This bug was fixed in the package libxstream-java - 1.4.7-1ubuntu0.1 --------------- libxstream-java (1.4.7-1ubuntu0.1) trusty-security; urgency=medium
* SECURITY UPDATE: handle void type class (LP: #1780844) - d/p/CVE-2017-7957.patch: Prevent deserialization of void. - CVE-2017-7957 -- Dan Streetman <ddstr...@canonical.com> Mon, 09 Jul 2018 15:29:05 -0400 ** Changed in: libxstream-java (Ubuntu Trusty) Status: Confirmed => Fix Released ** Changed in: libxstream-java (Ubuntu Xenial) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial. Matching subscriptions: Ubuntu 16.04 Bugs https://bugs.launchpad.net/bugs/1780844 Title: CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void' Status in libxstream-java package in Ubuntu: Fix Released Status in libxstream-java source package in Trusty: Fix Released Status in libxstream-java source package in Xenial: Fix Released Status in libxstream-java source package in Artful: Fix Released Status in libxstream-java source package in Bionic: Fix Released Status in libxstream-java source package in Cosmic: Fix Released Bug description: [impact] XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("<void/>") call. [test case] install java jdk (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content: import com.thoughtworks.xstream.XStream; public class TestCVE { public static void main(String[] args) { XStream xstream = new XStream(); xstream.fromXML("<void/>"); } } then run this (from the same directory as the file) to compile it, noting to replace the version number if needed (1.4.8 is X version, if on trusty use 1.4.7): $ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java then test it (again correcting version if needed): $ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE failure is a JVM segfault, e.g.: # # A fatal error has been detected by the Java Runtime Environment: # # SIGSEGV (0xb) at pc=0x00007f6546a6f9d2, pid=9279, tid=0x00007f654816c700 success is a normal java exception with backtrace, e.g.: Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance [regression potential] regressions could include failing to parse the stream, or otherwise cause exceptions or segfaults. [other info] http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html https://x-stream.github.io/CVE-2017-7957.html https://github.com/x-stream/xstream/commit/b3570be To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libxstream-java/+bug/1780844/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~group.of.nepali.translators Post to : group.of.nepali.translators@lists.launchpad.net Unsubscribe : https://launchpad.net/~group.of.nepali.translators More help : https://help.launchpad.net/ListHelp