libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response


Debian Bug report logs - #949089


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 16 Jan 2020 20:33:03 UTC

Owned by: Markus Koschany <apo@debian.org>

Severity: grave

Tags: security, upstream

Found in versions libxmlrpc3-java/3.1.3-9, libxmlrpc3-java/3.1.3-8



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#949089; Package src:libxmlrpc3-java. (Thu, 16 Jan 2020 20:33:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 16 Jan 2020 20:33:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response
Date: Thu, 16 Jan 2020 21:27:55 +0100
Source: libxmlrpc3-java
Version: 3.1.3-9
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for libxmlrpc3-java.

CVE-2019-17570[0]:
| Deserialization of server-side exception from faultCause in XMLRPC
| error response

That said, should libxmlrpc3-java rather be removed from unstable, and
not included in bullseye?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17570
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17570
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1775193

Regards,
Salvatore



Marked as found in versions libxmlrpc3-java/3.1.3-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 16 Jan 2020 20:39:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#949089; Package src:libxmlrpc3-java. (Thu, 16 Jan 2020 22:57:02 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 16 Jan 2020 22:57:02 GMT)


Message #12 received at 949089@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 949089@bugs.debian.org
Subject: Re: Bug#949089: libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response
Date: Thu, 16 Jan 2020 23:52:36 +0100
Control: owner -1 !


More information and proposed patch at

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-17570


Owner recorded as Markus Koschany <apo@debian.org>. Request was from Markus Koschany <apo@debian.org> to 949089-submit@bugs.debian.org. (Thu, 16 Jan 2020 22:57:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#949089; Package src:libxmlrpc3-java. (Fri, 17 Jan 2020 00:09:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 17 Jan 2020 00:09:03 GMT)


Message #19 received at 949089@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 949089@bugs.debian.org
Subject: Re: Bug#949089: libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response
Date: Fri, 17 Jan 2020 01:04:10 +0100
Hi,

On 16.01.20 at 21:27, Salvatore Bonaccorso wrote:
> Source: libxmlrpc3-java
> Version: 3.1.3-9
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> 
> Hi,
> 
> The following vulnerability was published for libxmlrpc3-java.
> 
> CVE-2019-17570[0]:
> | Deserialization of server-side exception from faultCause in XMLRPC
> | error response
> 
> That said, should libxmlrpc3-java rather be removed from unstable, and
> not included in bullseye?

[...]

It looks like starjava-topcat is the only package that build-depends on
libxmlrpc3-java at the moment (need to check that again). I think the
issue itself can be fixed by the proposed Red Hat patch, making the use
of some parts of the vulnerable method conditional on a set property.
Since Apache xml-rpc is EOL it makes sense to remove it from Debian
though. I will file a bug report for starjava-topcat and then let's see
how it goes.

Regards,

Markus


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>:
Bug#949089; Package src:libxmlrpc3-java. (Fri, 17 Jan 2020 05:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>, Markus Koschany <apo@debian.org>. (Fri, 17 Jan 2020 05:33:03 GMT)


Message #24 received at 949089@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>
Cc: 949089@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#949089: libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response
Date: Fri, 17 Jan 2020 06:31:11 +0100
Hi Markus,

On Fri, Jan 17, 2020 at 01:04:10AM +0100, Markus Koschany wrote:
> Hi,
> 
> On 16.01.20 at 21:27, Salvatore Bonaccorso wrote:
> > Source: libxmlrpc3-java
> > Version: 3.1.3-9
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > 
> > Hi,
> > 
> > The following vulnerability was published for libxmlrpc3-java.
> > 
> > CVE-2019-17570[0]:
> > | Deserialization of server-side exception from faultCause in XMLRPC
> > | error response
> > 
> > That said, should libxmlrpc3-java rather be removed from unstable, and
> > not included in bullseye?
> 
> [...]
> 
> It looks like starjava-topcat is the only package that build-depends on
> libxmlrpc3-java at the moment (need to check that again). I think the
> issue itself can be fixed by the proposed Red Hat patch, making the use
> of some parts of the vulnerable method conditional on a set property.
> Since Apache xml-rpc is EOL it makes sense to remove it from Debian
> though. I will file a bug report for starjava-topcat and then let's see
> how it goes.

I did check yesterday for that to see what impact it would have on the
archive, and indeed the "only" package problem is as follows, as you
have already spotted:

| Will remove the following packages from sid:
| 
| libxmlrpc3-client-java |    3.1.3-9 | all
| libxmlrpc3-common-java |    3.1.3-9 | all
| libxmlrpc3-java |    3.1.3-9 | source
| libxmlrpc3-java-doc |    3.1.3-9 | all
| libxmlrpc3-server-java |    3.1.3-9 | all
| 
| Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
| 
| ------------------- Reason -------------------
| 
| ----------------------------------------------
| 
| Checking reverse dependencies...
| # Broken Build-Depends:
| starjava-topcat: libxmlrpc3-client-java
| 
| Dependency problem found.

The patch proposed by Red Hat looks straightforward (with my limited
understanding though), but might as well have potential for regression
reports, as it is disabling deserialization by default, i.e. only uses
it if isEnabledForExceptions is set.

So I'm wary yet on what to do for stable (and older releases) and have
not done any marking yet in the security tracker.

Opinions on that?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#949089; Package src:libxmlrpc3-java. (Fri, 17 Jan 2020 23:15:03 GMT)


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 17 Jan 2020 23:15:03 GMT)


Message #29 received at 949089@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 949089@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#949089: libxmlrpc3-java: CVE-2019-17570: deserialization of server-side exception from faultCause in XMLRPC error response
Date: Sat, 18 Jan 2020 00:12:34 +0100
Hi Salvatore,

On 17.01.20 at 06:31, Salvatore Bonaccorso wrote:
[...]
> The patch proposed by Red Hat looks straightforward (with my limited
> understanding though), but might as well have potential for regression
> reports, as it is disabling deserialization by default, i.e. only uses
> it if isEnabledForExceptions is set.
> 
> So I'm wary yet on what to do for stable (and older releases) and have
> not done any marking yet in the security tracker.
> 
> Opinions on that?

I have just filed

https://bugs.debian.org/949188

and asked the maintainer of starjava-topcat to remove the
build-dependency on libxmlrpc3-client-java. As it turned out it is not
even required to build the package.

As far as I know the patch only disables the feature to convert an exception
into a byte array but not deserialization as a whole. The problem is
that the client cannot control if potential exceptions should be
serialized and that opens a potential attack surface if someone is able
to control those serialized exceptions.

In my opinion the severity for Debian is low and besides starjava-topcat
there is only eclipse-mylyn in Jessie that depends on the library. I
don't see a potential regression in these packages but rather in the
rare case when someone uses the library in a custom project. I believe a
security announcement that explains the vulnerability and what property
needs to be set in order to restore the old behavior should be
sufficient. The version is identical in all distributions, so I think I
can just prepare an update for Jessie/Stretch/Buster and we are done
with it.

Regards,

Markus

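The two messages above (Salvatore's and Markus's) describe the shape of the Red Hat fix: the client keeps parsing XML-RPC faults, but the base64 faultCause member is only handed to Java deserialization when the client has explicitly opted in via the isEnabledForExceptions setting. The following is an added example, not code from the bug report, from Apache XML-RPC or from the Red Hat patch. It is a stand-alone Python parser that mirrors the hardened behaviour for a defender who wants to inspect or proxy such responses: faultCause is kept as opaque bytes, is never deserialized, and is flagged when it carries the Java object-stream header. The function names, the `enabled_for_exceptions` parameter and the sample fault response are all constructed for this example.

```python
"""Inspect an XML-RPC fault response for a faultCause member (CVE-2019-17570).

Added example, not part of the Debian bug report or of Apache XML-RPC.
The faultCause member is treated as opaque bytes and is never deserialized;
the returned 'action' only records what a hardened client is allowed to do
with it, mirroring the opt-in behaviour of the discussed fix.
"""
import base64
import xml.etree.ElementTree as ET

# Header of a Java object serialization stream: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"


def _value(node):
    """Convert one <value> element to a Python value (subset of XML-RPC types)."""
    child = node[0] if len(node) else None
    if child is None:                       # bare <value>text</value> is a string
        return node.text or ""
    if child.tag in ("int", "i4"):
        return int(child.text)
    if child.tag == "string":
        return child.text or ""
    if child.tag == "base64":
        return base64.b64decode(child.text or "")   # decoded, but never deserialized
    if child.tag == "struct":
        return {m.findtext("name"): _value(m.find("value")) for m in child.findall("member")}
    raise ValueError("unsupported XML-RPC type: " + child.tag)


def parse_fault(xml_text):
    """Return the fault struct of a <methodResponse> as a dict, or None if it is not a fault."""
    root = ET.fromstring(xml_text)
    fault = root.find("fault/value")
    if fault is None:
        return None
    return _value(fault)


def inspect_fault(xml_text, enabled_for_exceptions=False):
    """Classify a fault response the way a hardened client should.

    enabled_for_exceptions (hypothetical parameter) plays the role of the
    isEnabledForExceptions opt-in named in the thread: without it, faultCause
    is dropped; with it, deserialization would be permitted (not done here).
    """
    fault = parse_fault(xml_text)
    if fault is None:
        return {"is_fault": False}
    cause = fault.get("faultCause")
    report = {
        "is_fault": True,
        "fault_code": fault.get("faultCode"),
        "fault_string": fault.get("faultString"),
        "has_fault_cause": cause is not None,
        # Detection hint: a faultCause that starts with the Java stream header is
        # a serialized object, which is exactly what the vulnerable client fed to
        # ObjectInputStream unconditionally.
        "java_serialized": isinstance(cause, bytes) and cause.startswith(JAVA_SERIAL_MAGIC),
    }
    if cause is None:
        report["action"] = "none"
    elif enabled_for_exceptions:
        report["action"] = "deserialize-allowed"   # explicit opt-in, as in the fix
    else:
        report["action"] = "dropped"               # default after the fix
    return report


# Constructed sample fault: faultCause is the Java stream header plus filler bytes,
# not a real serialized Throwable.
SAMPLE_FAULT = """<methodResponse><fault><value><struct>
  <member><name>faultCode</name><value><int>0</int></value></member>
  <member><name>faultString</name><value><string>java.lang.RuntimeException: boom</string></value></member>
  <member><name>faultCause</name><value><base64>{b64}</base64></value></member>
</struct></value></fault></methodResponse>
""".format(b64=base64.b64encode(JAVA_SERIAL_MAGIC + b"constructed-filler").decode())

# Constructed sample fault without faultCause (what a server not serializing exceptions sends).
SAMPLE_FAULT_PLAIN = """<methodResponse><fault><value><struct>
  <member><name>faultCode</name><value><int>1</int></value></member>
  <member><name>faultString</name><value><string>no such method</string></value></member>
</struct></value></fault></methodResponse>
"""

# Constructed non-fault response.
SAMPLE_OK = "<methodResponse><params><param><value><int>1</int></value></param></params></methodResponse>"

if __name__ == "__main__":
    print(inspect_fault(SAMPLE_FAULT))
    print(inspect_fault(SAMPLE_FAULT, enabled_for_exceptions=True))
    print(inspect_fault(SAMPLE_FAULT_PLAIN))
    print(inspect_fault(SAMPLE_OK))
```

Run as a script, the first line of output shows the default (post-fix) handling: the fault is still reported with its code and string, faultCause is recognised as a Java object stream, and the action is "dropped". Only the second call, with the opt-in set, records "deserialize-allowed", which is the regression surface the thread is weighing for custom projects that relied on the old behaviour.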



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 24 08:09:51 2020; Machine Name: beach
