[pkg-java] r18784 - in branches/groovy/jessie/debian: . patches

Miguel Landaeta nomadium at moszumanska.debian.org
Sat Jul 25 21:58:54 UTC 2015 

Author: nomadium
Date: 2015-07-25 21:58:53 +0000 (Sat, 25 Jul 2015)
New Revision: 18784

Added:
   branches/groovy/jessie/debian/patches/0005-CVE-2015-3253.patch
Modified:
   branches/groovy/jessie/debian/changelog
   branches/groovy/jessie/debian/patches/series
Log:
Fix CVE-2015-3253

Modified: branches/groovy/jessie/debian/changelog
===================================================================
--- branches/groovy/jessie/debian/changelog	2015-07-25 21:18:57 UTC (rev 18783)
+++ branches/groovy/jessie/debian/changelog	2015-07-25 21:58:53 UTC (rev 18784)
@@ -1,3 +1,10 @@
+groovy (1.8.6-4+deb8u1) stable; urgency=high
+
+  * Fix remote execution of untrusted code and possible DoS vulnerability.
+    (CVE-2015-3253) (Closes: #793397).
+
+ -- Miguel Landaeta <nomadium at debian.org>  Sat, 25 Jul 2015 18:27:24 -0300
+
 groovy (1.8.6-4) unstable; urgency=medium
 
   * Implement alternatives usage to allow co-installation with groovy 2.x.

Added: branches/groovy/jessie/debian/patches/0005-CVE-2015-3253.patch
===================================================================
--- branches/groovy/jessie/debian/patches/0005-CVE-2015-3253.patch	                        (rev 0)
+++ branches/groovy/jessie/debian/patches/0005-CVE-2015-3253.patch	2015-07-25 21:58:53 UTC (rev 18784)
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cédric Champeau <cedric.champeau at gmail.com>
+Bug-Debian: https://bugs.debian.org/793397
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy-1.8.6.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy-1.8.6/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+  */
+ public class MethodClosure extends Closure {
+ 
++    public static boolean ALLOW_RESOLVE = false;
++
+     private String method;
+     
+     public MethodClosure(Object owner, String method) {
+@@ -52,6 +54,13 @@ public class MethodClosure extends Closu
+         }
+     }
+     
++    private Object readResolve() {
++        if (ALLOW_RESOLVE) {
++            return this;
++        }
++        throw new UnsupportedOperationException();
++    }
++
+     public String getMethod() {
+         return method;
+     }

Modified: branches/groovy/jessie/debian/patches/series
===================================================================
--- branches/groovy/jessie/debian/patches/series	2015-07-25 21:18:57 UTC (rev 18783)
+++ branches/groovy/jessie/debian/patches/series	2015-07-25 21:58:53 UTC (rev 18784)
@@ -2,3 +2,4 @@
 0002-ant-build.diff.patch
 0003-disable-bnd.diff.patch
 0004-java8-compatibility.patch
+0005-CVE-2015-3253.patch

More information about the pkg-java-commits mailing list