jackson-databind: CVE-2017-17485

Related Vulnerabilities: CVE-2017-17485   CVE-2017-7525   CVE-2018-5968  

Debian Bug report logs - #888318
jackson-databind: CVE-2017-17485


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 24 Jan 2018 22:12:05 UTC

Severity: grave

Tags: security, upstream

Found in version jackson-databind/2.9.1-1

Fixed in version jackson-databind/2.9.4-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/FasterXML/jackson-databind/issues/1855



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888318; Package src:jackson-databind. (Wed, 24 Jan 2018 22:12:08 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 24 Jan 2018 22:12:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jackson-databind: CVE-2017-17485
Date: Wed, 24 Jan 2018 23:11:13 +0100
Source: jackson-databind
Version: 2.9.1-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855

Hi,

the following vulnerability was published for jackson-databind.

CVE-2017-17485[0]:
| FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 deserialization flaw. This is exploitable by
| sending maliciously crafted JSON input to the readValue method of the
| ObjectMapper, bypassing a blacklist that is ineffective if the Spring
| libraries are available in the classpath.

Please note in the security-tracker we initially marked this issue as
not-affected, since Red Hat claimed in [2] that it was an incomplete
fix specific to some Red Hat packages.
Could you double-check this and, in case this bug was wrongly opened,
report back? But it looks like the corresponding changes would as well
be missing from the Debian package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17485
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485
[1] https://github.com/FasterXML/jackson-databind/issues/1855
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0

Please adjust the affected versions in the BTS as needed, in
particular no check for stable and oldstable has been done yet.

Regards,
Salvatore
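The CVE text above names the vector (type ids in JSON handed to ObjectMapper.readValue, guarded only by a class blacklist). The illustration below is an added example, not code from the bug report or from the jackson-databind project; it contrasts the risky global default-typing configuration with a mapper that leaves it off, assuming the Jackson 2.9 API and using a placeholder class name rather than any real type.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class DefaultTypingCheck {
    // Constructed sample input: a wrapper array whose first element is a class
    // name, the shape default typing reads as a type id. The class name is a
    // placeholder, not a real class and not any gadget named in the advisories.
    static final String TYPE_TAGGED =
        "[\"com.example.PlaceholderType\", {\"value\": 1}]";

    // Risky configuration (the one the CVE-2017-7525 family targets): global
    // default typing makes readValue honour type ids taken from the input for
    // any Object-typed target, leaving the class blacklist as the only barrier.
    static ObjectMapper riskyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // assumed 2.9 API call; deprecated in 2.10
        return m;
    }

    // Hardened configuration for a 2.9.x code base: never enable default
    // typing; annotate the specific polymorphic properties that need it.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    // Default typing off: the document is just a List holding a String and a
    // Map; the class name is plain data and is never looked up.
    static Object parseHardened(String json) throws IOException {
        return hardenedMapper().readValue(json, Object.class);
    }

    // Default typing on: the first element is resolved as a class name. An
    // unknown or blacklisted class fails with a JsonMappingException; a
    // loadable class that is not blacklisted would be instantiated instead.
    // Returns the failure message, or null when the input was accepted.
    static String probeRisky(String json) {
        try {
            riskyMapper().readValue(json, Object.class);
            return null;
        } catch (JsonMappingException e) {
            return e.getOriginalMessage();
        } catch (IOException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println("hardened: " + parseHardened(TYPE_TAGGED));
        System.out.println("risky: " + probeRisky(TYPE_TAGGED));
    }
}
```

Auditing a code base for enableDefaultTyping (and, in 2.10+, for a permissive PolymorphicTypeValidator) is the quickest way to find readValue call sites that depend on the blacklist this CVE bypassed.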



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#888318; Package src:jackson-databind. (Wed, 24 Jan 2018 22:15:09 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Wed, 24 Jan 2018 22:15:09 GMT)


Message #10 received at 888318@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 888318@bugs.debian.org
Subject: Re: Bug#888318: jackson-databind: CVE-2017-17485
Date: Wed, 24 Jan 2018 23:14:29 +0100
On Wed, Jan 24, 2018 at 11:11:13PM +0100, Salvatore Bonaccorso wrote:
> Source: jackson-databind
> Version: 2.9.1-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855
> 
> Hi,
> 
> the following vulnerability was published for jackson-databind.
> 
> CVE-2017-17485[0]:
> | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3
> | allows unauthenticated remote code execution because of an incomplete
> | fix for the CVE-2017-7525 deserialization flaw. This is exploitable by
> | sending maliciously crafted JSON input to the readValue method of the
> | ObjectMapper, bypassing a blacklist that is ineffective if the Spring
> | libraries are available in the classpath.
> 
> Please note in the security-tracker we initially marked this issue as
> not-affected, since Red Hat claimed in [2] that it was an incomplete
> fix specific to some Red Hat packages.
> Could you double-check this and, in case this bug was wrongly opened,
> report back? But it looks like the corresponding changes would as well
> be missing from the Debian package.

From a quick skim over the applied patches in stable I would say we
missed those as well.

Regards,
Salvatore



Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Thu, 25 Jan 2018 23:21:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 25 Jan 2018 23:21:12 GMT)


Message #15 received at 888318-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 888318-close@bugs.debian.org
Subject: Bug#888318: fixed in jackson-databind 2.9.4-1
Date: Thu, 25 Jan 2018 23:19:37 +0000
Source: jackson-databind
Source-Version: 2.9.4-1

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888318@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 25 Jan 2018 14:45:19 +0100
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source
Version: 2.9.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 888316 888318
Changes:
 jackson-databind (2.9.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.9.4.
     - Fix CVE-2018-5968: bypass of deserialization blacklist related to
       CVE-2017-7525 and CVE-2017-17485. (Closes: #888316)
     - Fix CVE-2017-17485: unauthenticated remote code execution
       because of an incomplete fix for CVE-2017-7525. (Closes: #888318)
   * Use compat level 11.
   * Declare compliance with Debian Policy 4.1.3.





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 23 Feb 2018 07:26:14 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:02:55 2019; Machine Name: beach
