Your message dated Wed, 29 Sep 2021 18:19:21 +0000
with message-id <[email protected]>
and subject line Bug#995205: fixed in jsap 2.1-5
has caused the Debian Bug report #995205,
regarding jsap: does not correctly initialize the security framework of xstream
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
995205: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995205
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jsap
Version: 2.1-4
Severity: normal
X-Debbugs-Cc: [email protected]
Dear maintainer,
libxstream-java has been upgraded to version 1.4.18. XStream now uses
a whitelist as the default for its security framework. For instance jsap
will fail when you try to read arguments from a jsap file like
Before
======
# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
Hi, World!
Now
===
# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Exception in thread "main" com.thoughtworks.xstream.security.ForbiddenClassException: com.martiansoftware.jsap.xml.JSAPConfig
    at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
    at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
    at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
    at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
    at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:133)
    at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1482)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1462)
    at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1333)
    at com.martiansoftware.jsap.xml.JSAPConfig.configure(JSAPConfig.java:42)
    at com.martiansoftware.jsap.JSAP.<init>(JSAP.java:366)
    at com.martiansoftware.jsap.examples.Manual_HelloWorld_9.main(Manual_HelloWorld_9.java:22)
Please find attached a patch that allows all classes from the
com.martiansoftware.jsap.xml package.
Regards,
Markus
-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (900, 'stable-security'), (900, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru jsap-2.1/debian/changelog jsap-2.1/debian/changelog
--- jsap-2.1/debian/changelog 2021-08-15 14:19:53.000000000 +0200
+++ jsap-2.1/debian/changelog 2021-09-27 22:36:22.000000000 +0200
@@ -1,3 +1,10 @@
+jsap (2.1-4.1) UNRELEASED; urgency=medium
+
+ * Non-maintainer upload.
+ *
+
+ -- Markus Koschany <[email protected]> Mon, 27 Sep 2021 22:36:22 +0200
+
jsap (2.1-4) unstable; urgency=medium
* Setting Salsa VCS paths
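Review bot: the new 2.1-4.1 changelog entry leaves its second bullet empty (the bare " *" after "Non-maintainer upload.") and still targets UNRELEASED. Fill the bullet with what the upload does, for example that it adds xstream-1.4.18.patch to allow the types in com.martiansoftware.jsap.xml, and append "(Closes: #995205)" so the upload closes this report.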
diff -Nru jsap-2.1/debian/patches/series jsap-2.1/debian/patches/series
--- jsap-2.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ jsap-2.1/debian/patches/series 2021-09-27 22:36:22.000000000 +0200
@@ -0,0 +1 @@
+xstream-1.4.18.patch
diff -Nru jsap-2.1/debian/patches/xstream-1.4.18.patch
jsap-2.1/debian/patches/xstream-1.4.18.patch
--- jsap-2.1/debian/patches/xstream-1.4.18.patch 1970-01-01
01:00:00.000000000 +0100
+++ jsap-2.1/debian/patches/xstream-1.4.18.patch 2021-09-27
22:36:22.000000000 +0200
@@ -0,0 +1,20 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 27 Sep 2021 22:35:30 +0200
+Subject: xstream 1.4.18
+
+---
+ src/java/com/martiansoftware/jsap/xml/JSAPXStream.java | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java
b/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java
+index 5f19a37..2206d63 100644
+--- a/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java
++++ b/src/java/com/martiansoftware/jsap/xml/JSAPXStream.java
+@@ -19,6 +19,7 @@ class JSAPXStream extends XStream {
+
+ public JSAPXStream() {
+ super(new DomDriver());
++ allowTypesByWildcard(new String[]
{JSAPXStream.class.getPackage().getName()+".*" });
+ alias("jsap", JSAPConfig.class);
+ alias("flaggedOption", FlaggedOptionConfig.class);
+ alias("unflaggedOption", UnflaggedOptionConfig.class);
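Review bot: the added allowTypesByWildcard(...) call in the JSAPXStream constructor opens the whole package to deserialization, but the patch header (Subject: xstream 1.4.18, nothing before the "---") does not say why. Add a short description stating that XStream 1.4.18 throws ForbiddenClassException for com.martiansoftware.jsap.xml.JSAPConfig unless the type is allowed. The single "*" limits the pattern to classes directly in that package, not subpackages, which is a reasonable scope; if only the aliased *Config classes are ever read from XML, allowTypes(new Class[] {...}) naming them would be narrower still.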
--- End Message ---
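The behaviour reported above, reduced to a stand-alone program (an added example, not code from jsap or from the bug report). The class names AllowListDemo, Config and Other and the XML strings are constructed for illustration; it assumes xstream 1.4.18 or later on the classpath and uses an explicit allowTypes() list, the narrower alternative to the package wildcard in the patch.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class AllowListDemo {
    // Hypothetical stand-ins: one type the application expects, one it does not.
    public static class Config { public String name; }
    public static class Other { public String name; }

    // Deserialize and report whether the security framework let the type through.
    static String tryRead(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return "allowed:   " + o.getClass().getName();
        } catch (ForbiddenClassException e) {
            // Same exception type as in the stack trace from the report.
            return "forbidden: " + e.getMessage();
        }
    }

    // Both instances share the aliases; only the permissions differ.
    static XStream newXStream() {
        XStream xs = new XStream(new DomDriver());
        xs.alias("config", Config.class);
        xs.alias("other", Other.class);
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample input.
        String configXml = "<config><name>hello</name></config>";
        String otherXml = "<other><name>hello</name></other>";

        // 1. No permission added: application types are not on the
        //    default allow-list, so the alias alone is not enough.
        XStream bare = newXStream();
        System.out.println(tryRead(bare, configXml));

        // 2. Explicit allow-list: Config may be instantiated, Other may not,
        //    even though both have an alias.
        XStream strict = newXStream();
        strict.allowTypes(new Class[] { Config.class });
        System.out.println(tryRead(strict, configXml));
        System.out.println(tryRead(strict, otherXml));
    }
}
```

An alias only maps an element name to a class; the permission check is separate, which is why the jsap aliases kept working as names while the types behind them were refused.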
--- Begin Message ---
Source: jsap
Source-Version: 2.1-5
Done: Markus Koschany <[email protected]>
We believe that the bug you reported is fixed in the latest version of
jsap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated jsap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 29 Sep 2021 19:44:01 +0200
Source: jsap
Architecture: source
Version: 2.1-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 995205
Changes:
jsap (2.1-5) unstable; urgency=medium
.
* Team upload.
* Restore compatibility with xstream 1.4.18. (Closes: #995205)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---