From 372f37b827e9869b8dbae7b50e662461e577ff98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bastien=20Roucari=C3=A8s?= <rouca@debian.org>
Date: Sun, 22 Dec 2024 10:14:50 +0000
Subject: [PATCH] CVE-2024-47072

---
 debian/changelog | 10 ++++
 debian/patches/0004-CVE-2024-47072.patch | 61 ++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 72 insertions(+)
 create mode 100644 debian/patches/0004-CVE-2024-47072.patch

diff --git a/debian/changelog b/debian/changelog
index d58fc78..3069437 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+libxstream-java (1.4.20-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Fix CVE-2024-47072: XStream is vulnerable to a
+ Denial of Service attack due to stack overflow
+ from a manipulated binary input stream.
+ (Closes: #1087274)
+
+ -- Bastien Roucariès <rouca@debian.org> Sun, 22 Dec 2024 10:12:11 +0000
+
 libxstream-java (1.4.20-1) unstable; urgency=medium
 
 * Team upload.
diff --git a/debian/patches/0004-CVE-2024-47072.patch b/debian/patches/0004-CVE-2024-47072.patch
new file mode 100644
index 0000000..26d912d
--- /dev/null
+++ b/debian/patches/0004-CVE-2024-47072.patch
@@ -0,0 +1,61 @@
+From: joehni <joerg.schaible@gmx.de>
+Date: Wed, 18 Sep 2024 20:19:13 +0200
+Subject: CVE-2024-47072
+
+This vulnerability may allow a remote attacker to terminate the application
+with a stack overflow error resulting in a denial of service only
+by manipulating the processed input stream when XStream is configured
+to use the BinaryStreamDrive
+
+origin: backport, https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a
+bug: https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
+---
+ .../xstream/io/binary/BinaryStreamReader.java | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+index 2839651..cd870cd 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2006 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2011, 2013 XStream Committers.
++ * Copyright (C) 2006, 2007, 2011, 2013, 2024 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.StreamException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+
+ import java.io.DataInputStream;
+ import java.io.IOException;
+@@ -150,15 +151,20 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
+ private Token readToken() {
+ if (pushback == null) {
+ try {
+- Token token = tokenFormatter.read(in);
+- switch (token.getType()) {
++ boolean mapping = false;
++ do {
++ final Token token = tokenFormatter.read(in);
++ switch (token.getType()) {
+ case Token.TYPE_MAP_ID_TO_VALUE:
+ idRegistry.put(token.getId(), token.getValue());
+- return readToken(); // Next one please.
++ mapping ^= true;
++ continue; // Next one please.
+ default:
+ return token;
+- }
+- } catch (IOException e) {
++ }
++ } while (mapping);
++ throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
++ } catch (final IOException e) {
+ throw new StreamException(e);
+ }
+ } else {
diff --git a/debian/patches/series b/debian/patches/series
index 19ef9cf..794c6ba 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 01-java7-compatibility.patch
 02-disable-beastax-driver.patch
 no-mxparser.patch
+0004-CVE-2024-47072.patch
-- GitLab
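Review bot: The termination condition of the new do/while in readToken is implicit: `mapping ^= true` only toggles the flag, so the loop falls through to `throw new InputManipulationException(...)` exactly when a second TYPE_MAP_ID_TO_VALUE token immediately follows the first, and nothing in the code states that this is the intended bound on the former unbounded recursion. A comment above the throw such as `// the loop admits at most one mapping token before a value token; a second consecutive one is malformed input` would make the toggle-and-throw pairing readable without tracing the loop. The backport also relies on com.thoughtworks.xstream.security.InputManipulationException being present in the 1.4.20 source the package builds from; the origin header marks this as a backport of a later upstream commit, so the bookworm build log should confirm the import resolves. The DEP-3 header reads "BinaryStreamDrive" where the driver class is named BinaryStreamDriver, worth correcting before upload. readToken's else branch continues outside the hunk.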