diff -Nru libxstream-java-1.4.11.1/debian/changelog libxstream-java-1.4.11.1/debian/changelog --- libxstream-java-1.4.11.1/debian/changelog 2020-12-31 22:15:35.000000000 +0900 +++ libxstream-java-1.4.11.1/debian/changelog 2021-06-17 22:02:16.000000000 +0900 @@ -1,3 +1,15 @@ +libxstream-java (1.4.11.1-1+deb10u3) buster-security; urgency=high + + * Team upload. + * Fix CVE-2021-29505: + - The vulnerability may allow a remote attacker has sufficient rights + to execute commands of the host only by manipulating the processed + input stream. No user is affected, who followed the recommendation + to setup XStream's security framework with a whitelist limited to + the minimal required types. + + -- Hideki Yamane Thu, 17 Jun 2021 22:02:16 +0900 + libxstream-java (1.4.11.1-1+deb10u2) buster-security; urgency=high * Team upload. diff -Nru libxstream-java-1.4.11.1/debian/patches/0004-Fix-CVE-2021-29505-for-buster.patch libxstream-java-1.4.11.1/debian/patches/0004-Fix-CVE-2021-29505-for-buster.patch --- libxstream-java-1.4.11.1/debian/patches/0004-Fix-CVE-2021-29505-for-buster.patch 1970-01-01 09:00:00.000000000 +0900 +++ libxstream-java-1.4.11.1/debian/patches/0004-Fix-CVE-2021-29505-for-buster.patch 2021-06-17 22:02:16.000000000 +0900 @@ -0,0 +1,36 @@ +From: Hideki Yamane +Date: Thu, 18 Jun 2021 23:27:25 +0900 +Subject: Fix CVE-2021-29505 from upstream commit (Closes:#989491) + +Taken patch from upstream commit +https://github.com/x-stream/xstream/commit/f0c4a8d861b68ffc3119cfbbbd632deee624e227 +and modified it to be applied buster branch (1.4.11.1) + +--- + xstream/src/java/com/thoughtworks/xstream/XStream.java | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +Index: libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java +=================================================================== +--- libxstream-java.orig/xstream/src/java/com/thoughtworks/xstream/XStream.java ++++ libxstream-java/xstream/src/java/com/thoughtworks/xstream/XStream.java +@@ -354,8 +354,10 @@ public class XStream { + + private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper"; + private static final Pattern IGNORE_ALL = Pattern.compile(".*"); ++ private static final Pattern LAZY_ENUMERATORS = Pattern.compile(".*\\.Lazy(?:Search)?Enumeration.*"); + private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator"); + private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*"); ++ private static final Pattern JAVA_RMI = Pattern.compile("(?:java|sun)\\.rmi\\..*"); + private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream"); + + /** +@@ -710,7 +712,7 @@ public class XStream { + java.beans.EventHandler.class, + java.lang.ProcessBuilder.class, + java.lang.Void.class, void.class }); +- denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM}); ++ denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM, LAZY_ENUMERATORS,JAVA_RMI}); + allowTypeHierarchy(Exception.class); + securityInitialized = false; + } diff -Nru libxstream-java-1.4.11.1/debian/patches/series libxstream-java-1.4.11.1/debian/patches/series --- libxstream-java-1.4.11.1/debian/patches/series 2020-12-31 22:15:35.000000000 +0900 +++ libxstream-java-1.4.11.1/debian/patches/series 2021-06-17 22:02:16.000000000 +0900 @@ -2,3 +2,4 @@ CVE-2020-26217.patch CVE-2020-26258.patch CVE-2020-26259.patch +0004-Fix-CVE-2021-29505-for-buster.patch