[pkg-java] r18782 - in trunk/groovy/debian: . patches
Miguel Landaeta
nomadium at moszumanska.debian.org
Sat Jul 25 20:27:39 UTC 2015
Author: nomadium
Date: 2015-07-25 20:27:39 +0000 (Sat, 25 Jul 2015)
New Revision: 18782
Added:
trunk/groovy/debian/patches/0005-CVE-2015-3253.patch
Modified:
trunk/groovy/debian/changelog
trunk/groovy/debian/control
trunk/groovy/debian/copyright
trunk/groovy/debian/patches/series
Log:
Fix CVE-2015-3253
Modified: trunk/groovy/debian/changelog
===================================================================
--- trunk/groovy/debian/changelog 2015-07-23 11:55:59 UTC (rev 18781)
+++ trunk/groovy/debian/changelog 2015-07-25 20:27:39 UTC (rev 18782)
@@ -1,3 +1,13 @@
+groovy (1.8.6-5) UNRELEASED; urgency=high
+
+ * Fix remote execution of untrusted code and possible DoS vulnerability.
+ (CVE-2015-3253) (Closes: #793397).
+ * Bump Standards-Version to 3.9.6. No changes were required.
+ * Update copyright file:
+ - Fix lintian warning invalid-short-name-in-dep5-copyright.
+
+ -- Miguel Landaeta <nomadium at debian.org> Sat, 25 Jul 2015 14:59:34 -0300
+
groovy (1.8.6-4) unstable; urgency=medium
* Implement alternatives usage to allow co-installation with groovy 2.x.
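Review bot: the new entry's first bullet (`Fix remote execution of untrusted code and possible DoS vulnerability.`) claims a DoS impact that the added patch's own `Description:` line (`Fix remote execution of untrusted code when deserializing`) does not mention; either drop the DoS wording here or record the justification in the patch header so the changelog and the DEP-3 metadata tell the same story. The entry is also still `UNRELEASED`, which is fine for a work-in-progress commit, but it has to be switched to `unstable` (or the appropriate security suite) before the upload that actually closes #793397, and `urgency=high` is the right choice for that upload.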
Modified: trunk/groovy/debian/control
===================================================================
--- trunk/groovy/debian/control 2015-07-23 11:55:59 UTC (rev 18781)
+++ trunk/groovy/debian/control 2015-07-25 20:27:39 UTC (rev 18782)
@@ -9,7 +9,7 @@
(>= 1.0.3), junit4, libmockobjects-java (>= 0.09), libregexp-java (>=
1.2), libservlet2.5-java, libxstream-java, libjline-java, antlr,
tofrodos, ivy, libqdox-java, libjarjar-java (>= 1.4+svn142-4~), libjansi-java
-Standards-Version: 3.9.5
+Standards-Version: 3.9.6
Homepage: http://groovy.codehaus.org/
Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/groovy
Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/groovy/
Modified: trunk/groovy/debian/copyright
===================================================================
--- trunk/groovy/debian/copyright 2015-07-23 11:55:59 UTC (rev 18781)
+++ trunk/groovy/debian/copyright 2015-07-25 20:27:39 UTC (rev 18782)
@@ -11,7 +11,7 @@
Files: src/main/org/codehaus/groovy/jsr223/*
Copyright: 2006 Sun Microsystems, Inc.
-License: BSD
+License: BSD-3-clause
Redistribution and use in source and binary forms, with or without modification, are
permitted provided that the following conditions are met: Redistributions of source code
must retain the above copyright notice, this list of conditions and the following disclaimer.
Added: trunk/groovy/debian/patches/0005-CVE-2015-3253.patch
===================================================================
--- trunk/groovy/debian/patches/0005-CVE-2015-3253.patch (rev 0)
+++ trunk/groovy/debian/patches/0005-CVE-2015-3253.patch 2015-07-25 20:27:39 UTC (rev 18782)
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cédric Champeau <cedric.champeau at gmail.com>
+Bug-Debian: https://bugs.debian.org/793397
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy-1.8.6.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy-1.8.6/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+ */
+ public class MethodClosure extends Closure {
+
++ public static boolean ALLOW_RESOLVE = false;
++
+ private String method;
+
+ public MethodClosure(Object owner, String method) {
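Review bot: `ALLOW_RESOLVE` is a public, mutable, non-volatile static with no comment, so nothing in the code tells a reader that it is a global opt-out of the CVE-2015-3253 hardening or that setting it to `true` re-enables deserialization of `MethodClosure` for the whole JVM. At minimum add a Javadoc line saying exactly that; better, initialise it once at class-load time from a system property into a `final` field so the only way to re-enable the behaviour is an explicit JVM flag rather than a write from any code on the classpath. Separately, the DEP-3 header says `Origin: upstream` together with `Forwarded: no`; for a cherry-picked upstream commit the conventional value is `Forwarded: not-needed`.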
+@@ -52,6 +54,13 @@ public class MethodClosure extends Closu
+ }
+ }
+
++ private Object readResolve() {
++ if (ALLOW_RESOLVE) {
++ return this;
++ }
++ throw new UnsupportedOperationException();
++ }
++
+ public String getMethod() {
+ return method;
+ }
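Review bot: `readResolve()` throws a bare `UnsupportedOperationException` with no message, so an operator whose application starts failing on deserialization gets only a stack trace into `MethodClosure`; give it a message naming the class, CVE-2015-3253 and the `ALLOW_RESOLVE` switch. The method is also declared `private`, and `ObjectInputStream` only honours a private `readResolve()` declared on the exact class being deserialized, so any subclass of the non-final `MethodClosure` would be deserialized without this check; declaring it `protected Object readResolve()` makes subclasses inherit it. Keeping the check on the deserialization path itself is the right design: by the time `readResolve()` runs the stream has already populated `method` and the inherited owner, and throwing here is what stops the instance from ever being handed back to the caller, so do not be tempted to move the guard into `getMethod()` or a later call.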
Modified: trunk/groovy/debian/patches/series
===================================================================
--- trunk/groovy/debian/patches/series 2015-07-23 11:55:59 UTC (rev 18781)
+++ trunk/groovy/debian/patches/series 2015-07-25 20:27:39 UTC (rev 18782)
@@ -2,3 +2,4 @@
0002-ant-build.diff.patch
0003-disable-bnd.diff.patch
0004-java8-compatibility.patch
+0005-CVE-2015-3253.patch