[jackson-databind] 01/04: Fix CVE-2017-7525
Markus Koschany
apo at moszumanska.debian.org
Fri Oct 20 13:05:25 UTC 2017
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch stretch
in repository jackson-databind.
commit 02de06a9e13d145aedec7d90bda2e631bf2a6e40
Author: Markus Koschany <apo at debian.org>
Date: Wed Oct 18 18:27:45 2017 +0200
Fix CVE-2017-7525
---
debian/patches/CVE-2017-7525.patch | 95 ++++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 96 insertions(+)
diff --git a/debian/patches/CVE-2017-7525.patch b/debian/patches/CVE-2017-7525.patch
new file mode 100644
index 0000000..d03a725
--- /dev/null
+++ b/debian/patches/CVE-2017-7525.patch
@@ -0,0 +1,95 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 18 Oct 2017 18:27:16 +0200
+Subject: CVE-2017-7525
+
+---
+ .../databind/deser/BeanDeserializerFactory.java | 23 +++++++++++++
+ .../databind/interop/IllegalTypesCheckTest.java | 40 ++++++++++++++++++++++
+ 2 files changed, 63 insertions(+)
+ create mode 100644 src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 7815e53..abb0598 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -137,6 +137,8 @@ public class BeanDeserializerFactory
+ if (!isPotentialBeanType(type.getRawClass())) {
+ return null;
+ }
++ // For checks like [databind#1599]
++ checkIllegalTypes(ctxt, type, beanDesc);
+ // Use generic bean introspection to build deserializer
+ return buildBeanDeserializer(ctxt, type, beanDesc);
+ }
+@@ -841,4 +843,25 @@ public class BeanDeserializerFactory
+ ignoredTypes.put(type, status);
+ return status.booleanValue();
+ }
++
++ /**
++ * @since 2.8.9
++ */
++ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
++ BeanDescription beanDesc)
++ throws JsonMappingException
++ {
++ // There are certain nasty classes that could cause problems, mostly
++ // via default typing -- catch them here.
++ Class<?> raw = type.getRawClass();
++ String name = raw.getSimpleName();
++
++ if ("TemplatesImpl".equals(name)) { // [databind#1599]
++ if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
++ throw JsonMappingException.from(ctxt,
++ String.format("Illegal type (%s) to deserialize: prevented for security reasons",
++ name));
++ }
++ }
++ }
+ }
+diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+new file mode 100644
+index 0000000..1906ead
+--- /dev/null
++++ b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+@@ -0,0 +1,40 @@
++package com.fasterxml.jackson.databind.interop;
++
++import com.fasterxml.jackson.databind.*;
++
++/**
++ * Test case(s) to guard against handling of types that are illegal to handle
++ * due to security constraints.
++ */
++public class IllegalTypesCheckTest extends BaseMapTest
++{
++ static class Bean1599 {
++ public int id;
++ public Object obj;
++ }
++
++ public void testIssue1599() throws Exception
++ {
++ final String JSON = aposToQuotes(
++ "{'id': 124,\n"
+++" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
+++" {\n"
+++" 'transletBytecodes' : [ 'AAIAZQ==' ],\n"
+++" 'transletName' : 'a.b',\n"
+++" 'outputProperties' : { }\n"
+++" }\n"
+++" ]\n"
+++"}"
++ );
++ ObjectMapper mapper = new ObjectMapper();
++ mapper.enableDefaultTyping();
++ try {
++ mapper.readValue(JSON, Bean1599.class);
++ fail("Should not pass");
++ } catch (JsonMappingException e) {
++ verifyException(e, "Illegal type");
++ verifyException(e, "to deserialize");
++ verifyException(e, "prevented for security reasons");
++ }
++ }
++}
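Review bot: checkIllegalTypes, the method added to BeanDeserializerFactory in this hunk, is a single-entry deny list: it rejects only a class whose simple name is `TemplatesImpl` and whose fully qualified name starts with `com.sun.org.apache.xalan`, so every other target class that default typing can resolve still reaches buildBeanDeserializer unchecked. That mirrors the upstream 2.8.9 change, but it means the patch narrows rather than closes the exposure of `ObjectMapper.enableDefaultTyping()` on untrusted input, and the patch header or the Debian changelog should say so rather than presenting it as a complete fix. The `/** @since 2.8.9 */` Javadoc should also state the contract, e.g. `Rejects known-dangerous target classes before a bean deserializer is built; this is a deny list, so only the classes named here are covered.` IllegalTypesCheckTest exercises only the blocked case; a second test showing that an ordinary bean still deserializes with default typing enabled would guard against the check being accidentally widened later.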
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..124d01c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-7525.patch
--