debian/changelog

+jackson-databind (2.4.2-2+deb8u4) jessie-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2018-7489: allows unauthenticated remote code execution because of
+    an incomplete fix for the CVE-2017-7525 deserialization flaw. This is
+    exploitable by sending maliciously crafted JSON input to the readValue
+    method of the ObjectMapper, bypassing a blacklist that is ineffective if
+    the c3p0 libraries are available in the classpath. (Closes: #891614)
+
+ -- Markus Koschany <apo@debian.org>  Tue, 01 May 2018 19:20:38 +0200
+
+jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high
+
+  * Team upload.
+  * Fix CVE-2017-17485 and CVE-2018-5968:
+    Bybass of deserialization blackist to disallow unauthenticated remote code
+    execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
+    (Closes: #888316, #888318)
+
+ -- Markus Koschany <apo@debian.org>  Sat, 27 Jan 2018 19:37:47 +0100
+
+jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high
+
+  * Team upload
+  * CVE-2017-15095: incomplete fixes for CVE-2017-7525
+
+ -- Sebastien Delafond <seb@debian.org>  Thu, 16 Nov 2017 09:13:27 +0100
+
 jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high
 
   * Team upload.

debian/gbp.conf

+[buildpackage]
+compression = gz

debian/patches/CVE-2017-15095_1.patch

+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Wed, 26 Apr 2017 20:22:25 -0700
+Subject: Minor improvement wrt #1599 (also cover vanilla xalan impl)
+Origin: https://github.com/FasterXML/jackson-databind//commit/3bfbb835e530055c1941ddf87fde0b08d08dcd38
+Bug: https://github.com/FasterXML/jackson-databind/issues/1599
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
+
+---
+ .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java    | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index cbbb90c2b..586513ddd 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -57,6 +57,7 @@ public class BeanDeserializerFactory
+         s.add("org.codehaus.groovy.runtime.MethodClosure");
+         s.add("org.springframework.beans.factory.ObjectFactory");
+         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
++        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.15.0.rc2
+

debian/patches/CVE-2017-15095_2.patch

+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Fri, 30 Jun 2017 09:30:13 -0700
+Subject: Fix #1680
+Origin: https://github.com/FasterXML/jackson-databind//commit/e8f043d1aac9b82eee907e0f0c3abbdea723a935
+Bug: https://github.com/FasterXML/jackson-databind/issues/1680
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 586513ddd..f2244e0c3 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -58,6 +58,8 @@ public class BeanDeserializerFactory
+         s.add("org.springframework.beans.factory.ObjectFactory");
+         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+         s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
++        // [databind#1680]: may or may not be problem, take no chance
++        s.add("com.sun.rowset.JdbcRowSetImpl");
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.15.0.rc2
+

debian/patches/CVE-2017-15095_3.patch

+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Thu, 17 Aug 2017 15:12:47 -0700
+Subject: Fix #1737
+Origin: https://github.com/FasterXML/jackson-databind//commit/ddfddfba6414adbecaff99684ef66eebd3a92e92
+Bug: https://github.com/FasterXML/jackson-databind/issues/1737
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15095
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 9850cf75c..9301c666a 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -49,7 +49,7 @@ public class BeanDeserializerFactory
+     static {
+         Set<String> s = new HashSet<>();
+         // Courtesy of [https://github.com/kantega/notsoserial]:
+-        // (and wrt [databind#1599]
++        // (and wrt [databind#1599])
+         s.add("org.apache.commons.collections.functors.InvokerTransformer");
+         s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+         s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+@@ -61,6 +61,15 @@ public class BeanDeserializerFactory
+         s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+         // [databind#1680]: may or may not be problem, take no chance
+         s.add("com.sun.rowset.JdbcRowSetImpl");
++        // [databind#1737]; JDK provided
++        s.add("java.util.logging.FileHandler");
++        s.add("java.rmi.server.UnicastRemoteObject");
++        // [databind#1737]; 3rd party
++        s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
++        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
++        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+diff --git a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+index 1906eadb6..8721b9b6a 100644
+--- a/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
++++ b/src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
+@@ -1,5 +1,6 @@
+ package com.fasterxml.jackson.databind.interop;
+ 
++import com.fasterxml.jackson.annotation.JsonTypeInfo;
+ import com.fasterxml.jackson.databind.*;
+ 
+ /**
+@@ -12,12 +13,29 @@ public class IllegalTypesCheckTest extends BaseMapTest
+         public int id;
+         public Object obj;
+     }
++
++    static class PolyWrapper {
++        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS,
++                include = JsonTypeInfo.As.WRAPPER_ARRAY)
++        public Object v;
++    }
+     
+-    public void testIssue1599() throws Exception
++    /*
++    /**********************************************************
++    /* Unit tests
++    /**********************************************************
++     */
++
++    private final ObjectMapper MAPPER = objectMapper();
++    
++    // // // Tests for [databind#1599]
++
++    public void testXalanTypes1599() throws Exception
+     {
++        final String clsName = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl";
+         final String JSON = aposToQuotes(
+  "{'id': 124,\n"
+-+" 'obj':[ 'com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl',\n"
+++" 'obj':[ '"+clsName+"',\n"
+ +"  {\n"
+ +"    'transletBytecodes' : [ 'AAIAZQ==' ],\n"
+ +"    'transletName' : 'a.b',\n"
+@@ -32,9 +50,75 @@ public class IllegalTypesCheckTest extends BaseMapTest
+             mapper.readValue(JSON, Bean1599.class);
+             fail("Should not pass");
+         } catch (JsonMappingException e) {
+-            verifyException(e, "Illegal type");
+-            verifyException(e, "to deserialize");
+-            verifyException(e, "prevented for security reasons");
++            _verifySecurityException(e, clsName);
++        }
++    }
++
++    // // // Tests for [databind#1737]
++
++    public void testJDKTypes1737() throws Exception
++    {
++        _testTypes1737(java.util.logging.FileHandler.class);
++        _testTypes1737(java.rmi.server.UnicastRemoteObject.class);
++    }
++
++    // 17-Aug-2017, tatu: Ideally would test handling of 3rd party types, too,
++    //    but would require adding dependencies. This may be practical when
++    //    checking done by module, but for now let's not do that for databind.
++
++    /*
++    public void testSpringTypes1737() throws Exception
++    {
++        _testTypes1737("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
++        _testTypes1737("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++    }
++
++    public void testC3P0Types1737() throws Exception
++    {
++        _testTypes1737("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
++        _testTypes1737("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++    }
++    */
++
++    private void _testTypes1737(Class<?> nasty) throws Exception {
++        _testTypes1737(nasty.getName());
++    }
++
++    private void _testTypes1737(String clsName) throws Exception
++    {
++        // While usually exploited via default typing let's not require
++        // it here; mechanism still the same
++        String json = aposToQuotes(
++                "{'v':['"+clsName+"','/tmp/foobar.txt']}"
++                );
++        try {
++            MAPPER.readValue(json, PolyWrapper.class);
++            fail("Should not pass");
++        } catch (JsonMappingException e) {
++            _verifySecurityException(e, clsName);
++        }
++    }
++
++    protected void _verifySecurityException(Throwable t, String clsName) throws Exception
++    {
++        // 17-Aug-2017, tatu: Expected type more granular in 2.9 (over 2.8)
++        _verifyException(t, JsonMappingException.class,
++            "Illegal type",
++            "to deserialize",
++            "prevented for security reasons");
++        verifyException(t, clsName);
++    }
++
++    protected void _verifyException(Throwable t, Class<?> expExcType,
++            String... patterns) throws Exception
++    {
++        Class<?> actExc = t.getClass();
++        if (!expExcType.isAssignableFrom(actExc)) {
++            fail("Expected Exception of type '"+expExcType.getName()+"', got '"
++                    +actExc.getName()+"', message: "+t.getMessage());
++        }
++        for (String pattern : patterns) {
++            verifyException(t, pattern);
+         }
+     }
+ }
+-- 
+2.15.0.rc2
+

debian/patches/CVE-2017-17485.patch

+From: Markus Koschany <apo@debian.org>
+Date: Sat, 27 Jan 2018 20:16:02 +0100
+Subject: CVE-2017-17485
+
+Bug-Debian: https://bugs.debian.org/888318
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1855
+Origin: https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
+Origin: https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
+Origin: https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
+---
+ .../databind/deser/BeanDeserializerFactory.java    | 37 +++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 5 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index c536b46..9b56b08 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -38,6 +38,8 @@ public class BeanDeserializerFactory
+ {
+     private static final long serialVersionUID = 1;
+ 
++    protected final static String PREFIX_STRING = "org.springframework.";
++
+     /**
+      * Signature of <b>Throwable.initCause</b> method.
+      */
+@@ -75,6 +77,9 @@ public class BeanDeserializerFactory
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++        // [databind#1855]: more 3rd party
++        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
++        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+         // [databind#1899]: more 3rd party
+         s.add("org.hibernate.jmx.StatisticsService");
+         s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+@@ -932,11 +937,33 @@ public class BeanDeserializerFactory
+     {
+         // There are certain nasty classes that could cause problems, mostly
+         // via default typing -- catch them here.
+-        String full = type.getRawClass().getName();
+ 
+-        if (_cfgIllegalClassNames.contains(full)) {
+-            throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons");
+-        }
+-    }
++        final Class<?> raw = type.getRawClass();
++        String full = raw.getName();
++
++        main_check:
++        do {
++            if (_cfgIllegalClassNames.contains(full)) {
++                break;
++            }
++
++            // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
++           //    for some Spring framework types
++            if (full.startsWith(PREFIX_STRING)) {
++                for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
++                    String name = cls.getSimpleName();
++                    // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
++                    if ("AbstractPointcutAdvisor".equals(name)
++                            // ditto  for "FileSystemXmlApplicationContext": block all ApplicationContexts
++                            || "AbstractApplicationContext".equals(name)) {
++                        break main_check;
++                    }
++                }
++            }
++            return;
++        } while (false);
++
++        throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons");
++     }
+ 
+ }

debian/patches/CVE-2018-5968.patch

+From: Markus Koschany <apo@debian.org>
+Date: Sat, 27 Jan 2018 19:00:33 +0100
+Subject: CVE-2018-5968
+
+Bug-Debian: https://bugs.debian.org/888316
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/1899
+Origin: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
+---
+ .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java  | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 86b5c08..10ada70 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -69,6 +69,9 @@ public class BeanDeserializerFactory
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++        // [databind#1899]: more 3rd party
++        s.add("org.hibernate.jmx.StatisticsService");
++        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+ 
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }

debian/patches/CVE-2018-7489.patch

+From: Markus Koschany <apo@debian.org>
+Date: Tue, 1 May 2018 19:17:40 +0200
+Subject: CVE-2018-7489
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891614
+Origin: https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
+---
+ .../jackson/databind/deser/BeanDeserializerFactory.java  | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 9b56b08..e797666 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -40,6 +40,8 @@ public class BeanDeserializerFactory
+ 
+     protected final static String PREFIX_STRING = "org.springframework.";
+ 
++    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
++
+     /**
+      * Signature of <b>Throwable.initCause</b> method.
+      */
+@@ -75,8 +77,8 @@ public class BeanDeserializerFactory
+         // [databind#1737]; 3rd party
+         s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+-        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+-        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++//        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
++//        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
+         // [databind#1855]: more 3rd party
+         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+@@ -959,6 +961,16 @@ public class BeanDeserializerFactory
+                         break main_check;
+                     }
+                 }
++            } else if (full.startsWith(PREFIX_C3P0)) {
++                // [databind#1737]; more 3rd party
++                // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
++                // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
++                // [databind#1931]; more 3rd party
++                // com.mchange.v2.c3p0.ComboPooledDataSource
++                // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
++                if (full.endsWith("DataSource")) {
++                    break main_check;
++                }
+             }
+             return;
+         } while (false);

debian/patches/series

 fix-using-bundle.diff
 CVE-2017-7525.patch
+CVE-2017-15095_1.patch
+CVE-2017-15095_2.patch
+CVE-2017-15095_3.patch
+CVE-2018-5968.patch
+CVE-2017-17485.patch
+CVE-2018-7489.patch