Markus Koschany · Markus Koschany · Markus Koschany · a3a6b050 · a3a6b050 · a3a6b050
--- a/debian/changelog
+++ b/debian/changelog
+jackson-databind (2.8.6-1+deb9u4) stretch-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2018-7489: allows unauthenticated remote code execution because of
+    an incomplete fix for the CVE-2017-7525 deserialization flaw. This is
+    exploitable by sending maliciously crafted JSON input to the readValue
+    method of the ObjectMapper, bypassing a blacklist that is ineffective if
+    the c3p0 libraries are available in the classpath. (Closes: #891614)
+
+ -- Markus Koschany <apo@debian.org>  Tue, 01 May 2018 19:12:38 +0200
+
+jackson-databind (2.8.6-1+deb9u3) stretch-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2017-17485 and CVE-2018-5968:
+    Bybass of deserialization blackist to disallow unauthenticated remote code
+    execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
+    (Closes: #888316, #888318)
+
+ -- Markus Koschany <apo@debian.org>  Sat, 27 Jan 2018 19:12:39 +0100
+
+jackson-databind (2.8.6-1+deb9u2) stretch-security; urgency=high
+
+  * Team upload
+  * CVE-2017-15095: incomplete fixes for CVE-2017-7525
+
+ -- Sebastien Delafond <seb@debian.org>  Thu, 16 Nov 2017 08:55:34 +0100
+
 jackson-databind (2.8.6-1+deb9u1) stretch-security; urgency=high

  * Team upload.

--- a/debian/patches/CVE-2017-15095_1.patch
+++ b/debian/patches/CVE-2017-15095_1.patch
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Wed, 26 Apr 2017 20:22:25 -0700
+Subject: Minor improvement wrt #1599 (also cover vanilla xalan impl)
+Origin: https://github.com/FasterXML/jackson-databind//commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38
+Bug: https://github.com/FasterXML/jackson-databind/issues/1599
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
+
+---
+ .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java    | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index cbbb90c2b..586513ddd 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -57,6 +57,7 @@ public class BeanDeserializerFactory
+         s.add("org.codehaus.groovy.runtime.MethodClosure");
+         s.add("org.springframework.beans.factory.ObjectFactory");
+         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.15.0.rc2
+
--- a/debian/patches/CVE-2017-15095_2.patch
+++ b/debian/patches/CVE-2017-15095_2.patch
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Fri, 30 Jun 2017 09:30:13 -0700
+Subject: Fix #1680
+Origin: https://github.com/FasterXML/jackson-databind//commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935
+Bug: https://github.com/FasterXML/jackson-databind/issues/1680
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 586513ddd..f2244e0c3 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -58,6 +58,8 @@ public class BeanDeserializerFactory
+         s.add("org.springframework.beans.factory.ObjectFactory");
+         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+         s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+        // [databind#1680]: may or may not be problem, take no chance
+        s.add("com.sun.rowset.JdbcRowSetImpl");
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.15.0.rc2
+
--- a/debian/patches/CVE-2017-15095_3.patch
+++ b/debian/patches/CVE-2017-15095_3.patch
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Thu, 17 Aug 2017 15:12:47 -0700
+Subject: Fix #1737
+Origin: https://github.com/FasterXML/jackson-databind//commit/ddfddfba6414adbecaff99684ef66eebd3a92e92
+Bug: https://github.com/FasterXML/jackson-databind/issues/1737
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 9850cf75c..9301c666a 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -49,7 +49,7 @@ public class BeanDeserializerFactory
+     static {
+         Set<String> s = new HashSet<>();
+         // Courtesy of [https://github.com/kantega/notsoserial]:
+-        // (and wrt [databind#1599]
+        // (and wrt [databind#1599])
+         s.add("org.apache.commons.collections.functors.InvokerTransformer");
+         s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+         s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+@@ -61,6 +61,15 @@ public class BeanDeserializerFactory
+         s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+         // [databind#1680]: may or may not be problem, take no chance
+         s.add("com.sun.rowset.JdbcRowSetImpl");
+        // [databind#1737]; JDK provided
+        s.add("java.util.logging.FileHandler");
+        s.add("java.rmi.server.UnicastRemoteObject");
+        // [databind#1737]; 3rd party
+        s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+index 1906eadb6..8721b9b6a 100644
+--- a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+++ b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+@@ -1,5 +1,6 @@
+ package com.fasterxml.jackson.databind.interop;
+ 
+import com.fasterxml.jackson.annotation.JsonTypeInfo;
+ import com.fasterxml.jackson.databind.*;
+ 
+ /**
+@@ -12,12 +13,29 @@ public class IllegalTypesCheckTest extends BaseMapTest
+         public int id;
+         public Object obj;
+     }
+
+    static class PolyWrapper {
+        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS,
+                include = JsonTypeInfo.As.WRAPPER_ARRAY)
+        public Object v;
+    }
+     
+-    public void testIssue1599() throws Exception
+    /*
+    /**********************************************************
+    /* Unit tests
+    /**********************************************************
+     */
+
+    private final ObjectMapper MAPPER = objectMapper();
+    
+    // // // Tests for [databind#1599]
+
+    public void testXalanTypes1599() throws Exception
+     {
+        final String clsName = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
+         final String JSON = aposToQuotes(
+  "{'id': 124,\n"
+-+" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
++" 'obj':[ '"+clsName+"',\n"
+ +"  {\n"
+ +"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
+ +"    'transletName' : 'a.b',\n"
+@@ -32,9 +50,75 @@ public class IllegalTypesCheckTest extends BaseMapTest
+             mapper.readValue(JSON, Bean1599.class);
+             fail("Should not pass");
+         } catch (JsonMappingException e) {
+-            verifyException(e, "Illegal type");
+-            verifyException(e, "to deserialize");
+-            verifyException(e, "prevented for security reasons");
+            _verifySecurityException(e, clsName);
+        }
+    }
+
+    // // // Tests for [databind#1737]
+
+    public void testJDKTypes1737() throws Exception
+    {
+        _testTypes1737(java.util.logging.FileHandler.class);
+        _testTypes1737(java.rmi.server.UnicastRemoteObject.class);
+    }
+
+    // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
+    //    but would require adding dependencies. This may be practical when
+    //    checking done by module, but for now let's not do that for databind.
+
+    /*
+    public void testSpringTypes1737() throws Exception
+    {
+        _testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+        _testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+    }
+
+    public void testC3P0Types1737() throws Exception
+    {
+        _testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+        _testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+    }
+    */
+
+    private void _testTypes1737(Class<?> nasty) throws Exception {
+        _testTypes1737(nasty.getName());
+    }
+
+    private void _testTypes1737(String clsName) throws Exception
+    {
+        // While usually exploited via default typing let's not require
+        // it here; mechanism still the same
+        String json = aposToQuotes(
+                "{'v':['"+clsName+"','/tmp/foobar.txt']}"
+                );
+        try {
+            MAPPER.readValue(json, PolyWrapper.class);
+            fail("Should not pass");
+        } catch (JsonMappingException e) {
+            _verifySecurityException(e, clsName);
+        }
+    }
+
+    protected void _verifySecurityException(Throwable t, String clsName) throws Exception
+    {
+        // 17-Aug-2017, tatu: Expected type more granular in 2.9 (over 2.8)
+        _verifyException(t, JsonMappingException.class,
+            "Illegal type",
+            "to deserialize",
+            "prevented for security reasons");
+        verifyException(t, clsName);
+    }
+
+    protected void _verifyException(Throwable t, Class<?> expExcType,
+            String... patterns) throws Exception
+    {
+        Class<?> actExc = t.getClass();
+        if (!expExcType.isAssignableFrom(actExc)) {
+            fail("Expected Exception of type '"+expExcType.getName()+"', got '"
+                    +actExc.getName()+"', message: "+t.getMessage());
+        }
+        for (String pattern : patterns) {
+            verifyException(t, pattern);
+         }
+     }
+ }
+-- 
+2.15.0.rc2
+
--- a/debian/patches/CVE-2017-17485.patch
+++ b/debian/patches/CVE-2017-17485.patch
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 27 Jan 2018 19:06:47 +0100
+Subject: CVE-2017-17485
+
+Bug-Debian: https://bugs.debian.org/888318
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855
+Origin: https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
+Origin: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
+Origin: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
+---
+ .../databind/deser/BeanDeserializerFactory.java    | 38 ++++++++++++++++++----
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 10ada70..b90c9c0 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -32,6 +32,8 @@ public class BeanDeserializerFactory
+ {
+     private static final long serialVersionUID = 1;
+ 
+    protected final static String PREFIX_STRING = "org.springframework.";
+
+     /**
+      * Signature of <b>Throwable.initCause</b> method.
+      */
+@@ -69,6 +71,9 @@ public class BeanDeserializerFactory
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+        // [databind#1855]: more 3rd party
+        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+         // [databind#1899]: more 3rd party
+         s.add("org.hibernate.jmx.StatisticsService");
+         s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+@@ -898,12 +903,33 @@ public class BeanDeserializerFactory
+     {
+         // There are certain nasty classes that could cause problems, mostly
+         // via default typing -- catch them here.
+-        String full = type.getRawClass().getName();
+        final Class<?> raw = type.getRawClass();
+        String full = raw.getName();
+ 
+-        if (_cfgIllegalClassNames.contains(full)) {
+-            ctxt.reportBadTypeDefinition(beanDesc,
+-                    "Illegal type (%s) to deserialize: prevented for security reasons", full);
+-        }
+-    }
+        main_check:
+        do {
+            if (_cfgIllegalClassNames.contains(full)) {
+                break;
+            }
+
+            // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
+            //    for some Spring framework types
+            if (full.startsWith(PREFIX_STRING)) {
+                for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
+                    String name = cls.getSimpleName();
+                    // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
+                    if ("AbstractPointcutAdvisor".equals(name)
+                            // ditto  for "FileSystemXmlApplicationContext": block all ApplicationContexts
+                            || "AbstractApplicationContext".equals(name)) {
+                        break main_check;
+                    }
+                }
+            }
+            return;
+        } while (false);
+
+        throw JsonMappingException.from(ctxt,
+                String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
+     }
+ 
+ }
--- a/debian/patches/CVE-2018-5968.patch
+++ b/debian/patches/CVE-2018-5968.patch
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 27 Jan 2018 19:00:33 +0100
+Subject: CVE-2018-5968
+
+Bug-Debian: https://bugs.debian.org/888316
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1899
+Origin: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
+---
+ .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java  | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 86b5c08..10ada70 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -69,6 +69,9 @@ public class BeanDeserializerFactory
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+        // [databind#1899]: more 3rd party
+        s.add("org.hibernate.jmx.StatisticsService");
+        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+ 
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
--- a/debian/patches/CVE-2018-7489.patch
+++ b/debian/patches/CVE-2018-7489.patch
+From: Markus Koschany <apo@debian.org>
+Date: Tue, 1 May 2018 19:09:01 +0200
+Subject: CVE-2018-7489
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891614
+Origin: https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
+---
+ .../jackson/databind/deser/BeanDeserializerFactory.java  | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index b90c9c0..fe5e93f 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -34,6 +34,8 @@ public class BeanDeserializerFactory
+ 
+     protected final static String PREFIX_STRING = "org.springframework.";
+ 
+    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
+
+     /**
+      * Signature of <b>Throwable.initCause</b> method.
+      */
+@@ -69,8 +71,8 @@ public class BeanDeserializerFactory
+         // [databind#1737]; 3rd party
+         s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+-        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+-        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+//        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
+//        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
+         // [databind#1855]: more 3rd party
+         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+@@ -924,6 +926,16 @@ public class BeanDeserializerFactory
+                         break main_check;
+                     }
+                 }
+            } else if (full.startsWith(PREFIX_C3P0)) {
+                // [databind#1737]; more 3rd party
+                // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+                // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+                // [databind#1931]; more 3rd party
+                // com.mchange.v2.c3p0.ComboPooledDataSource
+                // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
+                if (full.endsWith("DataSource")) {
+                    break main_check;
+                }
+             }
+             return;
+         } while (false);
--- a/debian/patches/series
+++ b/debian/patches/series
 CVE-2017-7525.patch
+CVE-2017-15095_1.patch
+CVE-2017-15095_2.patch
+CVE-2017-15095_3.patch
+CVE-2018-5968.patch
+CVE-2017-17485.patch
+CVE-2018-7489.patch