packages/logback
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-6378,CVE-2023-6481

Browse Source
This commit is contained in:
wk333 2023-12-12 10:53:45 +08:00
parent 0608c45830
commit 6a0a475cd9
2 changed files with 466 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

456
CVE-2023-6378-and-CVE-2023-6481.patch Normal file
View File

@ -0,0 +1,456 @@
From bb095154be011267b64e37a1d401546e7cc2b7c3 Mon Sep 17 00:00:00 2001
From: Ceki Gulcu <ceki@qos.ch>
Date: Fri, 1 Dec 2023 15:12:22 +0100
Subject: [PATCH] fix CVE-2023-6378
Signed-off-by: Ceki Gulcu <ceki@qos.ch>
---
.../logback/classic/spi/LoggingEventVO.java | 7 ++
.../src/test/input/issue/logback-1754.xml | 30 +++++++
.../issue/logback_1754/LogbackTest.java | 78 +++++++++++++++++++
.../core/net/HardenedObjectInputStream.java | 55 ++++++++++++-
.../ch/qos/logback/core/util/EnvUtil.java | 39 ++++++----
.../net/HardenedObjectInputStreamTest.java | 49 +++++++++++-
.../rolling/ScaffoldingForRollingTests.java | 2 +-
.../ch/qos/logback/core/util/EnvUtilTest.java | 34 ++++++++
8 files changed, 275 insertions(+), 19 deletions(-)
create mode 100644 logback-classic/src/test/input/issue/logback-1754.xml
create mode 100644 logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java
create mode 100644 logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java
diff --git a/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java b/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java
index e21350b2cc..ea2c6ac128 100644
--- a/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java
+++ b/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java
@@ -14,6 +14,7 @@
package ch.qos.logback.classic.spi;
import java.io.IOException;
+import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
@@ -38,6 +39,7 @@ public class LoggingEventVO implements ILoggingEvent, Serializable {
private static final int NULL_ARGUMENT_ARRAY = -1;
private static final String NULL_ARGUMENT_ARRAY_ELEMENT = "NULL_ARGUMENT_ARRAY_ELEMENT";
+ private static final int ARGUMENT_ARRAY_DESERIALIZATION_LIMIT = 128;
private String threadName;
private String loggerName;
@@ -181,6 +183,11 @@ private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundE
level = Level.toLevel(levelInt);
int argArrayLen = in.readInt();
+ // Prevent DOS attacks via large or negative arrays
+ if (argArrayLen < NULL_ARGUMENT_ARRAY || argArrayLen > ARGUMENT_ARRAY_DESERIALIZATION_LIMIT) {
+ throw new InvalidObjectException("Argument array length is invalid: " + argArrayLen);
+ }
+
if (argArrayLen != NULL_ARGUMENT_ARRAY) {
argumentArray = new String[argArrayLen];
for (int i = 0; i < argArrayLen; i++) {
diff --git a/logback-classic/src/test/input/issue/logback-1754.xml b/logback-classic/src/test/input/issue/logback-1754.xml
new file mode 100644
index 0000000000..ab41185a34
--- /dev/null
+++ b/logback-classic/src/test/input/issue/logback-1754.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Logback: the reliable, generic, fast and flexible logging framework.
+ ~ Copyright (C) 1999-2023, QOS.ch. All rights reserved.
+ ~
+ ~ This program and the accompanying materials are dual-licensed under
+ ~ either the terms of the Eclipse Public License v1.0 as published by
+ ~ the Eclipse Foundation
+ ~
+ ~ or (per the licensee's choosing)
+ ~
+ ~ under the terms of the GNU Lesser General Public License version 2.1
+ ~ as published by the Free Software Foundation.
+ -->
+
+<configuration debug="true">
+ <appender name="GENERAL" class="ch.qos.logback.core.rolling.RollingFileAppender">
+ <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+ <fileNamePattern>${logback_1754_targetDirectory}/test-%d{yyyy-MM-dd}.log</fileNamePattern>
+ <maxHistory>120</maxHistory>
+ </rollingPolicy>
+ <encoder>
+ <pattern>%date{HH:mm:ss.SSS} [%level] %logger{0} [%thread] [%class{3}:%line] : %msg%n</pattern>
+ </encoder>
+ <prudent>true</prudent>
+ </appender>
+ <root level="debug">
+ <appender-ref ref="GENERAL" />
+ </root>
+</configuration>
\ No newline at end of file
diff --git a/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java b/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java
new file mode 100644
index 0000000000..3001c00a66
--- /dev/null
+++ b/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java
@@ -0,0 +1,78 @@
+/*
+ * Logback: the reliable, generic, fast and flexible logging framework.
+ * Copyright (C) 1999-2023, QOS.ch. All rights reserved.
+ *
+ * This program and the accompanying materials are dual-licensed under
+ * either the terms of the Eclipse Public License v1.0 as published by
+ * the Eclipse Foundation
+ *
+ * or (per the licensee's choosing)
+ *
+ * under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation.
+ */
+
+package ch.qos.logback.classic.issue.logback_1754;
+
+import ch.qos.logback.classic.ClassicConstants;
+import ch.qos.logback.classic.ClassicTestConstants;
+import ch.qos.logback.core.testUtil.RandomUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.concurrent.CountDownLatch;
+
+import static ch.qos.logback.classic.util.ContextInitializer.CONFIG_FILE_PROPERTY;
+
+public class LogbackTest {
+
+ private static final int THREADS = 16;
+
+ private void runTest() {
+
+ int diff = RandomUtil.getPositiveInt();
+ //System.setProperty("logback.statusListenerClass", "sysout");
+ System.setProperty(CONFIG_FILE_PROPERTY, ClassicTestConstants.INPUT_PREFIX+"issue/logback-1754.xml");
+ System.setProperty("logback_1754_targetDirectory", ClassicTestConstants.OUTPUT_DIR_PREFIX+"safeWrite_"+diff);
+
+ CountDownLatch latch = new CountDownLatch(THREADS);
+ List<Thread> threads = new ArrayList<Thread>(THREADS);
+ for (int i = 0; i < THREADS; i++) {
+ LoggerThread thread = new LoggerThread(latch, "message from thread " + i);
+ thread.start();
+ threads.add(thread);
+ }
+ for (Thread thread : threads) {
+ try {
+ thread.join();
+ } catch (InterruptedException e) {
+ Thread.currentThread().interrupt();
+ throw new RuntimeException(e);
+ }
+ }
+ }
+
+ public static void main(String... args) {
+ new LogbackTest().runTest();
+ }
+
+ private static final class LoggerThread extends Thread {
+ private static final Logger LOG = LoggerFactory.getLogger(LoggerThread.class);
+ private final CountDownLatch latch;
+ private final String message;
+
+ LoggerThread(CountDownLatch latch, String message) {
+ setDaemon(false);
+ this.latch = latch;
+ this.message = message;
+ }
+
+ @Override
+ public void run() {
+ latch.countDown();
+ LOG.info(message);
+ }
+ }
+}
diff --git a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
index d1b7301ea4..0674aaf3ea 100755
--- a/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
+++ b/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
@@ -1,10 +1,27 @@
+/**
+ * Logback: the reliable, generic, fast and flexible logging framework.
+ * Copyright (C) 1999-2023, QOS.ch. All rights reserved.
+ *
+ * This program and the accompanying materials are dual-licensed under
+ * either the terms of the Eclipse Public License v1.0 as published by
+ * the Eclipse Foundation
+ *
+ * or (per the licensee's choosing)
+ *
+ * under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation.
+ */
package ch.qos.logback.core.net;
+import ch.qos.logback.core.util.EnvUtil;
+
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.List;
@@ -22,10 +39,12 @@ public class HardenedObjectInputStream extends ObjectInputStream {
final List<String> whitelistedClassNames;
final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" };
+ final private static int DEPTH_LIMIT = 16;
+ final private static int ARRAY_LIMIT = 10000;
public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOException {
super(in);
-
+ initObjectFilter();
this.whitelistedClassNames = new ArrayList<String>();
if (whilelist != null) {
for (int i = 0; i < whilelist.length; i++) {
@@ -36,11 +55,43 @@ public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOEx
public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException {
super(in);
-
+ initObjectFilter();
this.whitelistedClassNames = new ArrayList<String>();
this.whitelistedClassNames.addAll(whitelist);
}
+ private void initObjectFilter() {
+
+ // invoke the following code by reflection
+ // this.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
+ // "maxarray=" + ARRAY_LIMIT + ";maxdepth=" + DEPTH_LIMIT + ";"
+ // ));
+ if(EnvUtil.isJDK9OrHigher()) {
+ try {
+ ClassLoader classLoader = this.getClass().getClassLoader();
+
+ Class oifClass = classLoader.loadClass("java.io.ObjectInputFilter");
+ Class oifConfigClass = classLoader.loadClass("java.io.ObjectInputFilter$Config");
+ Method setObjectInputFilterMethod = this.getClass().getMethod("setObjectInputFilter", oifClass);
+
+ Method createFilterMethod = oifConfigClass.getMethod("createFilter", String.class);
+ Object filter = createFilterMethod.invoke(null, "maxarray=" + ARRAY_LIMIT + ";maxdepth=" + DEPTH_LIMIT + ";");
+ setObjectInputFilterMethod.invoke(this, filter);
+ } catch (ClassNotFoundException e) {
+ // this code should be unreachable
+ throw new RuntimeException("Failed to initialize object filter", e);
+ } catch (InvocationTargetException e) {
+ // this code should be unreachable
+ throw new RuntimeException("Failed to initialize object filter", e);
+ } catch (NoSuchMethodException e) {
+ // this code should be unreachable
+ throw new RuntimeException("Failed to initialize object filter", e);
+ } catch (IllegalAccessException e) {
+ // this code should be unreachable
+ throw new RuntimeException("Failed to initialize object filter", e);
+ }
+ }
+ }
@Override
protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException {
diff --git a/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java b/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java
index c200a1c984..f3dcd0cfe3 100644
--- a/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java
+++ b/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java
@@ -1,6 +1,6 @@
/**
* Logback: the reliable, generic, fast and flexible logging framework.
- * Copyright (C) 1999-2015, QOS.ch. All rights reserved.
+ * Copyright (C) 1999-2023, QOS.ch. All rights reserved.
*
* This program and the accompanying materials are dual-licensed under
* either the terms of the Eclipse Public License v1.0 as published by
@@ -22,22 +22,27 @@
public class EnvUtil {
static private boolean isJDK_N_OrHigher(int n) {
- List<String> versionList = new ArrayList<String>();
- // this code should work at least until JDK 10 (assuming n parameter is
- // always 6 or more)
- for (int i = 0; i < 5; i++) {
- versionList.add("1." + (n + i));
- }
-
- String javaVersion = System.getProperty("java.version");
- if (javaVersion == null) {
+ String javaVersionStr = System.getProperty("java.version", "");
+ if (javaVersionStr.isEmpty())
return false;
+
+ int version = getJDKVersion(javaVersionStr);
+ return version > 0 && n <= version;
+ }
+
+ static public int getJDKVersion(String javaVersionStr) {
+ int version = 0;
+
+ for (char ch : javaVersionStr.toCharArray()) {
+ if (Character.isDigit(ch)) {
+ version = (version * 10) + (ch - 48);
+ } else if (version == 1) {
+ version = 0;
+ } else {
+ break;
+ }
}
- for (String v : versionList) {
- if (javaVersion.startsWith(v))
- return true;
- }
- return false;
+ return version;
}
static public boolean isJDK5() {
@@ -52,6 +57,10 @@ static public boolean isJDK7OrHigher() {
return isJDK_N_OrHigher(7);
}
+ static public boolean isJDK9OrHigher() {
+ return isJDK_N_OrHigher(9);
+ }
+
static public boolean isJaninoAvailable() {
ClassLoader classLoader = EnvUtil.class.getClassLoader();
try {
diff --git a/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
index ff4ddc599f..36f7f11b59 100755
--- a/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
+++ b/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java
@@ -1,12 +1,17 @@
package ch.qos.logback.core.net;
import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
+import java.io.InvalidClassException;
import java.io.ObjectOutputStream;
+import java.util.HashSet;
+import java.util.Set;
+import ch.qos.logback.core.util.EnvUtil;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
@@ -54,5 +59,47 @@ private void writeObject(ObjectOutputStream oos, Object o) throws IOException {
oos.flush();
oos.close();
}
-
+
+ @Test
+ public void denialOfService() throws ClassNotFoundException, IOException {
+
+ if(!EnvUtil.isJDK9OrHigher()) {
+ return;
+ }
+
+ ByteArrayInputStream bis = new ByteArrayInputStream(payload());
+ inputStream = new HardenedObjectInputStream(bis, whitelist);
+ try {
+ inputStream.readObject();
+ fail("InvalidClassException expected");
+ } catch(InvalidClassException e) {
+ }
+ finally {
+ inputStream.close();
+ }
+ }
+
+ private byte[] payload() throws IOException {
+ Set root = buildEvilHashset();
+ writeObject(oos, root);
+ return bos.toByteArray();
+ }
+
+ private Set buildEvilHashset() {
+ Set root = new HashSet();
+ Set s1 = root;
+ Set s2 = new HashSet();
+ for (int i = 0; i < 100; i++) {
+ Set t1 = new HashSet();
+ Set t2 = new HashSet();
+ t1.add("foo"); // make it not equal to t2
+ s1.add(t1);
+ s1.add(t2);
+ s2.add(t1);
+ s2.add(t2);
+ s1 = t1;
+ s2 = t2;
+ }
+ return root;
+ }
}
diff --git a/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java b/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java
index 57389be3f7..504b52adc2 100755
--- a/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java
+++ b/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java
@@ -24,10 +24,10 @@
import java.io.File;
import java.io.IOException;
-import java.sql.Date;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Calendar;
+import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.concurrent.Future;
diff --git a/logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java b/logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java
new file mode 100644
index 0000000000..2ee4abd42e
--- /dev/null
+++ b/logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java
@@ -0,0 +1,34 @@
+/**
+ * Logback: the reliable, generic, fast and flexible logging framework.
+ * Copyright (C) 1999-2023, QOS.ch. All rights reserved.
+ *
+ * This program and the accompanying materials are dual-licensed under
+ * either the terms of the Eclipse Public License v1.0 as published by
+ * the Eclipse Foundation
+ *
+ * or (per the licensee's choosing)
+ *
+ * under the terms of the GNU Lesser General Public License version 2.1
+ * as published by the Free Software Foundation.
+ */
+package ch.qos.logback.core.util;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+public class EnvUtilTest {
+
+
+ @Test
+ public void jdkVersion() {
+ assertEquals(4, EnvUtil.getJDKVersion("1.4.xx"));
+ assertEquals(5, EnvUtil.getJDKVersion("1.5"));
+ assertEquals(5, EnvUtil.getJDKVersion("1.5.xx"));
+ assertEquals(5, EnvUtil.getJDKVersion("1.5AA"));
+ assertEquals(9, EnvUtil.getJDKVersion("9EA"));
+ assertEquals(9, EnvUtil.getJDKVersion("9.0.1"));
+ assertEquals(18, EnvUtil.getJDKVersion("18.3+xx"));
+ assertEquals(21, EnvUtil.getJDKVersion("21.0.1"));
+ }
+}

13
logback.spec
View File

@ -1,12 +1,13 @@
Name: logback
Version: 1.2.8
Release: 1
Release: 3
Summary: A Java logging library
License: LGPLv2 or EPL
License: LGPLv2 or EPL-1.0
URL: http://logback.qos.ch/
Source0: https://github.com/qos-ch/logback/archive/v_%{version}.tar.gz
Patch0001: logback-1.2.8-jetty.patch
Patch0001: logback-1.2.8-jetty.patch
Patch0002: CVE-2023-6378-and-CVE-2023-6481.patch
BuildRequires: java-devel >= 1:1.6.0 maven-local mvn(javax.mail:mail)
BuildRequires: mvn(javax.servlet:javax.servlet-api) mvn(junit:junit) mvn(log4j:log4j:1.2.17)
@ -122,6 +123,12 @@ cp -r %{name}-examples/pom.xml %{name}-examples/src %{buildroot}%{_datadir}/%{na
%files help -f .mfiles-javadoc
%changelog
* Tue Dec 12 2023 wangkai <13474090681@163.com> - 1.2.8-3
- Fix CVE-2023-6378,CVE-2023-6481
* Mon Aug 8 2022 Chenyx <chenyixiong3@huawei.com> - 1.2.8-2
- License compliance rectification
* Mon Dec 27 2021 houyingchao <houyingchao@huawei.com> - 1.2.8-1
- Upgrade to 1.2.8
- Fix CVE-2021-42550