[libcommons-collections3-java] 01/01: Disabled the deserialization of the functors classes

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Tue Nov 24 22:07:40 UTC 2015


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to annotated tag debian/3.2.1-5+deb7u1
in repository libcommons-collections3-java.

commit e9794c0b830487bc6069168ea0fd4f43f5ddd8b5
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Tue Nov 24 12:18:47 2015 +0100

    Disabled the deserialization of the functors classes
---
 debian/changelog                                   |  10 ++
 debian/gbp.conf                                    |   2 +
 .../patches/disable-functors-deserialization.patch | 159 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 4 files changed, 172 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index ea302b5..8a18818 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+libcommons-collections3-java (3.2.1-5+deb7u1) wheezy-security; urgency=medium
+
+  * Backported a modification from commons-collections 3.2.2 disabling
+    the deserialization of the functors classes unless the system property
+    org.apache.commons.collections.enableUnsafeSerialization is set to true.
+    This fixes a vulnerability in unsafe applications deserializing objects
+    from untrusted sources without sanitizing the input data.
+
+ -- Emmanuel Bourg <ebourg at apache.org>  Tue, 24 Nov 2015 12:18:15 +0100
+
 libcommons-collections3-java (3.2.1-5) unstable; urgency=low
 
   * Team upload.
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..191c3a5
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = wheezy
diff --git a/debian/patches/disable-functors-deserialization.patch b/debian/patches/disable-functors-deserialization.patch
new file mode 100644
index 0000000..2ca581d
--- /dev/null
+++ b/debian/patches/disable-functors-deserialization.patch
@@ -0,0 +1,159 @@
+Description: Disable the deserialization of the functors classes unless
+ the system property org.apache.commons.collections.enableUnsafeSerialization
+ is set to true.
+ .
+ This fixes a vulnerability in unsafe applications deserializing objects
+ from untrusted sources without sanitizing the input data.
+ .
+ https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
+Origin: backport, http://svn.apache.org/r1713845
+Bug: https://issues.apache.org/jira/browse/COLLECTIONS-580
+--- a/src/java/org/apache/commons/collections/functors/CloneTransformer.java
++++ b/src/java/org/apache/commons/collections/functors/CloneTransformer.java
+@@ -68,4 +68,8 @@
+         return PrototypeFactory.getInstance(input).create();
+     }
+ 
++    private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
++        FunctorUtils.checkUnsafeSerialization(CloneTransformer.class);
++        is.defaultReadObject();
++    }
+ }
+--- a/src/java/org/apache/commons/collections/functors/ForClosure.java
++++ b/src/java/org/apache/commons/collections/functors/ForClosure.java
+@@ -102,4 +102,8 @@
+         return iCount;
+     }
+ 
++    private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
++        FunctorUtils.checkUnsafeSerialization(ForClosure.class);
++        is.defaultReadObject();
++    }
+ }
+--- a/src/java/org/apache/commons/collections/functors/FunctorUtils.java
++++ b/src/java/org/apache/commons/collections/functors/FunctorUtils.java
+@@ -16,6 +16,8 @@
+  */
+ package org.apache.commons.collections.functors;
+ 
++import java.security.AccessController;
++import java.security.PrivilegedAction;
+ import java.util.Collection;
+ import java.util.Iterator;
+ 
+@@ -34,6 +36,10 @@
+  */
+ class FunctorUtils {
+     
++    /** System property key to enable unsafe serialization */
++    final static String UNSAFE_SERIALIZABLE_PROPERTY
++        = "org.apache.commons.collections.enableUnsafeSerialization";
++
+     /**
+      * Restricted constructor.
+      */
+@@ -152,4 +158,32 @@
+         }
+     }
+ 
++    /**
++     * Package-private helper method to check if serialization support is
++     * enabled for unsafe classes.
++     *
++     * @param clazz  the clazz to check for serialization support
++     * @throws UnsupportedOperationException if unsafe serialization is disabled
++     */
++    static void checkUnsafeSerialization(Class clazz) {
++        String unsafeSerializableProperty;
++        
++        try {
++            unsafeSerializableProperty = 
++                (String) AccessController.doPrivileged(new PrivilegedAction() {
++                    public Object run() {
++                        return System.getProperty(UNSAFE_SERIALIZABLE_PROPERTY);
++                    }
++                });
++        } catch (SecurityException ex) {
++            unsafeSerializableProperty = null;
++        }
++
++        if (!"true".equalsIgnoreCase(unsafeSerializableProperty)) {
++            throw new UnsupportedOperationException(
++                    "Serialization support for " + clazz.getName() + " is disabled for security reasons. " +
++                    "To enable it set system property '" + UNSAFE_SERIALIZABLE_PROPERTY + "' to 'true', " +
++                    "but you must ensure that your application does not de-serialize objects from untrusted sources.");
++        }
++    }
+ }
+--- a/src/java/org/apache/commons/collections/functors/InstantiateFactory.java
++++ b/src/java/org/apache/commons/collections/functors/InstantiateFactory.java
+@@ -136,5 +136,9 @@
+             throw new FunctorException("InstantiateFactory: Constructor threw an exception", ex);
+         }
+     }
+-    
++
++    private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
++        FunctorUtils.checkUnsafeSerialization(InstantiateFactory.class);
++        is.defaultReadObject();
++    }
+ }
+--- a/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java
++++ b/src/java/org/apache/commons/collections/functors/InstantiateTransformer.java
+@@ -116,4 +116,8 @@
+         }
+     }
+ 
++    private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
++        FunctorUtils.checkUnsafeSerialization(InstantiateTransformer.class);
++        is.defaultReadObject();
++    }
+ }
+--- a/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
++++ b/src/java/org/apache/commons/collections/functors/InvokerTransformer.java
+@@ -134,4 +134,8 @@
+         }
+     }
+ 
++    private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
++        FunctorUtils.checkUnsafeSerialization(InvokerTransformer.class);
++        is.defaultReadObject();
++    }
+ }
+--- a/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
++++ b/src/java/org/apache/commons/collections/functors/PrototypeFactory.java
+@@ -144,6 +144,11 @@
+                 throw new FunctorException("PrototypeCloneFactory: Clone method threw an exception", ex);
+             }
+         }
++
++        private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++            FunctorUtils.checkUnsafeSerialization(PrototypeCloneFactory.class);
++            is.defaultReadObject();
++        }
+     }
+ 
+     // PrototypeSerializationFactory
+@@ -204,6 +209,11 @@
+                 }
+             }
+         }
++
++        private void readObject(ObjectInputStream is) throws ClassNotFoundException, IOException {
++            FunctorUtils.checkUnsafeSerialization(PrototypeSerializationFactory.class);
++            is.defaultReadObject();
++        }
+     }
+ 
+ }
+--- a/src/java/org/apache/commons/collections/functors/WhileClosure.java
++++ b/src/java/org/apache/commons/collections/functors/WhileClosure.java
+@@ -120,4 +120,8 @@
+         return iDoLoop;
+     }
+ 
++    private void readObject(java.io.ObjectInputStream is) throws ClassNotFoundException, java.io.IOException {
++        FunctorUtils.checkUnsafeSerialization(WhileClosure.class);
++        is.defaultReadObject();
++    }
+ }
diff --git a/debian/patches/series b/debian/patches/series
index b58dfff..a486294 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 OSGI_Manifest.diff
 disable_links.diff
+disable-functors-deserialization.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libcommons-collections3-java.git



More information about the pkg-java-commits mailing list