[jackson-databind] 01/04: Fix CVE-2017-7525

Fri Oct 20 13:05:25 UTC 2017

This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch stretch
in repository jackson-databind.

commit 02de06a9e13d145aedec7d90bda2e631bf2a6e40
Author: Markus Koschany <apo at debian.org>
Date:   Wed Oct 18 18:27:45 2017 +0200

    Fix CVE-2017-7525
---
 debian/patches/CVE-2017-7525.patch | 95 ++++++++++++++++++++++++++++++++++++++
 debian/patches/series              |  1 +
 2 files changed, 96 insertions(+)

diff --git a/debian/patches/CVE-2017-7525.patch b/debian/patches/CVE-2017-7525.patch
new file mode 100644
index 0000000..d03a725
--- /dev/null
+++ b/debian/patches/CVE-2017-7525.patch
@@ -0,0 +1,95 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 18 Oct 2017 18:27:16 +0200
+Subject: CVE-2017-7525
+
+---
+ .../databind/deser/BeanDeserializerFactory.java    | 23 +++++++++++++
+ .../databind/interop/IllegalTypesCheckTest.java    | 40 ++++++++++++++++++++++
+ 2 files changed, 63 insertions(+)
+ create mode 100644 src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 7815e53..abb0598 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -137,6 +137,8 @@ public class BeanDeserializerFactory
+         if (!isPotentialBeanType(type.getRawClass())) {
+             return null;
+         }
++        // For checks like [databind#1599]
++        checkIllegalTypes(ctxt, type, beanDesc);
+         // Use generic bean introspection to build deserializer
+         return buildBeanDeserializer(ctxt, type, beanDesc);
+     }
+@@ -841,4 +843,25 @@ public class BeanDeserializerFactory
+         ignoredTypes.put(type, status);
+         return status.booleanValue();
+     }
++
++    /**
++     * @since 2.8.9
++     */
++    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
++            BeanDescription beanDesc)
++        throws JsonMappingException
++    {
++        // There are certain nasty classes that could cause problems, mostly
++        // via default typing -- catch them here.
++        Class<?> raw = type.getRawClass();
++        String name = raw.getSimpleName();
++
++        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
++            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
++                throw JsonMappingException.from(ctxt,
++                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
++                                name));
++            }
++        }
++    }
+ }
+diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+new file mode 100644
+index 0000000..1906ead
+--- /dev/null
++++ b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+@@ -0,0 +1,40 @@
++package com.fasterxml.jackson.databind.interop;
++
++import com.fasterxml.jackson.databind.*;
++
++/**
++ * Test case(s) to guard against handling of types that are illegal to handle
++ * due to security constraints.
++ */
++public class IllegalTypesCheckTest extends BaseMapTest
++{
++    static class Bean1599 {
++        public int id;
++        public Object obj;
++    }
++    
++    public void testIssue1599() throws Exception
++    {
++        final String JSON = aposToQuotes(
++ "{'id': 124,\n"
+++" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
+++"  {\n"
+++"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
+++"    'transletName' : 'a.b',\n"
+++"    'outputProperties' : { }\n"
+++"  }\n"
+++" ]\n"
+++"}"
++        );
++        ObjectMapper mapper = new ObjectMapper();
++        mapper.enableDefaultTyping();
++        try {
++            mapper.readValue(JSON, Bean1599.class);
++            fail("Should not pass");
++        } catch (JsonMappingException e) {
++            verifyException(e, "Illegal type");
++            verifyException(e, "to deserialize");
++            verifyException(e, "prevented for security reasons");
++        }
++    }
++}
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..124d01c
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2017-7525.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/jackson-databind.git

