Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
On 01.04.2017 at 08:20, Fabrice Dagorn wrote:
> The POC is a simple Eclipse Java project.
>
> UnsafeReceiver will open a ServerSocketReceiver on a port and wait
> forever.
>
> Injector will then open a client Socket to the ServerSocketReceiver and
> serialize a Calculator instance through the wire.
>
> Calculator implements ILoggingEvent to prevent a ClassCastException on
> deserialization, but Logback won't check any further and getLoggerName() is called.
>
> In this case, the GNOME calculator is executed.

Thank you for the reproducer. I believe the issue is fixed now and I am going to upload the new revision soon.

Regards,

Markus
Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
The POC is a simple Eclipse Java project.

UnsafeReceiver will open a ServerSocketReceiver on a port and wait forever.

Injector will then open a client Socket to the ServerSocketReceiver and serialize a Calculator instance through the wire.

Calculator implements ILoggingEvent to prevent a ClassCastException on deserialization, but Logback won't check any further and getLoggerName() is called.

In this case, the GNOME calculator is executed.

Regards,
Fabrice

On 31/03/2017 at 14:10, Markus Koschany wrote:
> You could also attach the POC to this bug report. The vulnerability is
> publicly known by now anyway.
>
> Markus

Attachment: poc_logback.tar.gz (GNU Zip compressed data)
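The mechanism Fabrice describes, written out as an added example (this is neither the POC from the bug report nor logback's own code): the receiver deserializes whatever arrives on the socket, the cast to the event interface succeeds because the attacker's class implements it, and the first method the receiver calls runs the attacker's code. The stand-in types Event, EventVO and Gadget model ILoggingEvent, the benign serialized event and the POC's Calculator class; the class names, the whitelist contents and the flag the gadget flips instead of spawning a process are this example's own assumptions. The hardened receiver rejects unknown classes in resolveClass(), before any instance of the incoming class exists, which is the approach logback 1.2.0 took with its HardenedObjectInputStream.

```java
// Added example, not code from the logback project or from the bug report's POC.
// Stand-ins: Event models ILoggingEvent, EventVO the benign serialized event,
// Gadget the attacker's Calculator. Names, whitelist and the flag payload are
// assumptions made for this example.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class HardenedReceiverDemo {

    /** Stand-in for ch.qos.logback.classic.spi.ILoggingEvent. */
    interface Event { String getLoggerName(); }

    /** Stand-in for the benign event object a SocketAppender sends. */
    static final class EventVO implements Event, Serializable {
        private static final long serialVersionUID = 1L;
        private final String loggerName;
        EventVO(String loggerName) { this.loggerName = loggerName; }
        public String getLoggerName() { return loggerName; }
    }

    /** Stand-in for the POC's Calculator: implements the expected interface so the
     *  cast succeeds, then runs attacker code from the first method the receiver
     *  calls. Here the "payload" only sets a flag instead of starting a process. */
    static final class Gadget implements Event, Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean payloadRan = false;
        public String getLoggerName() { payloadRan = true; return "pwned"; }
    }

    /** The pattern the bug describes: trust the cast, then call into the object. */
    static String unsafeReceive(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            Event e = (Event) ois.readObject();   // any Serializable Event is accepted
            return e.getLoggerName();             // attacker code runs here
        }
    }

    /** Whitelisting stream: resolveClass() runs before an instance of the incoming
     *  class exists, so a gadget is refused before readObject(), constructors or
     *  getters can execute. The allowed set below is this example's own. */
    static final class WhitelistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on the deserialization whitelist");
            }
            return super.resolveClass(desc);
        }
    }

    static String hardenedReceive(InputStream in) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(EventVO.class.getName());
        try (ObjectInputStream ois = new WhitelistObjectInputStream(in, allowed)) {
            Event e = (Event) ois.readObject();
            return e.getLoggerName();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new EventVO("com.example.App"));
        byte[] hostile = serialize(new Gadget());   // what the POC's Injector sends

        System.out.println("unsafe/benign:    " + unsafeReceive(new ByteArrayInputStream(benign)));
        unsafeReceive(new ByteArrayInputStream(hostile));
        System.out.println("unsafe/hostile:   payload ran = " + Gadget.payloadRan);

        Gadget.payloadRan = false;
        System.out.println("hardened/benign:  " + hardenedReceive(new ByteArrayInputStream(benign)));
        try {
            hardenedReceive(new ByteArrayInputStream(hostile));
        } catch (InvalidClassException ex) {
            System.out.println("hardened/hostile: rejected (" + ex.getMessage()
                    + "), payload ran = " + Gadget.payloadRan);
        }
    }
}
```

Compile with javac (Java 9 or later, for Set.of) and run: the unsafe path reports that the gadget's code ran, while the hardened path throws InvalidClassException for the same bytes and the flag stays false. The check belongs in resolveClass() rather than after the cast because by the time a cast can be tested the object has already been instantiated and its readObject() has already run. On a real deployment the exposure only exists where a ServerSocketReceiver or SocketServer is actually configured to listen, which is what the POC's UnsafeReceiver sets up.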
Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
On 31.03.2017 at 08:10, Fabrice Dagorn wrote:
> Hi,
> I have made a quick and dirty POC for this issue.
> This results in remote code execution in the JVM that exposes a
> ServerSocketReceiver.
>
> Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.
>
> The POC is available on demand.
>
> Regards,
> Fabrice Dagorn

Hi,

Yes, please send the POC to a...@debian.org and describe the scenario in which you trigger this issue. Upstream still has not responded to my inquiry. If I don't hear from them by the beginning of next week, I will backport the other commits on a best-effort basis.

Regards,

Markus
Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
You could also attach the POC to this bug report. The vulnerability is publicly known by now anyway.

Markus
Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Hi,

I have made a quick and dirty POC for this issue. This results in remote code execution in the JVM that exposes a ServerSocketReceiver.

Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.

The POC is available on demand.

Regards,
Fabrice Dagorn
Processed: Re: Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Processing control commands:

> reopen -1
Bug #857343 {Done: Markus Koschany} [liblogback-java] logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components
Bug #858914 {Done: Markus Koschany} [liblogback-java] CVE-2017-5929: serialization vulnerability in SocketServer and ServerSocketReceiver
'reopen' may be inappropriate when a bug has been closed with a version; all fixed versions will be cleared, and you may need to re-add them.
Bug reopened
No longer marked as fixed in versions logback/1:1.1.9-2.
No longer marked as fixed in versions logback/1:1.1.9-2.

--
857343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857343
858914: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=858914
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Control: reopen -1

On 29.03.2017 at 08:11, Fabrice Dagorn wrote:
> Thank you for your upload.
>
> But I think that the issue is not completely solved; upstream made the
> fix in several commits (https://github.com/qos-ch/logback/commits/v_1.2.0).
>
> The comment is not meaningful, but this one is related to the
> vulnerability:
> https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9

Hi,

I am not sure, because they have also included a lot of cosmetic changes, but there might be even more relevant commits, hence I have asked upstream for clarification. [1] I will keep this bug report open until we know more about it.

Regards,

Markus

[1] http://mailman.qos.ch/pipermail/logback-user/2017-March/004875.html
Bug#857343: closed by Markus Koschany <a...@debian.org> (Bug#857343: fixed in logback 1:1.1.9-2)
Thank you for your upload.

But I think that the issue is not completely solved; upstream made the fix in several commits (https://github.com/qos-ch/logback/commits/v_1.2.0).

The comment is not meaningful, but this one is related to the vulnerability:
https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9

Fabrice Dagorn

On 28/03/2017 at 18:09, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the liblogback-java package:
>
> #857343: logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components
>
> It has been closed by Markus Koschany.
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Markus Koschany by
> replying to this email.