!6 [sync] PR-4: fix CVE-2016-0750 CVE-2017-15089

From: @openeuler-sync-bot Reviewed-by: @wang_yue111,@wangchong1995924 Signed-off-by: @wangchong1995924
2021-03-05 16:35:02 +08:00 · 2021-03-05 16:35:02 +08:00 · f8cfe5580f
commit f8cfe5580f
parent a3463373cb f4489b85a0
4 changed files with 2607 additions and 1 deletions
--- a/CVE-2016-0750.patch
+++ b/CVE-2016-0750.patch
--- a/CVE-2017-15089-1.patch
+++ b/CVE-2017-15089-1.patch
@ -0,0 +1,259 @@
+From 8f1f8a20376a5f30d187db78c218e1cd97202b38 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Galder=20Zamarren=CC=83o?= <galder@zamarreno.com>
+Date: Wed, 13 Dec 2017 11:34:14 +0100
+Subject: [PATCH] ISPN-8624 White list unmarshalling for GenericJBossMarshaller
+
+---
+ .../client/hotrod/RemoteCacheManager.java     |  7 +++-
+ .../hotrod/marshall/MarshallerUtil.java       | 16 +-------
+ .../marshall/WhiteListMarshallingTest.java    | 39 +++++++++++++++++++
+ .../org/infinispan/commons/logging/Log.java   |  5 +++
+ .../commons/marshall/MarshallUtil.java        | 30 ++++++++++++++
+ .../jboss/GenericJBossMarshaller.java         | 32 +++++++++++++++
+ 6 files changed, 114 insertions(+), 15 deletions(-)
+ create mode 100644 client/hotrod-client/src/test/java/org/infinispan/client/hotrod/marshall/WhiteListMarshallingTest.java
+
+diff --git a/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/RemoteCacheManager.java b/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/RemoteCacheManager.java
+index f266c7e4447..235a62fc284 100644
+--- a/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/RemoteCacheManager.java
+++ b/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/RemoteCacheManager.java
+@@ -33,6 +33,7 @@
+ import org.infinispan.commons.api.BasicCacheContainer;
+ import org.infinispan.commons.executors.ExecutorFactory;
+ import org.infinispan.commons.marshall.Marshaller;
+import org.infinispan.commons.marshall.jboss.GenericJBossMarshaller;
+ import org.infinispan.commons.util.FileLookupFactory;
+ import org.infinispan.commons.util.TypedProperties;
+ import org.infinispan.commons.util.Util;
+@@ -562,7 +563,11 @@ public void start() {
+       if (marshaller == null) {
+          marshaller = configuration.marshaller();
+          if (marshaller == null) {
+-            marshaller = Util.getInstance(configuration.marshallerClass());
+            Class<? extends Marshaller> clazz = configuration.marshallerClass();
+            if (clazz == GenericJBossMarshaller.class && !configuration.serialWhitelist().isEmpty())
+               marshaller = new GenericJBossMarshaller(configuration.serialWhitelist());
+            else
+               marshaller = Util.getInstance(clazz);
+          }
+       }
+ 
+diff --git a/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/marshall/MarshallerUtil.java b/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/marshall/MarshallerUtil.java
+index 876fa6de338..990a1082132 100644
+--- a/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/marshall/MarshallerUtil.java
+++ b/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/marshall/MarshallerUtil.java
+@@ -5,6 +5,7 @@
+ import org.infinispan.client.hotrod.logging.Log;
+ import org.infinispan.client.hotrod.logging.LogFactory;
+ import org.infinispan.commons.CacheException;
+import org.infinispan.commons.marshall.MarshallUtil;
+ import org.infinispan.commons.marshall.Marshaller;
+ import org.infinispan.commons.util.Util;
+ 
+@@ -15,8 +16,6 @@
+ import java.io.ObjectStreamClass;
+ import java.io.ObjectStreamConstants;
+ import java.util.List;
+-import java.util.regex.Matcher;
+-import java.util.regex.Pattern;
+ 
+ /**
+  * @author Galder Zamarreño
+@@ -100,18 +99,7 @@ public CheckedInputStream(InputStream in, List<String> whitelist) throws IOExcep
+       @Override
+       protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+          //Enforce SerialKiller's whitelist
+-         boolean safeClass = false;
+-         for (String whiteRegExp : whitelist) {
+-            Pattern whitePattern = Pattern.compile(whiteRegExp);
+-            Matcher whiteMatcher = whitePattern.matcher(desc.getName());
+-            if (whiteMatcher.find()) {
+-               safeClass = true;
+-
+-               if (log.isTraceEnabled())
+-                  log.tracef("Whitelist match: '%s'", desc.getName());
+-            }
+-         }
+-
+         boolean safeClass = MarshallUtil.isSafeClass(desc.getName(), whitelist);
+          if (!safeClass)
+             throw log.classNotInWhitelist(desc.getName());
+ 
+diff --git a/client/hotrod-client/src/test/java/org/infinispan/client/hotrod/marshall/WhiteListMarshallingTest.java b/client/hotrod-client/src/test/java/org/infinispan/client/hotrod/marshall/WhiteListMarshallingTest.java
+new file mode 100644
+index 00000000000..2a83b083645
+--- /dev/null
+++ b/client/hotrod-client/src/test/java/org/infinispan/client/hotrod/marshall/WhiteListMarshallingTest.java
+@@ -0,0 +1,39 @@
+package org.infinispan.client.hotrod.marshall;
+
+import org.infinispan.client.hotrod.RemoteCacheManager;
+import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;
+import org.infinispan.client.hotrod.exceptions.HotRodClientException;
+import org.infinispan.client.hotrod.test.InternalRemoteCacheManager;
+import org.infinispan.client.hotrod.test.SingleHotRodServerTest;
+import org.infinispan.test.data.Person;
+import org.testng.annotations.Test;
+
+import java.io.Serializable;
+
+@Test(testName = "client.hotrod.marshall.WhiteListMarshallingTest", groups = {"functional", "smoke"} )
+public class WhiteListMarshallingTest extends SingleHotRodServerTest {
+
+   @Override
+   protected RemoteCacheManager getRemoteCacheManager() {
+      ConfigurationBuilder builder = new ConfigurationBuilder();
+      builder.addJavaSerialWhiteList(".*Person.*");
+      builder.addServer().host("127.0.0.1").port(hotrodServer.getPort());
+      return new InternalRemoteCacheManager(builder.build());
+   }
+
+   @Test(expectedExceptions = HotRodClientException.class,
+      expectedExceptionsMessageRegExp = ".*ISPN004034:.*")
+   public void testUnsafeClassNotAllowed() {
+      remoteCacheManager.getCache().put("unsafe", new UnsafeClass());
+      remoteCacheManager.getCache().get("unsafe");
+   }
+
+   public void testSafeClassAllowed() {
+      remoteCacheManager.getCache().put("safe", new Person());
+      remoteCacheManager.getCache().get("safe");
+   }
+
+   private static final class UnsafeClass implements Serializable {
+   }
+
+}
+diff --git a/commons/src/main/java/org/infinispan/commons/logging/Log.java b/commons/src/main/java/org/infinispan/commons/logging/Log.java
+index 1054f40cba6..34d7345777d 100644
+--- a/commons/src/main/java/org/infinispan/commons/logging/Log.java
+++ b/commons/src/main/java/org/infinispan/commons/logging/Log.java
+@@ -4,6 +4,7 @@
+ import static org.jboss.logging.Logger.Level.WARN;
+ 
+ import org.infinispan.commons.CacheConfigurationException;
+import org.infinispan.commons.CacheException;
+ import org.jboss.logging.BasicLogger;
+ import org.jboss.logging.annotations.Cause;
+ import org.jboss.logging.annotations.LogMessage;
+@@ -107,5 +108,9 @@
+ 
+    @Message(value = "Cannot find resource '%s'", id = 918)
+    IOException cannotFindResource(String fileName);
+
+   @Message(value = "Class '%s' blocked by deserialization white list. Adjust the client configuration serialization white list regular expression to include this class.", id = 28023)
+   CacheException classNotInWhitelist(String className);
+
+ }
+ 
+diff --git a/commons/src/main/java/org/infinispan/commons/marshall/MarshallUtil.java b/commons/src/main/java/org/infinispan/commons/marshall/MarshallUtil.java
+index f8b39af35aa..fa2f2ed3804 100644
+--- a/commons/src/main/java/org/infinispan/commons/marshall/MarshallUtil.java
+++ b/commons/src/main/java/org/infinispan/commons/marshall/MarshallUtil.java
+@@ -1,15 +1,20 @@
+ package org.infinispan.commons.marshall;
+ 
+ import net.jcip.annotations.Immutable;
+import org.infinispan.commons.logging.Log;
+import org.infinispan.commons.logging.LogFactory;
+ import org.infinispan.commons.util.Util;
+ 
+ import java.io.IOException;
+ import java.io.ObjectInput;
+ import java.io.ObjectOutput;
+ import java.util.Collection;
+import java.util.List;
+ import java.util.Map;
+ import java.util.Objects;
+ import java.util.UUID;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+ 
+ /**
+  * MarshallUtil.
+@@ -22,6 +27,8 @@
+ 
+    private static final byte NULL_VALUE = -1;
+ 
+   private static final Log log = LogFactory.getLog(MarshallUtil.class);
+
+    /**
+     * Marshall the {@code map} to the {@code ObjectOutput}.
+     * <p>
+@@ -365,6 +372,29 @@ public static int unmarshallInt(ObjectInput in) throws IOException {
+       }
+    }
+ 
+   /**
+    * Checks whether class name is matched by the class name white list regular expressions provided.
+    *
+    * @param className class to verify
+    * @param whitelist list of regular expressions to match class name against
+    * @return true if the class matched at least one of the regular expressions,
+    *         false otherwise
+    */
+   public static boolean isSafeClass(String className, List<String> whitelist) {
+      for (String whiteRegExp : whitelist) {
+         Pattern whitePattern = Pattern.compile(whiteRegExp);
+         Matcher whiteMatcher = whitePattern.matcher(className);
+         if (whiteMatcher.find()) {
+            if (log.isTraceEnabled())
+               log.tracef("Whitelist match: '%s'", className);
+
+            return true;
+         }
+      }
+
+      return false;
+   }
+
+    public interface ArrayBuilder<E> {
+       E[] build(int size);
+    }
+diff --git a/commons/src/main/java/org/infinispan/commons/marshall/jboss/GenericJBossMarshaller.java b/commons/src/main/java/org/infinispan/commons/marshall/jboss/GenericJBossMarshaller.java
+index d623a408cdf..eada3cda0a6 100644
+--- a/commons/src/main/java/org/infinispan/commons/marshall/jboss/GenericJBossMarshaller.java
+++ b/commons/src/main/java/org/infinispan/commons/marshall/jboss/GenericJBossMarshaller.java
+@@ -1,5 +1,11 @@
+ package org.infinispan.commons.marshall.jboss;
+ 
+import org.infinispan.commons.marshall.MarshallUtil;
+import org.jboss.marshalling.Unmarshaller;
+
+import java.io.IOException;
+import java.util.List;
+
+ /**
+  * A marshaller that makes use of <a href="http://www.jboss.org/jbossmarshalling">JBoss Marshalling</a>
+  * to serialize and deserialize objects. This marshaller is oriented at external,
+@@ -23,4 +29,30 @@ public GenericJBossMarshaller(ClassLoader classLoader) {
+             new DefaultContextClassResolver(classLoader != null ? classLoader : this.getClass().getClassLoader()));
+    }
+ 
+   public GenericJBossMarshaller(List<String> whitelist) {
+      super();
+      baseCfg.setClassResolver(
+         new CheckedClassResolver(whitelist, this.getClass().getClassLoader()));
+   }
+
+   private static final class CheckedClassResolver extends DefaultContextClassResolver {
+
+      private final List<String> whitelist;
+
+      CheckedClassResolver(List<String> whitelist, ClassLoader defaultClassLoader) {
+         super(defaultClassLoader);
+         this.whitelist = whitelist;
+      }
+
+      @Override
+      public Class<?> resolveClass(Unmarshaller unmarshaller, String name, long serialVersionUID) throws IOException, ClassNotFoundException {
+         boolean safeClass = MarshallUtil.isSafeClass(name, whitelist);
+         if (!safeClass)
+            throw log.classNotInWhitelist(name);
+
+         return super.resolveClass(unmarshaller, name, serialVersionUID);
+      }
+
+   }
+
+ }
--- a/CVE-2017-15089-2.patch
+++ b/CVE-2017-15089-2.patch
@ -0,0 +1,25 @@
+From 57ddebc99ed35a4531ce4d8821090faed24e7eaf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Galder=20Zamarren=CC=83o?= <galder@zamarreno.com>
+Date: Wed, 13 Dec 2017 11:44:14 +0100
+Subject: [PATCH] ISPN-8624 Custom marshaller implementors should verify class
+ names
+
+* Add documentation entry to make sure any custom marshaller
+  implementations implement white class name verification.
+---
+ .../infinispan/it/compatibility/CompatibilityCacheFactory.java  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/integrationtests/compatibility-mode-it/src/test/java/org/infinispan/it/compatibility/CompatibilityCacheFactory.java b/integrationtests/compatibility-mode-it/src/test/java/org/infinispan/it/compatibility/CompatibilityCacheFactory.java
+index a648816d053..c0b5351b761 100644
+--- a/integrationtests/compatibility-mode-it/src/test/java/org/infinispan/it/compatibility/CompatibilityCacheFactory.java
+++ b/integrationtests/compatibility-mode-it/src/test/java/org/infinispan/it/compatibility/CompatibilityCacheFactory.java
+@@ -163,7 +163,7 @@ private void createHotRodCache(HotRodServer server) {
+       hotrod = server;
+       hotrodClient = new RemoteCacheManager(new ConfigurationBuilder()
+             .addServers("localhost:" + hotrod.getPort())
+-            .addJavaSerialWhiteList(".*Person.*")
+            .addJavaSerialWhiteList(".*Person.*", ".*CustomEvent.*")
+             .marshaller(marshaller)
+             .build());
+       hotrodCache = cacheName.isEmpty()
--- a/infinispan.spec
+++ b/infinispan.spec
@ -1,6 +1,6 @@
 Name:          infinispan
 Version:       8.2.4
-Release:       7
+Release:       8
 Summary:       Data grid platform
 License:       ASL 2.0 and LGPLv2+ and Public Domain
 URL:           http://infinispan.org/
@ -9,6 +9,9 @@ Source0:       https://github.com/infinispan/infinispan/archive/8.2.4.Final/infi
 # Port to lucene 6.x
 Patch0:        lucene-6.patch
 Patch1:        implement-abstract-functions-extended-from-class-Directory.patch
+Patch2:        CVE-2016-0750.patch
+Patch3:        CVE-2017-15089-1.patch
+Patch4:        CVE-2017-15089-2.patch

 BuildRequires: maven-local mvn(com.clearspring.analytics:stream) mvn(com.mchange:c3p0)
 BuildRequires: mvn(commons-logging:commons-logging) mvn(commons-pool:commons-pool)
@ -218,5 +221,8 @@ done
 %license LICENSE.txt

 %changelog
+* Thu Mar 4 2021 zhanghua<zhanghua40@huawei.com> - 8.2.4-8
+- fix CVE-2016-0750 CVE-2017-15089
+
 * Tue Mar 10 2020 xuxijian<xuxijian@huawei.com> - 8.2.4-7
 - Package init