From 850f25c02d4a8da1e8ea3a5f0a40293dea907e05 Mon Sep 17 00:00:00 2001
From: starlet-dx <15929766099@163.com>
Date: Tue, 10 May 2022 10:42:44 +0800
Subject: [PATCH] Fix CVE-2022-25647
(cherry picked from commit 3e1fb03cf078bcc3e070cfa10f2262330837c91b)
---
 CVE-2022-25647.patch | 209 +++++++++++++++++++++++++++++++++++++++++++
 google-gson.spec | 7 +-
 2 files changed, 215 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-25647.patch
diff --git a/CVE-2022-25647.patch b/CVE-2022-25647.patch
new file mode 100644
index 0000000..21591d6
--- /dev/null
+++ b/CVE-2022-25647.patch
@@ -0,0 +1,209 @@
+From e6fae590cf2a758c47cd5a17f9bf3780ce62c986 Mon Sep 17 00:00:00 2001
+From: Marcono1234
+Date: Wed, 13 Oct 2021 19:14:57 +0200
+Subject: [PATCH] Prevent Java deserialization of internal classes (#1991)
+
+Adversaries might be able to forge data which can be abused for DoS attacks.
+These classes are already writing a replacement JDK object during serialization for a long time, so this change should not cause any issues.
+
+---
+ .../gson/internal/LazilyParsedNumber.java | 8 +++++++
+ .../gson/internal/LinkedHashTreeMap.java | 8 +++++++
+ .../google/gson/internal/LinkedTreeMap.java | 8 +++++++
+ .../gson/internal/LazilyParsedNumberTest.java | 18 ++++++++++++++++
+ .../gson/internal/LinkedHashTreeMapTest.java | 21 +++++++++++++++++++
+ .../gson/internal/LinkedTreeMapTest.java | 20 ++++++++++++++++++
+ 6 files changed, 83 insertions(+)
+
+diff --git a/gson/src/main/java/com/google/gson/internal/LazilyParsedNumber.java b/gson/src/main/java/com/google/gson/internal/LazilyParsedNumber.java
+index 3669af7..6138dff 100644
+--- a/gson/src/main/java/com/google/gson/internal/LazilyParsedNumber.java
++++ b/gson/src/main/java/com/google/gson/internal/LazilyParsedNumber.java
+@@ -15,6 +15,9 @@
+ */
+ package com.google.gson.internal;
+
++import java.io.IOException;
++import java.io.InvalidObjectException;
++import java.io.ObjectInputStream;
+ import java.io.ObjectStreamException;
+ import java.math.BigDecimal;
+
+@@ -77,6 +80,11 @@ public final class LazilyParsedNumber extends Number {
+ return new BigDecimal(value);
+ }
+
++ private void readObject(ObjectInputStream in) throws IOException {
++ // Don't permit directly deserializing this class; writeReplace() should have written a replacement
++ throw new InvalidObjectException("Deserialization is unsupported");
++ }
++
+ @Override
+ public int hashCode() {
+ return value.hashCode();
+diff --git a/gson/src/main/java/com/google/gson/internal/LinkedHashTreeMap.java b/gson/src/main/java/com/google/gson/internal/LinkedHashTreeMap.java
+index b2707c5..0cade0d 100644
+--- a/gson/src/main/java/com/google/gson/internal/LinkedHashTreeMap.java
++++ b/gson/src/main/java/com/google/gson/internal/LinkedHashTreeMap.java
+@@ -17,6 +17,9 @@
+
+ package com.google.gson.internal;
+
++import java.io.IOException;
++import java.io.InvalidObjectException;
++import java.io.ObjectInputStream;
+ import java.io.ObjectStreamException;
+ import java.io.Serializable;
+ import java.util.AbstractMap;
+@@ -861,4 +864,9 @@ public final class LinkedHashTreeMap extends AbstractMap implements
+ private Object writeReplace() throws ObjectStreamException {
+ return new LinkedHashMap(this);
+ }
++
++ private void readObject(ObjectInputStream in) throws IOException {
++ // Don't permit directly deserializing this class; writeReplace() should have written a replacement
++ throw new InvalidObjectException("Deserialization is unsupported");
++ }
+ }
+diff --git a/gson/src/main/java/com/google/gson/internal/LinkedTreeMap.java b/gson/src/main/java/com/google/gson/internal/LinkedTreeMap.java
+index 8046274..aaa8ce0 100644
+--- a/gson/src/main/java/com/google/gson/internal/LinkedTreeMap.java
++++ b/gson/src/main/java/com/google/gson/internal/LinkedTreeMap.java
+@@ -17,6 +17,9 @@
+
+ package com.google.gson.internal;
+
++import java.io.IOException;
++import java.io.InvalidObjectException;
++import java.io.ObjectInputStream;
+ import java.io.ObjectStreamException;
+ import java.io.Serializable;
+ import java.util.AbstractMap;
+@@ -627,4 +630,9 @@ public final class LinkedTreeMap extends AbstractMap implements Seri
+ private Object writeReplace() throws ObjectStreamException {
+ return new LinkedHashMap(this);
+ }
++
++ private void readObject(ObjectInputStream in) throws IOException {
++ // Don't permit directly deserializing this class; writeReplace() should have written a replacement
++ throw new InvalidObjectException("Deserialization is unsupported");
++ }
+ }
+diff --git a/gson/src/test/java/com/google/gson/internal/LazilyParsedNumberTest.java b/gson/src/test/java/com/google/gson/internal/LazilyParsedNumberTest.java
+index f108fa0..75e77bb 100644
+--- a/gson/src/test/java/com/google/gson/internal/LazilyParsedNumberTest.java
++++ b/gson/src/test/java/com/google/gson/internal/LazilyParsedNumberTest.java
+@@ -15,6 +15,13 @@
+ */
+ package com.google.gson.internal;
+
++import java.io.ByteArrayInputStream;
++import java.io.ByteArrayOutputStream;
++import java.io.IOException;
++import java.io.ObjectInputStream;
++import java.io.ObjectOutputStream;
++import java.math.BigDecimal;
++
+ import junit.framework.TestCase;
+
+ public class LazilyParsedNumberTest extends TestCase {
+@@ -29,4 +36,15 @@ public class LazilyParsedNumberTest extends TestCase {
+ LazilyParsedNumber n1Another = new LazilyParsedNumber("1");
+ assertTrue(n1.equals(n1Another));
+ }
++
++ public void testJavaSerialization() throws IOException, ClassNotFoundException {
++ ByteArrayOutputStream out = new ByteArrayOutputStream();
++ ObjectOutputStream objOut = new ObjectOutputStream(out);
++ objOut.writeObject(new LazilyParsedNumber("123"));
++ objOut.close();
++
++ ObjectInputStream objIn = new ObjectInputStream(new ByteArrayInputStream(out.toByteArray()));
++ Number deserialized = (Number) objIn.readObject();
++ assertEquals(new BigDecimal("123"), deserialized);
++ }
+ }
+diff --git a/gson/src/test/java/com/google/gson/internal/LinkedHashTreeMapTest.java b/gson/src/test/java/com/google/gson/internal/LinkedHashTreeMapTest.java
+index 2aeeeb7..77fe518 100644
+--- a/gson/src/test/java/com/google/gson/internal/LinkedHashTreeMapTest.java
++++ b/gson/src/test/java/com/google/gson/internal/LinkedHashTreeMapTest.java
+@@ -20,8 +20,15 @@ import com.google.gson.common.MoreAsserts;
+ import com.google.gson.internal.LinkedHashTreeMap.AvlBuilder;
+ import com.google.gson.internal.LinkedHashTreeMap.AvlIterator;
+ import com.google.gson.internal.LinkedHashTreeMap.Node;
++
++import java.io.ByteArrayInputStream;
++import java.io.ByteArrayOutputStream;
++import java.io.IOException;
++import java.io.ObjectInputStream;
++import java.io.ObjectOutputStream;
+ import java.util.ArrayList;
+ import java.util.Arrays;
++import java.util.Collections;
+ import java.util.Iterator;
+ import java.util.Map;
+ import java.util.Random;
+@@ -224,6 +231,20 @@ public final class LinkedHashTreeMapTest extends TestCase {
+ }
+ }
+
++ public void testJavaSerialization() throws IOException, ClassNotFoundException {
++ ByteArrayOutputStream out = new ByteArrayOutputStream();
++ ObjectOutputStream objOut = new ObjectOutputStream(out);
++ Map map = new LinkedHashTreeMap();
++ map.put("a", 1);
++ objOut.writeObject(map);
++ objOut.close();
++
++ ObjectInputStream objIn = new ObjectInputStream(new ByteArrayInputStream(out.toByteArray()));
++ @SuppressWarnings("unchecked")
++ Map deserialized = (Map) objIn.readObject();
++ assertEquals(Collections.singletonMap("a", 1), deserialized);
++ }
++
+ private static final Node head = new Node();
+
+ private Node node(String value) {
+diff --git a/gson/src/test/java/com/google/gson/internal/LinkedTreeMapTest.java b/gson/src/test/java/com/google/gson/internal/LinkedTreeMapTest.java
+index 580d25a..d9a1191 100644
+--- a/gson/src/test/java/com/google/gson/internal/LinkedTreeMapTest.java
++++ b/gson/src/test/java/com/google/gson/internal/LinkedTreeMapTest.java
+@@ -16,8 +16,14 @@
+
+ package com.google.gson.internal;
+
++import java.io.ByteArrayInputStream;
++import java.io.ByteArrayOutputStream;
++import java.io.IOException;
++import java.io.ObjectInputStream;
++import java.io.ObjectOutputStream;
+ import java.util.ArrayList;
+ import java.util.Arrays;
++import java.util.Collections;
+ import java.util.Iterator;
+ import java.util.Map;
+ import java.util.Random;
+@@ -140,6 +146,20 @@ public final class LinkedTreeMapTest extends TestCase {
+ MoreAsserts.assertEqualsAndHashCode(map1, map2);
+ }
+
++ public void testJavaSerialization() throws IOException, ClassNotFoundException {
++ ByteArrayOutputStream out = new ByteArrayOutputStream();
++ ObjectOutputStream objOut = new ObjectOutputStream(out);
++ Map map = new LinkedTreeMap();
++ map.put("a", 1);
++ objOut.writeObject(map);
++ objOut.close();
++
++ ObjectInputStream objIn = new ObjectInputStream(new ByteArrayInputStream(out.toByteArray()));
++ @SuppressWarnings("unchecked")
++ Map deserialized = (Map) objIn.readObject();
++ assertEquals(Collections.singletonMap("a", 1), deserialized);
++ }
++
+ private void assertIterationOrder(Iterable actual, T... expected) {
+ ArrayList actualList = new ArrayList();
+ for (T t : actual) {
+--
+2.30.0
+
diff --git a/google-gson.spec b/google-gson.spec
index 41d5bbd..59bcff0 100644
--- a/google-gson.spec
+++ b/google-gson.spec
@@ -1,10 +1,12 @@
 Name: google-gson
 Version: 2.8.2
-Release: 3
+Release: 4
 Summary: A Java library that can be used to convert Java Objects into their JSON representation
 License: ASL 2.0
 URL: https://github.com/google/gson
 Source0: https://github.com/google/gson/archive/gson-parent-%{version}.tar.gz
+#https://github.com/google/gson/pull/1991/commits
+Patch0: CVE-2022-25647.patch
 BuildArch: noarch
 BuildRequires: maven-local, mvn(junit:junit), mvn(org.apache.felix:maven-bundle-plugin), mvn(org.sonatype.oss:oss-parent:pom:)
@@ -61,5 +63,8 @@ Gson considers both of these as very important design goals.
 %{_javadocdir}/%{name}/*
 %changelog
+* Tue May 10 2022 yaoxin - 2.8.2-4
+- Fix CVE-2022-25647
+
 * Sat Dec 7 2019 openEuler Buildteam - 2.8.2-3
 - Package init
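Review bot: The three added testJavaSerialization cases (LazilyParsedNumberTest, LinkedHashTreeMapTest, LinkedTreeMapTest) only round-trip through writeReplace(), so the stream they read back describes a BigDecimal or LinkedHashMap and never reaches the new readObject() methods; they would still pass with readObject() deleted, which leaves the CVE-2022-25647 fix itself without a regression test in this backport. One test per class that hands ObjectInputStream a serialized form whose class descriptor names the internal class itself, and asserts that readObject() fails with InvalidObjectException, would pin the behaviour the patch introduces. The one-line comment on each readObject() states the intent, but a Javadoc such as `/** Rejects direct deserialization: {@link #writeReplace()} always substitutes a JDK type, so a stream naming this class was not produced by this class and is treated as invalid. */` would make the security purpose obvious to anyone later tempted to drop the apparently unused method. The classes enclosing all three readObject() methods start outside their hunks.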
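Review bot: `Patch0: CVE-2022-25647.patch` only declares the patch; whether it is applied is decided by the %prep section, which lies outside this hunk — with `%autosetup -p1` it is picked up automatically, but a `%setup`-based %prep needs an explicit `%patch0 -p1`, and a declared-but-unapplied patch would ship 2.8.2-4 still carrying the vulnerable classes, so confirm %prep before the release is built. The bare `#https://github.com/google/gson/pull/1991/commits` line would be more useful as a provenance comment naming the upstream commit the nested patch is taken from, e.g. `# Backport of upstream commit e6fae590cf2a758c47cd5a17f9bf3780ce62c986 (gson PR #1991), CVE-2022-25647`, so the next rebase can check it against upstream without opening the patch file.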