[Git][java-team/jackson-databind][buster] 2 commits: Import Debian changes 2.9.8-3+deb10u3

Markus Koschany (@apo) gitlab at salsa.debian.org
Sun Nov 27 18:56:22 GMT 2022



Markus Koschany pushed to branch buster at Debian Java Maintainers / jackson-databind


Commits:
cf42511a by Utkarsh Gupta at 2022-11-27T19:55:34+01:00
Import Debian changes 2.9.8-3+deb10u3

jackson-databind (2.9.8-3+deb10u3) buster; urgency=medium
..
  * Non-maintainer upload by the LTS team.
  * Add patch to fix:
    - CVE-2020-24616: Block one more gadget type (Anteros-DBCP)
    - CVE-2020-24750: Block one more gadget type
                      (com.pastdev.httpcomponents)
    - CVE-2020-25649: setExpandEntityReferences(false) may not
                      prevent external entity expansion in all
                      cases
    - CVE-2020-35490 and CVE-2020-35491: Block 2 more gadget
                      types (commons-dbcp2)
    - CVE-2020-35728: Block one more gadget type
                      (org.glassfish.web/javax.servlet.jsp.jstl)
    - CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, and
      CVE-2020-36182: Block some more DBCP-related potential
                      gadget classes
    - CVE-2020-36183: Block one more gadget type
                      (org.docx4j.org.apache:xalan-interpretive)
    - CVE-2020-36184 and CVE-2020-36185: Block 2 more gadget
                      types (org.apache.tomcat/tomcat-dbcp)
    - CVE-2020-36186 and CVE-2020-36187: Block 2 more gadget
                      types (tomcat/naming-factory-dbcp)
    - CVE-2020-36188 and CVE-2020-36189: Block 2 more gadget
                      types (newrelic-agent)
    - CVE-2021-20190: Block one more gadget type (javax.swing)

- - - - -
c0e0f354 by Markus Koschany at 2022-11-27T19:55:49+01:00
Import Debian changes 2.9.8-3+deb10u4

jackson-databind (2.9.8-3+deb10u4) buster-security; urgency=high
..
  * Team upload.
  * Fix CVE-2022-42003:
    In FasterXML jackson-databind resource exhaustion can
    occur because of a lack of a check in primitive value deserializers to
    avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS
    feature is enabled.
  * Fix CVE-2022-42004:
    In FasterXML jackson-databind resource exhaustion can occur because of a
    lack of a check in BeanDeserializerBase.deserializeFromArray to prevent use of
    deeply nested arrays. An application is vulnerable only with certain
    customized choices for deserialization.
  * Fix CVE-2020-36518:
    Java StackOverflow exception and denial of service via a large depth of
    nested objects.

- - - - -


9 changed files:

- debian/changelog
- + debian/patches/CVE-2020-24{616,750}.patch
- + debian/patches/CVE-2020-25649
- + debian/patches/CVE-2020-35{490,491,728}.patch
- + debian/patches/CVE-2020-361{79-90}.patch
- + debian/patches/CVE-2020-36518.patch
- + debian/patches/CVE-2022-42003.patch
- + debian/patches/CVE-2022-42004.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,51 @@
+jackson-databind (2.9.8-3+deb10u4) buster-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2022-42003:
+    In FasterXML jackson-databind resource exhaustion can
+    occur because of a lack of a check in primitive value deserializers to
+    avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS
+    feature is enabled.
+  * Fix CVE-2022-42004:
+    In FasterXML jackson-databind resource exhaustion can occur because of a
+    lack of a check in BeanDeserializerBase.deserializeFromArray to prevent use of
+    deeply nested arrays. An application is vulnerable only with certain
+    customized choices for deserialization.
+  * Fix CVE-2020-36518:
+    Java StackOverflow exception and denial of service via a large depth of
+    nested objects.
+
+ -- Markus Koschany <apo at debian.org>  Sun, 27 Nov 2022 18:59:12 +0100
+
+jackson-databind (2.9.8-3+deb10u3) buster; urgency=medium
+
+  * Non-maintainer upload by the LTS team.
+  * Add patch to fix:
+    - CVE-2020-24616: Block one more gadget type (Anteros-DBCP)
+    - CVE-2020-24750: Block one more gadget type
+                      (com.pastdev.httpcomponents)
+    - CVE-2020-25649: setExpandEntityReferences(false) may not
+                      prevent external entity expansion in all
+                      cases
+    - CVE-2020-35490 and CVE-2020-35491: Block 2 more gadget
+                      types (commons-dbcp2)
+    - CVE-2020-35728: Block one more gadget type
+                      (org.glassfish.web/javax.servlet.jsp.jstl)
+    - CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, and
+      CVE-2020-36182: Block some more DBCP-related potential
+                      gadget classes
+    - CVE-2020-36183: Block one more gadget type
+                      (org.docx4j.org.apache:xalan-interpretive)
+    - CVE-2020-36184 and CVE-2020-36185: Block 2 more gadget
+                      types (org.apache.tomcat/tomcat-dbcp)
+    - CVE-2020-36186 and CVE-2020-36187: Block 2 more gadget
+                      types (tomcat/naming-factory-dbcp)
+    - CVE-2020-36188 and CVE-2020-36189: Block 2 more gadget
+                      types (newrelic-agent)
+    - CVE-2021-20190: Block one more gadget type (javax.swing)
+
+ -- Utkarsh Gupta <utkarsh at debian.org>  Sat, 24 Apr 2021 19:56:57 +0530
+
 jackson-databind (2.9.8-3+deb10u2) buster; urgency=medium
 
   * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from
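Review bot: the deb10u3 entry enumerates CVE-2020-36179 through CVE-2020-36189, but the patch implementing it, debian/patches/CVE-2020-361{79-90}.patch, is named and described (`Description: Multiple fixes (CVE-2020-36179 to CVE-2020-36190)`) as also covering CVE-2020-36190; reconcile the two before upload, either by adding CVE-2020-36190 to this entry or by correcting the patch name and header, so the security tracker can match the changelog to what the patch claims.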


=====================================
debian/patches/CVE-2020-24{616,750}.patch
=====================================
@@ -0,0 +1,37 @@
+From 3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Mon, 10 Aug 2020 19:39:03 -0700
+Subject: [PATCH] Add a block for #2814
+
+From 6cc9f1a1af323cd156f5668a47e43bab324ae16f Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Mon, 20 Jul 2020 17:40:57 -0700
+Subject: [PATCH] Work for addressing #2798
+
+Co-Author: Utkarsh Gupta <utkarsh at debian.org>
+
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -137,9 +137,11 @@
+         // [databind#2631]: shaded hikari-config
+         s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
+ 
+-        // [databind#2634]: ibatis-sqlmap, anteros-core
++        // [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
+         s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
+         s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
++        // [databind#2814]: anteros-dbcp
++        s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
+ 
+         // [databind#2642]: javax.swing (jdk)
+         s.add("javax.swing.JEditorPane");
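Review bot: the patch header stacks two upstream `From:`/`Subject:` blocks (3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7 for #2814 and 6cc9f1a1af323cd156f5668a47e43bab324ae16f for #2798) without any DEP-3 `Origin:` or `Description:` field, so a reader cannot tell which hunk came from which commit; add one `Origin: https://github.com/FasterXML/jackson-databind/commit/<hash>` line per upstream commit, as the CVE-2020-36518 patch further down already does, and name the CVEs in a `Description:` line.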
+@@ -196,6 +198,9 @@
+         // [databind#2764]: org.jsecurity:
+         s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
+ 
++        // [databind#2798]: com.pastdev.httpcomponents:
++        s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
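Review bot: this hunk and the one above only append class names to the `DEFAULT_NO_DESER_CLASS_NAMES` denylist and carry no test, while the CVE-2020-36518 and CVE-2022-42003 patches in the same upload ship their upstream test classes; if the two upstream commits touched test sources, cherry-pick those as well so the build exercises the new entries, and note in the header that this is a denylist addition, meaning applications that enable default typing on untrusted input remain exposed to classes not yet listed.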


=====================================
debian/patches/CVE-2020-25649
=====================================
@@ -0,0 +1,24 @@
+From 612f971b78c60202e9cd75a299050c8f2d724a59 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Thu, 9 Jan 2020 19:22:07 -0800
+Subject: [PATCH] Fix #2589
+
+Co-Author: Utkarsh <utkarsh at debian.org>
+
+--- a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
++++ b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
+@@ -39,6 +39,14 @@
+             // 14-Jul-2016, tatu: Not sure how or why, but during code coverage runs
+             //   (via Cobertura) we get `java.lang.AbstractMethodError` so... ignore that too
+         }
++
++        // [databind#2589] add two more settings just in case
++        try {
++            parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++        } catch (Throwable t) { } // as per previous one, nothing much to do
++        try {
++            parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++        } catch (Throwable t) { } // as per previous one, nothing much to do
+         DEFAULT_PARSER_FACTORY = parserFactory;
+     }
+ 
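Review bot: both new `parserFactory.setFeature(...)` calls swallow `Throwable` with an empty body, so on a parser implementation that rejects `disallow-doctype-decl` or `load-external-dtd` the hardening silently does not apply and nothing records that; at minimum the comment should say the feature may be unsupported, and a debug-level log line would let operators verify the restriction is actually active. On the packaging side, this file is the only patch in the series without a `.patch` suffix (see `debian/patches/CVE-2020-25649` in the changed-files list); renaming it to `CVE-2020-25649.patch` keeps the naming consistent.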


=====================================
debian/patches/CVE-2020-35{490,491,728}.patch
=====================================
@@ -0,0 +1,29 @@
+From 41b8bdb5ccc1d8edb71acf1c8234da235a24249d Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Tue, 15 Dec 2020 17:27:03 -0800
+Subject: [PATCH] Fixed #2986
+
+From 1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Sat, 26 Dec 2020 14:20:53 -0800
+Subject: [PATCH] Fixed #2999
+
+Co-Author: Utkarsh Gupta <utkarsh at debian.org>
+
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -201,6 +201,14 @@
+         // [databind#2798]: com.pastdev.httpcomponents:
+         s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
+ 
++        // [databind#2986]: dbcp2
++        s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource");
++        s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource");
++
++        // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
++        // (derivative of #2469)
++        s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
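Review bot: the hunk context at old lines 201-202 (`// [databind#2798]: com.pastdev.httpcomponents:` and the `JndiConfiguration` entry) only exists once CVE-2020-24{616,750}.patch has been applied, so this patch fails to apply if the order in debian/patches/series changes; the series diff is listed under changed files but not shown here, so please confirm the order there is CVE-2020-24{616,750}, CVE-2020-35{490,491,728}, CVE-2020-361{79-90} (the last hunk of the next patch likewise depends on the #2986 and #2999 lines added here).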


=====================================
debian/patches/CVE-2020-361{79-90}.patch
=====================================
@@ -0,0 +1,82 @@
+Description: Multiple fixes (CVE-2020-36179 to CVE-2020-36190)
+ cherry-picked together from upstream.
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Co-Author: Utkarsh Gupta <utkarsh at debian.org>
+
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -118,9 +118,12 @@
+         // [databind#2704]: xalan2
+         s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
+ 
+-        // [databind#2478]: comons-dbcp, p6spy
++        // [databind#2478]: commons-dbcp 1.x, p6spy
++        // [databind#3004]: commons-dbcp 1.x
++        s.add("org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS");
+         s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
+         s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
++
+         s.add("com.p6spy.engine.spy.P6DataSource");
+ 
+         // [databind#2498]: log4j-extras (1.2)
+@@ -143,8 +146,9 @@
+         // [databind#2814]: anteros-dbcp
+         s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
+ 
+-        // [databind#2642]: javax.swing (jdk)
++        // [databind#2642][databind#2854]: javax.swing (jdk)
+         s.add("javax.swing.JEditorPane");
++        s.add("javax.swing.JTextPane");
+ 
+         // [databind#2648], [databind#2653]: shire-core
+         s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
+@@ -183,8 +187,11 @@
+         // [databind#2682]: commons-jelly
+         s.add("org.apache.commons.jelly.impl.Embedded");
+ 
+-        // [databind#2688]: apache/drill
++        // [databind#2688], [databind#3004]: apache/drill
+         s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
++        s.add("oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS");
++        s.add("oadd.org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
++        s.add("oadd.org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+ 
+         // [databind#2698]: weblogic w/ oracle/aq-jms
+         // (note: dependency not available via Maven Central, but as part of
+@@ -201,14 +208,35 @@
+         // [databind#2798]: com.pastdev.httpcomponents:
+         s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
+ 
+-        // [databind#2986]: dbcp2
++        // [databind#2986], [databind#3004]: dbcp2
++        s.add("org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS");
+         s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource");
+         s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource");
+ 
++        // [databind#2996]: newrelic-agent + embedded-logback-core
++        // (derivative of #2334 and #2389)
++        s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource");
++        s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource");
++
++        // [databind#2997]/[databind#3004]: tomcat/naming-factory-dbcp (embedded dbcp 1.x)
++        // (derivative of #2478)
++        s.add("org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS");
++        s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
++        s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
++
++        // [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x)
++        // (derivative of #2478)
++        s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS");
++        s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource");
++        s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource");
++
+         // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
+         // (derivative of #2469)
+         s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
+ 
++        // [databind#3003]: another case of embedded Xalan (derivative of #2469)
++        s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
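Review bot: in the `[databind#2986], [databind#3004]: dbcp2` block the first added entry is `org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS`, a tomcat dbcp 1.x class that is added again a few lines below under `[databind#2997]/[databind#3004]: tomcat/naming-factory-dbcp`; every other dbcp block in this hunk pairs a `cpdsadapter.DriverAdapterCPDS` with the `PerUserPoolDataSource`/`SharedPoolDataSource` from the same package, and the `org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS` counterpart is absent here. The duplicate is harmless in a `Set`, but the missing commons-dbcp2 entry means one of the classes this patch is meant to block is not blocked; check the upstream #3004 commit and replace the duplicated line with the commons-dbcp2 class name.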


=====================================
debian/patches/CVE-2020-36518.patch
=====================================
@@ -0,0 +1,346 @@
+From: Markus Koschany <apo at debian.org>
+Date: Tue, 15 Nov 2022 12:51:57 +0100
+Subject: CVE-2020-36518
+
+Bug-Debian: https://bugs.debian.org/1007109
+Origin: https://github.com/FasterXML/jackson-databind/commit/83b928dab9ba6ef81cf48987fcd12071e1ddb0c9
+Origin: https://github.com/FasterXML/jackson-databind/commit/fcfc4998ec23f0b1f7f8a9521c2b317b6c25892b
+---
+ .../deser/std/UntypedObjectDeserializer.java       | 140 +++++++++++----------
+ .../deser/DeepNestingUntypedDeserTest.java         |  70 +++++++++++
+ 2 files changed, 147 insertions(+), 63 deletions(-)
+ create mode 100644 src/test/java/com/fasterxml/jackson/databind/deser/DeepNestingUntypedDeserTest.java
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java
+index 67be238..41f6dd9 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java
+@@ -220,10 +220,9 @@ public class UntypedObjectDeserializer
+      */
+     @Override
+     public boolean isCachable() {
+-        /* 26-Mar-2015, tatu: With respect to [databind#735], there are concerns over
+-         *   cachability. It seems like we SHOULD be safe here; but just in case there
+-         *   are problems with false sharing, this may need to be revisited.
+-         */
++        // 26-Mar-2015, tatu: With respect to [databind#735], there are concerns over
++        //   cachability. It seems like we SHOULD be safe here; but just in case there
++        //   are problems with false sharing, this may need to be revisited.
+         return true;
+     }
+ 
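Review bot: this hunk, together with the hunks at old lines 266 and 599 below, only rewrites block comments into line comments and reflows a comment banner; none of it is needed for the CVE-2020-36518 fix, and carrying it in a security patch makes the change harder to review and to rebase, so drop the comment-only hunks and keep the patch to the `MAX_DEPTH` guard and the test.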
+@@ -266,9 +265,8 @@ public class UntypedObjectDeserializer
+             if (_numberDeserializer != null) {
+                 return _numberDeserializer.deserialize(p, ctxt);
+             }
+-            /* Caller may want to get all integral values returned as {@link java.math.BigInteger},
+-             * or {@link java.lang.Long} for consistency
+-             */
++            // Caller may want to get all integral values returned as {@link java.math.BigInteger},
++            // or {@link java.lang.Long} for consistency
+             if (ctxt.hasSomeOfFeatures(F_MASK_INT_COERCIONS)) {
+                 return _coerceIntegral(p, ctxt);
+             }
+@@ -599,10 +597,9 @@ public class UntypedObjectDeserializer
+     }
+ 
+     /*
+-    /**********************************************************
+-    /* Separate "vanilla" implementation for common case of
+-    /* no custom deserializer overrides
+-    /**********************************************************
++    /**********************************************************************
++    /* Separate "vanilla" implementation for common case of no deser overrides
++    /**********************************************************************
+      */
+ 
+     @JacksonStdImpl
+@@ -611,11 +608,13 @@ public class UntypedObjectDeserializer
+     {
+         private static final long serialVersionUID = 1L;
+ 
++        // Arbitrarily chosen.
++        // Introduced to resolve CVE-2020-36518 and as a temporary hotfix for #2816
++        private static final int MAX_DEPTH = 1000;
++
+         public final static Vanilla std = new Vanilla();
+ 
+-        /**
+-         * @since 2.9
+-         */
++        // @since 2.9
+         protected final boolean _nonMerging;
+         
+         public Vanilla() { this(false); }
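Review bot: `MAX_DEPTH = 1000` is hard-coded (the comment itself says "Arbitrarily chosen") and applications that legitimately parse deeper untyped documents get no override, so the patch header or README.Debian should state the new limit and that it applies to `Object`-typed deserialization; the same hunk also turns the Javadoc `/** @since 2.9 */` into a line comment, which is unrelated churn that removes the tag from generated documentation and can be dropped.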
+@@ -639,65 +638,77 @@ public class UntypedObjectDeserializer
+             return _nonMerging ? Boolean.FALSE : null;
+         }
+ 
+-        @Override
+-        public Object deserialize(JsonParser p, DeserializationContext ctxt) throws IOException
++         @Override
++        public Object deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
++            return deserialize(p, ctxt, 0);
++        }
++
++        private Object deserialize(JsonParser p, DeserializationContext ctxt, int depth) throws IOException
+         {
+-            switch (p.getCurrentTokenId()) {
+-            case JsonTokenId.ID_START_OBJECT:
+-                {
++            switch (p.currentTokenId()) {
++                case JsonTokenId.ID_START_OBJECT: {
+                     JsonToken t = p.nextToken();
+                     if (t == JsonToken.END_OBJECT) {
+-                        return new LinkedHashMap<String,Object>(2);
++                        return new LinkedHashMap<String, Object>(2);
+                     }
+                 }
+-            case JsonTokenId.ID_FIELD_NAME:
+-                return mapObject(p, ctxt);
+-            case JsonTokenId.ID_START_ARRAY:
+-                {
++                case JsonTokenId.ID_FIELD_NAME:
++                    if (depth > MAX_DEPTH) {
++                        throw new JsonParseException(p, "JSON is too deeply nested.");
++                    }
++
++                    return mapObject(p, ctxt, depth);
++                case JsonTokenId.ID_START_ARRAY: {
+                     JsonToken t = p.nextToken();
+                     if (t == JsonToken.END_ARRAY) { // and empty one too
+-                        if (ctxt.isEnabled(DeserializationFeature.USE_JAVA_ARRAY_FOR_JSON_ARRAY)) {
++                        if (ctxt.isEnabled(
++                            DeserializationFeature.USE_JAVA_ARRAY_FOR_JSON_ARRAY)) {
+                             return NO_OBJECTS;
+                         }
+                         return new ArrayList<Object>(2);
+                     }
+                 }
+-                if (ctxt.isEnabled(DeserializationFeature.USE_JAVA_ARRAY_FOR_JSON_ARRAY)) {
+-                    return mapArrayToArray(p, ctxt);
+-                }
+-                return mapArray(p, ctxt);
+-            case JsonTokenId.ID_EMBEDDED_OBJECT:
+-                return p.getEmbeddedObject();
+-            case JsonTokenId.ID_STRING:
+-                return p.getText();
+ 
+-            case JsonTokenId.ID_NUMBER_INT:
+-                if (ctxt.hasSomeOfFeatures(F_MASK_INT_COERCIONS)) {
+-                    return _coerceIntegral(p, ctxt);
++                if (depth > MAX_DEPTH) {
++                    throw new JsonParseException(p, "JSON is too deeply nested.");
+                 }
+-                return p.getNumberValue(); // should be optimal, whatever it is
+ 
+-            case JsonTokenId.ID_NUMBER_FLOAT:
+-                if (ctxt.isEnabled(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS)) {
+-                    return p.getDecimalValue();
++                if (ctxt.isEnabled(DeserializationFeature.USE_JAVA_ARRAY_FOR_JSON_ARRAY)) {
++                    return mapArrayToArray(p, ctxt, depth);
+                 }
+-                return p.getNumberValue();
++                return mapArray(p, ctxt, depth);
++                case JsonTokenId.ID_EMBEDDED_OBJECT:
++                    return p.getEmbeddedObject();
++                case JsonTokenId.ID_STRING:
++                    return p.getText();
++
++                case JsonTokenId.ID_NUMBER_INT:
++                    if (ctxt.hasSomeOfFeatures(F_MASK_INT_COERCIONS)) {
++                        return _coerceIntegral(p, ctxt);
++                    }
++                    return p.getNumberValue(); // should be optimal, whatever it is
+ 
+-            case JsonTokenId.ID_TRUE:
+-                return Boolean.TRUE;
+-            case JsonTokenId.ID_FALSE:
+-                return Boolean.FALSE;
++                case JsonTokenId.ID_NUMBER_FLOAT:
++                    if (ctxt.isEnabled(DeserializationFeature.USE_BIG_DECIMAL_FOR_FLOATS)) {
++                        return p.getDecimalValue();
++                    }
++                    return p.getNumberValue();
+ 
+-            case JsonTokenId.ID_END_OBJECT:
+-                // 28-Oct-2015, tatu: [databind#989] We may also be given END_OBJECT (similar to FIELD_NAME),
+-                //    if caller has advanced to the first token of Object, but for empty Object
+-                return new LinkedHashMap<String,Object>(2);
++                case JsonTokenId.ID_TRUE:
++                    return Boolean.TRUE;
++                case JsonTokenId.ID_FALSE:
++                    return Boolean.FALSE;
+ 
+-            case JsonTokenId.ID_NULL: // 08-Nov-2016, tatu: yes, occurs
+-                return null;
++                case JsonTokenId.ID_END_OBJECT:
++                    // 28-Oct-2015, tatu: [databind#989] We may also be given END_OBJECT (similar to FIELD_NAME),
++                    //    if caller has advanced to the first token of Object, but for empty Object
++                    return new LinkedHashMap<String, Object>(2);
+ 
+-            //case JsonTokenId.ID_END_ARRAY: // invalid
+-            default:
++                case JsonTokenId.ID_NULL: // 08-Nov-2016, tatu: yes, occurs
++                    return null;
++
++                //case JsonTokenId.ID_END_ARRAY: // invalid
++                default:
+             }
+             return ctxt.handleUnexpectedToken(Object.class, p);
+         }
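Review bot: the depth guard is added only inside the `Vanilla` subclass (every hunk from old line 599 onward is in it), so the outer `UntypedObjectDeserializer` path taken when custom deserializers such as the `_numberDeserializer` seen in the hunk at old line 266 are registered still recurses with no limit; if that mirrors the upstream commits named in the `Origin:` lines, say so in the patch header so the residual exposure is documented for the deb10u4 advisory. Minor: the re-added `@Override` before `deserialize(JsonParser, DeserializationContext)` has one extra leading space compared with the method it annotates, and the `case` labels are now indented one level deeper than the `switch`, diverging from the style of the rest of the file.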
+@@ -806,15 +817,16 @@ public class UntypedObjectDeserializer
+             return deserialize(p, ctxt);
+         }
+ 
+-        protected Object mapArray(JsonParser p, DeserializationContext ctxt) throws IOException
++        protected Object mapArray(JsonParser p, DeserializationContext ctxt, int depth) throws IOException
+         {
+-            Object value = deserialize(p, ctxt);
++            ++depth;
++            Object value = deserialize(p, ctxt, depth);
+             if (p.nextToken()  == JsonToken.END_ARRAY) {
+                 ArrayList<Object> l = new ArrayList<Object>(2);
+                 l.add(value);
+                 return l;
+             }
+-            Object value2 = deserialize(p, ctxt);
++            Object value2 = deserialize(p, ctxt, depth);
+             if (p.nextToken()  == JsonToken.END_ARRAY) {
+                 ArrayList<Object> l = new ArrayList<Object>(2);
+                 l.add(value);
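Review bot: `depth` is incremented once per container entered (`++depth` at the top of `mapArray`, `mapArrayToArray` and `mapObject`) and compared with `depth > MAX_DEPTH` in `deserialize`, so a document nested exactly `MAX_DEPTH` (1000) levels deep is still accepted and 1001 levels is rejected; the test's `NOT_TOO_DEEP = 1000` relies on this inclusive bound, so a comment on `MAX_DEPTH` saying the limit is inclusive would prevent a later off-by-one when someone tightens it.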
+@@ -828,7 +840,7 @@ public class UntypedObjectDeserializer
+             values[ptr++] = value2;
+             int totalSize = ptr;
+             do {
+-                value = deserialize(p, ctxt);
++                value = deserialize(p, ctxt, depth);
+                 ++totalSize;
+                 if (ptr >= values.length) {
+                     values = buffer.appendCompletedChunk(values);
+@@ -845,12 +857,13 @@ public class UntypedObjectDeserializer
+         /**
+          * Method called to map a JSON Array into a Java Object array (Object[]).
+          */
+-        protected Object[] mapArrayToArray(JsonParser p, DeserializationContext ctxt) throws IOException {
++        protected Object[] mapArrayToArray(JsonParser p, DeserializationContext ctxt, int depth) throws IOException {
++            ++depth;
+             ObjectBuffer buffer = ctxt.leaseObjectBuffer();
+             Object[] values = buffer.resetAndStart();
+             int ptr = 0;
+             do {
+-                Object value = deserialize(p, ctxt);
++                Object value = deserialize(p, ctxt, depth);
+                 if (ptr >= values.length) {
+                     values = buffer.appendCompletedChunk(values);
+                     ptr = 0;
+@@ -863,12 +876,13 @@ public class UntypedObjectDeserializer
+         /**
+          * Method called to map a JSON Object into a Java value.
+          */
+-        protected Object mapObject(JsonParser p, DeserializationContext ctxt) throws IOException
++        protected Object mapObject(JsonParser p, DeserializationContext ctxt, int depth) throws IOException
+         {
++            ++depth;
+             // will point to FIELD_NAME at this point, guaranteed
+             String key1 = p.getText();
+             p.nextToken();
+-            Object value1 = deserialize(p, ctxt);
++            Object value1 = deserialize(p, ctxt, depth);
+ 
+             String key2 = p.nextFieldName();
+             if (key2 == null) { // single entry; but we want modifiable
+@@ -877,7 +891,7 @@ public class UntypedObjectDeserializer
+                 return result;
+             }
+             p.nextToken();
+-            Object value2 = deserialize(p, ctxt);
++            Object value2 = deserialize(p, ctxt, depth);
+ 
+             String key = p.nextFieldName();
+             if (key == null) {
+@@ -892,7 +906,7 @@ public class UntypedObjectDeserializer
+             result.put(key2, value2);
+             do {
+                 p.nextToken();
+-                result.put(key, deserialize(p, ctxt));
++                result.put(key, deserialize(p, ctxt, depth));
+             } while ((key = p.nextFieldName()) != null);
+             return result;
+         }
+diff --git a/src/test/java/com/fasterxml/jackson/databind/deser/DeepNestingUntypedDeserTest.java b/src/test/java/com/fasterxml/jackson/databind/deser/DeepNestingUntypedDeserTest.java
+new file mode 100644
+index 0000000..ad0194d
+--- /dev/null
++++ b/src/test/java/com/fasterxml/jackson/databind/deser/DeepNestingUntypedDeserTest.java
+@@ -0,0 +1,70 @@
++package com.fasterxml.jackson.databind.deser;
++
++import com.fasterxml.jackson.core.JsonParseException;
++import com.fasterxml.jackson.databind.BaseMapTest;
++import com.fasterxml.jackson.databind.ObjectMapper;
++import java.util.List;
++import java.util.Map;
++
++public class DeepNestingUntypedDeserTest extends BaseMapTest
++{
++  // 28-Mar-2021, tatu: Currently 3000 fails for untyped/Object,
++  //     4000 for untyped/Array
++  private final static int TOO_DEEP_NESTING = 4000;
++  private final static int NOT_TOO_DEEP = 1000;
++
++  private final ObjectMapper MAPPER = new ObjectMapper();
++
++  public void testTooDeepUntypedWithArray() throws Exception
++  {
++    final String doc = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ");
++    try {
++      MAPPER.readValue(doc, Object.class);
++      fail("Should have thrown an exception.");
++    } catch (JsonParseException jpe) {
++      assertTrue(jpe.getMessage().startsWith("JSON is too deeply nested."));
++    }
++  }
++
++  public void testUntypedWithArray() throws Exception
++  {
++    final String doc = _nestedDoc(NOT_TOO_DEEP, "[ ", "] ");
++    Object ob = MAPPER.readValue(doc, Object.class);
++    assertTrue(ob instanceof List<?>);
++  }
++
++  public void testTooDeepUntypedWithObject() throws Exception
++  {
++    final String doc = "{"+_nestedDoc(TOO_DEEP_NESTING, "\"x\":{", "} ") + "}";
++    try {
++      MAPPER.readValue(doc, Object.class);
++      fail("Should have thrown an exception.");
++    } catch (JsonParseException jpe) {
++      assertTrue(jpe.getMessage().startsWith("JSON is too deeply nested."));
++    }
++  }
++
++  public void testUntypedWithObject() throws Exception
++  {
++    final String doc = "{"+_nestedDoc(NOT_TOO_DEEP, "\"x\":{", "} ") + "}";
++    Object ob = MAPPER.readValue(doc, Object.class);
++    assertTrue(ob instanceof Map<?, ?>);
++  }
++
++  private String _nestedDoc(int nesting, String open, String close) {
++    StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
++    for (int i = 0; i < nesting; ++i) {
++      sb.append(open);
++      if ((i & 31) == 0) {
++        sb.append("\n");
++      }
++    }
++    for (int i = 0; i < nesting; ++i) {
++      sb.append(close);
++      if ((i & 31) == 0) {
++        sb.append("\n");
++      }
++    }
++    return sb.toString();
++  }
++}
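Review bot: the tests only probe 1000 (accepted) and 4000 (rejected), so there is no boundary case at `MAX_DEPTH + 1`, which is exactly where an off-by-one in the `depth > MAX_DEPTH` check would hide; add a case with 1001 levels for both the array and the object form. The comment `Currently 3000 fails for untyped/Object, 4000 for untyped/Array` describes the pre-fix stack-overflow thresholds and no longer explains why 4000 was chosen; reword it to say any depth above `MAX_DEPTH` must throw. Style: the new file uses two-space indentation while the rest of the package uses four.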


=====================================
debian/patches/CVE-2022-42003.patch
=====================================
@@ -0,0 +1,230 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 14 Nov 2022 22:40:03 +0100
+Subject: CVE-2022-42003
+
+Origin: https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33
+
+---
+ .../databind/deser/std/StdDeserializer.java        | 48 ++++++++---
+ .../dos/DeepArrayWrappingForDeser3590Test.java     | 93 ++++++++++++++++++++++
+ 2 files changed, 129 insertions(+), 12 deletions(-)
+ create mode 100644 src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java
+index 9a6f482..cf46afc 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java
+@@ -178,7 +178,9 @@ public abstract class StdDeserializer<T>
+         }
+         // [databind#381]
+         if (t == JsonToken.START_ARRAY && ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
+-            p.nextToken();
++            if (p.nextToken() == JsonToken.START_ARRAY) {
++                return (boolean) handleNestedArrayForSingle(p, ctxt);
++            }
+             final boolean parsed = _parseBooleanPrimitive(p, ctxt);
+             _verifyEndArrayForSingle(p, ctxt);
+             return parsed;            
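Review bot: the new branch casts the return of `handleNestedArrayForSingle(p, ctxt)` straight to the primitive (`(boolean)` here, `(int)`, `(long)`, `(float)`, `(double)` and `(java.util.Date)` in the following hunks), which relies on that helper either throwing or returning a non-null boxed value; if it delegates to `ctxt.handleUnexpectedToken` and a lenient `DeserializationProblemHandler` returns `null`, unboxing fails with a `NullPointerException` instead of a `JsonMappingException`. The helper itself is not defined in the portion of the patch shown here, so verify that the remainder adds it to `StdDeserializer` and that it reports the nested array through the context rather than consuming further tokens; since the same three-line guard is repeated verbatim in `_parseIntPrimitive`, `_parseLongPrimitive`, `_parseFloatPrimitive` and `_parseDoublePrimitive`, a header note that the duplication is inherited from upstream will stop someone consolidating it in the Debian branch and drifting from the cherry-pick.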
+@@ -250,7 +252,9 @@ public abstract class StdDeserializer<T>
+             return 0;
+         case JsonTokenId.ID_START_ARRAY:
+             if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
+-                p.nextToken();
++                if (p.nextToken() == JsonToken.START_ARRAY) {
++                    return (int) handleNestedArrayForSingle(p, ctxt);
++                }
+                 final int parsed = _parseIntPrimitive(p, ctxt);
+                 _verifyEndArrayForSingle(p, ctxt);
+                 return parsed;            
+@@ -310,7 +314,9 @@ public abstract class StdDeserializer<T>
+             return 0L;
+         case JsonTokenId.ID_START_ARRAY:
+             if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
+-                p.nextToken();
++                if (p.nextToken() == JsonToken.START_ARRAY) {
++                    return (long) handleNestedArrayForSingle(p, ctxt);
++                }
+                 final long parsed = _parseLongPrimitive(p, ctxt);
+                 _verifyEndArrayForSingle(p, ctxt);
+                 return parsed;
+@@ -356,7 +362,9 @@ public abstract class StdDeserializer<T>
+             return 0.0f;
+         case JsonTokenId.ID_START_ARRAY:
+             if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
+-                p.nextToken();
++                if (p.nextToken() == JsonToken.START_ARRAY) {
++                    return (float) handleNestedArrayForSingle(p, ctxt);
++                }
+                 final float parsed = _parseFloatPrimitive(p, ctxt);
+                 _verifyEndArrayForSingle(p, ctxt);
+                 return parsed;            
+@@ -417,7 +425,9 @@ public abstract class StdDeserializer<T>
+             return 0.0;
+         case JsonTokenId.ID_START_ARRAY:
+             if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
+-                p.nextToken();
++                if (p.nextToken() == JsonToken.START_ARRAY) {
++                    return (double) handleNestedArrayForSingle(p, ctxt);
++                }
+                 final double parsed = _parseDoublePrimitive(p, ctxt);
+                 _verifyEndArrayForSingle(p, ctxt);
+                 return parsed;            
+@@ -498,6 +508,9 @@ public abstract class StdDeserializer<T>
+                 }
+             }
+             if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
++                if (t == JsonToken.START_ARRAY) {
++                    return (java.util.Date) handleNestedArrayForSingle(p, ctxt);
++                }
+                 final Date parsed = _parseDate(p, ctxt);
+                 _verifyEndArrayForSingle(p, ctxt);
+                 return parsed;            
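Review bot: this hunk tests `t == JsonToken.START_ARRAY` instead of calling `p.nextToken()` as the primitive hunks do, so it relies on `t` already holding the token after the opening `[`; that should be confirmed against the enclosing method, because if `t` still refers to the outer START_ARRAY every array-wrapped date would be rejected. Style: the cast uses the fully qualified `java.util.Date` while the very next line declares `final Date parsed`, so `Date` is already in scope and the qualification can go.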
+@@ -662,11 +675,11 @@ public abstract class StdDeserializer<T>
+                 }
+             }
+             if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
+-                final T parsed = deserialize(p, ctxt);
++                final T parsed = _deserializeWrappedValue(p, ctxt);
+                 if (p.nextToken() != JsonToken.END_ARRAY) {
+                     handleMissingEndArrayForSingle(p, ctxt);
+                 }
+-                return parsed;            
++                return parsed;
+             }
+         } else {
+             t = p.getCurrentToken();
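Review bot: switching the call from `deserialize` to `_deserializeWrappedValue` is what routes the generic (non-primitive) unwrap path through the nested-array check, but the hunk carries no comment saying so; a one-line reference to the issue next to the call would help the next backporter. The `return parsed;` line is removed and re-added only to strip trailing whitespace; in a security backport that whitespace-only churn adds a line to review and to conflict on without changing behaviour, so I would drop it.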
+@@ -689,12 +702,8 @@ public abstract class StdDeserializer<T>
+         // 23-Mar-2017, tatu: Let's specifically block recursive resolution to avoid
+         //   either supporting nested arrays, or to cause infinite looping.
+         if (p.hasToken(JsonToken.START_ARRAY)) {
+-            String msg = String.format(
+-"Cannot deserialize instance of %s out of %s token: nested Arrays not allowed with %s",
+-                    ClassUtil.nameOf(_valueClass), JsonToken.START_ARRAY,
+-                    "DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
+             @SuppressWarnings("unchecked")
+-            T result = (T) ctxt.handleUnexpectedToken(_valueClass, p.getCurrentToken(), p, msg);
++            T result = (T) handleNestedArrayForSingle(p, ctxt);
+             return result;
+         }
+         return (T) deserialize(p, ctxt);
+@@ -1169,6 +1178,21 @@ handledType().getName());
+         //     but for now just fall through
+     }
+ 
++    /**
++     * Helper method called when detecting a deep(er) nesting of Arrays when trying
++     * to unwrap value for {@code DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS}.
++     *
++     * @since 2.14
++     */
++    protected Object handleNestedArrayForSingle(JsonParser p, DeserializationContext ctxt) throws IOException
++    {
++        String msg = String.format(
++"Cannot deserialize instance of %s out of %s token: nested Arrays not allowed with %s",
++                ClassUtil.nameOf(_valueClass), JsonToken.START_ARRAY,
++                "DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
++        return ctxt.handleUnexpectedToken(_valueClass, p.currentToken(), p, msg);
++    }
++
+     protected void _verifyEndArrayForSingle(JsonParser p, DeserializationContext ctxt) throws IOException
+     {
+         JsonToken t = p.nextToken();
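Review bot: the `@since 2.14` Javadoc tag is copied from the upstream commit and is wrong for this 2.9.8 backport, where the method first appears in 2.9.8-3+deb10u4; either drop the tag or say in the comment that it is a backport. Also, `p.currentToken()` replaces the `p.getCurrentToken()` that the removed lines in the previous hunk used; both accessors exist on the 2.9 line of jackson-core, but the build against the packaged jackson-core should be checked once and one spelling kept for consistency.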
+diff --git a/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java
+new file mode 100644
+index 0000000..8dfddcc
+--- /dev/null
++++ b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java
+@@ -0,0 +1,93 @@
++package com.fasterxml.jackson.databind.deser.dos;
++
++import java.util.Date;
++
++import com.fasterxml.jackson.databind.*;
++import com.fasterxml.jackson.databind.exc.MismatchedInputException;
++
++public class DeepArrayWrappingForDeser3590Test extends BaseMapTest
++{
++    // 05-Sep-2022, tatu: Before fix, failed with 5000
++    private final static int TOO_DEEP_NESTING = 9999;
++
++    private final static String TOO_DEEP_DOC = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "123");
++
++    public void testArrayWrappingForBoolean() throws Exception
++    {
++        _testArrayWrappingFor(Boolean.class);
++        _testArrayWrappingFor(Boolean.TYPE);
++    }
++
++    public void testArrayWrappingForByte() throws Exception
++    {
++        _testArrayWrappingFor(Byte.class);
++        _testArrayWrappingFor(Byte.TYPE);
++    }
++
++    public void testArrayWrappingForShort() throws Exception
++    {
++        _testArrayWrappingFor(Short.class);
++        _testArrayWrappingFor(Short.TYPE);
++    }
++
++    public void testArrayWrappingForInt() throws Exception
++    {
++        _testArrayWrappingFor(Integer.class);
++        _testArrayWrappingFor(Integer.TYPE);
++    }
++
++    public void testArrayWrappingForLong() throws Exception
++    {
++        _testArrayWrappingFor(Long.class);
++        _testArrayWrappingFor(Long.TYPE);
++    }
++
++    public void testArrayWrappingForFloat() throws Exception
++    {
++        _testArrayWrappingFor(Float.class);
++        _testArrayWrappingFor(Float.TYPE);
++    }
++
++    public void testArrayWrappingForDouble() throws Exception
++    {
++        _testArrayWrappingFor(Double.class);
++        _testArrayWrappingFor(Double.TYPE);
++    }
++
++    public void testArrayWrappingForDate() throws Exception
++    {
++        _testArrayWrappingFor(Date.class);
++    }
++
++    private void _testArrayWrappingFor(Class<?> cls) throws Exception
++    {
++        final ObjectMapper MAPPER = new ObjectMapper();
++        MAPPER.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
++        try {
++            MAPPER.readValue(TOO_DEEP_DOC, cls);
++            fail("Should not pass");
++        } catch (MismatchedInputException e) {
++            verifyException(e, "Cannot deserialize");
++            verifyException(e, "nested Arrays not allowed");
++        }
++    }
++
++    private static String _nestedDoc(int nesting, String open, String close, String content) {
++        StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
++        for (int i = 0; i < nesting; ++i) {
++            sb.append(open);
++            if ((i & 31) == 0) {
++                sb.append("\n");
++            }
++        }
++        sb.append("\n").append(content).append("\n");
++        for (int i = 0; i < nesting; ++i) {
++            sb.append(close);
++            if ((i & 31) == 0) {
++                sb.append("\n");
++            }
++        }
++        return sb.toString();
++    }
++
++}
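Review bot: the test covers the primitive, boxed and Date paths but nothing here goes through the `_deserializeFromArray` / `_deserializeWrappedValue` change in StdDeserializer, so that part of the fix is untested; add one case for a type whose deserializer delegates to `_deserializeFromArray`. `_nestedDoc` is also duplicated verbatim in DeepArrayWrappingForDeser3582Test in the next patch; hoisting it into BaseMapTest (or a shared helper in the `dos` package) keeps the two copies from drifting. Minor: the StringBuilder capacity hint ignores the newline appended every 32 brackets, which is harmless but makes the pre-sizing slightly misleading.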


=====================================
debian/patches/CVE-2022-42004.patch
=====================================
@@ -0,0 +1,78 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 14 Nov 2022 22:40:58 +0100
+Subject: CVE-2022-42004
+
+Origin: https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88
+---
+ .../databind/deser/BeanDeserializerBase.java       |  6 +--
+ .../dos/DeepArrayWrappingForDeser3582Test.java     | 44 ++++++++++++++++++++++
+ 2 files changed, 47 insertions(+), 3 deletions(-)
+ create mode 100644 src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
+index 6ce41f7..639d8c9 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
+@@ -1440,9 +1440,9 @@ public abstract class BeanDeserializerBase
+             return bean;
+         }
+         if (ctxt.isEnabled(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS)) {
+-            JsonToken t = p.nextToken();
+-            if (t == JsonToken.END_ARRAY && ctxt.isEnabled(DeserializationFeature.ACCEPT_EMPTY_ARRAY_AS_NULL_OBJECT)) {
+-                return null;
++            if (p.nextToken() == JsonToken.START_ARRAY) {
++                    return ctxt.handleUnexpectedToken(handledType(), JsonToken.START_ARRAY, p,
++"Cannot deserialize value of type %s from deeply-nested JSON Array: only single wrapper allowed with DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS");
+             }
+             final Object value = deserialize(p, ctxt);
+             if (p.nextToken() != JsonToken.END_ARRAY) {
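Review bot: this hunk drops behaviour the removed lines had: `JsonToken t = p.nextToken();` followed by `if (t == JsonToken.END_ARRAY && ctxt.isEnabled(DeserializationFeature.ACCEPT_EMPTY_ARRAY_AS_NULL_OBJECT)) return null;` is replaced by only the START_ARRAY check, so with both features enabled an empty `[]` no longer yields `null` and instead falls through to `deserialize(p, ctxt)` while the parser sits on END_ARRAY. Keep the `t` assignment and both branches. Separately, the message passed to `handleUnexpectedToken` contains a `%s` but no argument follows it, so the placeholder will either appear literally in the exception text or fail formatting; pass `handledType().getName()` or remove the `%s`. The two added lines are also indented four columns deeper than the block they sit in.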
+diff --git a/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
+new file mode 100644
+index 0000000..2147cf1
+--- /dev/null
++++ b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
+@@ -0,0 +1,44 @@
++package com.fasterxml.jackson.databind.deser.dos;
++
++import java.io.IOException;
++import com.fasterxml.jackson.databind.*;
++
++public class DeepArrayWrappingForDeser3582Test extends BaseMapTest
++{
++    // 23-Aug-2022, tatu: Before fix, failed with 5000
++    private final static int TOO_DEEP_NESTING = 9999;
++
++    public void testArrayWrapping() throws Exception
++    {
++        final String doc = _nestedDoc(TOO_DEEP_NESTING, "[ ", "] ", "{}");
++        final ObjectMapper MAPPER = new ObjectMapper();
++        MAPPER.enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
++        try {
++            MAPPER.readValue(doc, Point.class);
++            fail("Should not pass");
++        } catch (IOException e) {
++            verifyException(e, "Cannot deserialize");
++            verifyException(e, "nested JSON Array");
++            verifyException(e, "only single");
++        }
++    }
++
++    private String _nestedDoc(int nesting, String open, String close, String content) {
++        StringBuilder sb = new StringBuilder(nesting * (open.length() + close.length()));
++        for (int i = 0; i < nesting; ++i) {
++            sb.append(open);
++            if ((i & 31) == 0) {
++                sb.append("\n");
++            }
++        }
++        sb.append("\n").append(content).append("\n");
++        for (int i = 0; i < nesting; ++i) {
++            sb.append(close);
++            if ((i & 31) == 0) {
++                sb.append("\n");
++            }
++        }
++        return sb.toString();
++    }
++
++}
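Review bot: the catch block accepts any `IOException`, so a parse error or an unrelated deserialization failure that happens to carry the same words would pass; the companion DeepArrayWrappingForDeser3590Test catches `MismatchedInputException`, which is what `handleUnexpectedToken` reports through, and the same narrower type fits here. `_nestedDoc` is a verbatim copy of the static helper in that other test (non-static here); share one implementation. The test does fail without the fix, since the StackOverflowError the comment mentions is not an `IOException`, but that works by the exception hierarchy rather than by design.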


=====================================
debian/patches/series
=====================================
@@ -3,3 +3,10 @@ CVE-2019-12384.patch
 CVE-2019-12814.patch
 polymorphic-typing-issues.patch
 multiple-CVE-SubTypeValidator.patch
+CVE-2020-24{616,750}.patch
+CVE-2020-25649
+CVE-2020-35{490,491,728}.patch
+CVE-2020-361{79-90}.patch
+CVE-2022-42003.patch
+CVE-2022-42004.patch
+CVE-2020-36518.patch
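Review bot: the entry `CVE-2020-25649` lacks the `.patch` suffix every other entry in the file uses; quilt applies series names literally, so either the patch file is really named without the suffix (inconsistent with the rest) or the build will fail to find it. Likewise `CVE-2020-24{616,750}.patch`, `CVE-2020-35{490,491,728}.patch` and `CVE-2020-361{79-90}.patch` are literal file names, not brace expansions; confirm that files with exactly those names exist under debian/patches.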



View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/compare/a9d93f398e2abe24e4cd9158744b4d9a01ff733c...c0e0f354edf764683c1cfddd29c764b354a68911
