From 194f44192581ed683d4d8487314dba2a84342c74 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 31 2017 16:10:12 +0000
Subject: import devtoolset-4-jackson-databind-2.5.0-2.4.el7
---
diff --git a/SOURCES/CVE-2017-7525.patch b/SOURCES/CVE-2017-7525.patch
new file mode 100644
index 0000000..c4869c1
--- /dev/null
+++ b/SOURCES/CVE-2017-7525.patch
@@ -0,0 +1,92 @@
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2016-07-23 03:36:51.000000000 +0100
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2017-07-20 15:42:39.836790820 +0100
+@@ -139,6 +139,8 @@
+ if (!isPotentialBeanType(type.getRawClass())) {
+ return null;
+ }
++ // For checks like [databind#1599]
++ checkIllegalTypes(ctxt, type, beanDesc);
+ // Use generic bean introspection to build deserializer
+ return buildBeanDeserializer(ctxt, type, beanDesc);
+ }
+@@ -826,4 +828,22 @@
+ // We default to 'false', i.e. not ignorable
+ return (status == null) ? false : status.booleanValue();
+ }
++
++ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
++ BeanDescription beanDesc)
++ throws JsonMappingException
++ {
++ // There are certain nasty classes that could cause problems, mostly
++ // via default typing -- catch them here.
++ Class raw = type.getRawClass();
++ String name = raw.getSimpleName();
++
++ if ("TemplatesImpl".equals(name)) { // [databind#1599]
++ if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
++ throw JsonMappingException.from(ctxt,
++ String.format("Illegal type (%s) to deserialize: prevented for security reasons",
++ name));
++ }
++ }
++ }
+ }
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -39,7 +39,33 @@
+ private final static Class[] INIT_CAUSE_PARAMS = new Class[] { Throwable.class };
+
+ private final static Class[] NO_VIEWS = new Class[0];
+-
++
++ /**
++ * Set of well-known "nasty classes", deserialization of which is considered dangerous
++ * and should (and is) prevented by default.
++ */
++ protected final static Set DEFAULT_NO_DESER_CLASS_NAMES;
++ static {
++ Set s = new HashSet();
++ // Courtesy of [https://github.com/kantega/notsoserial]:
++ // (and wrt [databind#1599]
++ s.add("org.apache.commons.collections.functors.InvokerTransformer");
++ s.add("org.apache.commons.collections.functors.InstantiateTransformer");
++ s.add("org.apache.commons.collections4.functors.InvokerTransformer");
++ s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
++ s.add("org.codehaus.groovy.runtime.ConvertedClosure");
++ s.add("org.codehaus.groovy.runtime.MethodClosure");
++ s.add("org.springframework.beans.factory.ObjectFactory");
++ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
++ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
++ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
++ }
++
++ /**
++ * Set of class names of types that are never to be deserialized.
++ */
++ protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
++
+ /*
+ /**********************************************************
+ /* Life-cycle
+@@ -846,15 +871,11 @@ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+ {
+ // There are certain nasty classes that could cause problems, mostly
+ // via default typing -- catch them here.
+- Class raw = type.getRawClass();
+- String name = raw.getSimpleName();
+-
+- if ("TemplatesImpl".equals(name)) { // [databind#1599]
+- if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+- throw JsonMappingException.from(ctxt,
+- String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+- name));
+- }
++ String full = type.getRawClass().getName();
++
++ if (_cfgIllegalClassNames.contains(full)) {
++ throw JsonMappingException.from(ctxt.getParser(),
++ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
+ }
+ }
+ }
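Review bot: The final `checkIllegalTypes` at the end of the hunk rejects a type only when `_cfgIllegalClassNames.contains(full)` matches the exact runtime class name, so subclasses or wrappers of the listed gadget types, and any gadget class absent from `DEFAULT_NO_DESER_CLASS_NAMES`, still deserialize; an exact-name deny list is a mitigation rather than a fix, and as far as this hunk shows the guard is wired in at a single site, after `isPotentialBeanType` in the first sub-patch. I would record that limitation next to the set, e.g. `// Exact-name deny list only: subclasses of these types and gadgets not listed here are NOT rejected; enabling default typing (or @JsonTypeInfo on Object-typed properties) for untrusted input stays unsafe regardless of this list.` Note also that the first embedded patch calls `JsonMappingException.from(ctxt, ...)` with a `DeserializationContext`, an overload I do not believe exists in the 2.5.0 tree this spec builds, while the second embedded patch rewrites it to `from(ctxt.getParser(), ...)`; the final state should compile, but the two sub-patches must be applied together and in order. The enclosing `BeanDeserializerFactory` class continues outside the hunk.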
diff --git a/SPECS/jackson-databind.spec b/SPECS/jackson-databind.spec
index d82daed..ee7f509 100644
--- a/SPECS/jackson-databind.spec
+++ b/SPECS/jackson-databind.spec
@@ -3,11 +3,12 @@
 %{?java_common_find_provides_and_requires}
 Name: %{?scl_prefix}jackson-databind
 Version: 2.5.0
-Release: 2.3%{?dist}
+Release: 2.4%{?dist}
 Summary: General data-binding package for Jackson (2.x)
 License: ASL 2.0 and LGPLv2+
 URL: http://wiki.fasterxml.com/JacksonHome
 Source0: https://github.com/FasterXML/jackson-databind/archive/%{pkg_name}-%{version}.tar.gz
+Patch0: CVE-2017-7525.patch
 BuildRequires: %{?scl_prefix}mvn(com.fasterxml.jackson.core:jackson-annotations) >= 2.4.1
 BuildRequires: %{?scl_prefix}mvn(com.fasterxml.jackson.core:jackson-core) >= 2.4.1
 # test deps
@@ -35,6 +36,7 @@ This package contains javadoc for %{pkg_name}.
 %{?scl:scl enable %{scl_maven} %{scl} - << "EOF"}
 %setup -q -n %{pkg_name}-%{pkg_name}-%{version}
+%patch0 -p1
 cp -p src/main/resources/META-INF/LICENSE .
 cp -p src/main/resources/META-INF/NOTICE .
@@ -139,6 +141,9 @@ cp ${file} ${file%.in}
 %doc LICENSE NOTICE
 %changelog
+* Fri Jul 21 2017 Mat Booth - 2.5.0-2.4
+- Backport a patch to fix CVE-2017-7525
+
 * Thu Jul 30 2015 Roland Grunberg - 2.5.0-2.3
 - Add missing osgi.versionpolicy property.