Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-04-04 Thread Markus Koschany
On 01.04.2017 at 08:20, Fabrice Dagorn wrote:
> The POC is a simple Eclipse java project.
> 
> UnsafeReceiver will open a ServerSocketReceiver on  port and wait
> forever.
> 
> Injector will then open a client Socket to the ServerSocketReceiver and
> serialize a Calculator instance through the wire.
> 
> Calculator implements ILoggingEvent to prevent ClassCastException on
> deserialization but Logback won't check more and getLoggerName() is called.
> 
> In this case, the gnome calculator is executed.

Thank you for the reproducer. I believe the issue is fixed now and I am
going to upload the new revision soon.

Regards,

Markus




This is the maintainer address of Debian's Java team. Please use debian-j...@lists.debian.org for discussions and questions.

Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-04-01 Thread Fabrice Dagorn

The POC is a simple Eclipse java project.

UnsafeReceiver will open a ServerSocketReceiver on  port and wait 
forever.


Injector will then open a client Socket to the ServerSocketReceiver and 
serialize a Calculator instance through the wire.


Calculator implements ILoggingEvent to prevent ClassCastException on 
deserialization but Logback won't check more and getLoggerName() is called.


In this case, the gnome calculator is executed.


Regards,

Fabrice


On 31/03/2017 at 14:10, Markus Koschany wrote:

You could also attach the POC to this bug report. The vulnerability is
publicly known by now anyway.

Markus





poc_logback.tar.gz
Description: GNU Zip compressed data
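The receiver pattern described in the post above, as an added example that is not part of the bug report, the attached PoC, or logback itself: a receiver that deserializes whatever arrives on the socket and casts the result to the event interface, beside a hardened reader that refuses to resolve any class not on an allow-list. `Event`, `BenignEvent`, `GadgetEvent` and `HardenedObjectInputStream` are names chosen for this example (`Event` stands in for ILoggingEvent, `GadgetEvent` for the PoC's Calculator); the gadget here only sets a flag where the PoC launched a calculator. Requires Java 9 or later for `Set.of`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class DeserializationDemo {

    /** Stand-in for ILoggingEvent (example name, not logback's interface). */
    public interface Event extends Serializable {
        String getLoggerName();
    }

    /** What a legitimate sender puts on the wire. */
    public static final class BenignEvent implements Event {
        private static final long serialVersionUID = 1L;
        private final String loggerName;
        public BenignEvent(String loggerName) { this.loggerName = loggerName; }
        @Override public String getLoggerName() { return loggerName; }
    }

    /** Stand-in for the PoC's Calculator: passes the cast, then runs attacker code. */
    public static final class GadgetEvent implements Event {
        private static final long serialVersionUID = 1L;
        static volatile boolean executed = false;
        @Override public String getLoggerName() {
            executed = true;            // a real gadget would call Runtime.exec here
            return "pwned";
        }
    }

    /** Vulnerable pattern: plain ObjectInputStream, cast, call. */
    public static String unsafeReceive(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            Event e = (Event) in.readObject();   // any class implementing Event passes the cast
            return e.getLoggerName();            // attacker-controlled code runs here
        }
    }

    /** Hardened stream: only classes on the allow-list are ever resolved. */
    public static final class HardenedObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        public HardenedObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Rejecting happens before any instance is allocated, so no readObject()
            // or gadget method of the rejected class can run.
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    /** Same cast and call, but the stream cannot instantiate unlisted classes. */
    public static String safeReceive(byte[] wire) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(BenignEvent.class.getName());
        try (ObjectInputStream in = new HardenedObjectInputStream(new ByteArrayInputStream(wire), allowed)) {
            Event e = (Event) in.readObject();
            return e.getLoggerName();
        }
    }

    /** Serialize as a client (or the PoC's Injector) would. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new BenignEvent("com.example.App"));
        byte[] gadget = serialize(new GadgetEvent());   // constructed attacker payload

        System.out.println("unsafe/benign: " + unsafeReceive(benign));
        System.out.println("unsafe/gadget: " + unsafeReceive(gadget)
                + " executed=" + GadgetEvent.executed);

        GadgetEvent.executed = false;
        System.out.println("safe/benign:   " + safeReceive(benign));
        try {
            safeReceive(gadget);
        } catch (InvalidClassException ex) {
            System.out.println("safe/gadget:   rejected (" + ex.getMessage()
                    + ") executed=" + GadgetEvent.executed);
        }
    }
}
```

The check lives in `resolveClass` because that hook fires while the class descriptor is being read, before the object is allocated, so neither a custom `readObject` nor the later `getLoggerName()` call of a rejected class ever executes. Strings and primitives do not pass through `resolveClass`, which is why the allow-list only needs the event class itself; arrays of allowed types would need explicit handling. On JDK 9+ (and 8u121+) the same policy can be expressed with `ObjectInputFilter` instead of a subclass.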

Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Markus Koschany
You could also attach the POC to this bug report. The vulnerability is
publicly known by now anyway.

Markus




Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Markus Koschany
On 31.03.2017 at 08:10, Fabrice Dagorn wrote:
> Hi,
> I have made a quick and dirty POC for this issue.
> This results in a remote code execution in the JVM that exposes a
> ServerSocketReceiver.
> 
> Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.
> 
> The POC is available on demand.
> 
> Regards,
> Fabrice Dagorn

Hi,

Yes, please send the POC to a...@debian.org and describe the scenario in which
you trigger this issue. Upstream still has not responded to my inquiry.
If I don't hear from them until the beginning of next week I will
backport the other commits on a best effort basis.

Regards,

Markus





Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-31 Thread Fabrice Dagorn

Hi,
I have made a quick and dirty POC for this issue.
This results in a remote code execution in the JVM that exposes a 
ServerSocketReceiver.


Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.

The POC is available on demand.

Regards,
Fabrice Dagorn



Processed: Re: Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-29 Thread Debian Bug Tracking System
Processing control commands:

> reopen -1
Bug #857343 {Done: Markus Koschany } [liblogback-java] 
logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer 
and ServerSocketReceiver components
Bug #858914 {Done: Markus Koschany } [liblogback-java] 
CVE-2017-5929: serialization vulnerability in SocketServer and 
ServerSocketReceiver
'reopen' may be inappropriate when a bug has been closed with a version;
all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions logback/1:1.1.9-2.
No longer marked as fixed in versions logback/1:1.1.9-2.

-- 
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
858914: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858914
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-29 Thread Markus Koschany
Control: reopen -1

On 29.03.2017 at 08:11, Fabrice Dagorn wrote:
> Thank you for your upload.
> 
> But I think that the issue is not completely solved, upstream made it in
> several commits (https://github.com/qos-ch/logback/commits/v_1.2.0).
> 
> The comment is not meaningful but this one is related to the
> vulnerability:
> https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9

Hi,

I am not sure because they have also included a lot of cosmetic changes
but there might be even more relevant commits hence I have asked for a
clarification from upstream. [1]

I keep this bug report open until we know more about it.

Regards,

Markus

[1] http://mailman.qos.ch/pipermail/logback-user/2017-March/004875.html




Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)

2017-03-29 Thread Fabrice Dagorn

Thank you for your upload.

But I think that the issue is not completely solved, upstream made it in 
several commits (https://github.com/qos-ch/logback/commits/v_1.2.0).

The comment is not meaningful but this one is related to the 
vulnerability:
https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9


Fabrice Dagorn

On 28/03/2017 at 18:09, Debian Bug Tracking System wrote:

This is an automatic notification regarding your Bug report
which was filed against the liblogback-java package:

#857343: logback: CVE-2017-5929: serialization vulnerability affecting the 
SocketServer and ServerSocketReceiver components

It has been closed by Markus Koschany.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Markus Koschany by
replying to this email.



