Your message dated Tue, 28 Mar 2017 16:04:57 +0000
with message-id <e1cstc9-000cd5...@fasolo.debian.org>
and subject line Bug#857343: fixed in logback 1:1.1.9-2
has caused the Debian Bug report #857343,
regarding logback: CVE-2017-5929: serialization vulnerability affecting the 
SocketServer and ServerSocketReceiver components
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: liblogback-java
Version: 1:1.1.2-1
Severity: important
Tags: upstream patch

Dear Maintainer,

logback versions in wheezy, jessie and stretch are vulnerable to a
deserialization issue.
Logback reads Java serialized objects straight from a network socket with a
plain ObjectInputStream, so whatever a remote peer sends is deserialized
before any check is possible; that data cannot be trusted.
Upstream mitigates this issue by adding a whitelist of the classes that are
allowed to be deserialized.

I've prepared a patch for jessie.

Regards

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500,
'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: armhf

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblogback-java depends on:
ii  libslf4j-java  1.7.7-1

liblogback-java recommends no packages.

Versions of packages liblogback-java suggests:
ii  glassfish-javaee  1:2.1.1-b31g+dfsg1-2
ii  libjanino-java    2.7.0-2
diff -rPu logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java logback/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java
--- logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java	1970-01-01 01:00:00.000000000 +0100
+++ logback/logback-access/src/main/java/ch/qos/logback/access/net/HardenedAccessEventInputStream.java	2017-03-04 15:39:00.000000000 +0100
@@ -0,0 +1,16 @@
+package ch.qos.logback.access.net;
+
+import java.io.IOException;
+import java.io.InputStream;
+
+import ch.qos.logback.access.spi.AccessEvent;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
+
+public class HardenedAccessEventInputStream extends HardenedObjectInputStream {
+
+    public HardenedAccessEventInputStream(InputStream in) throws IOException {
+        super(in, new String[] {AccessEvent.class.getName(), String[].class.getName()});
+    }
+
+}
+
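Review bot: The `String[].class.getName()` entry on the whitelist line deserves a comment, because it is not obvious why an array of a `java.lang` type must be listed when the base class already admits the `java.lang` prefix: `getName()` yields the descriptor `[Ljava.lang.String;`, which does not start with `java.lang`, so without this entry every `String[]` field of an AccessEvent would be rejected. I would add `// array descriptors ("[Ljava.lang.String;") are not matched by the java.lang prefix rule in HardenedObjectInputStream, so list them explicitly` above that line. By the same reasoning, any other type outside `java.lang`/`java.util` that a serialized AccessEvent carries will now fail with InvalidClassException at read time rather than at compile time, so a round-trip test of a fully populated AccessEvent through this stream would catch a missing entry before it ships.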
diff -rPu logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java logback/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java
--- logback.orig/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java	2013-09-07 12:44:46.000000000 +0200
+++ logback/logback-access/src/main/java/ch/qos/logback/access/net/SocketNode.java	2017-03-05 15:09:48.000000000 +0100
@@ -15,7 +15,6 @@
 
 import java.io.BufferedInputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 
 import ch.qos.logback.access.spi.AccessContext;
@@ -42,16 +41,15 @@
 
   Socket socket;
   AccessContext context;
-  ObjectInputStream ois;
+  HardenedAccessEventInputStream hardenedOIS;
 
   public SocketNode(Socket socket, AccessContext context) {
     this.socket = socket;
     this.context = context;
     try {
-      ois = new ObjectInputStream(new BufferedInputStream(socket
-          .getInputStream()));
+      hardenedOIS = new HardenedAccessEventInputStream(new BufferedInputStream(socket.getInputStream()));
     } catch (Exception e) {
-      System.out.println("Could not open ObjectInputStream to " + socket + e);
+      System.out.println("Could not open HardenedObjectInputStream to " + socket + e);
     }
   }
 
@@ -61,7 +59,7 @@
     try {
       while (true) {
         // read an event from the wire
-        event = (IAccessEvent) ois.readObject();
+        event = (IAccessEvent) hardenedOIS.readObject();
         //check that the event should be logged
         if (context.getFilterChainDecision(event) == FilterReply.DENY) {
           break;
@@ -81,7 +79,7 @@
     }
 
     try {
-      ois.close();
+      hardenedOIS.close();
     } catch (Exception e) {
       System.out.println("Could not close connection." + e);
     }
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java	1970-01-01 01:00:00.000000000 +0100
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/HardenedLoggingEventInputStream.java	2017-03-05 15:14:25.000000000 +0100
@@ -0,0 +1,57 @@
+package ch.qos.logback.classic.net.server;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.List;
+
+import org.slf4j.helpers.BasicMarker;
+
+import ch.qos.logback.classic.Level;
+import ch.qos.logback.classic.Logger;
+import ch.qos.logback.classic.spi.ClassPackagingData;
+import ch.qos.logback.classic.spi.IThrowableProxy;
+import ch.qos.logback.classic.spi.LoggerContextVO;
+import ch.qos.logback.classic.spi.LoggerRemoteView;
+import ch.qos.logback.classic.spi.LoggingEventVO;
+import ch.qos.logback.classic.spi.StackTraceElementProxy;
+import ch.qos.logback.classic.spi.ThrowableProxy;
+import ch.qos.logback.classic.spi.ThrowableProxyVO;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
+
+public class HardenedLoggingEventInputStream extends HardenedObjectInputStream {
+
+    static final String ARRAY_PREFIX = "[L";
+    
+    static public List<String> getWhilelist() {
+        List<String> whitelist = new ArrayList<String>();
+        whitelist.add(LoggingEventVO.class.getName());
+        whitelist.add(LoggerContextVO.class.getName());
+        whitelist.add(LoggerRemoteView.class.getName());
+        whitelist.add(ThrowableProxyVO.class.getName());
+        whitelist.add(BasicMarker.class.getName());
+        whitelist.add(Level.class.getName());
+        whitelist.add(Logger.class.getName());
+        whitelist.add(StackTraceElement.class.getName());
+        whitelist.add(StackTraceElement[].class.getName());
+        whitelist.add(ThrowableProxy.class.getName());
+        whitelist.add(ThrowableProxy[].class.getName());
+        whitelist.add(IThrowableProxy.class.getName());
+        whitelist.add(IThrowableProxy[].class.getName());
+        whitelist.add(StackTraceElementProxy.class.getName());
+        whitelist.add(StackTraceElementProxy[].class.getName());
+        whitelist.add(ClassPackagingData.class.getName());
+
+        return whitelist;
+    }
+   
+    public HardenedLoggingEventInputStream(InputStream is) throws IOException {
+        super(is, getWhilelist());
+    }
+    
+    public HardenedLoggingEventInputStream(InputStream is, List<String> additionalAuthorizedClasses) throws IOException {
+        this(is);
+        super.addToWhitelist(additionalAuthorizedClasses);
+    }
+}
+
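Review bot: The package declared on the first line, `ch.qos.logback.classic.net.server`, does not match the file path `logback-classic/.../classic/net/HardenedLoggingEventInputStream.java` given in the diff header; javac compiles it anyway, but tools that locate sources by package (IDEs, `-sourcepath` lookups) will not find it there, and since SocketNode imports it from `...net.server` and RemoteAppenderStreamClient (itself in `net.server`) uses it without an import, the file belongs under `net/server/`. The unused `ARRAY_PREFIX` constant and the typo `getWhilelist` are worth tidying in the same pass (`static public List<String> getWhitelist()`), bearing in mind the name becomes public API once shipped. Only `org.slf4j.helpers.BasicMarker` is whitelisted, so events carrying any other Marker implementation will be rejected with InvalidClassException at the receiver; a comment on that line saying `// only the SLF4J default Marker is accepted; other Marker implementations are rejected at the receiver` would save the next person a debugging session.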
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java	2013-09-07 12:44:46.000000000 +0200
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/server/RemoteAppenderStreamClient.java	2017-03-07 16:43:38.579569993 +0100
@@ -16,12 +16,12 @@
 import java.io.EOFException;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 
 import ch.qos.logback.classic.Logger;
 import ch.qos.logback.classic.LoggerContext;
 import ch.qos.logback.classic.spi.ILoggingEvent;
+import ch.qos.logback.core.net.HardenedObjectInputStream;
 import ch.qos.logback.core.util.CloseUtil;
 
 /**
@@ -86,7 +86,7 @@
    */
   public void run() {
     logger.info(this + ": connected"); 
-    ObjectInputStream ois = null;
+    HardenedObjectInputStream ois = null;
     try {
       ois = createObjectInputStream();
       while (true) {
@@ -124,11 +124,11 @@
     }
   }
 
-  private ObjectInputStream createObjectInputStream() throws IOException {
+  private HardenedObjectInputStream createObjectInputStream() throws IOException {
     if (inputStream != null) {
-      return new ObjectInputStream(inputStream);
+      return new HardenedLoggingEventInputStream(inputStream);
     }
-    return new ObjectInputStream(socket.getInputStream());
+    return new HardenedLoggingEventInputStream(socket.getInputStream());
   }
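Review bot: `createObjectInputStream()` always builds the stream with the fixed default whitelist; the `HardenedLoggingEventInputStream` constructor that takes `additionalAuthorizedClasses` is not reachable from this client, so a deployment whose events carry a type outside that list (a Marker implementation other than BasicMarker, for instance) gets an InvalidClassException with no configuration hook. If that is deliberate for the security fix, a one-line comment would make it clear: `// no extension point on purpose: the whitelist is the security boundary`. If it is not, the extra class names could be accepted by this client's constructor and passed down here.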
   
   /**
diff -rPu logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java logback/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java
--- logback.orig/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java	2014-01-28 21:05:23.000000000 +0100
+++ logback/logback-classic/src/main/java/ch/qos/logback/classic/net/SocketNode.java	2017-03-05 15:12:34.000000000 +0100
@@ -15,13 +15,13 @@
 
 import java.io.BufferedInputStream;
 import java.io.IOException;
-import java.io.ObjectInputStream;
 import java.net.Socket;
 import java.net.SocketAddress;
 
 import ch.qos.logback.classic.Logger;
 
 import ch.qos.logback.classic.LoggerContext;
+import ch.qos.logback.classic.net.server.HardenedLoggingEventInputStream;
 import ch.qos.logback.classic.spi.ILoggingEvent;
 
 // Contributors: Moses Hohman <mmhoh...@rainbow.uchicago.edu>
@@ -44,7 +44,7 @@
 
   Socket socket;
   LoggerContext context;
-  ObjectInputStream ois;
+  HardenedLoggingEventInputStream hardenedLoggingEventInputStream;
   SocketAddress remoteSocketAddress;
   
   Logger logger;
@@ -68,8 +68,7 @@
   public void run() {
 
     try {
-      ois = new ObjectInputStream(new BufferedInputStream(socket
-          .getInputStream()));
+      hardenedLoggingEventInputStream = new HardenedLoggingEventInputStream(new BufferedInputStream(socket.getInputStream()));
     } catch (Exception e) {
       logger.error("Could not open ObjectInputStream to " + socket, e);
       closed = true;
@@ -81,7 +80,7 @@
     try {
       while (!closed) {
         // read an event from the wire
-        event = (ILoggingEvent) ois.readObject();
+        event = (ILoggingEvent) hardenedLoggingEventInputStream.readObject();
         // get a logger from the hierarchy. The name of the logger is taken to
         // be the name contained in the event.
         remoteLogger = context.getLogger(event.getLoggerName());
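Review bot: A rejected class now surfaces from `readObject()` as `InvalidClassException`, which is an `IOException`, and the catch that handles it lies outside this hunk; the log line there should include the rejected class name and `remoteSocketAddress` at WARN, because unlike an EOF or a reset it indicates a peer sending unexpected or hostile payloads rather than a transient network failure. Worth checking that the existing catch does not fold it into a generic "connection closed" message.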
@@ -111,13 +110,13 @@
       return;
     }
     closed = true;
-    if (ois != null) {
+    if (hardenedLoggingEventInputStream != null) {
       try {
-        ois.close();
+        hardenedLoggingEventInputStream.close();
       } catch (IOException e) {
         logger.warn("Could not close connection.", e);
       } finally {
-        ois = null;
+        hardenedLoggingEventInputStream = null;
       }
     }
   }
diff -rPu logback.orig/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java logback/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java
--- logback.orig/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java	1970-01-01 01:00:00.000000000 +0100
+++ logback/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java	2017-03-07 15:49:29.360186454 +0100
@@ -0,0 +1,64 @@
+package ch.qos.logback.core.net;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * 
+ * @author Ceki G&uuml;lc&uuml;
+ * @since 1.2.0
+ */
+public class HardenedObjectInputStream extends ObjectInputStream {
+
+    final List<String> whitelistedClassNames;
+    final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" };
+
+    public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOException {
+        super(in);
+        this.whitelistedClassNames = new ArrayList<String>();
+        if (whilelist != null) {
+            for (int i = 0; i < whilelist.length; i++) {
+                this.whitelistedClassNames.add(whilelist[i]);
+            }
+        }
+    }
+
+    public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException {
+        super(in);
+
+        this.whitelistedClassNames = new ArrayList<String>();
+        this.whitelistedClassNames.addAll(whitelist);
+    }
+
+    @Override
+    protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException {
+        String incomingClassName = anObjectStreamClass.getName();
+        if(!isWhitelisted(incomingClassName)) {
+            throw new InvalidClassException("Unauthorized deserialization attempt", anObjectStreamClass.getName());
+        }
+    
+        return super.resolveClass(anObjectStreamClass);
+    }
+
+    private boolean isWhitelisted(String incomingClassName) {
+        for(int i = 0; i < JAVA_PACKAGES.length; i++) {
+            if(incomingClassName.startsWith(JAVA_PACKAGES[i]))
+                return true;
+        }
+        for(String whiteListed: whitelistedClassNames) {
+            if(incomingClassName.equals(whiteListed))
+                return true;
+        }
+        return false;
+    }
+
+    protected void addToWhitelist(List<String> additionalAuthorizedClasses) {
+        whitelistedClassNames.addAll(additionalAuthorizedClasses);
+    }
+}
+
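Review bot: Only `resolveClass` is overridden, so the whitelist is not applied to dynamic proxy descriptors, which `ObjectInputStream` resolves through `resolveProxyClass(String[])` instead; the proxy's InvocationHandler still has to pass `resolveClass`, so today this is defence in depth rather than a bypass, but a filter that guards one class-resolution path and not the other silently stops being complete the first time the whitelist grows. The `List<String>` constructor also lacks the null check its `String[]` twin has, so passing a null list throws NullPointerException from `addAll`. The `JAVA_PACKAGES` rule is a bare `startsWith`, so every class under `java.util` (deeply nested `HashSet`/`HashMap` graphs, large arrays) is accepted with no depth or size limit; on a JDK that has `java.io.ObjectInputFilter` (9+, backported to 8u121 as `sun.misc`) a `maxdepth`/`maxarray` filter alongside this whitelist would close the resource-exhaustion angle, which I can only flag since the target JDK is not visible here. The rewrite below adds the proxy hook and the null check.

```java
    public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException {
        super(in);
        this.whitelistedClassNames = new ArrayList<String>();
        // mirror the String[] constructor: a null whitelist means "no extra classes", not an NPE
        if (whitelist != null) {
            this.whitelistedClassNames.addAll(whitelist);
        }
    }

    // … unchanged: resolveClass, isWhitelisted, addToWhitelist …

    /**
     * Dynamic proxies bypass {@link #resolveClass}; the JDK resolves them here,
     * so every interface of the proxy is checked against the same whitelist.
     */
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        for (String iface : interfaces) {
            if (!isWhitelisted(iface)) {
                throw new InvalidClassException("Unauthorized deserialization attempt", iface);
            }
        }
        return super.resolveProxyClass(interfaces);
    }
```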

--- End Message ---
--- Begin Message ---
Source: logback
Source-Version: 1:1.1.9-2

We believe that the bug you reported is fixed in the latest version of
logback, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 857...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated logback package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Mar 2017 17:22:37 +0200
Source: logback
Binary: liblogback-java liblogback-java-doc
Architecture: source
Version: 1:1.1.9-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 liblogback-java - flexible logging library for Java
 liblogback-java-doc - flexible logging library for Java - documentation
Closes: 857343
Changes:
 logback (1:1.1.9-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2017-5929:
     It was discovered that logback, a flexible logging library for Java, would
     deserialize data from untrusted sockets. This issue has been resolved by
     adding a whitelist to use only trusted classes. (Closes: #857343)
     Thanks to Fabrice Dagorn for the report.
Checksums-Sha1:
 a80b2a96a5fe7440e3cf05ca649ce843f956bd17 2408 logback_1.1.9-2.dsc
 54688b6b588ed58d126314e1b23fcdd6d1f2bebd 12144 logback_1.1.9-2.debian.tar.xz
 33f35fb43eaf21b32e7f83620cf68df8a4e846c1 15154 logback_1.1.9-2_amd64.buildinfo
Checksums-Sha256:
 99c01932556306755697497c172bb0cb6a9b100915fae43a41cfb7105289c260 2408 
logback_1.1.9-2.dsc
 16d7640ef0dc253a799e3e95450aac682a39877556219d983e2fc85809213f4b 12144 
logback_1.1.9-2.debian.tar.xz
 93d2f80f30285d36e13a1945a201357b1d9b6eb8ade2b58b725eebb0d5a6b30c 15154 
logback_1.1.9-2_amd64.buildinfo
Files:
 99bd1f27c78f1a523f7d2af337b1649b 2408 java optional logback_1.1.9-2.dsc
 3a4c6bc37eef5638a43bcc17a2121731 12144 java optional 
logback_1.1.9-2.debian.tar.xz
 201a70196f6fccc0ec32a21dc4497ef2 15154 java optional 
logback_1.1.9-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
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=dG7X
-----END PGP SIGNATURE-----

--- End Message ---