Package: release.debian.org Severity: normal Tags: bookworm User: release.debian....@packages.debian.org Usertags: pu X-Debbugs-CC: Pierre Gruet <p...@debian.org>
(Please provide enough information to help the release team to judge the request efficiently. E.g. by filling in the sections below.) [Reason] CVE-2024-47072: stack overflow [ Impact ] Remote DoS is likely possible for applications that configure XStream with the BinaryStreamDriver [ Tests ] Manual test; the upstream unit test does not backport [ Risks ] Code change is small and self-contained. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] * Team upload * Fix CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream. (Closes: #1087274) [ Other info ] pgt will likely review
diff -Nru libxstream-java-1.4.20/debian/changelog libxstream-java-1.4.20/debian/changelog --- libxstream-java-1.4.20/debian/changelog 2023-01-11 12:15:53.000000000 +0000 +++ libxstream-java-1.4.20/debian/changelog 2024-12-22 10:12:11.000000000 +0000 @@ -1,3 +1,13 @@ +libxstream-java (1.4.20-1+deb12u1) bookworm; urgency=medium + + * Team upload + * Fix CVE-2024-47072: XStream is vulnerable to a + Denial of Service attack due to stack overflow + from a manipulated binary input stream. + (Closes: #1087274) + + -- Bastien Roucari??s <ro...@debian.org> Sun, 22 Dec 2024 10:12:11 +0000 + libxstream-java (1.4.20-1) unstable; urgency=medium * Team upload. diff -Nru libxstream-java-1.4.20/debian/patches/0004-CVE-2024-47072.patch libxstream-java-1.4.20/debian/patches/0004-CVE-2024-47072.patch --- libxstream-java-1.4.20/debian/patches/0004-CVE-2024-47072.patch 1970-01-01 00:00:00.000000000 +0000 +++ libxstream-java-1.4.20/debian/patches/0004-CVE-2024-47072.patch 2024-12-22 10:10:35.000000000 +0000 
@@ -0,0 +1,61 @@ +From: joehni <joerg.schai...@gmx.de> +Date: Wed, 18 Sep 2024 20:19:13 +0200 +Subject: CVE-2024-47072 + +This vulnerability may allow a remote attacker to terminate the application +with a stack overflow error resulting in a denial of service only +by manipulating the processed input stream when XStream is configured +to use the BinaryStreamDrive + +origin: backport, https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a +bug: https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q +--- + .../xstream/io/binary/BinaryStreamReader.java | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java +index 2839651..cd870cd 100644 +--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java ++++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java +@@ -1,6 +1,6 @@ + /* + * Copyright (C) 2006 Joe Walnes. +- * Copyright (C) 2006, 2007, 2011, 2013 XStream Committers. ++ * Copyright (C) 2006, 2007, 2011, 2013, 2024 XStream Committers. + * All rights reserved. 
+ * + * The software in this package is published under the terms of the BSD +@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter; + import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader; + import com.thoughtworks.xstream.io.HierarchicalStreamReader; + import com.thoughtworks.xstream.io.StreamException; ++import com.thoughtworks.xstream.security.InputManipulationException; + + import java.io.DataInputStream; + import java.io.IOException; +@@ -150,15 +151,20 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader { + private Token readToken() { + if (pushback == null) { + try { +- Token token = tokenFormatter.read(in); +- switch (token.getType()) { ++ boolean mapping = false; ++ do { ++ final Token token = tokenFormatter.read(in); ++ switch (token.getType()) { + case Token.TYPE_MAP_ID_TO_VALUE: + idRegistry.put(token.getId(), token.getValue()); +- return readToken(); // Next one please. ++ mapping ^= true; ++ continue; // Next one please. + default: + return token; +- } +- } catch (IOException e) { ++ } ++ } while (mapping); ++ throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence"); ++ } catch (final IOException e) { + throw new StreamException(e); + } + } else { diff -Nru libxstream-java-1.4.20/debian/patches/series libxstream-java-1.4.20/debian/patches/series --- libxstream-java-1.4.20/debian/patches/series 2023-01-11 12:15:53.000000000 +0000 +++ libxstream-java-1.4.20/debian/patches/series 2024-12-22 10:10:35.000000000 +0000 @@ -1,3 +1,4 @@ 01-java7-compatibility.patch 02-disable-beastax-driver.patch no-mxparser.patch +0004-CVE-2024-47072.patch
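Review bot: In the rewritten readToken loop the `idRegistry.put` on a second consecutive mapping token still executes before `mapping ^= true` and `continue` send control to the `while (mapping)` test and from there to the trailing `throw`, so the registry is mutated with attacker-chosen data just before the stream is rejected, and the toggle-then-fall-out shape makes it hard to see that the throw is reachable at all. Presumably the reader is discarded once InputManipulationException escapes, so the stale entry is harmless, but the intent is clearer if the check precedes the registration and the loop can only leave via `return` or `throw`; the rewritten lines are below, with a comment recording why two mapping tokens in a row are treated as manipulation (the exception message already says so; that XStream's writer never emits two in sequence is upstream's claim and worth confirming against BinaryStreamWriter). If the `continue` form is kept instead, a one-line note such as `// continue re-evaluates while (mapping): a second mapping token in a row leaves the loop and throws` would spare the next reader a trace. readToken continues past the hunk (the `pushback != null` branch), and the new import assumes `com.thoughtworks.xstream.security.InputManipulationException` exists in the 1.4.20 sources, which the successful build should confirm.
```java
            boolean mapping = false;
            while (true) {
                final Token token = tokenFormatter.read(in);
                switch (token.getType()) {
                case Token.TYPE_MAP_ID_TO_VALUE:
                    // Upstream's writer is understood to emit a mapping token only
                    // directly before the token it names; a second one in a row can
                    // only come from a tampered stream (CVE-2024-47072), so reject it
                    // before recording anything.
                    if (mapping) {
                        throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
                    }
                    idRegistry.put(token.getId(), token.getValue());
                    mapping = true;
                    break; // Next one please.
                default:
                    return token;
                }
            }
            // … unchanged: catch (final IOException e) { throw new StreamException(e); } …
```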