packages/xstream
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!8 fix CVE-2020-26258 and CVE-2020-26259

Browse Source 
From: @wang_yue111
Reviewed-by: @wangxiao65,@wangchong1995924
Signed-off-by: @wangchong1995924
This commit is contained in:
openeuler-ci-bot 2021-01-12 14:19:44 +08:00 committed by Gitee
commit abef5b9142
3 changed files with 234 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
CVE-2020-26258.patch Normal file
View File

@ -0,0 +1,25 @@
From f391169515d77446e94da4836eb65adfbc8acfa2 Mon Sep 17 00:00:00 2001
Date: Mon, 11 Jan 2021 17:32:52 +0800
Subject: [PATCH] Fix and document CVE-2020-26258.
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index 692243e..8a4b104 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -698,7 +698,11 @@ public class XStream {
}
addPermission(AnyTypePermission.ANY);
- denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
+ denyTypes(new String[]{
+ "java.beans.EventHandler", //
+ "java.lang.ProcessBuilder", //
+ "javax.imageio.ImageIO$ContainsFilter", //
+ "jdk.nashorn.internal.objects.NativeString"});
denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
allowTypeHierarchy(Exception.class);
securityInitialized = false;
--
2.23.0

199
CVE-2020-26259.patch Normal file
View File

@ -0,0 +1,199 @@
From aacd07da7e2be020ef2924153838c7b0a05b596f Mon Sep 17 00:00:00 2001
Date: Mon, 11 Jan 2021 18:00:38 +0800
Subject: [PATCH] fix CVE-2020-26259
diff --git a/pom.xml b/pom.xml
index e6fc1a1..15ff064 100644
--- a/pom.xml
+++ b/pom.xml
@@ -546,6 +546,11 @@
<artifactId>jaxb-api</artifactId>
<version>${version.javax.xml.bind.api}</version>
</dependency>
+ <dependency>
+ <groupId>com.sun.xml.ws</groupId>
+ <artifactId>jaxws-rt</artifactId>
+ <version>${version.javax.xml.ws.jaxws.rt}</version>
+ </dependency>
<dependency>
<groupId>org.hibernate</groupId>
@@ -905,6 +910,7 @@
<version.javax.activation>1.1.1</version.javax.activation>
<version.javax.annotation.api>1.3.2</version.javax.annotation.api>
<version.javax.xml.bind.api>2.3.1</version.javax.xml.bind.api>
+ <version.javax.xml.ws.jaxws.rt>2.2</version.javax.xml.ws.jaxws.rt><!-- Java 5 -->
<version.jmock>1.0.1</version.jmock>
<version.joda-time>1.6</version.joda-time>
<version.junit>3.8.1</version.junit>
diff --git a/xstream/pom.xml b/xstream/pom.xml
index 525425a..6543ff7 100644
--- a/xstream/pom.xml
+++ b/xstream/pom.xml
@@ -144,6 +144,54 @@
<artifactId>commons-lang</artifactId>
<scope>test</scope>
</dependency>
+
+ <dependency>
+ <groupId>com.sun.xml.ws</groupId>
+ <artifactId>jaxws-rt</artifactId>
+ <scope>test</scope>
+ <exclusions>
+ <exclusion>
+ <groupId>javax.xml.ws</groupId>
+ <artifactId>jaxws-api</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.sun.istack</groupId>
+ <artifactId>istack-commons-runtime</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.sun.xml.bind</groupId>
+ <artifactId>jaxb-impl</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.sun.xml.messaging.saaj</groupId>
+ <artifactId>saaj-impl</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.sun.xml.stream.buffer</groupId>
+ <artifactId>streambuffer</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.sun.xml.ws</groupId>
+ <artifactId>policy</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>com.sun.org.apache.xml.internal</groupId>
+ <artifactId>resolver</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.glassfish.gmbal</groupId>
+ <artifactId>gmbal-api-only</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.jvnet</groupId>
+ <artifactId>mimepull</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.jvnet.staxex</groupId>
+ <artifactId>stax-ex</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
</dependencies>
<build>
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index 8a4b104..57cf804 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -356,6 +356,7 @@ public class XStream {
private static final Pattern IGNORE_ALL = Pattern.compile(".*");
private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
+ private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
/**
* Constructs a default XStream.
@@ -702,8 +703,8 @@ public class XStream {
"java.beans.EventHandler", //
"java.lang.ProcessBuilder", //
"javax.imageio.ImageIO$ContainsFilter", //
- "jdk.nashorn.internal.objects.NativeString"});
- denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
+ "jdk.nashorn.internal.objects.NativeString" });
+ denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
allowTypeHierarchy(Exception.class);
securityInitialized = false;
}
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
index 309c146..7604aa5 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -11,6 +11,11 @@
package com.thoughtworks.acceptance;
import java.beans.EventHandler;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
import java.util.Iterator;
import com.thoughtworks.xstream.XStream;
@@ -214,4 +219,68 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
// OK
}
}
+
+ public void testCannotUseJaxwsInputStreamToDeleteFile() {
+ if (JVM.isVersion(5)) {
+ final String xml = ""
+ + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
+ + " <tempFile>target/junit/test.txt</tempFile>\n"
+ + "</is>";
+
+ xstream.aliasType("is", InputStream.class);
+ try {
+ xstream.fromXML(xml);
+ fail("Thrown " + ConversionException.class.getName() + " expected");
+ } catch (final ForbiddenClassException e) {
+ // OK
+ }
+ }
+ }
+
+ public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException {
+ if (JVM.isVersion(5)) {
+ final File testDir = new File("target/junit");
+ final File testFile = new File(testDir, "test.txt");
+ try {
+ testDir.mkdirs();
+
+ final OutputStream out = new FileOutputStream(testFile);
+ out.write("JUnit".getBytes());
+ out.flush();
+ out.close();
+
+ assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists());
+
+ final String xml = ""
+ + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n"
+ + " <tempFile>target/junit/test.txt</tempFile>\n"
+ + "</is>";
+
+ xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
+ xstream.aliasType("is", InputStream.class);
+
+ InputStream is = null;
+ try {
+ is = (InputStream)xstream.fromXML(xml);
+ } catch (final ForbiddenClassException e) {
+ // OK
+ }
+
+ assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists());
+
+ byte[] data = new byte[10];
+ is.read(data);
+ is.close();
+
+ assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists());
+ } finally {
+ if (testFile.exists()) {
+ testFile.delete();
+ }
+ if (testDir.exists()) {
+ testDir.delete();
+ }
+ }
+ }
+ }
}
--
2.23.0

11
xstream.spec
View File

@ -1,7 +1,7 @@
%bcond_with jp_minimal
Name: xstream
Version: 1.4.11.1
Release: 2
Release: 3
Summary: Java XML serialization library
License: BSD
URL: http://x-stream.github.io/
@ -9,6 +9,9 @@ BuildArch: noarch
Source0: http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
Patch0: New-predefined-blacklist-avoids-vulnerability.patch
Patch1: CVE-2020-26217-CVE-2017-9805.patch
Patch2: CVE-2020-26258.patch
Patch3: CVE-2020-26259.patch
BuildRequires: maven-local mvn(cglib:cglib) mvn(dom4j:dom4j) mvn(javax.xml.bind:jaxb-api)
BuildRequires: mvn(joda-time:joda-time) mvn(net.sf.kxml:kxml2-min)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
@ -71,6 +74,9 @@ Parent POM for xstream.
%setup -qn xstream-%{version}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
find . -name "*.class" -print -delete
find . -name "*.jar" -print -delete
%pom_disable_module xstream-distribution
@ -128,6 +134,9 @@ rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/
%license LICENSE.txt
%changelog
* Mon Jan 11 2021 wangyue<wangyue92@huawei.com>-1.4.11.1-3
- Fix CVE-2020-26258 CVE-2020-26259
* Sat Dec 12 2020 huanghaitao <huanghaitao8@huawei.com> - 1.4.11.1-2
- Fix CVE-2020-26217 CVE-2017-9805