Hi,

On Wed, Sep 22, 2021 at 04:29:39PM +0200, Sylvain Beucler wrote:
> On 22/09/2021 15:37, Markus Koschany wrote:
> > so far I have not found any regressions in Debian packages which depend on
> > libxstream-java. I propose to switch to the whitelist in all suites because
> > this is the only reasonable way to secure XStream. I have prepared an update
> > for Stretch. Anton, could you take a look at it because I saw you have
> > claimed libxstream-java?
> >
> > https://people.debian.org/~apo/lts/libxstream-java/libxstream-java.debdiff
>
> I am pretty surprised because I had concluded that all reverse-dependencies
> would break, due to not white-listing any app-specific class:
> https://lists.debian.org/debian-lts/2021/06/msg00040.html
>
> I'll test your package shortly to see if my angle is relevant with this
> patch.
I had a look again.

IIUC you mean no Debian non-lib package actually uses xstream at all, or the
breakage has negligible impact (e.g. Jajuk's support for Last.FM scrobbling
should become more network-intensive since the submission cache won't load
anymore).

User code that links to our xstream.jar may break though (see below with an
application that uses libjsap-java), so it's a bold move, but your call.

Cheers!
Sylvain

# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
Hi, World!

# dpkg -i libxstream-java_1.4.11.1-1+deb9u4_all.deb

# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Exception in thread "main" com.thoughtworks.xstream.security.ForbiddenClassException: com.martiansoftware.jsap.xml.JSAPConfig
	at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
	at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
	at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
	at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
	at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
	at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:133)
	at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1482)
	at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1462)
	at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1333)
	at com.martiansoftware.jsap.xml.JSAPConfig.configure(JSAPConfig.java:42)
	at com.martiansoftware.jsap.JSAP.<init>(JSAP.java:366)
	at com.martiansoftware.jsap.examples.Manual_HelloWorld_9.main(Manual_HelloWorld_9.java:22)
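The failure shown in the trace above is the general whitelist behaviour: once XStream's security framework denies everything by default, any application that unmarshals its own classes must register them explicitly, and untouched callers (JSAP's JSAPConfig here) get a ForbiddenClassException for the root element. The following standalone program is an added illustration, not code from this thread, from XStream, or from JSAP; the AppConfig class, the "config" alias and the XML document are constructed for the demo, and lockedDown() reproduces a deny-by-default configuration with XStream's public API rather than relying on the Debian patch's built-in default.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/**
 * Added example (not from the mail thread, XStream or JSAP): shows that a
 * deny-by-default XStream rejects an application's own config class with
 * ForbiddenClassException until the application whitelists that class.
 */
public class WhitelistDemo {

    /** Hypothetical application config type, standing in for JSAPConfig. */
    public static class AppConfig {
        public String name;
        public int retries;
    }

    /** Constructed sample document in the shape XStream emits for AppConfig. */
    static final String XML =
        "<config>\n" +
        "  <name>demo</name>\n" +
        "  <retries>3</retries>\n" +
        "</config>";

    /** Deny everything, then re-admit only null, primitives and String. */
    static XStream lockedDown() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // forbid all types
        xstream.addPermission(NullPermission.NULL);                // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xstream.allowTypes(new Class[] { String.class });          // allow String fields
        xstream.alias("config", AppConfig.class);                  // map <config> to AppConfig
        return xstream;
    }

    /** What an application must add on top: its own types, nothing wider. */
    static XStream lockedDownWithAppTypes() {
        XStream xstream = lockedDown();
        xstream.allowTypes(new Class[] { AppConfig.class });
        // Alternative for a whole package (hypothetical package name):
        // xstream.allowTypesByWildcard(new String[] { "com.example.app.**" });
        return xstream;
    }

    /** Attempts the unmarshal and reports either the result or the rejection. */
    static String tryLoad(XStream xstream) {
        try {
            AppConfig cfg = (AppConfig) xstream.fromXML(XML);
            return "loaded name=" + cfg.name + " retries=" + cfg.retries;
        } catch (ForbiddenClassException e) {
            // Same exception type and message form as in the JSAP trace above.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // First call: AppConfig not whitelisted, so the root element is refused.
        System.out.println(tryLoad(lockedDown()));
        // Second call: AppConfig whitelisted, document loads normally.
        System.out.println(tryLoad(lockedDownWithAppTypes()));
    }
}
```

Compile and run it with xstream.jar on the classpath (the same jar path as in the trace above works: `javac -cp /usr/share/java/xstream.jar WhitelistDemo.java && java -cp .:/usr/share/java/xstream.jar WhitelistDemo`). The first line of output is the rejection, the second the loaded config; the point is that the fix belongs in the application (allowTypes on its own classes), not in loosening the library's default.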