[pkg-java] r18786 - in branches/groovy/wheezy/debian: . patches

Miguel Landaeta nomadium at moszumanska.debian.org
Sat Jul 25 23:35:46 UTC 2015


Author: nomadium
Date: 2015-07-25 23:35:43 +0000 (Sat, 25 Jul 2015)
New Revision: 18786

Added:
   branches/groovy/wheezy/debian/patches/0005-CVE-2015-3253.patch
Modified:
   branches/groovy/wheezy/debian/changelog
   branches/groovy/wheezy/debian/patches/series
Log:
Fix CVE-2015-3253

Modified: branches/groovy/wheezy/debian/changelog
===================================================================
--- branches/groovy/wheezy/debian/changelog	2015-07-25 22:55:51 UTC (rev 18785)
+++ branches/groovy/wheezy/debian/changelog	2015-07-25 23:35:43 UTC (rev 18786)
@@ -1,3 +1,10 @@
+groovy (1.8.6-1+deb7u1) oldstable; urgency=high
+
+  * Fix remote execution of untrusted code and possible DoS vulnerability.
+    (CVE-2015-3253) (Closes: #793397).
+
+ -- Miguel Landaeta <nomadium at debian.org>  Sat, 25 Jul 2015 19:59:19 -0300
+
 groovy (1.8.6-1) unstable; urgency=low
 
   * New upstream release.

Added: branches/groovy/wheezy/debian/patches/0005-CVE-2015-3253.patch
===================================================================
--- branches/groovy/wheezy/debian/patches/0005-CVE-2015-3253.patch	                        (rev 0)
+++ branches/groovy/wheezy/debian/patches/0005-CVE-2015-3253.patch	2015-07-25 23:35:43 UTC (rev 18786)
@@ -0,0 +1,32 @@
+Description: Fix remote execution of untrusted code when deserializing (CVE-2015-3253)
+Author: Cédric Champeau <cedric.champeau at gmail.com>
+Bug-Debian: https://bugs.debian.org/793397
+Origin: upstream, https://github.com/apache/incubator-groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
+Forwarded: no
+Last-Update: 2015-07-25
+
+--- groovy-1.8.6.orig/src/main/org/codehaus/groovy/runtime/MethodClosure.java
++++ groovy-1.8.6/src/main/org/codehaus/groovy/runtime/MethodClosure.java
+@@ -30,6 +30,8 @@ import java.util.List;
+  */
+ public class MethodClosure extends Closure {
+ 
++    public static boolean ALLOW_RESOLVE = false;
++
+     private String method;
+     
+     public MethodClosure(Object owner, String method) {
+@@ -52,6 +54,13 @@ public class MethodClosure extends Closu
+         }
+     }
+     
++    private Object readResolve() {
++        if (ALLOW_RESOLVE) {
++            return this;
++        }
++        throw new UnsupportedOperationException();
++    }
++
+     public String getMethod() {
+         return method;
+     }
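Review bot: The new `ALLOW_RESOLVE` switch in the first inner hunk is a public, non-final, non-volatile static with no documentation, so any code loaded in the same JVM can re-enable `MethodClosure` deserialization for the whole process, and a change made on one thread is not guaranteed to be visible to others. I would declare it `public static volatile boolean ALLOW_RESOLVE = false;` and give it a Javadoc comment stating that it is process-wide and should be set to true only when every deserialized stream is trusted. The `throw new UnsupportedOperationException();` in `readResolve()` also carries no message; something like `throw new UnsupportedOperationException("MethodClosure deserialization is disabled (see ALLOW_RESOLVE)");` would make the failure diagnosable from logs. The guard covers only this class, so applications that read untrusted object streams presumably still need class filtering at the stream level, for example by overriding `ObjectInputStream.resolveClass`. The body of `MethodClosure` starts and ends outside these hunks.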

Modified: branches/groovy/wheezy/debian/patches/series
===================================================================
--- branches/groovy/wheezy/debian/patches/series	2015-07-25 22:55:51 UTC (rev 18785)
+++ branches/groovy/wheezy/debian/patches/series	2015-07-25 23:35:43 UTC (rev 18786)
@@ -1,3 +1,4 @@
 0001-start-scripts.patch
 0002-ant-build.diff.patch
 0003-disable-bnd.diff.patch
+0005-CVE-2015-3253.patch



