Hi folks,

On 25.01.2018 at 15:23, Salvatore Bonaccorso wrote:
> Hi Markus,
>
> On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
>> <car...@debian.org> wrote:
>>> Source: jackson-databind
>>> Version: 2.9.1-1
>>> Severity: grave
>>> Tags: patch security upstream
>>> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
>>> Control: found -1 2.8.6-1+deb9u2
>>> Control: found -1 2.4.2-2+deb8u2
>>>
>>> Hi,
>>>
>>> the following vulnerability was published for jackson-databind.
>>
>> [...]
>>
>> Thanks for reporting. I had a look at jackson-databind in Stretch. We
>> just need to apply the patch to BeanDeserializerFactory.java again. As
>> for Sid upgrading to the latest upstream release 2.9.4 should also
>> resolve this. I'm working on it now.
>
> Perfect, thank you! We (Moritz) have added it to the dsa-needed list
> for jessie and stretch, so once you have the update can you contact
> the security team alias, one of us will then ack the upload.
I have prepared security updates of jackson-databind for Stretch and Jessie and would appreciate another look at the patches.

The fix for CVE-2018-5968 is straightforward: the blacklist is simply extended. However, upstream decided to refactor the code for CVE-2017-17485, and I decided to apply the changes to BeanDeserializerFactory.java again instead of using the new helper class SubTypeValidator. Here is my thought process on how to create the patch, based on the solution in upstream bug 1855 [1]:

1. Extend the blacklist. [2]
2. Instead of creating a new method validateSubType, I copied the fix into checkIllegalTypes in BeanDeserializerFactory again. [3] The behavior remains the same. This code catches some specific cases for the Spring framework.
3. I also applied the regression fix in [4] (also mentioned in bug 1855).
4. I believe that [5] only applies to the refactored code, and since we don't use that, it is irrelevant for us.

Regards,

Markus

[1] https://github.com/FasterXML/jackson-databind/issues/1855
[2] https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
[3] https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
[4] https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
[5] https://github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171
diff -Nru jackson-databind-2.4.2/debian/changelog jackson-databind-2.4.2/debian/changelog --- jackson-databind-2.4.2/debian/changelog 2017-11-16 09:13:27.000000000 +0100 +++ jackson-databind-2.4.2/debian/changelog 2018-01-27 19:37:47.000000000 +0100 @@ -1,3 +1,13 @@ +jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high + + * Team upload. + * Fix CVE-2017-17485 and CVE-2018-5968: + Bybass of deserialization blackist to disallow unauthenticated remote code + execution. These CVE exist due to an incomplete fix for CVE-2017-7525. + (Closes: #888316, #888318) + + -- Markus Koschany <a...@debian.org> Sat, 27 Jan 2018 19:37:47 +0100 + jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high * Team upload diff -Nru jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch --- jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch 1970-01-01 01:00:00.000000000 +0100 +++ jackson-databind-2.4.2/debian/patches/CVE-2017-17485.patch 2018-01-27 19:37:47.000000000 +0100 
@@ -0,0 +1,75 @@ +From: Markus Koschany <a...@debian.org> +Date: Sat, 27 Jan 2018 20:16:02 +0100 +Subject: CVE-2017-17485 + +Bug-Debian: https://bugs.debian.org/888318 +Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855 +Origin: https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d +Origin: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf +Origin: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd +--- + .../databind/deser/BeanDeserializerFactory.java | 37 +++++++++++++++++++--- + 1 file changed, 32 insertions(+), 5 deletions(-) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +index c536b46..9b56b08 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java ++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +@@ -38,6 +38,8 @@ public class BeanDeserializerFactory + { + private static final long serialVersionUID = 1; + ++ protected final static String PREFIX_STRING = "org.springframework."; ++ + /** + * Signature of <b>Throwable.initCause</b> method. 
+ */ +@@ -75,6 +77,9 @@ public class BeanDeserializerFactory + s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); + s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); + s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); ++ // [databind#1855]: more 3rd party ++ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); ++ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); + // [databind#1899]: more 3rd party + s.add("org.hibernate.jmx.StatisticsService"); + s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"); +@@ -932,11 +937,33 @@ public class BeanDeserializerFactory + { + // There are certain nasty classes that could cause problems, mostly + // via default typing -- catch them here. +- String full = type.getRawClass().getName(); + +- if (_cfgIllegalClassNames.contains(full)) { +- throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); +- } +- } ++ final Class<?> raw = type.getRawClass(); ++ String full = raw.getName(); ++ ++ main_check: ++ do { ++ if (_cfgIllegalClassNames.contains(full)) { ++ break; ++ } ++ ++ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling ++ // for some Spring framework types ++ if (full.startsWith(PREFIX_STRING)) { ++ for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) { ++ String name = cls.getSimpleName(); ++ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? 
++ if ("AbstractPointcutAdvisor".equals(name) ++ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts ++ || "AbstractApplicationContext".equals(name)) { ++ break main_check; ++ } ++ } ++ } ++ return; ++ } while (false); ++ ++ throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); ++ } + + } diff -Nru jackson-databind-2.4.2/debian/patches/CVE-2018-5968.patch jackson-databind-2.4.2/debian/patches/CVE-2018-5968.patch --- jackson-databind-2.4.2/debian/patches/CVE-2018-5968.patch 1970-01-01 01:00:00.000000000 +0100 +++ jackson-databind-2.4.2/debian/patches/CVE-2018-5968.patch 2018-01-27 19:37:47.000000000 +0100 
@@ -0,0 +1,25 @@ +From: Markus Koschany <a...@debian.org> +Date: Sat, 27 Jan 2018 19:00:33 +0100 +Subject: CVE-2018-5968 + +Bug-Debian: https://bugs.debian.org/888316 +Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1899 +Origin: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 +--- + .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +index 86b5c08..10ada70 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java ++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +@@ -69,6 +69,9 @@ public class BeanDeserializerFactory + s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); + s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); + s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); ++ // [databind#1899]: more 3rd party ++ s.add("org.hibernate.jmx.StatisticsService"); ++ s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"); + + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } diff -Nru jackson-databind-2.4.2/debian/patches/series jackson-databind-2.4.2/debian/patches/series --- jackson-databind-2.4.2/debian/patches/series 2017-11-16 09:13:27.000000000 +0100 +++ jackson-databind-2.4.2/debian/patches/series 2018-01-27 19:37:47.000000000 +0100 @@ -3,3 +3,5 @@ CVE-2017-15095_1.patch CVE-2017-15095_2.patch CVE-2017-15095_3.patch +CVE-2018-5968.patch +CVE-2017-17485.patch
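Review bot: in the jessie CVE-2017-17485.patch hunk for checkIllegalTypes, the superclass walk `for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass())` has no null guard; Class.getSuperclass() returns null for an interface (and for primitive types), so an org.springframework.* interface reaching this check would hit `cls.getSimpleName()` on null and fail with a NullPointerException rather than either the intended JsonMappingException or the `return;`. Consider `(cls != null) && (cls != Object.class)` as the loop condition so the walk terminates normally. The control flow itself is sound: both the unlabeled `break;` and `break main_check;` leave the do/while(false) and fall through to the `throw`, while the `return;` is reached only when neither the exact-name set nor the Spring superclass check matches.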
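Review bot: the jessie changelog hunk has typos in its `+` lines: "Bybass" should be "Bypass", "blackist" should be "blacklist", and "These CVE exist" should be "These CVEs exist". Separately, the jessie CVE-2018-5968.patch carries `index 86b5c08..10ada70` and the hunk header `@@ -69,6 +69,9 @@`, which are the stretch file's values, while the jessie CVE-2017-17485.patch places the same three context lines at `@@ -75,6 +77,9 @@`; quilt will still apply the 5968 hunk with an offset, but regenerating it against the 2.4.2 tree keeps the series applying without offset warnings.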
diff -Nru jackson-databind-2.8.6/debian/changelog jackson-databind-2.8.6/debian/changelog --- jackson-databind-2.8.6/debian/changelog 2017-11-16 08:55:34.000000000 +0100 +++ jackson-databind-2.8.6/debian/changelog 2018-01-27 19:12:39.000000000 +0100 @@ -1,3 +1,13 @@ +jackson-databind (2.8.6-1+deb9u3) stretch-security; urgency=high + + * Team upload. + * Fix CVE-2017-17485 and CVE-2018-5968: + Bybass of deserialization blackist to disallow unauthenticated remote code + execution. These CVE exist due to an incomplete fix for CVE-2017-7525. + (Closes: #888316, #888318) + + -- Markus Koschany <a...@debian.org> Sat, 27 Jan 2018 19:12:39 +0100 + jackson-databind (2.8.6-1+deb9u2) stretch-security; urgency=high * Team upload diff -Nru jackson-databind-2.8.6/debian/patches/CVE-2017-17485.patch jackson-databind-2.8.6/debian/patches/CVE-2017-17485.patch --- jackson-databind-2.8.6/debian/patches/CVE-2017-17485.patch 1970-01-01 01:00:00.000000000 +0100 +++ jackson-databind-2.8.6/debian/patches/CVE-2017-17485.patch 2018-01-27 19:12:39.000000000 +0100 
@@ -0,0 +1,76 @@ +From: Markus Koschany <a...@debian.org> +Date: Sat, 27 Jan 2018 19:06:47 +0100 +Subject: CVE-2017-17485 + +Bug-Debian: https://bugs.debian.org/888318 +Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855 +Origin: https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d +Origin: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf +Origin: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd +--- + .../databind/deser/BeanDeserializerFactory.java | 38 ++++++++++++++++++---- + 1 file changed, 32 insertions(+), 6 deletions(-) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +index 10ada70..b90c9c0 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java ++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +@@ -32,6 +32,8 @@ public class BeanDeserializerFactory + { + private static final long serialVersionUID = 1; + ++ protected final static String PREFIX_STRING = "org.springframework."; ++ + /** + * Signature of <b>Throwable.initCause</b> method. 
+ */ +@@ -69,6 +71,9 @@ public class BeanDeserializerFactory + s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); + s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); + s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); ++ // [databind#1855]: more 3rd party ++ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); ++ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); + // [databind#1899]: more 3rd party + s.add("org.hibernate.jmx.StatisticsService"); + s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"); +@@ -898,12 +903,33 @@ public class BeanDeserializerFactory + { + // There are certain nasty classes that could cause problems, mostly + // via default typing -- catch them here. +- String full = type.getRawClass().getName(); ++ final Class<?> raw = type.getRawClass(); ++ String full = raw.getName(); + +- if (_cfgIllegalClassNames.contains(full)) { +- ctxt.reportBadTypeDefinition(beanDesc, +- "Illegal type (%s) to deserialize: prevented for security reasons", full); +- } +- } ++ main_check: ++ do { ++ if (_cfgIllegalClassNames.contains(full)) { ++ break; ++ } ++ ++ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling ++ // for some Spring framework types ++ if (full.startsWith(PREFIX_STRING)) { ++ for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) { ++ String name = cls.getSimpleName(); ++ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? 
++ if ("AbstractPointcutAdvisor".equals(name) ++ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts ++ || "AbstractApplicationContext".equals(name)) { ++ break main_check; ++ } ++ } ++ } ++ return; ++ } while (false); ++ ++ throw JsonMappingException.from(ctxt, ++ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full)); ++ } + + } diff -Nru jackson-databind-2.8.6/debian/patches/CVE-2018-5968.patch jackson-databind-2.8.6/debian/patches/CVE-2018-5968.patch --- jackson-databind-2.8.6/debian/patches/CVE-2018-5968.patch 1970-01-01 01:00:00.000000000 +0100 +++ jackson-databind-2.8.6/debian/patches/CVE-2018-5968.patch 2018-01-27 19:12:39.000000000 +0100 
@@ -0,0 +1,25 @@ +From: Markus Koschany <a...@debian.org> +Date: Sat, 27 Jan 2018 19:00:33 +0100 +Subject: CVE-2018-5968 + +Bug-Debian: https://bugs.debian.org/888316 +Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1899 +Origin: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 +--- + .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +index 86b5c08..10ada70 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java ++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +@@ -69,6 +69,9 @@ public class BeanDeserializerFactory + s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); + s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); + s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); ++ // [databind#1899]: more 3rd party ++ s.add("org.hibernate.jmx.StatisticsService"); ++ s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"); + + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } diff -Nru jackson-databind-2.8.6/debian/patches/series jackson-databind-2.8.6/debian/patches/series --- jackson-databind-2.8.6/debian/patches/series 2017-11-16 08:55:34.000000000 +0100 +++ jackson-databind-2.8.6/debian/patches/series 2018-01-27 19:12:39.000000000 +0100 @@ -2,3 +2,5 @@ CVE-2017-15095_1.patch CVE-2017-15095_2.patch CVE-2017-15095_3.patch +CVE-2018-5968.patch +CVE-2017-17485.patch
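Review bot: in the stretch CVE-2017-17485.patch hunk for checkIllegalTypes, the same superclass loop `for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass())` lacks a null guard, so an org.springframework.* interface would make `cls.getSimpleName()` throw a NullPointerException instead of reaching the `return;` or the JsonMappingException; `(cls != null) && (cls != Object.class)` avoids that. As a style point, the removed lines reported the violation through `ctxt.reportBadTypeDefinition(beanDesc, ...)` whereas the replacement throws `JsonMappingException.from(ctxt, String.format(...))` directly; since the context method is evidently available in 2.8.6, keeping it would stay closer to the existing error-reporting path of this branch with the same message.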
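Review bot: the stretch changelog hunk repeats the typos from the jessie entry in its `+` lines: "Bybass" should be "Bypass", "blackist" should be "blacklist", and "These CVE exist" should be "These CVEs exist". The series ordering (CVE-2018-5968.patch before CVE-2017-17485.patch) is consistent with the blob ids `86b5c08..10ada70` followed by `10ada70..b90c9c0` and with the shifted hunk header `@@ -69,6 +71,9 @@`, so the stretch patches chain correctly as written.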