Bug#888316: jackson-databind: CVE-2018-5968

Markus Koschany apo at debian.org
Sat Jan 27 20:49:49 UTC 2018


Hi folks,

On 25.01.2018 at 15:23, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
>> <carnil at debian.org> wrote:
>>> Source: jackson-databind
>>> Version: 2.9.1-1
>>> Severity: grave
>>> Tags: patch security upstream
>>> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
>>> Control: found -1 2.8.6-1+deb9u2
>>> Control: found -1 2.4.2-2+deb8u2
>>>
>>> Hi,
>>>
>>> the following vulnerability was published for jackson-databind.
>>
>> [...]
>>
>> Thanks for reporting. I had a look at jackson-databind in Stretch. We
>> just need to apply the patch to BeanDeserializerFactory.java again. As
>> for Sid, upgrading to the latest upstream release 2.9.4 should also
>> resolve this. I'm working on it now.
> 
> Perfect, thank you! We (Moritz) have added it to the dsa-needed list
> for jessie and stretch, so once you have the update, can you contact
> the security team alias? One of us will then ack the upload.

I have prepared security updates of jackson-databind for Stretch and
Jessie and would appreciate another look at the patches.

The fix for CVE-2018-5968 is straightforward. The blacklist is simply
extended.

However, upstream decided to refactor the code for CVE-2017-17485 and I
decided to apply the changes to BeanDeserializerFactory.java again
instead of using the new helper class SubTypeValidator. Here is my
thought process on how to create the patch based on the solution in
upstream bug 1855 [1]:

1. Extend the blacklist. [2]
2. Instead of creating a new method validateSubType, I copied the fix
into checkIllegalTypes in BeanDeserializerFactory again. [3] The behavior
remains the same. This code catches some specific cases for the Spring
framework.
3. I also applied the regression fix in [4] (also mentioned in bug 1855).
4. I believe that [5] only applies to the refactored code, and since we
don't use that, it is irrelevant for us.

Regards,

Markus

[1] https://github.com/FasterXML/jackson-databind/issues/1855
[2] https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
[3] https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
[4] https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
[5] https://github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171
-------------- next part --------------
diff -Nru jackson-databind-2.4.2/debian/changelog jackson-databind-2.4.2/debian/changelog
--- jackson-databind-2.4.2/debian/changelog	2017-11-16 09:13:27.000000000 +0100
+++ jackson-databind-2.4.2/debian/changelog	2018-01-27 19:37:47.000000000 +0100
@@ -1,3 +1,13 @@
+jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2017-17485 and CVE-2018-5968:
+    Bybass of deserialization blackist to disallow unauthenticated remote code
+    execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
+    (Closes: #888316, #888318)
+
+ -- Markus Koschany <apo at debian.org>  Sat, 27 Jan 2018 19:37:47 +0100
+
 jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high
 
   * Team upload
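Review bot: typos in the new changelog entry: "Bybass" should be "Bypass", "blackist" should be "blacklist", and "These CVE exist" should be "These CVEs exist". The sentence also reads as if the bypass is what disallows remote code execution; suggest "Bypass of the deserialization blacklist allowing unauthenticated remote code execution." so the entry states the impact rather than the purpose of the blacklist.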
diff -Nru jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch
--- jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch	2018-01-27 19:37:47.000000000 +0100
@@ -0,0 +1,75 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 27 Jan 2018 20:16:02 +0100
+Subject: CVE-2017-17485
+
+Bug-Debian: https://bugs.debian.org/888318
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855
+Origin: https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
+Origin: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
+Origin: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
+---
+ .../databind/deser/BeanDeserializerFactory.java    | 37 +++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 5 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index c536b46..9b56b08 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -38,6 +38,8 @@ public class BeanDeserializerFactory
+ {
+     private static final long serialVersionUID = 1;
+ 
++    protected final static String PREFIX_STRING = "org.springframework.";
++
+     /**
+      * Signature of <b>Throwable.initCause</b> method.
+      */
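Review bot: PREFIX_STRING is introduced without any comment saying what it gates, while the list entries added further down carry "[databind#1855]" markers. A one-line comment such as "// [databind#1855]: prefix that enables the superclass walk in checkIllegalTypes()" would tell the next person backporting to this file why the constant exists and why it is protected rather than private.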
+@@ -75,6 +77,9 @@ public class BeanDeserializerFactory
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++        // [databind#1855]: more 3rd party
++        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
++        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+         // [databind#1899]: more 3rd party
+         s.add("org.hibernate.jmx.StatisticsService");
+         s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
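Review bot: both new entries are exact fully-qualified-name matches through _cfgIllegalClassNames.contains(full), so a subclass or a repackaged copy of org.apache.tomcat.dbcp.dbcp2.BasicDataSource is not caught by them; only the org.springframework. branch added in the next hunk walks the superclass chain. The "// [databind#1855]: more 3rd party" marker follows the style of the "[databind#1899]" entries, and the fact that the #1899 entries appear here as context confirms this patch only applies after CVE-2018-5968.patch in debian/patches/series.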
+@@ -932,11 +937,33 @@ public class BeanDeserializerFactory
+     {
+         // There are certain nasty classes that could cause problems, mostly
+         // via default typing -- catch them here.
+-        String full = type.getRawClass().getName();
+ 
+-        if (_cfgIllegalClassNames.contains(full)) {
+-            throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons");
+-        }
+-    }
++        final Class<?> raw = type.getRawClass();
++        String full = raw.getName();
++
++        main_check:
++        do {
++            if (_cfgIllegalClassNames.contains(full)) {
++                break;
++            }
++
++            // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
++           //    for some Spring framework types
++            if (full.startsWith(PREFIX_STRING)) {
++                for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
++                    String name = cls.getSimpleName();
++                    // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
++                    if ("AbstractPointcutAdvisor".equals(name)
++                            // ditto  for "FileSystemXmlApplicationContext": block all ApplicationContexts
++                            || "AbstractApplicationContext".equals(name)) {
++                        break main_check;
++                    }
++                }
++            }
++            return;
++        } while (false);
++
++        throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons");
++     }
+ 
+ }
diff -Nru jackson-databind-2.4.2/debian/patches/CVE-2018-5968.patch jackson-databind-2.4.2/debian/patches/CVE-2018-5968.patch
--- jackson-databind-2.4.2/debian/patches/CVE-2018-5968.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.4.2/debian/patches/CVE-2018-5968.patch	2018-01-27 19:37:47.000000000 +0100
@@ -0,0 +1,25 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 27 Jan 2018 19:00:33 +0100
+Subject: CVE-2018-5968
+
+Bug-Debian: https://bugs.debian.org/888316
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1899
+Origin: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
+---
+ .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java  | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 86b5c08..10ada70 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -69,6 +69,9 @@ public class BeanDeserializerFactory
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++        // [databind#1899]: more 3rd party
++        s.add("org.hibernate.jmx.StatisticsService");
++        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+ 
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
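Review bot: the "index 86b5c08..10ada70" line and the "@@ -69,6 +69,9 @@" header are identical to the stretch copy of this patch, whereas the jessie CVE-2017-17485.patch that applies on top of it shows the same context lines at line 75 and a pre-image blob of c536b46. That suggests this file was copied from the 2.8.6 tree rather than generated against 2.4.2. patch will still apply it with an offset, and the three added s.add() lines are the same either way, but refreshing it inside the jessie tree (quilt refresh) would make the headers describe the source they are applied to.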
diff -Nru jackson-databind-2.4.2/debian/patches/series jackson-databind-2.4.2/debian/patches/series
--- jackson-databind-2.4.2/debian/patches/series	2017-11-16 09:13:27.000000000 +0100
+++ jackson-databind-2.4.2/debian/patches/series	2018-01-27 19:37:47.000000000 +0100
@@ -3,3 +3,5 @@
 CVE-2017-15095_1.patch
 CVE-2017-15095_2.patch
 CVE-2017-15095_3.patch
+CVE-2018-5968.patch
+CVE-2017-17485.patch
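Review bot: the order of the two new entries matters and is not documented: CVE-2017-17485.patch carries the "[databind#1899]" blacklist entries as context and therefore only applies after CVE-2018-5968.patch, even though the CVE numbers suggest the opposite order. A comment line in series, or a sentence in the CVE-2017-17485.patch header, would stop someone from "fixing" the order later.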
-------------- next part --------------
diff -Nru jackson-databind-2.8.6/debian/changelog jackson-databind-2.8.6/debian/changelog
--- jackson-databind-2.8.6/debian/changelog	2017-11-16 08:55:34.000000000 +0100
+++ jackson-databind-2.8.6/debian/changelog	2018-01-27 19:12:39.000000000 +0100
@@ -1,3 +1,13 @@
+jackson-databind (2.8.6-1+deb9u3) stretch-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2017-17485 and CVE-2018-5968:
+    Bybass of deserialization blackist to disallow unauthenticated remote code
+    execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
+    (Closes: #888316, #888318)
+
+ -- Markus Koschany <apo at debian.org>  Sat, 27 Jan 2018 19:12:39 +0100
+
 jackson-databind (2.8.6-1+deb9u2) stretch-security; urgency=high
 
   * Team upload
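Review bot: the stretch changelog entry has the same typos as its jessie counterpart: "Bybass" for "Bypass", "blackist" for "blacklist", "These CVE exist" for "These CVEs exist". It should also say the bypass allows remote code execution rather than "to disallow" it, which inverts the meaning of the description.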
diff -Nru jackson-databind-2.8.6/debian/patches/CVE-2017-17485.patch jackson-databind-2.8.6/debian/patches/CVE-2017-17485.patch
--- jackson-databind-2.8.6/debian/patches/CVE-2017-17485.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.8.6/debian/patches/CVE-2017-17485.patch	2018-01-27 19:12:39.000000000 +0100
@@ -0,0 +1,76 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 27 Jan 2018 19:06:47 +0100
+Subject: CVE-2017-17485
+
+Bug-Debian: https://bugs.debian.org/888318
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855
+Origin: https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
+Origin: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
+Origin: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
+---
+ .../databind/deser/BeanDeserializerFactory.java    | 38 ++++++++++++++++++----
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 10ada70..b90c9c0 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -32,6 +32,8 @@ public class BeanDeserializerFactory
+ {
+     private static final long serialVersionUID = 1;
+ 
++    protected final static String PREFIX_STRING = "org.springframework.";
++
+     /**
+      * Signature of <b>Throwable.initCause</b> method.
+      */
+@@ -69,6 +71,9 @@ public class BeanDeserializerFactory
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++        // [databind#1855]: more 3rd party
++        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
++        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+         // [databind#1899]: more 3rd party
+         s.add("org.hibernate.jmx.StatisticsService");
+         s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+@@ -898,12 +903,33 @@ public class BeanDeserializerFactory
+     {
+         // There are certain nasty classes that could cause problems, mostly
+         // via default typing -- catch them here.
+-        String full = type.getRawClass().getName();
++        final Class<?> raw = type.getRawClass();
++        String full = raw.getName();
+ 
+-        if (_cfgIllegalClassNames.contains(full)) {
+-            ctxt.reportBadTypeDefinition(beanDesc,
+-                    "Illegal type (%s) to deserialize: prevented for security reasons", full);
+-        }
+-    }
++        main_check:
++        do {
++            if (_cfgIllegalClassNames.contains(full)) {
++                break;
++            }
++
++            // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
++            //    for some Spring framework types
++            if (full.startsWith(PREFIX_STRING)) {
++                for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
++                    String name = cls.getSimpleName();
++                    // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
++                    if ("AbstractPointcutAdvisor".equals(name)
++                            // ditto  for "FileSystemXmlApplicationContext": block all ApplicationContexts
++                            || "AbstractApplicationContext".equals(name)) {
++                        break main_check;
++                    }
++                }
++            }
++            return;
++        } while (false);
++
++        throw JsonMappingException.from(ctxt,
++                String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
++     }
+ 
+ }
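Review bot: two points on this hunk. First, the removed code reported the violation with ctxt.reportBadTypeDefinition(beanDesc, ...), and the replacement throws JsonMappingException.from(ctxt, ...) directly, so the failure no longer goes through the context's type-definition reporting path and the message callers see may differ from what 2.8.6 produced; if that mirrors the upstream commit it is worth saying so in the patch header, otherwise keeping reportBadTypeDefinition for the final throw is the smaller change. Second, the loop "for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass())" dereferences null once getSuperclass() returns null, which it does for interfaces; add "(cls != null) &&" to the loop condition so the check fails closed with the intended exception rather than a NullPointerException. The closing brace on the last added line is also indented five spaces instead of four.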
diff -Nru jackson-databind-2.8.6/debian/patches/CVE-2018-5968.patch jackson-databind-2.8.6/debian/patches/CVE-2018-5968.patch
--- jackson-databind-2.8.6/debian/patches/CVE-2018-5968.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.8.6/debian/patches/CVE-2018-5968.patch	2018-01-27 19:12:39.000000000 +0100
@@ -0,0 +1,25 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 27 Jan 2018 19:00:33 +0100
+Subject: CVE-2018-5968
+
+Bug-Debian: https://bugs.debian.org/888316
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1899
+Origin: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
+---
+ .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java  | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 86b5c08..10ada70 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -69,6 +69,9 @@ public class BeanDeserializerFactory
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++        // [databind#1899]: more 3rd party
++        s.add("org.hibernate.jmx.StatisticsService");
++        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+ 
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
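Review bot: the two new entries only fire when the attacker-supplied type id is exactly "org.hibernate.jmx.StatisticsService" or "org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"; the changelog itself records that CVE-2017-17485 and CVE-2018-5968 exist because the CVE-2017-7525 blacklist was incomplete, and this hunk extends that same list. That is the correct backport, but the patch header could state plainly that it is a blacklist extension and that applications which enable default typing (the situation the surrounding comment names) stay exposed to classes not on the list.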
diff -Nru jackson-databind-2.8.6/debian/patches/series jackson-databind-2.8.6/debian/patches/series
--- jackson-databind-2.8.6/debian/patches/series	2017-11-16 08:55:34.000000000 +0100
+++ jackson-databind-2.8.6/debian/patches/series	2018-01-27 19:12:39.000000000 +0100
@@ -2,3 +2,5 @@
 CVE-2017-15095_1.patch
 CVE-2017-15095_2.patch
 CVE-2017-15095_3.patch
+CVE-2018-5968.patch
+CVE-2017-17485.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20180127/2476e26b/attachment.sig>
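The gate that both backports implement, modelled as a stand-alone Java program. This is an added example, not code from the patches above or from jackson-databind: it reproduces the patched checkIllegalTypes() logic (an exact-name blacklist, then a walk up the superclass chain for types under org.springframework.) and runs it against constructed stand-in classes. Assumptions: the file is placed in a hypothetical package org.springframework.demo so that the nested stand-ins carry the Spring prefix; the stand-in names (AbstractPointcutAdvisor, DefaultBeanFactoryPointcutAdvisor, AbstractApplicationContext, FileSystemXmlApplicationContext, HarmlessSpringBean, SpringCallback) are placeholders with no Spring on the classpath; and the loop carries a null guard for interfaces that the posted hunks do not have.

```java
package org.springframework.demo; // assumption: hypothetical package so the nested stand-ins start with "org.springframework."

import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Stand-alone model of the checkIllegalTypes() gate from the CVE-2017-17485 / CVE-2018-5968
 * backports: an exact-name blacklist, then a superclass walk for org.springframework.* types.
 * Example code only; it is not jackson-databind, and the Spring types below are stand-ins.
 */
public final class IllegalTypeGate {

    /** Same prefix constant as the patch. */
    static final String PREFIX_STRING = "org.springframework.";

    /** Subset of the DEFAULT_NO_DESER_CLASS_NAMES entries visible in the patch hunks. */
    static final Set<String> ILLEGAL_CLASS_NAMES;
    static {
        Set<String> s = new HashSet<>();
        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");            // [databind#1855]
        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");        // [databind#1855]
        s.add("org.hibernate.jmx.StatisticsService");                      // [databind#1899]
        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");  // [databind#1899]
        ILLEGAL_CLASS_NAMES = Collections.unmodifiableSet(s);
    }

    /**
     * Mirrors the patched checkIllegalTypes(): returns the reason a type must not be
     * deserialized, or null when the gate lets it through. The patch throws a
     * JsonMappingException at the point where this returns a non-null string.
     */
    static String rejectionReason(Class<?> raw) {
        String full = raw.getName();

        // Branch 1: exact fully-qualified-name match. A subclass of a listed class has a
        // different name and therefore does not match here.
        if (ILLEGAL_CLASS_NAMES.contains(full)) {
            return "exact blacklist match: " + full;
        }

        // Branch 2: for Spring types, walk up the superclass chain and reject anything derived
        // from the two abstract bases named in [databind#1855]. The null guard is an addition of
        // this example: Class.getSuperclass() returns null for interfaces.
        if (full.startsWith(PREFIX_STRING)) {
            for (Class<?> cls = raw; cls != null && cls != Object.class; cls = cls.getSuperclass()) {
                String name = cls.getSimpleName();
                if ("AbstractPointcutAdvisor".equals(name) || "AbstractApplicationContext".equals(name)) {
                    return "Spring type derived from " + name + ": " + full;
                }
            }
        }
        return null;
    }

    // Constructed stand-ins (assumption: only their names matter; no Spring on the classpath).
    abstract static class AbstractPointcutAdvisor {}
    static class DefaultBeanFactoryPointcutAdvisor extends AbstractPointcutAdvisor {}
    abstract static class AbstractApplicationContext {}
    static class FileSystemXmlApplicationContext extends AbstractApplicationContext {}
    static class HarmlessSpringBean {}
    interface SpringCallback {}

    public static void main(String[] args) {
        Class<?>[] probes = {
            DefaultBeanFactoryPointcutAdvisor.class,   // caught by the superclass walk
            FileSystemXmlApplicationContext.class,     // caught by the superclass walk
            HarmlessSpringBean.class,                  // Spring prefix, but harmless ancestry
            SpringCallback.class,                      // interface: superclass chain is null
            java.util.ArrayList.class,                 // outside the prefix and not listed
        };
        for (Class<?> c : probes) {
            String why = rejectionReason(c);
            System.out.println(c.getName() + " -> " + (why == null ? "allowed" : "REJECTED, " + why));
        }
    }
}
```

Run it with `java IllegalTypeGate.java` (source-file mode, Java 11 or later, which accepts the package declaration). The two subclass stand-ins are rejected through the superclass walk, the interface ends the walk at a null superclass instead of throwing, and HarmlessSpringBean and java.util.ArrayList pass. Note that a type only hits the first branch when its full name equals one of the blacklist strings, which is why a subclass of a blacklisted non-Spring class would pass this gate unchanged.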

