diff --git a/SOURCES/CVE-2017-15095.patch b/SOURCES/CVE-2017-15095.patch new file mode 100644 index 0000000..1f06b1c --- /dev/null +++ b/SOURCES/CVE-2017-15095.patch @@ -0,0 +1,33 @@ +--- src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java.orig 2017-11-01 09:57:37.083991374 +0000 ++++ src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2017-11-01 10:00:58.032279501 +0000 +@@ -48,16 +48,29 @@ + static { + Set s = new HashSet(); + // Courtesy of [https://github.com/kantega/notsoserial]: +- // (and wrt [databind#1599] ++ // (and wrt [databind#1599]) + s.add("org.apache.commons.collections.functors.InvokerTransformer"); + s.add("org.apache.commons.collections.functors.InstantiateTransformer"); + s.add("org.apache.commons.collections4.functors.InvokerTransformer"); + s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); ++ // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf] ++ // this is NOT likely to be exploitable via Jackson. But keep excluded just in case. + s.add("org.codehaus.groovy.runtime.ConvertedClosure"); + s.add("org.codehaus.groovy.runtime.MethodClosure"); + s.add("org.springframework.beans.factory.ObjectFactory"); + s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); + s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); ++ // [databind#1680]: may or may not be problem, take no chance ++ s.add("com.sun.rowset.JdbcRowSetImpl"); ++ // [databind#1737]; JDK provided ++ s.add("java.util.logging.FileHandler"); ++ s.add("java.rmi.server.UnicastRemoteObject"); ++ // [databind#1737]; 3rd party ++ s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); ++ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); ++ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); ++ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); ++ + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + diff --git a/SOURCES/CVE-2017-17485-1.patch b/SOURCES/CVE-2017-17485-1.patch new file mode 100644 index 0000000..fe11fc4 --- /dev/null +++ b/SOURCES/CVE-2017-17485-1.patch @@ -0,0 +1,201 @@ +From 2235894210c75f624a3d0cd60bfb0434a20a18bf Mon Sep 17 00:00:00 2001 +From: Tatu Saloranta +Date: Mon, 18 Dec 2017 21:41:51 -0800 +Subject: [PATCH] Fix #1855 + +--- + .../databind/deser/BeanDeserializerFactory.java | 54 ++---------- + .../databind/jsontype/impl/SubTypeValidator.java | 98 ++++++++++++++++++++++ + 2 files changed, 103 insertions(+), 49 deletions(-) + create mode 100644 src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java + +diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +index 217ffd9c6..b462c0c74 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java ++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +@@ -12,6 +12,7 @@ + import com.fasterxml.jackson.databind.deser.std.ThrowableDeserializer; + import com.fasterxml.jackson.databind.introspect.*; + import com.fasterxml.jackson.databind.jsontype.TypeDeserializer; ++import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator; + import com.fasterxml.jackson.databind.util.ArrayBuilders; + import com.fasterxml.jackson.databind.util.ClassUtil; + import com.fasterxml.jackson.databind.util.SimpleBeanPropertyDefinition; +@@ -40,44 +41,6 @@ + + private final static Class[] NO_VIEWS = new Class[0]; + +- /** +- * Set of well-known "nasty classes", deserialization of which is considered dangerous +- * and should (and is) prevented by default. +- */ +- protected final static Set DEFAULT_NO_DESER_CLASS_NAMES; +- static { +- Set s = new HashSet(); +- // Courtesy of [https://github.com/kantega/notsoserial]: +- // (and wrt [databind#1599]) +- s.add("org.apache.commons.collections.functors.InvokerTransformer"); +- s.add("org.apache.commons.collections.functors.InstantiateTransformer"); +- s.add("org.apache.commons.collections4.functors.InvokerTransformer"); +- s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); +- // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf] +- // this is NOT likely to be exploitable via Jackson. But keep excluded just in case. +- s.add("org.codehaus.groovy.runtime.ConvertedClosure"); +- s.add("org.codehaus.groovy.runtime.MethodClosure"); +- s.add("org.springframework.beans.factory.ObjectFactory"); +- s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); +- s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); +- // [databind#1680]: may or may not be problem, take no chance +- s.add("com.sun.rowset.JdbcRowSetImpl"); +- // [databind#1737]; JDK provided +- s.add("java.util.logging.FileHandler"); +- s.add("java.rmi.server.UnicastRemoteObject"); +- // [databind#1737]; 3rd party +- s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); +- s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); +- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); +- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); +- +- DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); +- } +- +- /** +- * Set of class names of types that are never to be deserialized. +- */ +- protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; + + /* + /********************************************************** +@@ -179,7 +142,7 @@ public DeserializerFactory withConfig(DeserializerFactoryConfig config) + return null; + } + // For checks like [databind#1599] +- checkIllegalTypes(ctxt, type, beanDesc); ++ _validateSubType(ctxt, type, beanDesc); + // Use generic bean introspection to build deserializer + return buildBeanDeserializer(ctxt, type, beanDesc); + } +@@ -878,17 +841,10 @@ + return (status == null) ? false : status.booleanValue(); + } + +- protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type, ++ protected void _validateSubType(DeserializationContext ctxt, JavaType type, + BeanDescription beanDesc) + throws JsonMappingException + { +- // There are certain nasty classes that could cause problems, mostly +- // via default typing -- catch them here. +- String full = type.getRawClass().getName(); +- +- if (_cfgIllegalClassNames.contains(full)) { +- throw JsonMappingException.from(ctxt.getParser(), +- String.format("Illegal type (%s) to deserialize: prevented for security reasons", full)); +- } ++ SubTypeValidator.instance().validateSubType(ctxt, type); + } + } +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +new file mode 100644 +index 000000000..8a273cc15 +--- /dev/null ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -0,0 +1,98 @@ ++package com.fasterxml.jackson.databind.jsontype.impl; ++ ++import java.util.Collections; ++import java.util.HashSet; ++import java.util.Set; ++ ++import com.fasterxml.jackson.databind.DeserializationContext; ++import com.fasterxml.jackson.databind.JavaType; ++import com.fasterxml.jackson.databind.JsonMappingException; ++ ++/** ++ * Helper class used to encapsulate rules that determine subtypes that ++ * are invalid to use, even with default typing, mostly due to security ++ * concerns. ++ * Used by BeanDeserializerFacotry ++ * ++ * @since 2.8.11 ++ */ ++public class SubTypeValidator ++{ ++ protected final static String PREFIX_STRING = "org.springframework."; ++ /** ++ * Set of well-known "nasty classes", deserialization of which is considered dangerous ++ * and should (and is) prevented by default. ++ */ ++ protected final static Set DEFAULT_NO_DESER_CLASS_NAMES; ++ static { ++ Set s = new HashSet(); ++ // Courtesy of [https://github.com/kantega/notsoserial]: ++ // (and wrt [databind#1599]) ++ s.add("org.apache.commons.collections.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections.functors.InstantiateTransformer"); ++ s.add("org.apache.commons.collections4.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); ++ s.add("org.codehaus.groovy.runtime.ConvertedClosure"); ++ s.add("org.codehaus.groovy.runtime.MethodClosure"); ++ s.add("org.springframework.beans.factory.ObjectFactory"); ++ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); ++ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); ++ // [databind#1680]: may or may not be problem, take no chance ++ s.add("com.sun.rowset.JdbcRowSetImpl"); ++ // [databind#1737]; JDK provided ++ s.add("java.util.logging.FileHandler"); ++ s.add("java.rmi.server.UnicastRemoteObject"); ++ // [databind#1737]; 3rd party ++//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855] ++ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); ++ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); ++ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); ++ // [databind#1855]: more 3rd party ++ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); ++ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); ++ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); ++ } ++ ++ /** ++ * Set of class names of types that are never to be deserialized. ++ */ ++ protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; ++ ++ private final static SubTypeValidator instance = new SubTypeValidator(); ++ ++ protected SubTypeValidator() { } ++ ++ public static SubTypeValidator instance() { return instance; } ++ ++ public void validateSubType(DeserializationContext ctxt, JavaType type) throws JsonMappingException ++ { ++ // There are certain nasty classes that could cause problems, mostly ++ // via default typing -- catch them here. ++ final Class raw = type.getRawClass(); ++ String full = raw.getName(); ++ ++ do { ++ if (_cfgIllegalClassNames.contains(full)) { ++ break; ++ } ++ ++ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling ++ // for some Spring framework types ++ if (full.startsWith(PREFIX_STRING)) { ++ for (Class cls = raw; cls != Object.class; cls = cls.getSuperclass()) { ++ String name = cls.getSimpleName(); ++ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? ++ if ("AbstractPointcutAdvisor".equals(name) ++ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts ++ || "AbstractApplicationContext.equals".equals(name)) { ++ break; ++ } ++ } ++ } ++ return; ++ } while (false); ++ ++ throw JsonMappingException.from(ctxt.getParser(), ++ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full)); ++ } ++} diff --git a/SOURCES/CVE-2017-17485-2.patch b/SOURCES/CVE-2017-17485-2.patch new file mode 100644 index 0000000..2a028e4 --- /dev/null +++ b/SOURCES/CVE-2017-17485-2.patch @@ -0,0 +1,41 @@ +From bb45fb16709018842f858f1a6e1118676aaa34bd Mon Sep 17 00:00:00 2001 +From: Tatu Saloranta +Date: Tue, 19 Dec 2017 08:31:15 -0800 +Subject: [PATCH] Fix issues with earlier fix for #1855 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 5 +++-- + .../jackson/databind/interop/IllegalTypesCheckTest.java | 7 +++++++ + .../springframework/jacksontest/AbstractApplicationContext.java | 5 +++++ + .../org/springframework/jacksontest/AbstractPointcutAdvisor.java | 5 +++++ + .../org/springframework/jacksontest/BogusApplicationContext.java | 9 +++++++++ + .../org/springframework/jacksontest/BogusPointcutAdvisor.java | 9 +++++++++ + 6 files changed, 38 insertions(+), 2 deletions(-) + create mode 100644 src/test/java/org/springframework/jacksontest/AbstractApplicationContext.java + create mode 100644 src/test/java/org/springframework/jacksontest/AbstractPointcutAdvisor.java + create mode 100644 src/test/java/org/springframework/jacksontest/BogusApplicationContext.java + create mode 100644 src/test/java/org/springframework/jacksontest/BogusPointcutAdvisor.java + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index 8a273cc15..45a76169f 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -71,6 +71,7 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J + final Class raw = type.getRawClass(); + String full = raw.getName(); + ++ main_check: + do { + if (_cfgIllegalClassNames.contains(full)) { + break; +@@ -84,8 +85,8 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J + // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? + if ("AbstractPointcutAdvisor".equals(name) + // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts +- || "AbstractApplicationContext.equals".equals(name)) { +- break; ++ || "AbstractApplicationContext".equals(name)) { ++ break main_check; + } + } + } diff --git a/SOURCES/CVE-2017-7525.patch b/SOURCES/CVE-2017-7525.patch new file mode 100644 index 0000000..c4869c1 --- /dev/null +++ b/SOURCES/CVE-2017-7525.patch @@ -0,0 +1,92 @@ +--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2016-07-23 03:36:51.000000000 +0100 ++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2017-07-20 15:42:39.836790820 +0100 +@@ -139,6 +139,8 @@ + if (!isPotentialBeanType(type.getRawClass())) { + return null; + } ++ // For checks like [databind#1599] ++ checkIllegalTypes(ctxt, type, beanDesc); + // Use generic bean introspection to build deserializer + return buildBeanDeserializer(ctxt, type, beanDesc); + } +@@ -826,4 +828,22 @@ + // We default to 'false', i.e. not ignorable + return (status == null) ? false : status.booleanValue(); + } ++ ++ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type, ++ BeanDescription beanDesc) ++ throws JsonMappingException ++ { ++ // There are certain nasty classes that could cause problems, mostly ++ // via default typing -- catch them here. ++ Class raw = type.getRawClass(); ++ String name = raw.getSimpleName(); ++ ++ if ("TemplatesImpl".equals(name)) { // [databind#1599] ++ if (raw.getName().startsWith("com.sun.org.apache.xalan")) { ++ throw JsonMappingException.from(ctxt, ++ String.format("Illegal type (%s) to deserialize: prevented for security reasons", ++ name)); ++ } ++ } ++ } + } +--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java ++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +@@ -39,7 +39,33 @@ + private final static Class[] INIT_CAUSE_PARAMS = new Class[] { Throwable.class }; + + private final static Class[] NO_VIEWS = new Class[0]; +- ++ ++ /** ++ * Set of well-known "nasty classes", deserialization of which is considered dangerous ++ * and should (and is) prevented by default. ++ */ ++ protected final static Set DEFAULT_NO_DESER_CLASS_NAMES; ++ static { ++ Set s = new HashSet(); ++ // Courtesy of [https://github.com/kantega/notsoserial]: ++ // (and wrt [databind#1599] ++ s.add("org.apache.commons.collections.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections.functors.InstantiateTransformer"); ++ s.add("org.apache.commons.collections4.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); ++ s.add("org.codehaus.groovy.runtime.ConvertedClosure"); ++ s.add("org.codehaus.groovy.runtime.MethodClosure"); ++ s.add("org.springframework.beans.factory.ObjectFactory"); ++ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); ++ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); ++ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); ++ } ++ ++ /** ++ * Set of class names of types that are never to be deserialized. ++ */ ++ protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; ++ + /* + /********************************************************** + /* Life-cycle +@@ -846,15 +871,11 @@ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type, + { + // There are certain nasty classes that could cause problems, mostly + // via default typing -- catch them here. +- Class raw = type.getRawClass(); +- String name = raw.getSimpleName(); +- +- if ("TemplatesImpl".equals(name)) { // [databind#1599] +- if (raw.getName().startsWith("com.sun.org.apache.xalan")) { +- throw JsonMappingException.from(ctxt, +- String.format("Illegal type (%s) to deserialize: prevented for security reasons", +- name)); +- } ++ String full = type.getRawClass().getName(); ++ ++ if (_cfgIllegalClassNames.contains(full)) { ++ throw JsonMappingException.from(ctxt.getParser(), ++ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full)); + } + } + } diff --git a/SPECS/jackson-databind.spec b/SPECS/jackson-databind.spec index dc65829..7925327 100644 --- a/SPECS/jackson-databind.spec +++ b/SPECS/jackson-databind.spec @@ -3,11 +3,15 @@ Name: %{?scl_prefix}jackson-databind Version: 2.7.6 -Release: 2.2%{?dist} +Release: 2.4%{?dist} Summary: General data-binding package for Jackson (2.x) License: ASL 2.0 and LGPLv2+ URL: http://wiki.fasterxml.com/JacksonHome Source0: https://github.com/FasterXML/jackson-databind/archive/%{pkg_name}-%{version}.tar.gz +Patch0: CVE-2017-7525.patch +Patch1: CVE-2017-15095.patch +Patch2: CVE-2017-17485-1.patch +Patch3: CVE-2017-17485-2.patch BuildRequires: %{?scl_prefix}maven-local BuildRequires: %{?scl_prefix}mvn(com.fasterxml.jackson:jackson-parent:pom:) @@ -32,6 +36,10 @@ This package contains javadoc for %{pkg_name}. %prep %setup -q -n %{pkg_name}-%{pkg_name}-%{version} +%patch0 -p1 +%patch1 +%patch2 -p1 +%patch3 -p1 cp -p src/main/resources/META-INF/LICENSE . cp -p src/main/resources/META-INF/NOTICE . @@ -70,6 +78,14 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \ %license LICENSE NOTICE %changelog +* Wed Jan 31 2018 Mikolaj Izdebski - 2.7.6-2.4 +- Fix deserialization vulnerability +- Resolves: CVE-2017-17485 + +* Tue Dec 19 2017 Mikolaj Izdebski - 2.7.6-2.3 +- Fix deserialization vulnerability +- Resolves: CVE-2017-7525, CVE-2017-15095 + * Thu Jun 22 2017 Michael Simacek - 2.7.6-2.2 - Mass rebuild 2017-06-22