Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hello, I would like to upload a security update for Groovy in Jessie. (Debdiff is attached) This is Debian bug #851408 or CVE-2016-6814. The security team has marked this CVE as no-dsa but it would be good to fix CVE-2016-6814 in Jessie too. I will also file a bug report for Groovy2 which is affected by the same issue shortly. Regards, Markus
diff -Nru groovy-1.8.6/debian/changelog groovy-1.8.6/debian/changelog --- groovy-1.8.6/debian/changelog 2015-07-25 23:30:00.000000000 +0200 +++ groovy-1.8.6/debian/changelog 2017-01-30 17:20:04.000000000 +0100 @@ -1,3 +1,17 @@ +groovy (1.8.6-4+deb8u2) jessie; urgency=medium + + * Team upload. + * Fix CVE-2016-6814: + It was found that a flaw in Apache Groovy, a dynamic language for the Java + Virtual Machine, allows remote code execution wherever deserialization + occurs in the application. It is possible for an attacker to craft a + special serialized object that will execute code directly when + deserialized. All applications which rely on serialization and do not + isolate the code which deserializes objects are subject to this + vulnerability. + + -- Markus Koschany <a...@debian.org> Mon, 30 Jan 2017 17:20:04 +0100 + groovy (1.8.6-4+deb8u1) stable; urgency=high * Fix remote execution of untrusted code and possible DoS vulnerability. diff -Nru groovy-1.8.6/debian/patches/CVE-2016-6814.patch groovy-1.8.6/debian/patches/CVE-2016-6814.patch --- groovy-1.8.6/debian/patches/CVE-2016-6814.patch 1970-01-01 01:00:00.000000000 +0100 +++ groovy-1.8.6/debian/patches/CVE-2016-6814.patch 2017-01-30 17:20:04.000000000 +0100 @@ -0,0 +1,37 @@ +From: Markus Koschany <a...@debian.org> +Date: Mon, 30 Jan 2017 17:15:11 +0100 +Subject: CVE-2016-6814 + +Bug-Debian: https://bugs.debian.org/851408 +Origin: http://seclists.org/oss-sec/2017/q1/92 +--- + src/main/org/codehaus/groovy/runtime/MethodClosure.java | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/main/org/codehaus/groovy/runtime/MethodClosure.java b/src/main/org/codehaus/groovy/runtime/MethodClosure.java +index d4f996e..4dfb360 100644 +--- a/src/main/org/codehaus/groovy/runtime/MethodClosure.java ++++ b/src/main/org/codehaus/groovy/runtime/MethodClosure.java +@@ -19,6 +19,7 @@ import groovy.lang.Closure; + import groovy.lang.MetaMethod; + + import java.util.List; ++import java.io.IOException; + + + /** +@@ -61,6 +62,14 @@ public class MethodClosure extends Closure { + throw new UnsupportedOperationException(); + } + ++ private void readObject(java.io.ObjectInputStream stream) throws ++ IOException, ClassNotFoundException { ++ if (ALLOW_RESOLVE) { ++ stream.defaultReadObject(); ++ } ++ throw new UnsupportedOperationException(); ++ } ++ + public String getMethod() { + return method; + } diff -Nru groovy-1.8.6/debian/patches/series groovy-1.8.6/debian/patches/series --- groovy-1.8.6/debian/patches/series 2015-07-25 23:26:18.000000000 +0200 +++ groovy-1.8.6/debian/patches/series 2017-01-30 17:20:04.000000000 +0100 @@ -3,3 +3,4 @@ 0003-disable-bnd.diff.patch 0004-java8-compatibility.patch 0005-CVE-2015-3253.patch +CVE-2016-6814.patch
