Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
groovy2 is also affected by CVE-2016-6814. The patch is almost identical to the one used in groovy. Please find attached the debdiff.

Markus
diff -Nru groovy2-2.2.2+dfsg/debian/changelog groovy2-2.2.2+dfsg/debian/changelog --- groovy2-2.2.2+dfsg/debian/changelog 2015-07-25 22:20:07.000000000 +0200 +++ groovy2-2.2.2+dfsg/debian/changelog 2017-01-30 17:49:16.000000000 +0100 @@ -1,3 +1,16 @@ +groovy2 (2.2.2+dfsg-3+deb8u2) jessie; urgency=medium + + * Team upload. + * Fix CVE-2016-6814: It was found that a flaw in Apache Groovy, a dynamic + language for the Java Virtual Machine, allows remote code execution + wherever deserialization occurs in the application. It is possible for an + attacker to craft a special serialized object that will execute code + directly when deserialized. All applications which rely on serialization + and do not isolate the code which deserializes objects are subject to this + vulnerability. + + -- Markus Koschany <a...@debian.org> Mon, 30 Jan 2017 17:49:16 +0100 + groovy2 (2.2.2+dfsg-3+deb8u1) stable; urgency=high * Fix remote execution of untrusted code and possible DoS vulnerability. diff -Nru groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch --- groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch 1970-01-01 01:00:00.000000000 +0100 +++ groovy2-2.2.2+dfsg/debian/patches/CVE-2016-6814.patch 2017-01-30 17:49:16.000000000 +0100 
@@ -0,0 +1,37 @@ +From: Markus Koschany <a...@debian.org> +Date: Mon, 30 Jan 2017 17:47:46 +0100 +Subject: CVE-2016-6814 + +Bug-Debian: https://bugs.debian.org/851408 +Origin: http://seclists.org/oss-sec/2017/q1/92 +--- + src/main/org/codehaus/groovy/runtime/MethodClosure.java | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java b/src/main/org/codehaus/groovy/runtime/MethodClosure.java +index 8e4fac8..6fceb3d 100644 +--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java ++++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java +@@ -19,6 +19,7 @@ import groovy.lang.Closure; + import groovy.lang.MetaMethod; + + import java.util.List; ++import java.io.IOException; + + + /** +@@ -69,6 +70,14 @@ public class MethodClosure extends Closure { + throw new UnsupportedOperationException(); + } + ++ private void readObject(java.io.ObjectInputStream stream) throws ++ IOException, ClassNotFoundException { ++ if (ALLOW_RESOLVE) { ++ stream.defaultReadObject(); ++ } ++ throw new UnsupportedOperationException(); ++ } ++ + public Object getProperty(String property) { + if ("method".equals(property)) { + return getMethod(); diff -Nru groovy2-2.2.2+dfsg/debian/patches/series groovy2-2.2.2+dfsg/debian/patches/series --- groovy2-2.2.2+dfsg/debian/patches/series 2015-07-25 22:19:23.000000000 +0200 +++ groovy2-2.2.2+dfsg/debian/patches/series 2017-01-30 17:49:16.000000000 +0100 @@ -2,3 +2,4 @@ 02_fix_start_script.diff 03_add_maven_poms.diff 04_CVE-2015-3253.diff +CVE-2016-6814.patch
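Review bot: the new debian/changelog entry in the first hunk does not reference the Debian bug, although the patch header carries `Bug-Debian: https://bugs.debian.org/851408`; append `(Closes: #851408)` to the CVE-2016-6814 bullet so the bug is closed on upload and the security tracker can link the fix. The rest of the entry (distribution `jessie`, version `2.2.2+dfsg-3+deb8u2`, `Team upload.`) follows the usual pu conventions.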
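Review bot: in the `readObject` added to MethodClosure.java, `throw new UnsupportedOperationException();` is reached unconditionally, so when `ALLOW_RESOLVE` is true the stream is consumed by `stream.defaultReadObject();` and the method still throws. If the intent is to permit deserialization in that case, a `return;` after `stream.defaultReadObject();` is missing; if the intent is to always reject deserialization of MethodClosure regardless of the flag, a one-line comment saying so would spare the next reader the same question. Note also that the hunk uses `ALLOW_RESOLVE` without declaring it, so it relies on that field already being present in this source tree (presumably from `04_CVE-2015-3253.diff`, which precedes it in debian/patches/series); a quick build with the patch applied would confirm that. Minor style point: `java.io.ObjectInputStream` is spelled out while `IOException` gets an import; importing both, or neither, would be more consistent.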
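Review bot: the series hunk appends `CVE-2016-6814.patch`, which departs from the numbered naming of the existing entries (`02_fix_start_script.diff`, `03_add_maven_poms.diff`, `04_CVE-2015-3253.diff`); `05_CVE-2016-6814.patch` would keep the scheme. Purely cosmetic, and the position after `04_CVE-2015-3253.diff` is the right one given that the new patch appears to depend on a field that patch introduces.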