rpms/jackson-databind
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to latest upstream release

Browse Source 
Drop upstreamed CVE patches
This commit is contained in:
Mat Booth 2018-01-24 20:34:53 +00:00
parent f5bc93f20b
commit 7e6c4a6713
4 changed files with 12 additions and 263 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

227
CVE-2017-17485.patch
View File

@ -1,227 +0,0 @@
From 2235894210c75f624a3d0cd60bfb0434a20a18bf Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Mon, 18 Dec 2017 21:41:51 -0800
Subject: [PATCH] Fix #1855
---
.../databind/deser/BeanDeserializerFactory.java | 54 ++----------
.../databind/jsontype/impl/SubTypeValidator.java | 98 ++++++++++++++++++++++
2 files changed, 103 insertions(+), 49 deletions(-)
create mode 100644 src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index 217ffd9c6..b462c0c74 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -11,6 +11,7 @@
import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
import com.fasterxml.jackson.databind.introspect.*;
import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
+import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator;
import com.fasterxml.jackson.databind.util.ClassUtil;
import com.fasterxml.jackson.databind.util.SimpleBeanPropertyDefinition;
@@ -36,49 +37,6 @@
*/
private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
- /**
- * Set of well-known "nasty classes", deserialization of which is considered dangerous
- * and should (and is) prevented by default.
- *
- * @since 2.8.9
- */
- protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
- static {
- Set<String> s = new HashSet<>();
- // Courtesy of [https://github.com/kantega/notsoserial]:
- // (and wrt [databind#1599])
- s.add("org.apache.commons.collections.functors.InvokerTransformer");
- s.add("org.apache.commons.collections.functors.InstantiateTransformer");
- s.add("org.apache.commons.collections4.functors.InvokerTransformer");
- s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
- // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf]
- // this is NOT likely to be exploitable via Jackson. But keep excluded just in case.
- s.add("org.codehaus.groovy.runtime.ConvertedClosure");
- s.add("org.codehaus.groovy.runtime.MethodClosure");
- s.add("org.springframework.beans.factory.ObjectFactory");
- s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
- s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
- // [databind#1680]: may or may not be problem, take no chance
- s.add("com.sun.rowset.JdbcRowSetImpl");
- // [databind#1737]; JDK provided
- s.add("java.util.logging.FileHandler");
- s.add("java.rmi.server.UnicastRemoteObject");
- // [databind#1737]; 3rd party
- s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
- s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-
- DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
- }
-
- /**
- * Set of class names of types that are never to be deserialized.
- *
- * @since 2.8.9
- */
- protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
-
/*
/**********************************************************
/* Life-cycle
@@ -146,9 +104,9 @@
if (type.isThrowable()) {
return buildThrowableDeserializer(ctxt, type, beanDesc);
}
- /* Or, for abstract types, may have alternate means for resolution
- * (defaulting, materialization)
- */
+ // Or, for abstract types, may have alternate means for resolution
+ // (defaulting, materialization)
+
// 29-Nov-2015, tatu: Also, filter out calls to primitive types, they are
// not something we could materialize anything for
if (type.isAbstract() && !type.isPrimitive() && !type.isEnumType()) {
@@ -174,7 +132,7 @@
return null;
}
// For checks like [databind#1599]
- checkIllegalTypes(ctxt, type, beanDesc);
+ _validateSubType(ctxt, type, beanDesc);
// Use generic bean introspection to build deserializer
return buildBeanDeserializer(ctxt, type, beanDesc);
}
@@ -949,19 +907,12 @@
}
/**
- * @since 2.8.9
+ * @since 2.8.11
*/
- protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+ protected void _validateSubType(DeserializationContext ctxt, JavaType type,
BeanDescription beanDesc)
throws JsonMappingException
{
- // There are certain nasty classes that could cause problems, mostly
- // via default typing -- catch them here.
- String full = type.getRawClass().getName();
-
- if (_cfgIllegalClassNames.contains(full)) {
- ctxt.reportBadTypeDefinition(beanDesc,
- "Illegal type (%s) to deserialize: prevented for security reasons", full);
- }
+ SubTypeValidator.instance().validateSubType(ctxt, type, beanDesc);
}
}
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
new file mode 100644
index 000000000..8a273cc15
--- /dev/null
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -0,0 +1,103 @@
+package com.fasterxml.jackson.databind.jsontype.impl;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import com.fasterxml.jackson.databind.BeanDescription;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.JsonMappingException;
+
+/**
+ * Helper class used to encapsulate rules that determine subtypes that
+ * are invalid to use, even with default typing, mostly due to security
+ * concerns.
+ * Used by <code>BeanDeserializerFacotry</code>
+ *
+ * @since 2.8.11
+ */
+public class SubTypeValidator
+{
+ protected final static String PREFIX_STRING = "org.springframework.";
+ /**
+ * Set of well-known "nasty classes", deserialization of which is considered dangerous
+ * and should (and is) prevented by default.
+ */
+ protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+ static {
+ Set<String> s = new HashSet<String>();
+ // Courtesy of [https://github.com/kantega/notsoserial]:
+ // (and wrt [databind#1599])
+ s.add("org.apache.commons.collections.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+ s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+ s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+ s.add("org.codehaus.groovy.runtime.MethodClosure");
+ s.add("org.springframework.beans.factory.ObjectFactory");
+ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+ // [databind#1680]: may or may not be problem, take no chance
+ s.add("com.sun.rowset.JdbcRowSetImpl");
+ // [databind#1737]; JDK provided
+ s.add("java.util.logging.FileHandler");
+ s.add("java.rmi.server.UnicastRemoteObject");
+ // [databind#1737]; 3rd party
+//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+ // [databind#1855]: more 3rd party
+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
+ /**
+ * Set of class names of types that are never to be deserialized.
+ */
+ protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
+ private final static SubTypeValidator instance = new SubTypeValidator();
+
+ protected SubTypeValidator() { }
+
+ public static SubTypeValidator instance() { return instance; }
+
+ public void validateSubType(DeserializationContext ctxt, JavaType type,
+ BeanDescription beanDesc) throws JsonMappingException
+ {
+ // There are certain nasty classes that could cause problems, mostly
+ // via default typing -- catch them here.
+ final Class<?> raw = type.getRawClass();
+ String full = raw.getName();
+
+ main_check:
+ do {
+ if (_cfgIllegalClassNames.contains(full)) {
+ break;
+ }
+
+ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
+ // for some Spring framework types
+ // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
+ if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
+ for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
+ String name = cls.getSimpleName();
+ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
+ if ("AbstractPointcutAdvisor".equals(name)
+ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
+ || "AbstractApplicationContext".equals(name)) {
+ break main_check;
+ }
+ }
+ }
+ return;
+ } while (false);
+
+ ctxt.reportBadTypeDefinition(beanDesc,
+ "Illegal type (%s) to deserialize: prevented for security reasons", full);
+ }
+}

24
CVE-2018-5968.patch
View File

@ -1,24 +0,0 @@
From 038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Sun, 21 Jan 2018 21:01:07 -0800
Subject: [PATCH] Fix #1899
---
release-notes/VERSION | 4 +++-
.../fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 42273e084..37b122734 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -51,6 +51,9 @@
// [databind#1855]: more 3rd party
s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+ // [databind#1899]: more 3rd party
+ s.add("org.hibernate.jmx.StatisticsService");
+ s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}

22
jackson-databind.spec
View File

@ -1,14 +1,11 @@
Name: jackson-databind
Version: 2.9.3
Version: 2.9.4
Release: 1%{?dist}
Summary: General data-binding package for Jackson (2.x)
License: ASL 2.0 and LGPLv2+
URL: http://wiki.fasterxml.com/JacksonHome
URL: https://github.com/FasterXML/jackson-databind/
Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
Patch0: CVE-2017-17485.patch
Patch1: CVE-2018-5968.patch
BuildRequires: maven-local
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
@ -21,19 +18,18 @@ BuildRequires: mvn(org.powermock:powermock-module-junit4)
BuildArch: noarch
%description
General data-binding functionality for Jackson:
works on core streaming API.
The general-purpose data-binding functionality and tree-model for Jackson Data
Processor. It builds on core streaming parser/generator package, and uses
Jackson Annotations for configuration.
%package javadoc
Summary: Javadoc for %{name}
Summary: Javadoc for %{name}
%description javadoc
This package contains javadoc for %{name}.
This package contains API documentation for %{name}.
%prep
%setup -q -n %{name}-%{name}-%{version}
%patch0 -p1
%patch1 -p1
# Remove plugins unnecessary for RPM builds
%pom_remove_plugin ":maven-enforcer-plugin"
@ -71,6 +67,10 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
%license LICENSE NOTICE
%changelog
* Wed Jan 24 2018 Mat Booth <mat.booth@redhat.com> - 2.9.4-1
- Update to latest upstream release
- Drop upstreamed CVE patches
* Mon Jan 22 2018 Mat Booth <mat.booth@redhat.com> - 2.9.3-1
- Update to latest upstream release

2
sources
View File

@ -1 +1 @@
SHA512 (jackson-databind-2.9.3.tar.gz) = ef2fe0a944781631bae38a8ef9da603b2a5ba9cfac762ae77741bc4075a56a57981c751623c13c6f35d54b91d399e0be5d623a603659d8a53629c230907f36f8
SHA512 (jackson-databind-2.9.4.tar.gz) = a867f985177deea0d9eaec3a32ea14d7b367c4b34765b413a13540f165b429335613c60fd11fd05ea4c6d676fb0d4f33043477ffce975369c4113a7ad841f1b6