Your message dated Sat, 26 Mar 2022 12:02:22 +0000
with message-id 
<540de30a27d37c3ff416b94b1adf7ff2a2cab257.ca...@adam-barratt.org.uk>
and subject line Closing requests for updates in 10.12
has caused the Debian Bug report #1003826,
regarding buster-pu: package libjackson-json-java/1.9.13-2~deb10u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1003826: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003826
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu

  * Add upstream fixes.
    - Serializing types for deeply nested Maps.
    - Set Secure Processing flag on DocumentBuilderFactory.
    - Set setExpandEntityReferences(false). (Fixes: CVE-2019-10172)
    - WriteRawValue surrogate pair fix.
    - Fix deserialization.
    - All known security fixes. (Fixes: CVE-2017-15095 and CVE-2017-7525)
  * Update Standards-Version to 4.5.0

Except for Standards-Version and the dh compat bump reverted
in this backport, the bullseye package was the buster package
with several bugfixes applied (including fixes for 3 CVEs).
diff -Nru libjackson-json-java-1.9.13/debian/changelog 
libjackson-json-java-1.9.13/debian/changelog
--- libjackson-json-java-1.9.13/debian/changelog        2018-12-31 
00:28:06.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/changelog        2022-01-16 
14:04:02.000000000 +0200
@@ -1,3 +1,27 @@
+libjackson-json-java (1.9.13-2~deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * Rebuild for buster.
+    - Revert the debhelper compat bump.
+
+ -- Adrian Bunk <b...@debian.org>  Sun, 16 Jan 2022 14:04:02 +0200
+
+libjackson-json-java (1.9.13-2) unstable; urgency=medium
+
+  * Team upload.
+  * Add upstream fixes.
+    - Serializing types for deeply nested Maps.
+    - Set Secure Processing flag on DocumentBuilderFactory.
+    - Set setExpandEntityReferences(false). (Fixes: CVE-2019-10172)
+    - WriteRawValue surrogate pair fix.
+    - Fix deserialization.
+    - All known security fixes. (Fixes: CVE-2017-15095 and CVE-2017-7525)
+  * Update Standards-Version to 4.5.0
+  * Use debhelper-compat.
+    - Update compat level to 13.
+
+ -- Sudip Mukherjee <sudipm.mukher...@gmail.com>  Sat, 19 Sep 2020 20:20:21 
+0100
+
 libjackson-json-java (1.9.13-1) unstable; urgency=medium
 
   * Team upload.
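Review bot: the buster entry in this hunk describes the upload as "Rebuild for buster", but the diff carries the whole 1.9.13-2 change set, including the fixes for CVE-2017-15095, CVE-2017-7525 and CVE-2019-10172. The stable entry is the one users of buster read, so name the security fixes there rather than only in the inherited 1.9.13-2 entry, e.g. "Backport 1.9.13-2 to buster, fixing CVE-2017-15095, CVE-2017-7525 and CVE-2019-10172 (revert the debhelper compat bump)".
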
diff -Nru libjackson-json-java-1.9.13/debian/control 
libjackson-json-java-1.9.13/debian/control
--- libjackson-json-java-1.9.13/debian/control  2018-12-31 00:15:15.000000000 
+0200
+++ libjackson-json-java-1.9.13/debian/control  2022-01-16 14:04:02.000000000 
+0200
@@ -18,7 +18,7 @@
  libjoda-time-java,
  maven-repo-helper (>= 1.5~),
  libnet-luminis-build-plugin-java (>= 0.2.0-3)
-Standards-Version: 4.3.0
+Standards-Version: 4.5.0
 Vcs-Git: https://salsa.debian.org/java-team/libjackson-json-java.git
 Vcs-Browser: https://salsa.debian.org/java-team/libjackson-json-java
 Homepage: https://github.com/FasterXML/jackson
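Review bot: the `+Standards-Version: 4.5.0` change in this hunk has no effect on the built binaries and is normally dropped from a stable update to keep the debdiff limited to the fixes being shipped; it is harmless, but the cover mail already singles it out as the one non-bugfix change.
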
diff -Nru libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch 
libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch
--- libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch     
1970-01-01 02:00:00.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch     
2020-09-18 19:10:06.000000000 +0300
@@ -0,0 +1,113 @@
+From 8404cf0b1fb700e5a179abd71137f3057846b80f Mon Sep 17 00:00:00 2001
+From: cowtowncoder <cowtowncoder@cc757fca-8a48-0410-80b4-e22f7f27f4c6>
+Date: Tue, 13 Aug 2013 04:26:38 +0000
+Subject: [PATCH] fixed #234
+
+---
+
+upstream link: 
https://github.com/FasterXML/jackson-1/commit/8404cf0b1fb700e5a179abd71137f3057846b80f
+
+diff --git 
a/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java 
b/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java
+index c2c447cb..041da2f4 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java
++++ b/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java
+@@ -344,7 +344,11 @@ public class MapSerializer
+                 if (cc == prevValueClass) {
+                     currSerializer = prevValueSerializer;
+                 } else {
+-                    currSerializer = provider.findValueSerializer(cc, 
_property);
++                    if (_valueType.hasGenericTypes()) {
++                        currSerializer = 
provider.findValueSerializer(provider.constructSpecializedType(_valueType, cc), 
_property);
++                    } else {
++                        currSerializer = provider.findValueSerializer(cc, 
_property);
++                    }
+                     prevValueSerializer = currSerializer;
+                     prevValueClass = cc;
+                 }
+@@ -417,6 +421,5 @@ public class MapSerializer
+         }
+         return result.serializer;
+     }
+-
+ }
+ 
+diff --git 
a/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java 
b/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java
+index 15be85e4..97741a35 100644
+--- a/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java
++++ b/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java
+@@ -39,6 +39,33 @@ public class TestDefaultForMaps
+         public Map<MapKey,List<Object>> map;
+     }
+ 
++    // // For #234
++    
++    static class ItemList {
++        public String value;
++        public List<ItemList> childItems = new LinkedList<ItemList>();
++
++        public void addChildItem(ItemList l) { childItems.add(l); }
++    }
++
++    static class ItemMap
++    {
++        public String value;
++
++        public Map<String, List<ItemMap>> childItems = new HashMap<String, 
List<ItemMap>>();
++
++        public void addChildItem(String key, ItemMap childItem) {
++          List<ItemMap> items;
++          if (childItems.containsKey(key)) {
++              items = childItems.get(key);
++          } else {
++              items = new ArrayList<ItemMap>();
++          }
++          items.add(childItem);
++          childItems.put(key, items);
++        }
++    }
++
+     /*
+     /**********************************************************
+     /* Unit tests
+@@ -94,4 +121,38 @@ public class TestDefaultForMaps
+         return TypeNameIdResolver.construct(mapper.getDeserializationConfig(),
+                 TypeFactory.defaultInstance().constructType(Object.class), 
subtypes, forSerialization, !forSerialization);
+     }
++
++    // // For #234:
++    
++    public void testList() throws Exception
++    {
++        final ObjectMapper mapper = new ObjectMapper();
++        
mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE, 
JsonTypeInfo.As.PROPERTY);
++        ItemList child = new ItemList();
++        child.value = "I am child";
++
++        ItemList parent = new ItemList();
++        parent.value = "I am parent";
++        parent.addChildItem(child);
++        String json = 
mapper.writerWithDefaultPrettyPrinter().writeValueAsString(parent);
++
++        Object o = mapper.readValue(json, ItemList.class);
++        assertNotNull(o);
++    }
++
++    public void testMap() throws Exception
++    {
++        final ObjectMapper mapper = new ObjectMapper();
++        
mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE, 
JsonTypeInfo.As.PROPERTY);
++        ItemMap child = new ItemMap();
++        child.value = "I am child";
++
++        ItemMap parent = new ItemMap();
++        parent.value = "I am parent";
++        parent.addChildItem("child", child);
++
++        String json = 
mapper.writerWithDefaultPrettyPrinter().writeValueAsString(parent);
++        Object o = mapper.readValue(json, ItemMap.class);
++        assertNotNull(o);
++    }
+ }
+-- 
+2.20.1
+
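Review bot: both new tests in `TestDefaultForMaps` (`testList` and `testMap`) only check `assertNotNull(o)` after the round trip, so they would still pass if the nested `childItems` were dropped or resolved to the wrong type, which is exactly what #234 is about. Cast the result and assert on the child, e.g. `assertEquals("I am child", ((ItemMap) o).childItems.get("child").get(0).value)`. The `MapSerializer` change itself is sound: when the declared value type carries generics, `constructSpecializedType(_valueType, cc)` keeps the type parameters instead of falling back to the raw runtime class.
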
diff -Nru 
libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch
 
libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch
--- 
libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch
  1970-01-01 02:00:00.000000000 +0200
+++ 
libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch
  2020-09-18 21:20:41.000000000 +0300
@@ -0,0 +1,54 @@
+From 54c6bc36aa57741ea669ad110ce28acaa1600864 Mon Sep 17 00:00:00 2001
+From: PJ Fanning <pj.fann...@workday.com>
+Date: Fri, 1 Jul 2016 01:49:46 +0100
+Subject: [PATCH] Set Secure Processing flag on DocumentBuilderFactory
+
+---
+
+unstream link: 
https://github.com/FasterXML/jackson-1/commit/54c6bc36aa57741ea669ad110ce28acaa1600864
+
+ .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java | 7 +++++++
+ .../codehaus/jackson/xc/DomElementJsonDeserializer.java    | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java 
b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+index 50e6016c..3a486b9e 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+@@ -2,7 +2,9 @@ package org.codehaus.jackson.map.ext;
+ 
+ import java.io.StringReader;
+ 
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
+ 
+ import org.codehaus.jackson.map.DeserializationContext;
+ import org.codehaus.jackson.map.deser.std.FromStringDeserializer;
+@@ -22,6 +24,11 @@ public abstract class DOMDeserializer<T> extends 
FromStringDeserializer<T>
+         _parserFactory = DocumentBuilderFactory.newInstance();
+         // yup, only cave men do XML without recognizing namespaces...
+         _parserFactory.setNamespaceAware(true);
++        try {
++            _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
++        } catch(ParserConfigurationException pce) {
++            System.err.println("[DOMDeserializer] Problem setting 
SECURE_PROCESSING_FEATURE: " + pce.toString());
++        }
+     }
+ 
+     protected DOMDeserializer(Class<T> cls) { super(cls); }
+diff --git 
a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java 
b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+index cf9c073d..ccd631aa 100644
+--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+@@ -30,6 +30,7 @@ public class DomElementJsonDeserializer
+         try {
+             DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();
+             bf.setNamespaceAware(true);
++            bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
+             builder = bf.newDocumentBuilder();
+         } catch (ParserConfigurationException e) {
+             throw new RuntimeException();
+-- 
+2.20.1
+
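Review bot: the `DOMDeserializer` hunk fails open. If `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` throws `ParserConfigurationException`, the exception is only printed to `System.err` and the factory continues to be used with the feature unset, so on a JAXP implementation that rejects the feature the deserializer silently runs without the hardening this patch exists to add. Either propagate the failure (as `DomElementJsonDeserializer` in the same patch does by throwing from the `catch`) or treat it as a fatal configuration error. Secure processing also only bounds entity expansion and similar resource limits; it is not on its own a defence against external entity resolution, which the follow-up patch starts to address. Minor: the header line reads "unstream link" instead of "upstream link".
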
diff -Nru 
libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch
 
libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch
--- 
libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch
       1970-01-01 02:00:00.000000000 +0200
+++ 
libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch
       2020-09-18 21:20:41.000000000 +0300
@@ -0,0 +1,45 @@
+From 2361ec46b5fbf940bafe8247e421e64f9cb7f7b1 Mon Sep 17 00:00:00 2001
+From: PJ Fanning <pj.fann...@workday.com>
+Date: Fri, 1 Jul 2016 22:57:06 +0100
+Subject: [PATCH] setExpandEntityReferences(false)
+
+---
+
+upstream link: 
https://github.com/FasterXML/jackson-1/commit/2361ec46b5fbf940bafe8247e421e64f9cb7f7b1
+
+ .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java     | 1 +
+ .../org/codehaus/jackson/xc/DomElementJsonDeserializer.java    | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java 
b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+index 3a486b9e..97f76af9 100644
+--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+@@ -24,6 +24,7 @@ public abstract class DOMDeserializer<T> extends 
FromStringDeserializer<T>
+         _parserFactory = DocumentBuilderFactory.newInstance();
+         // yup, only cave men do XML without recognizing namespaces...
+         _parserFactory.setNamespaceAware(true);
++        _parserFactory.setExpandEntityReferences(false);
+         try {
+             _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
+         } catch(ParserConfigurationException pce) {
+diff --git 
a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java 
b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+index ccd631aa..8b1de578 100644
+--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+@@ -30,10 +30,11 @@ public class DomElementJsonDeserializer
+         try {
+             DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();
+             bf.setNamespaceAware(true);
++            bf.setExpandEntityReferences(false);
+             bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
+             builder = bf.newDocumentBuilder();
+         } catch (ParserConfigurationException e) {
+-            throw new RuntimeException();
++            throw new RuntimeException("Problem creating DocumentBuilder: " + 
e.toString());
+         }
+     }
+ 
+-- 
+2.20.1
+
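Review bot: `setExpandEntityReferences(false)` in both hunks only controls whether entity references are expanded into the resulting DOM tree; a parser may still read the DOCTYPE and resolve external entities before that point, so this is a partial mitigation for CVE-2019-10172 rather than a complete one. The usual hardening for a `DocumentBuilderFactory` that parses untrusted input is to additionally set the `http://apache.org/xml/features/disallow-doctype-decl` feature to `true` (or, where DOCTYPEs must be accepted, disable `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities`), and to fail when those features cannot be set, in line with the new `RuntimeException("Problem creating DocumentBuilder: " + e.toString())` in `DomElementJsonDeserializer`. The `DOMDeserializer` side still swallows the exception from the `try` block shown in context.
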
diff -Nru 
libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch
 
libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch
--- 
libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch
    1970-01-01 02:00:00.000000000 +0200
+++ 
libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch
    2020-09-18 21:20:41.000000000 +0300
@@ -0,0 +1,90 @@
+From 298849da99b27d86fe581781086fb39809cd83bf Mon Sep 17 00:00:00 2001
+From: Marcin Szczepanski <mszczepan...@atlassian.com>
+Date: Mon, 11 Jul 2016 10:33:52 +1000
+Subject: [PATCH] Backport writeRawValue surrogate pair fix from 2.x
+
+This is a backport of a Jackson 2.x fix:
+https://github.com/FasterXML/jackson-core/commit/5e14c461c04f71fc3f35a5ac2e75ed2df0d7c462
+---
+
+upstream link: 
https://github.com/FasterXML/jackson-1/commit/298849da99b27d86fe581781086fb39809cd83bf
+
+ .../codehaus/jackson/impl/Utf8Generator.java  |  6 ++---
+ .../jackson/impl/TestUtf8Generator.java       | 24 +++++++++++++++++++
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/src/java/org/codehaus/jackson/impl/Utf8Generator.java 
b/src/java/org/codehaus/jackson/impl/Utf8Generator.java
+index ccc25cd3..8ac6bd00 100644
+--- a/src/java/org/codehaus/jackson/impl/Utf8Generator.java
++++ b/src/java/org/codehaus/jackson/impl/Utf8Generator.java
+@@ -754,7 +754,7 @@ public class Utf8Generator
+                 _outputBuffer[_outputTail++] = (byte) (0xc0 | (ch >> 6));
+                 _outputBuffer[_outputTail++] = (byte) (0x80 | (ch & 0x3f));
+             } else {
+-                _outputRawMultiByteChar(ch, cbuf, offset, len);
++                offset = _outputRawMultiByteChar(ch, cbuf, offset, len);
+             }
+         }
+     }
+@@ -812,7 +812,7 @@ public class Utf8Generator
+                 bbuf[_outputTail++] = (byte) (0xc0 | (ch >> 6));
+                 bbuf[_outputTail++] = (byte) (0x80 | (ch & 0x3f));
+             } else {
+-                _outputRawMultiByteChar(ch, cbuf, offset, len);
++                offset = _outputRawMultiByteChar(ch, cbuf, offset, len);
+             }
+         }
+     }
+@@ -1643,7 +1643,7 @@ public class Utf8Generator
+         if (ch >= SURR1_FIRST) {
+             if (ch <= SURR2_LAST) { // yes, outside of BMP
+                 // Do we have second part?
+-                if (inputOffset >= inputLen) { // nope... have to note down
++                if (inputOffset >= inputLen || cbuf == null) { // nope... 
have to note down
+                     _reportError("Split surrogate on writeRaw() input (last 
character)");
+                 }
+                 _outputSurrogates(ch, cbuf[inputOffset]);
+diff --git a/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java 
b/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java
+index c4e12c3a..48461376 100644
+--- a/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java
++++ b/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java
+@@ -2,7 +2,10 @@ package org.codehaus.jackson.impl;
+ 
+ import java.io.ByteArrayOutputStream;
+ 
++import org.codehaus.jackson.JsonFactory;
+ import org.codehaus.jackson.JsonGenerator;
++import org.codehaus.jackson.JsonParser;
++import org.codehaus.jackson.JsonToken;
+ import org.codehaus.jackson.io.IOContext;
+ import org.codehaus.jackson.util.BufferRecycler;
+ 
+@@ -25,4 +28,25 @@ public class TestUtf8Generator
+         gen.writeString(str);
+         gen.flush();
+     }
++
++    public void testSurrogatesWithRaw() throws Exception
++    {
++        final String VALUE = quote("\uD83C\uDF89");
++        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
++        IOContext ioc = new IOContext(new BufferRecycler(), bytes, true);
++        JsonGenerator jgen = new Utf8Generator(ioc, 0, null, bytes);
++        jgen.writeRawValue(VALUE);
++        jgen.close();
++
++        final byte[] JSON = bytes.toByteArray();
++
++        JsonParser jp = new JsonFactory().createJsonParser(JSON);
++        assertToken(JsonToken.VALUE_STRING, jp.nextToken());
++        String str = jp.getText();
++        assertEquals(2, str.length());
++        assertEquals((char) 0xD83C, str.charAt(0));
++        assertEquals((char) 0xDF89, str.charAt(1));
++        System.out.println(str);
++        jp.close();
++    }
+ }
+-- 
+2.20.1
+
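Review bot: `System.out.println(str)` in `testSurrogatesWithRaw` is leftover debug output and should be removed; the two `assertEquals((char) 0xD83C, ...)` / `assertEquals((char) 0xDF89, ...)` checks already pin down the expected behaviour. The generator changes themselves look right: assigning `offset = _outputRawMultiByteChar(...)` in the two write loops consumes the low surrogate so it is not re-read as a stray character, and the added `cbuf == null` guard protects the `cbuf[inputOffset]` dereference a few lines later.
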
diff -Nru 
libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch 
libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch
--- libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch   
1970-01-01 02:00:00.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch   
2020-09-18 21:20:41.000000000 +0300
@@ -0,0 +1,86 @@
+From b4c841aea501341fb1d7e62fa4f25a57ed990134 Mon Sep 17 00:00:00 2001
+From: Pawel Niegowski <pniegow...@atlassian.com>
+Date: Fri, 21 Apr 2017 14:47:42 +0200
+Subject: [PATCH] fix deserialization
+
+---
+
+Upstream link: 
https://github.com/FasterXML/jackson-1/commit/b4c841aea501341fb1d7e62fa4f25a57ed990134
+
+ .../map/deser/BeanDeserializerFactory.java    | 48 +++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git 
a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java 
b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
+index 620c9dce..b8c0c180 100644
+--- 
a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
++++ 
b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
+@@ -31,6 +31,37 @@ public class BeanDeserializerFactory
+      */
+     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { 
Throwable.class };
+ 
++    /**
++     * Set of well-known "nasty classes", deserialization of which is 
considered dangerous
++     * and should (and is) prevented by default.
++     *
++     * @since 1.9.13-atlassian-2
++     */
++    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
++
++    static
++    {
++        Set<String> s = new HashSet<String>();
++        // Courtesy of [https://github.com/kantega/notsoserial]:
++        // (and wrt [databind#1599]
++        s.add("org.apache.commons.collections.functors.InvokerTransformer");
++        
s.add("org.apache.commons.collections.functors.InstantiateTransformer");
++        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
++        
s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
++        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
++        s.add("org.codehaus.groovy.runtime.MethodClosure");
++        s.add("org.springframework.beans.factory.ObjectFactory");
++        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
++        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
++    }
++
++    /**
++     * Set of class names of types that are never to be deserialized.
++     *
++     * @since 1.9.13-atlassian-2
++     */
++    protected Set<String> _cfgIllegalClassNames = 
DEFAULT_NO_DESER_CLASS_NAMES;
++
+     /*
+     /**********************************************************
+     /* Config class implementation
+@@ -632,6 +663,7 @@ public class BeanDeserializerFactory
+         if (!isPotentialBeanType(type.getRawClass())) {
+             return null;
+         }
++        checkIllegalTypes(type);
+         // Use generic bean introspection to build deserializer
+         return buildBeanDeserializer(config, type, beanDesc, property);
+     }
+@@ -1473,4 +1505,20 @@ public class BeanDeserializerFactory
+         }
+         return status;
+     }
++
++    /**
++     * @since 2.8.9
++     */
++    protected void checkIllegalTypes(JavaType type)
++            throws JsonMappingException
++    {
++        // There are certain nasty classes that could cause problems, mostly
++        // via default typing -- catch them here.
++        String full = type.getRawClass().getName();
++
++        if (_cfgIllegalClassNames.contains(full))
++        {
++            throw new JsonMappingException("Illegal type (" + full + ") to 
deserialize: prevented for security reasons");
++        }
++    }
+ }
+-- 
+2.20.1
+
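Review bot: `checkIllegalTypes` matches `type.getRawClass().getName()` against an exact-name set, so any subclass or wrapper of a listed class, and any gadget class not on the list, passes the check; this is a denylist and should be documented as such rather than as preventing dangerous deserialization in general (the list is also only consulted when `isPotentialBeanType` is true, per the `createBeanDeserializer` hunk). Also fix the javadoc: `@since 2.8.9` and `@since 1.9.13-atlassian-2` refer to versions of other code lines, not this 1.9.13 package. Applications that do not need polymorphic typing should not enable `enableDefaultTyping` at all, which removes the attack surface this list is patching around.
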
diff -Nru 
libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch
 
libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch
--- 
libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch
  1970-01-01 02:00:00.000000000 +0200
+++ 
libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch
  2020-09-18 21:20:41.000000000 +0300
@@ -0,0 +1,239 @@
+From 9ac68db819bce7b9546bc4bf1c44f82ca910fa31 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.salora...@iki.fi>
+Date: Wed, 20 Dec 2017 16:50:14 -0800
+Subject: [PATCH] Backport all known security fixes from 2.x that were missing, 
related to public CVEs.
+
+---
+
+upstream link: 
https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31
+
+diff --git a/src/java/org/codehaus/jackson/type/JavaType.java 
b/src/java/org/codehaus/jackson/type/JavaType.java
+index 3b216491..871bca4b 100644
+--- a/src/java/org/codehaus/jackson/type/JavaType.java
++++ b/src/java/org/codehaus/jackson/type/JavaType.java
+@@ -479,6 +479,11 @@ public abstract class JavaType
+     /**********************************************************
+      */
+ 
++    // since 1.9.14: needed by one of the patches
++    public final boolean isTypeOrSubTypeOf(Class<?> clz) {
++        return (_class == clz) || clz.isAssignableFrom(_class);
++    }
++
+     protected void _assertSubclass(Class<?> subclass, Class<?> superClass)
+     {
+         if (!_class.isAssignableFrom(subclass)) {
+diff --git 
a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java 
b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
+index b8c0c180..ffeadb12 100644
+--- 
a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
++++ 
b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java
+@@ -9,6 +9,7 @@ import org.codehaus.jackson.map.deser.impl.CreatorProperty;
+ import org.codehaus.jackson.map.deser.std.StdKeyDeserializers;
+ import org.codehaus.jackson.map.deser.std.ThrowableDeserializer;
+ import org.codehaus.jackson.map.introspect.*;
++import org.codehaus.jackson.map.jsontype.impl.SubTypeValidator;
+ import org.codehaus.jackson.map.type.*;
+ import org.codehaus.jackson.map.util.ArrayBuilders;
+ import org.codehaus.jackson.map.util.ClassUtil;
+@@ -31,37 +32,6 @@ public class BeanDeserializerFactory
+      */
+     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { 
Throwable.class };
+ 
+-    /**
+-     * Set of well-known "nasty classes", deserialization of which is 
considered dangerous
+-     * and should (and is) prevented by default.
+-     *
+-     * @since 1.9.13-atlassian-2
+-     */
+-    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+-
+-    static
+-    {
+-        Set<String> s = new HashSet<String>();
+-        // Courtesy of [https://github.com/kantega/notsoserial]:
+-        // (and wrt [databind#1599]
+-        s.add("org.apache.commons.collections.functors.InvokerTransformer");
+-        
s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+-        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+-        
s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+-        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+-        s.add("org.codehaus.groovy.runtime.MethodClosure");
+-        s.add("org.springframework.beans.factory.ObjectFactory");
+-        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+-        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+-    }
+-
+-    /**
+-     * Set of class names of types that are never to be deserialized.
+-     *
+-     * @since 1.9.13-atlassian-2
+-     */
+-    protected Set<String> _cfgIllegalClassNames = 
DEFAULT_NO_DESER_CLASS_NAMES;
+-
+     /*
+     /**********************************************************
+     /* Config class implementation
+@@ -265,6 +235,12 @@ public class BeanDeserializerFactory
+      */
+     protected final Config _factoryConfig;
+ 
++    /**
++     *
++     * @since 1.9.14
++     */
++    protected SubTypeValidator _subtypeValidator = 
SubTypeValidator.instance();
++
+     @Deprecated
+     public BeanDeserializerFactory() {
+         this(null);
+@@ -1507,18 +1483,13 @@ public class BeanDeserializerFactory
+     }
+ 
+     /**
+-     * @since 2.8.9
++     * @since 1.9.14
+      */
+-    protected void checkIllegalTypes(JavaType type)
+-            throws JsonMappingException
++    protected void checkIllegalTypes(JavaType type) throws 
JsonMappingException
+     {
+         // There are certain nasty classes that could cause problems, mostly
+         // via default typing -- catch them here.
+-        String full = type.getRawClass().getName();
+-
+-        if (_cfgIllegalClassNames.contains(full))
+-        {
+-            throw new JsonMappingException("Illegal type (" + full + ") to 
deserialize: prevented for security reasons");
+-        }
++        _subtypeValidator.validateSubType(type);
++        //throw new JsonMappingException("Illegal type (" + full + ") to 
deserialize: prevented for security reasons");
+     }
+ }
+diff --git 
a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java
 
b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java
+index c9fd65e1..c9a00011 100644
+--- 
a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java
++++ 
b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java
+@@ -46,8 +46,16 @@ public class ClassNameIdResolver
+          *    to do translation when necessary
+          */
+         if (id.indexOf('<') > 0) {
+-            JavaType t = TypeFactory.fromCanonical(id);
+             // note: may want to try combining with specialization (esp for 
EnumMap)
++            // 17-Aug-2017, tatu: As per [databind#1735] need to ensure 
assignment
++            //    compatibility -- needed later anyway, and not doing so may 
open
++            //    security issues.
++            JavaType t = _typeFactory.constructFromCanonical(id);
++            if (!t.isTypeOrSubTypeOf(_baseType.getRawClass())) {
++                // Probably cleaner to have a method in `TypeFactory` but 
can't add in patch
++                throw new IllegalArgumentException(String.format(
++                        "Class %s not subtype of %s", 
t.getRawClass().getName(), _baseType));
++            }
+             return t;
+         }
+         try {
+diff --git 
a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java 
b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+new file mode 100644
+index 00000000..865c20e7
+--- /dev/null
++++ 
b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+@@ -0,0 +1,97 @@
++package org.codehaus.jackson.map.jsontype.impl;
++
++import java.util.Collections;
++import java.util.HashSet;
++import java.util.Set;
++
++import org.codehaus.jackson.map.JsonMappingException;
++import org.codehaus.jackson.type.JavaType;
++
++/**
++ * Helper class used to encapsulate rules that determine subtypes that
++ * are invalid to use, even with default typing, mostly due to security
++ * concerns.
++ * Used by <code>BeanDeserializerFactory</code>
++ *
++ * @since 1.9.14
++ */
++public class SubTypeValidator
++{
++    protected final static String PREFIX_STRING = "org.springframework.";
++    /**
++     * Set of well-known "nasty classes", deserialization of which is 
considered dangerous
++     * and should (and is) prevented by default.
++     */
++    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
++    static {
++        Set<String> s = new HashSet<String>();
++        // Courtesy of [https://github.com/kantega/notsoserial]:
++        // (and wrt [databind#1599])
++        s.add("org.apache.commons.collections.functors.InvokerTransformer");
++        
s.add("org.apache.commons.collections.functors.InstantiateTransformer");
++        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
++        
s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
++        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
++        s.add("org.codehaus.groovy.runtime.MethodClosure");
++        s.add("org.springframework.beans.factory.ObjectFactory");
++        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
++        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
++        // [databind#1680]: may or may not be problem, take no chance
++        s.add("com.sun.rowset.JdbcRowSetImpl");
++        // [databind#1737]; JDK provided
++        s.add("java.util.logging.FileHandler");
++        s.add("java.rmi.server.UnicastRemoteObject");
++        // [databind#1737]; 3rd party
++//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
 // deprecated by [databind#1855]
++        
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
++        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++        // [databind#1855]: more 3rd party
++        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
++        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
++        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
++    }
++
++    /**
++     * Set of class names of types that are never to be deserialized.
++     */
++    protected Set<String> _cfgIllegalClassNames = 
DEFAULT_NO_DESER_CLASS_NAMES;
++
++    private final static SubTypeValidator instance = new SubTypeValidator();
++
++    protected SubTypeValidator() { }
++
++    public static SubTypeValidator instance() { return instance; }
++
++    public void validateSubType(JavaType type) throws JsonMappingException
++    {
++        // There are certain nasty classes that could cause problems, mostly
++        // via default typing -- catch them here.
++        final Class<?> raw = type.getRawClass();
++        String full = raw.getName();
++
++        main_check:
++        do {
++            if (_cfgIllegalClassNames.contains(full)) {
++                break;
++            }
++
++            // 18-Dec-2017, tatu: As per [databind#1855], need bit more 
sophisticated handling
++            //    for some Spring framework types
++            if (full.startsWith(PREFIX_STRING)) {
++                for (Class<?> cls = raw; cls != Object.class; cls = 
cls.getSuperclass()) {
++                    String name = cls.getSimpleName();
++                    // looking for "AbstractBeanFactoryPointcutAdvisor" but 
no point to allow any is there?
++                    if ("AbstractPointcutAdvisor".equals(name)
++                            // ditto  for "FileSystemXmlApplicationContext": 
block all ApplicationContexts
++                            || "AbstractApplicationContext".equals(name)) {
++                        break main_check;
++                    }
++                }
++            }
++            return;
++        } while (false);
++
++        throw new JsonMappingException("Illegal type (" + full + ") to 
deserialize: prevented for security reasons");
++    }
++}
+-- 
+2.20.1
+
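Review bot: the superclass walk in `SubTypeValidator.validateSubType`, `for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass())`, does not stop on `null`. For an interface (or a primitive/array type) under `org.springframework.`, `getSuperclass()` returns `null`, the loop condition `null != Object.class` is still true, and `cls.getSimpleName()` throws `NullPointerException` instead of a `JsonMappingException`; change the condition to `cls != null && cls != Object.class`. In the `BeanDeserializerFactory` hunk, the commented-out `//throw new JsonMappingException(...)` left after `_subtypeValidator.validateSubType(type);` is dead code and should be dropped. The `ClassNameIdResolver` change is the important one for CVE-2017-15095/CVE-2017-7525 class: a generic type id is now checked with `isTypeOrSubTypeOf(_baseType.getRawClass())` before being accepted, rather than trusted as written in the input.
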
diff -Nru libjackson-json-java-1.9.13/debian/patches/series 
libjackson-json-java-1.9.13/debian/patches/series
--- libjackson-json-java-1.9.13/debian/patches/series   2018-12-31 
00:15:15.000000000 +0200
+++ libjackson-json-java-1.9.13/debian/patches/series   2020-09-18 
19:10:06.000000000 +0300
@@ -1 +1,7 @@
 java9.patch
+0001-fixed-234.patch
+0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch
+0003-setExpandEntityReferences-false.patch
+0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch
+0005-fix-deserialization.patch
+0006-Backport-all-known-security-fixes-from-2.x-that-were.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.12

Hi,

The updates referenced in these requests were included in oldstable as
part of today's 10.12 point release.

Regards,

Adam

--- End Message ---
