelog --- jsap-2.1/debian/changelog 2021-08-15 14:19:53.000000000 +0200 +++ jsap-2.1/debian/changelog 2021-09-27 22:36:22.000000000 +0200 @@ -1,3 +1,10 @@ +jsap (2.1-4.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * + + -- Markus Koschany <a...@debian.org> Mon, 27 Sep 2021 22:36:22 +0200 + jsap (2.1-4) unstable; urgency=medium * Setting Salsa VCS paths diff -Nru jsap-2.1/debian/patches/series jsap-2.1/debian/patches/series --- jsap-2.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ jsap-2.1/debian/patches/series 2021-09-27 22:36:22.000000000 +0200 @@ -0,0 +1 @@ +xstream-1.4.18.patch diff -Nru jsap-2.1/debian/patches/xstream-1.4.18.patch jsap-2.1/debian/patches/xstream-1.4.18.patch --- jsap-2.1/debian/patches/xstream-1.4.18.patch 1970-01-01 01:00:00.000000000 +0100 +++ jsap-2.1/debian/patches/xstream-1.4.18.patch 2021-09-27 22:36:22.000000000 +0200 @@ -0,0 +1,20 @@ +From: Markus Koschany <a...@debian.org> +Date: Mon, 27 Sep 2021 22:35:30 +0200 +Subject: xstream 1.4.18 + +--- + src/java/com/martiansoftware/jsap/xml/JSAPXStream.java | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java b/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java +index 5f19a37..2206d63 100644 +--- a/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java ++++ b/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java +@@ -19,6 +19,7 @@ class JSAPXStream extends XStream { + + public JSAPXStream() { + super(new DomDriver()); ++ allowTypesByWildcard(new String[] {JSAPXStream.class.getPackage().getName()+".*" }); + alias("jsap", JSAPConfig.class); + alias("flaggedOption", FlaggedOptionConfig.class); + alias("unflaggedOption", UnflaggedOptionConfig.class);
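Review bot: the second bullet in the debian/changelog hunk (`+ *`) is empty; give it the one-line summary of what the upload changes, for example `* Add xstream-1.4.18.patch: allow the com.martiansoftware.jsap.xml classes in XStream's security framework, which defaults to a whitelist since 1.4.18.`, so the changelog explains the new patch without the reader having to open it.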
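Review bot: in the JSAPXStream hunk the added `allowTypesByWildcard(new String[] {JSAPXStream.class.getPackage().getName()+".*" });` admits every class in com.martiansoftware.jsap.xml, which is broader than the config classes the constructor aliases on the following lines; that is acceptable if the package holds only the XML config model, otherwise an explicit `allowTypes(new Class[] {JSAPConfig.class, FlaggedOptionConfig.class, UnflaggedOptionConfig.class, ...})` with the remaining aliased classes documents exactly which types the parser may instantiate. The patch header also carries only `Subject: xstream 1.4.18`; a DEP-3 `Description:` stating that XStream 1.4.18 switched to a whitelist and that these types must be allowed, plus a `Bug-Debian:` line for this report, would make the patch self-explanatory.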