diff options
| author | Sudip Mukherjee <sudipm.mukherjee@gmail.com> | 2020-09-19 20:20:21 +0100 |
|---|---|---|
| committer | git-ubuntu importer <ubuntu-devel-discuss@lists.ubuntu.com> | 2020-09-20 04:31:16 +0000 |
| commit | 838259458d5b41c2ce0f6708b7a6cd7a8f6e5590 (patch) | |
| tree | 8032e8a59d3fb9031ad38129c43fd558cb36a205 | |
| parent | 9edd5b4046839d966efae451713323d382186164 (diff) | |
1.9.13-2 (patches unapplied)HEADimport/1.9.13-2ubuntu/stonking-develubuntu/stonkingubuntu/resolute-develubuntu/resoluteubuntu/questing-develubuntu/questingubuntu/plucky-develubuntu/pluckyubuntu/oracular-develubuntu/oracularubuntu/noble-develubuntu/nobleubuntu/mantic-develubuntu/manticubuntu/lunar-develubuntu/lunarubuntu/kinetic-develubuntu/kineticubuntu/jammy-develubuntu/jammyubuntu/impish-develubuntu/impishubuntu/hirsute-proposedubuntu/hirsute-develubuntu/hirsuteubuntu/develdebian/siddebian/bullseyedebian/bookworm
Imported using git-ubuntu import.
Notes
Notes:
* Team upload.
* Add upstream fixes.
- Serializing types for deeply nested Maps.
- Set Secure Processing flag on DocumentBuilderFactory.
- Set setExpandEntityReferences(false). (Fixes: CVE-2019-10172)
- WriteRawValue surrogate pair fix.
- Fix deserialization.
- All known security fixes. (Fixes: CVE-2017-15095 and CVE-2017-7525)
* Update Standards-Version to 4.5.0
* Use debhelper-compat.
- Update compat level to 13.
| -rw-r--r-- | debian/changelog | 16 | ||||
| -rw-r--r-- | debian/compat | 1 | ||||
| -rw-r--r-- | debian/control | 4 | ||||
| -rw-r--r-- | debian/patches/0001-fixed-234.patch | 113 | ||||
| -rw-r--r-- | debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch | 54 | ||||
| -rw-r--r-- | debian/patches/0003-setExpandEntityReferences-false.patch | 45 | ||||
| -rw-r--r-- | debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch | 90 | ||||
| -rw-r--r-- | debian/patches/0005-fix-deserialization.patch | 86 | ||||
| -rw-r--r-- | debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch | 239 | ||||
| -rw-r--r-- | debian/patches/series | 6 |
10 files changed, 651 insertions, 3 deletions
diff --git a/debian/changelog b/debian/changelog index 5dabd6e..980630e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,19 @@ +libjackson-json-java (1.9.13-2) unstable; urgency=medium + + * Team upload. + * Add upstream fixes. + - Serializing types for deeply nested Maps. + - Set Secure Processing flag on DocumentBuilderFactory. + - Set setExpandEntityReferences(false). (Fixes: CVE-2019-10172) + - WriteRawValue surrogate pair fix. + - Fix deserialization. + - All known security fixes. (Fixes: CVE-2017-15095 and CVE-2017-7525) + * Update Standards-Version to 4.5.0 + * Use debhelper-compat. + - Update compat level to 13. + + -- Sudip Mukherjee <sudipm.mukherjee@gmail.com> Sat, 19 Sep 2020 20:20:21 +0100 + libjackson-json-java (1.9.13-1) unstable; urgency=medium * Team upload. diff --git a/debian/compat b/debian/compat deleted file mode 100644 index b4de394..0000000 --- a/debian/compat +++ /dev/null @@ -1 +0,0 @@ -11 diff --git a/debian/control b/debian/control index c72765d..3615a9b 100644 --- a/debian/control +++ b/debian/control @@ -6,7 +6,7 @@ Uploaders: James Page <james.page@ubuntu.com> Build-Depends: ant (>= 1.6.0), bnd (>= 2.1.0), - debhelper (>= 11), + debhelper-compat (= 13), default-jdk, default-jdk-doc, javahelper (>= 0.30), @@ -18,7 +18,7 @@ Build-Depends: libjoda-time-java, maven-repo-helper (>= 1.5~), libnet-luminis-build-plugin-java (>= 0.2.0-3) -Standards-Version: 4.3.0 +Standards-Version: 4.5.0 Vcs-Git: https://salsa.debian.org/java-team/libjackson-json-java.git Vcs-Browser: https://salsa.debian.org/java-team/libjackson-json-java Homepage: https://github.com/FasterXML/jackson diff --git a/debian/patches/0001-fixed-234.patch b/debian/patches/0001-fixed-234.patch new file mode 100644 index 0000000..d39c09e --- /dev/null +++ b/debian/patches/0001-fixed-234.patch @@ -0,0 +1,113 @@ +From 8404cf0b1fb700e5a179abd71137f3057846b80f Mon Sep 17 00:00:00 2001 +From: cowtowncoder <cowtowncoder@cc757fca-8a48-0410-80b4-e22f7f27f4c6> +Date: Tue, 13 Aug 2013 04:26:38 +0000 +Subject: [PATCH] fixed #234 + +--- + +upstream link: https://github.com/FasterXML/jackson-1/commit/8404cf0b1fb700e5a179abd71137f3057846b80f + +diff --git a/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java b/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java +index c2c447cb..041da2f4 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java ++++ b/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java +@@ -344,7 +344,11 @@ public class MapSerializer + if (cc == prevValueClass) { + currSerializer = prevValueSerializer; + } else { +- currSerializer = provider.findValueSerializer(cc, _property); ++ if (_valueType.hasGenericTypes()) { ++ currSerializer = provider.findValueSerializer(provider.constructSpecializedType(_valueType, cc), _property); ++ } else { ++ currSerializer = provider.findValueSerializer(cc, _property); ++ } + prevValueSerializer = currSerializer; + prevValueClass = cc; + } +@@ -417,6 +421,5 @@ public class MapSerializer + } + return result.serializer; + } +- + } + +diff --git a/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java b/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java +index 15be85e4..97741a35 100644 +--- a/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java ++++ b/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java +@@ -39,6 +39,33 @@ public class TestDefaultForMaps + public Map<MapKey,List<Object>> map; + } + ++ // // For #234 ++ ++ static class ItemList { ++ public String value; ++ public List<ItemList> childItems = new LinkedList<ItemList>(); ++ ++ public void addChildItem(ItemList l) { childItems.add(l); } ++ } ++ ++ static class ItemMap ++ { ++ public String value; ++ ++ public Map<String, List<ItemMap>> childItems = new HashMap<String, List<ItemMap>>(); ++ ++ public void addChildItem(String key, ItemMap childItem) { ++ List<ItemMap> items; ++ if (childItems.containsKey(key)) { ++ items = childItems.get(key); ++ } else { ++ items = new ArrayList<ItemMap>(); ++ } ++ items.add(childItem); ++ childItems.put(key, items); ++ } ++ } ++ + /* + /********************************************************** + /* Unit tests +@@ -94,4 +121,38 @@ public class TestDefaultForMaps + return TypeNameIdResolver.construct(mapper.getDeserializationConfig(), + TypeFactory.defaultInstance().constructType(Object.class), subtypes, forSerialization, !forSerialization); + } ++ ++ // // For #234: ++ ++ public void testList() throws Exception ++ { ++ final ObjectMapper mapper = new ObjectMapper(); ++ mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE, JsonTypeInfo.As.PROPERTY); ++ ItemList child = new ItemList(); ++ child.value = "I am child"; ++ ++ ItemList parent = new ItemList(); ++ parent.value = "I am parent"; ++ parent.addChildItem(child); ++ String json = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(parent); ++ ++ Object o = mapper.readValue(json, ItemList.class); ++ assertNotNull(o); ++ } ++ ++ public void testMap() throws Exception ++ { ++ final ObjectMapper mapper = new ObjectMapper(); ++ mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE, JsonTypeInfo.As.PROPERTY); ++ ItemMap child = new ItemMap(); ++ child.value = "I am child"; ++ ++ ItemMap parent = new ItemMap(); ++ parent.value = "I am parent"; ++ parent.addChildItem("child", child); ++ ++ String json = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(parent); ++ Object o = mapper.readValue(json, ItemMap.class); ++ assertNotNull(o); ++ } + } +-- +2.20.1 + diff --git a/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch b/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch new file mode 100644 index 0000000..16d093d --- /dev/null +++ b/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch @@ -0,0 +1,54 @@ +From 54c6bc36aa57741ea669ad110ce28acaa1600864 Mon Sep 17 00:00:00 2001 +From: PJ Fanning <pj.fanning@workday.com> +Date: Fri, 1 Jul 2016 01:49:46 +0100 +Subject: [PATCH] Set Secure Processing flag on DocumentBuilderFactory + +--- + +unstream link: https://github.com/FasterXML/jackson-1/commit/54c6bc36aa57741ea669ad110ce28acaa1600864 + + .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java | 7 +++++++ + .../codehaus/jackson/xc/DomElementJsonDeserializer.java | 1 + + 2 files changed, 8 insertions(+) + +diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java +index 50e6016c..3a486b9e 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java ++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java +@@ -2,7 +2,9 @@ package org.codehaus.jackson.map.ext; + + import java.io.StringReader; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilderFactory; ++import javax.xml.parsers.ParserConfigurationException; + + import org.codehaus.jackson.map.DeserializationContext; + import org.codehaus.jackson.map.deser.std.FromStringDeserializer; +@@ -22,6 +24,11 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T> + _parserFactory = DocumentBuilderFactory.newInstance(); + // yup, only cave men do XML without recognizing namespaces... + _parserFactory.setNamespaceAware(true); ++ try { ++ _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); ++ } catch(ParserConfigurationException pce) { ++ System.err.println("[DOMDeserializer] Problem setting SECURE_PROCESSING_FEATURE: " + pce.toString()); ++ } + } + + protected DOMDeserializer(Class<T> cls) { super(cls); } +diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java +index cf9c073d..ccd631aa 100644 +--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java ++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java +@@ -30,6 +30,7 @@ public class DomElementJsonDeserializer + try { + DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance(); + bf.setNamespaceAware(true); ++ bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true); + builder = bf.newDocumentBuilder(); + } catch (ParserConfigurationException e) { + throw new RuntimeException(); +-- +2.20.1 + diff --git a/debian/patches/0003-setExpandEntityReferences-false.patch b/debian/patches/0003-setExpandEntityReferences-false.patch new file mode 100644 index 0000000..b3d1a08 --- /dev/null +++ b/debian/patches/0003-setExpandEntityReferences-false.patch @@ -0,0 +1,45 @@ +From 2361ec46b5fbf940bafe8247e421e64f9cb7f7b1 Mon Sep 17 00:00:00 2001 +From: PJ Fanning <pj.fanning@workday.com> +Date: Fri, 1 Jul 2016 22:57:06 +0100 +Subject: [PATCH] setExpandEntityReferences(false) + +--- + +upstream link: https://github.com/FasterXML/jackson-1/commit/2361ec46b5fbf940bafe8247e421e64f9cb7f7b1 + + .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java | 1 + + .../org/codehaus/jackson/xc/DomElementJsonDeserializer.java | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java +index 3a486b9e..97f76af9 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java ++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java +@@ -24,6 +24,7 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T> + _parserFactory = DocumentBuilderFactory.newInstance(); + // yup, only cave men do XML without recognizing namespaces... + _parserFactory.setNamespaceAware(true); ++ _parserFactory.setExpandEntityReferences(false); + try { + _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + } catch(ParserConfigurationException pce) { +diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java +index ccd631aa..8b1de578 100644 +--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java ++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java +@@ -30,10 +30,11 @@ public class DomElementJsonDeserializer + try { + DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance(); + bf.setNamespaceAware(true); ++ bf.setExpandEntityReferences(false); + bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true); + builder = bf.newDocumentBuilder(); + } catch (ParserConfigurationException e) { +- throw new RuntimeException(); ++ throw new RuntimeException("Problem creating DocumentBuilder: " + e.toString()); + } + } + +-- +2.20.1 + diff --git a/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch b/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch new file mode 100644 index 0000000..f337683 --- /dev/null +++ b/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch @@ -0,0 +1,90 @@ +From 298849da99b27d86fe581781086fb39809cd83bf Mon Sep 17 00:00:00 2001 +From: Marcin Szczepanski <mszczepanski@atlassian.com> +Date: Mon, 11 Jul 2016 10:33:52 +1000 +Subject: [PATCH] Backport writeRawValue surrogate pair fix from 2.x + +This is a backport of a Jackson 2.x fix: +https://github.com/FasterXML/jackson-core/commit/5e14c461c04f71fc3f35a5ac2e75ed2df0d7c462 +--- + +upstream link: https://github.com/FasterXML/jackson-1/commit/298849da99b27d86fe581781086fb39809cd83bf + + .../codehaus/jackson/impl/Utf8Generator.java | 6 ++--- + .../jackson/impl/TestUtf8Generator.java | 24 +++++++++++++++++++ + 2 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/src/java/org/codehaus/jackson/impl/Utf8Generator.java b/src/java/org/codehaus/jackson/impl/Utf8Generator.java +index ccc25cd3..8ac6bd00 100644 +--- a/src/java/org/codehaus/jackson/impl/Utf8Generator.java ++++ b/src/java/org/codehaus/jackson/impl/Utf8Generator.java +@@ -754,7 +754,7 @@ public class Utf8Generator + _outputBuffer[_outputTail++] = (byte) (0xc0 | (ch >> 6)); + _outputBuffer[_outputTail++] = (byte) (0x80 | (ch & 0x3f)); + } else { +- _outputRawMultiByteChar(ch, cbuf, offset, len); ++ offset = _outputRawMultiByteChar(ch, cbuf, offset, len); + } + } + } +@@ -812,7 +812,7 @@ public class Utf8Generator + bbuf[_outputTail++] = (byte) (0xc0 | (ch >> 6)); + bbuf[_outputTail++] = (byte) (0x80 | (ch & 0x3f)); + } else { +- _outputRawMultiByteChar(ch, cbuf, offset, len); ++ offset = _outputRawMultiByteChar(ch, cbuf, offset, len); + } + } + } +@@ -1643,7 +1643,7 @@ public class Utf8Generator + if (ch >= SURR1_FIRST) { + if (ch <= SURR2_LAST) { // yes, outside of BMP + // Do we have second part? +- if (inputOffset >= inputLen) { // nope... have to note down ++ if (inputOffset >= inputLen || cbuf == null) { // nope... have to note down + _reportError("Split surrogate on writeRaw() input (last character)"); + } + _outputSurrogates(ch, cbuf[inputOffset]); +diff --git a/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java b/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java +index c4e12c3a..48461376 100644 +--- a/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java ++++ b/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java +@@ -2,7 +2,10 @@ package org.codehaus.jackson.impl; + + import java.io.ByteArrayOutputStream; + ++import org.codehaus.jackson.JsonFactory; + import org.codehaus.jackson.JsonGenerator; ++import org.codehaus.jackson.JsonParser; ++import org.codehaus.jackson.JsonToken; + import org.codehaus.jackson.io.IOContext; + import org.codehaus.jackson.util.BufferRecycler; + +@@ -25,4 +28,25 @@ public class TestUtf8Generator + gen.writeString(str); + gen.flush(); + } ++ ++ public void testSurrogatesWithRaw() throws Exception ++ { ++ final String VALUE = quote("\uD83C\uDF89"); ++ ByteArrayOutputStream bytes = new ByteArrayOutputStream(); ++ IOContext ioc = new IOContext(new BufferRecycler(), bytes, true); ++ JsonGenerator jgen = new Utf8Generator(ioc, 0, null, bytes); ++ jgen.writeRawValue(VALUE); ++ jgen.close(); ++ ++ final byte[] JSON = bytes.toByteArray(); ++ ++ JsonParser jp = new JsonFactory().createJsonParser(JSON); ++ assertToken(JsonToken.VALUE_STRING, jp.nextToken()); ++ String str = jp.getText(); ++ assertEquals(2, str.length()); ++ assertEquals((char) 0xD83C, str.charAt(0)); ++ assertEquals((char) 0xDF89, str.charAt(1)); ++ System.out.println(str); ++ jp.close(); ++ } + } +-- +2.20.1 + diff --git a/debian/patches/0005-fix-deserialization.patch b/debian/patches/0005-fix-deserialization.patch new file mode 100644 index 0000000..4763bc3 --- /dev/null +++ b/debian/patches/0005-fix-deserialization.patch @@ -0,0 +1,86 @@ +From b4c841aea501341fb1d7e62fa4f25a57ed990134 Mon Sep 17 00:00:00 2001 +From: Pawel Niegowski <pniegowski@atlassian.com> +Date: Fri, 21 Apr 2017 14:47:42 +0200 +Subject: [PATCH] fix deserialization + +--- + +Upstream link: https://github.com/FasterXML/jackson-1/commit/b4c841aea501341fb1d7e62fa4f25a57ed990134 + + .../map/deser/BeanDeserializerFactory.java | 48 +++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java +index 620c9dce..b8c0c180 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java ++++ b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java +@@ -31,6 +31,37 @@ public class BeanDeserializerFactory + */ + private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class }; + ++ /** ++ * Set of well-known "nasty classes", deserialization of which is considered dangerous ++ * and should (and is) prevented by default. ++ * ++ * @since 1.9.13-atlassian-2 ++ */ ++ protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES; ++ ++ static ++ { ++ Set<String> s = new HashSet<String>(); ++ // Courtesy of [https://github.com/kantega/notsoserial]: ++ // (and wrt [databind#1599] ++ s.add("org.apache.commons.collections.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections.functors.InstantiateTransformer"); ++ s.add("org.apache.commons.collections4.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); ++ s.add("org.codehaus.groovy.runtime.ConvertedClosure"); ++ s.add("org.codehaus.groovy.runtime.MethodClosure"); ++ s.add("org.springframework.beans.factory.ObjectFactory"); ++ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); ++ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); ++ } ++ ++ /** ++ * Set of class names of types that are never to be deserialized. ++ * ++ * @since 1.9.13-atlassian-2 ++ */ ++ protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; ++ + /* + /********************************************************** + /* Config class implementation +@@ -632,6 +663,7 @@ public class BeanDeserializerFactory + if (!isPotentialBeanType(type.getRawClass())) { + return null; + } ++ checkIllegalTypes(type); + // Use generic bean introspection to build deserializer + return buildBeanDeserializer(config, type, beanDesc, property); + } +@@ -1473,4 +1505,20 @@ public class BeanDeserializerFactory + } + return status; + } ++ ++ /** ++ * @since 2.8.9 ++ */ ++ protected void checkIllegalTypes(JavaType type) ++ throws JsonMappingException ++ { ++ // There are certain nasty classes that could cause problems, mostly ++ // via default typing -- catch them here. ++ String full = type.getRawClass().getName(); ++ ++ if (_cfgIllegalClassNames.contains(full)) ++ { ++ throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); ++ } ++ } + } +-- +2.20.1 + diff --git a/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch b/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch new file mode 100644 index 0000000..2f3b6be --- /dev/null +++ b/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch @@ -0,0 +1,239 @@ +From 9ac68db819bce7b9546bc4bf1c44f82ca910fa31 Mon Sep 17 00:00:00 2001 +From: Tatu Saloranta <tatu.saloranta@iki.fi> +Date: Wed, 20 Dec 2017 16:50:14 -0800 +Subject: [PATCH] Backport all known security fixes from 2.x that were missing, related to public CVEs. + +--- + +upstream link: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31 + +diff --git a/src/java/org/codehaus/jackson/type/JavaType.java b/src/java/org/codehaus/jackson/type/JavaType.java +index 3b216491..871bca4b 100644 +--- a/src/java/org/codehaus/jackson/type/JavaType.java ++++ b/src/java/org/codehaus/jackson/type/JavaType.java +@@ -479,6 +479,11 @@ public abstract class JavaType + /********************************************************** + */ + ++ // since 1.9.14: needed by one of the patches ++ public final boolean isTypeOrSubTypeOf(Class<?> clz) { ++ return (_class == clz) || clz.isAssignableFrom(_class); ++ } ++ + protected void _assertSubclass(Class<?> subclass, Class<?> superClass) + { + if (!_class.isAssignableFrom(subclass)) { +diff --git a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java +index b8c0c180..ffeadb12 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java ++++ b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java +@@ -9,6 +9,7 @@ import org.codehaus.jackson.map.deser.impl.CreatorProperty; + import org.codehaus.jackson.map.deser.std.StdKeyDeserializers; + import org.codehaus.jackson.map.deser.std.ThrowableDeserializer; + import org.codehaus.jackson.map.introspect.*; ++import org.codehaus.jackson.map.jsontype.impl.SubTypeValidator; + import org.codehaus.jackson.map.type.*; + import org.codehaus.jackson.map.util.ArrayBuilders; + import org.codehaus.jackson.map.util.ClassUtil; +@@ -31,37 +32,6 @@ public class BeanDeserializerFactory + */ + private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class }; + +- /** +- * Set of well-known "nasty classes", deserialization of which is considered dangerous +- * and should (and is) prevented by default. +- * +- * @since 1.9.13-atlassian-2 +- */ +- protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES; +- +- static +- { +- Set<String> s = new HashSet<String>(); +- // Courtesy of [https://github.com/kantega/notsoserial]: +- // (and wrt [databind#1599] +- s.add("org.apache.commons.collections.functors.InvokerTransformer"); +- s.add("org.apache.commons.collections.functors.InstantiateTransformer"); +- s.add("org.apache.commons.collections4.functors.InvokerTransformer"); +- s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); +- s.add("org.codehaus.groovy.runtime.ConvertedClosure"); +- s.add("org.codehaus.groovy.runtime.MethodClosure"); +- s.add("org.springframework.beans.factory.ObjectFactory"); +- s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); +- DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); +- } +- +- /** +- * Set of class names of types that are never to be deserialized. +- * +- * @since 1.9.13-atlassian-2 +- */ +- protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; +- + /* + /********************************************************** + /* Config class implementation +@@ -265,6 +235,12 @@ public class BeanDeserializerFactory + */ + protected final Config _factoryConfig; + ++ /** ++ * ++ * @since 1.9.14 ++ */ ++ protected SubTypeValidator _subtypeValidator = SubTypeValidator.instance(); ++ + @Deprecated + public BeanDeserializerFactory() { + this(null); +@@ -1507,18 +1483,13 @@ public class BeanDeserializerFactory + } + + /** +- * @since 2.8.9 ++ * @since 1.9.14 + */ +- protected void checkIllegalTypes(JavaType type) +- throws JsonMappingException ++ protected void checkIllegalTypes(JavaType type) throws JsonMappingException + { + // There are certain nasty classes that could cause problems, mostly + // via default typing -- catch them here. +- String full = type.getRawClass().getName(); +- +- if (_cfgIllegalClassNames.contains(full)) +- { +- throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); +- } ++ _subtypeValidator.validateSubType(type); ++ //throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); + } + } +diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java +index c9fd65e1..c9a00011 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java ++++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java +@@ -46,8 +46,16 @@ public class ClassNameIdResolver + * to do translation when necessary + */ + if (id.indexOf('<') > 0) { +- JavaType t = TypeFactory.fromCanonical(id); + // note: may want to try combining with specialization (esp for EnumMap) ++ // 17-Aug-2017, tatu: As per [databind#1735] need to ensure assignment ++ // compatibility -- needed later anyway, and not doing so may open ++ // security issues. ++ JavaType t = _typeFactory.constructFromCanonical(id); ++ if (!t.isTypeOrSubTypeOf(_baseType.getRawClass())) { ++ // Probably cleaner to have a method in `TypeFactory` but can't add in patch ++ throw new IllegalArgumentException(String.format( ++ "Class %s not subtype of %s", t.getRawClass().getName(), _baseType)); ++ } + return t; + } + try { +diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java +new file mode 100644 +index 00000000..865c20e7 +--- /dev/null ++++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java +@@ -0,0 +1,97 @@ ++package org.codehaus.jackson.map.jsontype.impl; ++ ++import java.util.Collections; ++import java.util.HashSet; ++import java.util.Set; ++ ++import org.codehaus.jackson.map.JsonMappingException; ++import org.codehaus.jackson.type.JavaType; ++ ++/** ++ * Helper class used to encapsulate rules that determine subtypes that ++ * are invalid to use, even with default typing, mostly due to security ++ * concerns. ++ * Used by <code>BeanDeserializerFactory</code> ++ * ++ * @since 1.9.14 ++ */ ++public class SubTypeValidator ++{ ++ protected final static String PREFIX_STRING = "org.springframework."; ++ /** ++ * Set of well-known "nasty classes", deserialization of which is considered dangerous ++ * and should (and is) prevented by default. ++ */ ++ protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES; ++ static { ++ Set<String> s = new HashSet<String>(); ++ // Courtesy of [https://github.com/kantega/notsoserial]: ++ // (and wrt [databind#1599]) ++ s.add("org.apache.commons.collections.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections.functors.InstantiateTransformer"); ++ s.add("org.apache.commons.collections4.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); ++ s.add("org.codehaus.groovy.runtime.ConvertedClosure"); ++ s.add("org.codehaus.groovy.runtime.MethodClosure"); ++ s.add("org.springframework.beans.factory.ObjectFactory"); ++ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); ++ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); ++ // [databind#1680]: may or may not be problem, take no chance ++ s.add("com.sun.rowset.JdbcRowSetImpl"); ++ // [databind#1737]; JDK provided ++ s.add("java.util.logging.FileHandler"); ++ s.add("java.rmi.server.UnicastRemoteObject"); ++ // [databind#1737]; 3rd party ++//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855] ++ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); ++ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); ++ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); ++ // [databind#1855]: more 3rd party ++ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); ++ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); ++ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); ++ } ++ ++ /** ++ * Set of class names of types that are never to be deserialized. ++ */ ++ protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; ++ ++ private final static SubTypeValidator instance = new SubTypeValidator(); ++ ++ protected SubTypeValidator() { } ++ ++ public static SubTypeValidator instance() { return instance; } ++ ++ public void validateSubType(JavaType type) throws JsonMappingException ++ { ++ // There are certain nasty classes that could cause problems, mostly ++ // via default typing -- catch them here. ++ final Class<?> raw = type.getRawClass(); ++ String full = raw.getName(); ++ ++ main_check: ++ do { ++ if (_cfgIllegalClassNames.contains(full)) { ++ break; ++ } ++ ++ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling ++ // for some Spring framework types ++ if (full.startsWith(PREFIX_STRING)) { ++ for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) { ++ String name = cls.getSimpleName(); ++ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? ++ if ("AbstractPointcutAdvisor".equals(name) ++ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts ++ || "AbstractApplicationContext".equals(name)) { ++ break main_check; ++ } ++ } ++ } ++ return; ++ } while (false); ++ ++ throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); ++ } ++} +-- +2.20.1 + diff --git a/debian/patches/series b/debian/patches/series index 4d2c86f..0ff2463 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,7 @@ java9.patch +0001-fixed-234.patch +0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch +0003-setExpandEntityReferences-false.patch +0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch +0005-fix-deserialization.patch +0006-Backport-all-known-security-fixes-from-2.x-that-were.patch |
