debian/changelog

+jackson-databind (2.9.9.3-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream version 2.9.9.3.
+    - Fix CVE-2019-14439 and CVE-2019-14379. Thanks to Salvatore Bonaccorso for
+      the report. (Closes: #933393)
+  * Drop all patches. These are all part of the latest upstream release.
+  * Switch to debhelper-compat = 12.
+  * Declare compliance with Debian Policy 4.4.0.
+
+ -- Markus Koschany <apo@debian.org>  Tue, 13 Aug 2019 00:26:52 +0200
+
 jackson-databind (2.9.8-3) unstable; urgency=medium
 
   * Team upload.

debian/compat

-11

debian/control

@@ -5,7 +5,7 @@ Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.or
 Uploaders:
  Wolodja Wentland <debian@babilen5.org>
 Build-Depends:
- debhelper (>= 11),
+ debhelper-compat (= 12),
  default-jdk,
  default-jdk-doc,
  groovy,
@@ -23,7 +23,7 @@ Build-Depends:
  libreplacer-java,
  maven-debian-helper (>= 1.6.5),
  xmlstarlet
-Standards-Version: 4.3.0
+Standards-Version: 4.4.0
 Vcs-Git: https://salsa.debian.org/java-team/jackson-databind.git
 Vcs-Browser: https://salsa.debian.org/java-team/jackson-databind
 Homepage: http://wiki.fasterxml.com/JacksonHome

debian/patches/CVE-2019-12086.patch

-From: Markus Koschany <apo@debian.org>
-Date: Sat, 18 May 2019 20:29:23 +0200
-Subject: CVE-2019-12086
-
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929177
-Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/2326
-Origin: https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024
----
- .../com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index 30adb94..a17cdf5 100644
---- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -80,6 +80,9 @@ public class SubTypeValidator
-         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
-         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
- 
-+        // [databind#2326] (2.9.9): one more 3rd party gadget
-+        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
-+
-         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
-     }
- 

debian/patches/CVE-2019-12384.patch

-From: Markus Koschany <apo@debian.org>
-Date: Sat, 22 Jun 2019 00:00:02 +0200
-Subject: CVE-2019-12384
-
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
-Origin: https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234
----
- .../com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index a17cdf5..3dbb16e 100644
---- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -83,6 +83,9 @@ public class SubTypeValidator
-         // [databind#2326] (2.9.9): one more 3rd party gadget
-         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
- 
-+        // [databind#2334] (2.9.9.1): logback-core
-+        s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
-+
-         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
-     }
- 

debian/patches/CVE-2019-12814.patch

-From: Markus Koschany <apo@debian.org>
-Date: Sat, 22 Jun 2019 00:26:32 +0200
-Subject: CVE-2019-12814
-
-Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
-Origin: https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5
----
- .../fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java  | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index 3dbb16e..72db61d 100644
---- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -83,9 +83,13 @@ public class SubTypeValidator
-         // [databind#2326] (2.9.9): one more 3rd party gadget
-         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
- 
--        // [databind#2334] (2.9.9.1): logback-core
-+        // [databind#2334]: logback-core
-         s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
- 
-+        // [databind#2341]: jdom/jdom2
-+        s.add("org.jdom.transform.XSLTransformer");
-+        s.add("org.jdom2.transform.XSLTransformer");
-+
-         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
-     }
- 

debian/patches/base-pom.patch

+From: Markus Koschany <apo@debian.org>
+Date: Tue, 13 Aug 2019 00:39:57 +0200
+Subject: base pom
+
+Quick workaround for the FTBFS with jackson-core 2.9.8. Patch must be dropped
+when we update jackson-core again.
+
+Forwarded: not-needed
+---
+ pom.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pom.xml b/pom.xml
+index b031f65..c6660ac 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -5,7 +5,7 @@
+   <parent>
+     <groupId>com.fasterxml.jackson</groupId>
+     <artifactId>jackson-base</artifactId>
+-    <version>2.9.9</version>
++    <version>2.9.8</version>
+   </parent>
+ 
+   <groupId>com.fasterxml.jackson.core</groupId>

debian/patches/series

-CVE-2019-12086.patch
-CVE-2019-12384.patch
-CVE-2019-12814.patch
+base-pom.patch

pom.xml

@@ -5,12 +5,12 @@
   <parent>
     <groupId>com.fasterxml.jackson</groupId>
     <artifactId>jackson-base</artifactId>
-    <version>2.9.8</version>
+    <version>2.9.9</version>
   </parent>
 
   <groupId>com.fasterxml.jackson.core</groupId>
   <artifactId>jackson-databind</artifactId>
-  <version>2.9.8</version>
+  <version>2.9.9.3</version>
   <name>jackson-databind</name>
   <packaging>bundle</packaging>
   <description>General data-binding functionality for Jackson: works on core streaming API</description>
@@ -21,7 +21,7 @@
     <connection>scm:git:git@github.com:FasterXML/jackson-databind.git</connection>
     <developerConnection>scm:git:git@github.com:FasterXML/jackson-databind.git</developerConnection>
     <url>http://github.com/FasterXML/jackson-databind</url>
-    <tag>jackson-databind-2.9.8</tag>
+    <tag>jackson-databind-2.9.9.3</tag>
   </scm>
 
   <properties>
@@ -36,7 +36,10 @@
 
     <!-- Can not use default, since group id != Java package name here -->
     <osgi.export>com.fasterxml.jackson.databind.*;version=${project.version}</osgi.export>
-    <!-- but imports should work fine with defaults -->
+    <osgi.import> <!-- fix for databind#2299: using jackson-databind in an OSGi environment under Android --> 
+        org.w3c.dom.bootstrap;resolution:=optional,
+        *
+    </osgi.import>
 
     <!-- Generate PackageVersion.java into this directory. -->
     <packageVersion.dir>com/fasterxml/jackson/databind/cfg</packageVersion.dir>

release-notes/CREDITS-2.x

@@ -504,6 +504,10 @@ Kevin Hogeland (khogeland@github)
   * Reported #1501: `ArrayIndexOutOfBoundsException` on non-static inner class constructor
    (2.7.9)
 
+xiexq (xiexq@knownsec.com)
+  * Reported #2389: Block one more gadget type (CVE-2019-14361)
+   (2.7.9.6)
+
 Artur Jonkisz (ajonkisz@github)
   * Reported #960: `@JsonCreator` not working on a factory with no arguments for ae enum type
    (2.8.0)
@@ -819,7 +823,39 @@ Pavel Nikitin (morj@github)
   * Requested #2181: Don't re-use dynamic serializers for property-updating copy constructors
    (2.9.8)
 
+Thomas Krieger (ThomasKrieger@github)
+  * Reported #1408: Call to `TypeVariable.getBounds()` without synchronization unsafe on
+    some platforms
+   (2.9.9)
+
 René Kschamer (flawi@github)
   * Reported #2197: Illegal reflective access operation warning when using `java.lang.Void`
    as value type
    (2.9.8)
+
+Joffrey Bion (joffrey-bion@github)
+  * Reported #2265: Inconsistent handling of Collections$UnmodifiableList vs 
+    Collections$UnmodifiableRandomAccessList
+   (2.9.9)
+
+Christoph (cfiehe@github.com)
+  * Contributed #2299: Fix for using jackson-databind in an OSGi environment under Android
+   (2.9.9)
+
+Cyril Martin (mcoolive@github.com)
+  * Reported #2303: Deserialize null, when java type is "TypeRef of TypeRef of T",
+    does not provide "Type(Type(null))"
+   (2.9.9)
+
+Daniil Barvitsky (dbarvitsky@github)
+  * Reported #2324: `StringCollectionDeserializer` fails with custom collection
+   (2.9.9)
+
+Edgar Asatryan (nstdio@github)
+  * Reported #2374: `ObjectMapper. getRegisteredModuleIds()` throws NPE if no modules registered
+   (2.9.9.1)
+
+Michael Simons (michael-simons@github)
+  * Reported #2395: `NullPointerException` from `ResolvedRecursiveType` (regression due to
+    fix for #2331)
+   (2.9.9.3)

release-notes/VERSION-2.x

@@ -4,6 +4,46 @@ Project: jackson-databind
 === Releases === 
 ------------------------------------------------------------------------
 
+2.9.9.3 (06-Aug-2019)
+
+#2395: `NullPointerException` from `ResolvedRecursiveType` (regression due to fix for #2331)
+ (reported by Michael S)
+
+2.9.9.2 (27-Jul-2019)
+
+#2331: `JsonMappingException` through nested getter with generic wildcard return type
+#2387: Block yet another deserialization gadget (CVE-2019-14379)
+#2389: Block yet another deserialization gadget (CVE-2019-14439)
+ (reported by xiexq)
+
+2.9.9.1 (03-Jul-2019)
+
+#2334: Block one more gadget type (CVE-2019-12384)
+#2341: Block one more gadget type (CVE-2019-12814)
+#2374: `ObjectMapper. getRegisteredModuleIds()` throws NPE if no modules registered
+ (reported by Edgar A)
+
+2.9.9 (16-May-2019)
+
+#1408: Call to `TypeVariable.getBounds()` without synchronization unsafe on some platforms
+ (reported by Thomas K)
+#2221: `DeserializationProblemHandler.handleUnknownTypeId()` returning `Void.class`,
+  enableDefaultTyping causing NPE
+ (reported by MeyerNils@github)
+#2251: Getter that returns an abstract collection breaks a delegating `@JsonCreator`
+#2265: Inconsistent handling of Collections$UnmodifiableList vs Collections$UnmodifiableRandomAccessList
+ (reported by Joffrey B)
+#2299: Fix for using jackson-databind in an OSGi environment under Android
+ (contributed by Christoph F)
+#2303: Deserialize null, when java type is "TypeRef of TypeRef of T", does not provide "Type(Type(null))"
+ (reported by Cyril M)
+#2324: `StringCollectionDeserializer` fails with custom collection
+ (reported byb Daniil B)
+#2326: Block one more gadget type (CVE-2019-12086)
+<<<<<<< HEAD:release-notes/VERSION-2.x
+- Prevent String coercion of `null` in `WritableObjectId` when calling `JsonGenerator.writeObjectId()`,
+  mostly relevant for formats like YAML that have native Object Ids
+
 2.9.8 (15-Dec-2018)
 
 #1662: `ByteBuffer` serialization is broken if offset is not 0
@@ -314,6 +354,19 @@ Project: jackson-databind
   `MapperFeature.ALLOW_COERCION_OF_SCALARS`
  (requested by magdel@github)
 
+2.8.11.4 (25-Jul-2019)
+
+#2334: Block one more gadget type (CVE-2019-12384)
+#2341: Block one more gadget type (CVE-2019-12814)
+#2387: Block one more gadget type (CVE-2019-14379)
+#2389: Block one more gadget type (CVE-2019-14439)
+ (reported by xiexq)
+
+2.8.11.3 (23-Nov-2018)
+
+#2326: Block one more gadget type (CVE-2019-12086)
+ (contributed by MaximilianTews@github)
+
 2.8.11.2 (08-Jun-2018)
 
 #1941: `TypeFactory.constructFromCanonical()` throws NPE for Unparameterized
@@ -549,10 +602,16 @@ Project: jackson-databind
 #1277: Add caching of resolved generic types for `TypeFactory`
  (requested by Andriy P)
 
-2.7.10 (not yet released)
+2.7.9.5 (23-Nov-2018)
 
-#1628: Don't print to error stream about failure to load JDK 7 types
- (reported by Villane@github)
+#2097: Block more classes from polymorphic deserialization (CVE-2018-14718
+  - CVE-2018-14721)
+ (reported by Guixiong Wu)
+#2109: Canonical string for reference type is built incorrectly
+ (reported by svarzee@github)
+#2186: Block more classes from polymorphic deserialization (CVE-2018-19360,
+  CVE-2018-19361, CVE-2018-19362)
+ (reported by Guixiong Wu)
 
 2.7.9 (04-Feb-2017)
 

src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java

@@ -962,7 +962,8 @@ public class ObjectMapper
      */
     public Set<Object> getRegisteredModuleIds()
     {
-        return Collections.unmodifiableSet(_registeredModuleTypes);
+        return (_registeredModuleTypes == null) ?
+                Collections.emptySet() : Collections.unmodifiableSet(_registeredModuleTypes);
     }
 
     /**

src/main/java/com/fasterxml/jackson/databind/deser/BasicDeserializerFactory.java

@@ -61,7 +61,10 @@ public abstract class BasicDeserializerFactory
     final static HashMap<String, Class<? extends Map>> _mapFallbacks =
         new HashMap<String, Class<? extends Map>>();
     static {
-        _mapFallbacks.put(Map.class.getName(), LinkedHashMap.class);
+        @SuppressWarnings("rawtypes")
+        final Class<? extends Map> DEFAULT_MAP = LinkedHashMap.class;
+        _mapFallbacks.put(Map.class.getName(), DEFAULT_MAP);
+        _mapFallbacks.put(AbstractMap.class.getName(), DEFAULT_MAP);
         _mapFallbacks.put(ConcurrentMap.class.getName(), ConcurrentHashMap.class);
         _mapFallbacks.put(SortedMap.class.getName(), TreeMap.class);
 
@@ -78,12 +81,21 @@ public abstract class BasicDeserializerFactory
     final static HashMap<String, Class<? extends Collection>> _collectionFallbacks =
         new HashMap<String, Class<? extends Collection>>();
     static {
-        _collectionFallbacks.put(Collection.class.getName(), ArrayList.class);
-        _collectionFallbacks.put(List.class.getName(), ArrayList.class);
-        _collectionFallbacks.put(Set.class.getName(), HashSet.class);
+        @SuppressWarnings("rawtypes")
+        final Class<? extends Collection> DEFAULT_LIST = ArrayList.class;
+        @SuppressWarnings("rawtypes")
+        final Class<? extends Collection> DEFAULT_SET = HashSet.class;
+
+        _collectionFallbacks.put(Collection.class.getName(), DEFAULT_LIST);
+        _collectionFallbacks.put(List.class.getName(), DEFAULT_LIST);
+        _collectionFallbacks.put(Set.class.getName(), DEFAULT_SET);
         _collectionFallbacks.put(SortedSet.class.getName(), TreeSet.class);
         _collectionFallbacks.put(Queue.class.getName(), LinkedList.class);
 
+        // 09-Feb-2019, tatu: How did we miss these? Related in [databind#2251] problem
+        _collectionFallbacks.put(AbstractList.class.getName(), DEFAULT_LIST);
+        _collectionFallbacks.put(AbstractSet.class.getName(), DEFAULT_SET);
+
         // then JDK 1.6 types:
         /* 17-May-2013, tatu: [databind#216] Should be fine to use straight Class references EXCEPT
          *   that some god-forsaken platforms (... looking at you, Android) do not

src/main/java/com/fasterxml/jackson/databind/deser/CreatorProperty.java

@@ -131,7 +131,9 @@ public class CreatorProperty
         if (_valueDeserializer == deser) {
             return this;
         }
-        return new CreatorProperty(this, deser, _nullProvider);
+        // 07-May-2019, tatu: As per [databind#2303], must keep VD/NVP in-sync if they were
+        NullValueProvider nvp = (_valueDeserializer == _nullProvider) ? deser : _nullProvider;
+        return new CreatorProperty(this, deser, nvp);
     }
 
     @Override

src/main/java/com/fasterxml/jackson/databind/deser/impl/FieldProperty.java

@@ -89,7 +89,9 @@ public final class FieldProperty
         if (_valueDeserializer == deser) {
             return this;
         }
-        return new FieldProperty(this, deser, _nullProvider);
+        // 07-May-2019, tatu: As per [databind#2303], must keep VD/NVP in-sync if they were
+        NullValueProvider nvp = (_valueDeserializer == _nullProvider) ? deser : _nullProvider;
+        return new FieldProperty(this, deser, nvp);
     }
 
     @Override

src/main/java/com/fasterxml/jackson/databind/deser/impl/JavaUtilCollectionsDeserializers.java

@@ -40,6 +40,11 @@ public abstract class JavaUtilCollectionsDeserializers
 
     private final static Class<?> CLASS_UNMODIFIABLE_SET;
     private final static Class<?> CLASS_UNMODIFIABLE_LIST;
+
+    /* 02-Mar-2019, tatu: for [databind#2265], need to consider possible alternate type...
+     *    which we essentially coerce into the other one
+     */
+    private final static Class<?> CLASS_UNMODIFIABLE_LIST_ALIAS;
     private final static Class<?> CLASS_UNMODIFIABLE_MAP;
 
     static {
@@ -50,6 +55,8 @@ public abstract class JavaUtilCollectionsDeserializers
         List<?> list = Collections.singletonList(Boolean.TRUE);
         CLASS_SINGLETON_LIST = list.getClass();
         CLASS_UNMODIFIABLE_LIST = Collections.unmodifiableList(list).getClass();
+        // for [databind#2265]
+        CLASS_UNMODIFIABLE_LIST_ALIAS = Collections.unmodifiableList(new LinkedList<Object>()).getClass();
         
         Map<?,?> map = Collections.singletonMap("a", "b");
         CLASS_SINGLETON_MAP = map.getClass();
@@ -69,7 +76,8 @@ public abstract class JavaUtilCollectionsDeserializers
             conv = converter(TYPE_SINGLETON_LIST, type, List.class);
         } else if (type.hasRawClass(CLASS_SINGLETON_SET)) {
             conv = converter(TYPE_SINGLETON_SET, type, Set.class);
-        } else if (type.hasRawClass(CLASS_UNMODIFIABLE_LIST)) {
+        // [databind#2265]: we may have another impl type for unmodifiable Lists, check both
+        } else if (type.hasRawClass(CLASS_UNMODIFIABLE_LIST) || type.hasRawClass(CLASS_UNMODIFIABLE_LIST_ALIAS)) {
             conv = converter(TYPE_UNMODIFIABLE_LIST, type, List.class);
         } else if (type.hasRawClass(CLASS_UNMODIFIABLE_SET)) {
             conv = converter(TYPE_UNMODIFIABLE_SET, type, Set.class);

src/main/java/com/fasterxml/jackson/databind/deser/impl/MethodProperty.java

@@ -80,7 +80,9 @@ public final class MethodProperty
         if (_valueDeserializer == deser) {
             return this;
         }
-        return new MethodProperty(this, deser, _nullProvider);
+        // 07-May-2019, tatu: As per [databind#2303], must keep VD/NVP in-sync if they were
+        NullValueProvider nvp = (_valueDeserializer == _nullProvider) ? deser : _nullProvider;
+        return new MethodProperty(this, deser, nvp);
     }
 
     @Override

src/main/java/com/fasterxml/jackson/databind/deser/impl/ObjectIdReferenceProperty.java

@@ -50,7 +50,9 @@ public class ObjectIdReferenceProperty extends SettableBeanProperty
         if (_valueDeserializer == deser) {
             return this;
         }
-        return new ObjectIdReferenceProperty(this, deser, _nullProvider);
+        // 07-May-2019, tatu: As per [databind#2303], must keep VD/NVP in-sync if they were
+        NullValueProvider nvp = (_valueDeserializer == _nullProvider) ? deser : _nullProvider;
+        return new ObjectIdReferenceProperty(this, deser, nvp);
     }
 
     @Override

src/main/java/com/fasterxml/jackson/databind/deser/impl/ObjectIdValueProperty.java

@@ -51,7 +51,9 @@ public final class ObjectIdValueProperty
         if (_valueDeserializer == deser) {
             return this;
         }
-        return new ObjectIdValueProperty(this, deser, _nullProvider);
+        // 07-May-2019, tatu: As per [databind#2303], must keep VD/NVP in-sync if they were
+        NullValueProvider nvp = (_valueDeserializer == _nullProvider) ? deser : _nullProvider;
+        return new ObjectIdValueProperty(this, deser, nvp);
     }
 
     @Override

src/main/java/com/fasterxml/jackson/databind/deser/impl/SetterlessProperty.java

@@ -64,7 +64,9 @@ public final class SetterlessProperty
         if (_valueDeserializer == deser) {
             return this;
         }
-        return new SetterlessProperty(this, deser, _nullProvider);
+        // 07-May-2019, tatu: As per [databind#2303], must keep VD/NVP in-sync if they were
+        NullValueProvider nvp = (_valueDeserializer == _nullProvider) ? deser : _nullProvider;
+        return new SetterlessProperty(this, deser, nvp);
     }
 
     @Override