From 7e6c4a671378352d43ef44a12387a6a0924aa37a Mon Sep 17 00:00:00 2001
From: Mat Booth
Date: Wed, 24 Jan 2018 20:34:53 +0000
Subject: [PATCH] Update to latest upstream release

Drop upstreamed CVE patches
---
CVE-2017-17485.patch | 227 ------------------------------------------
CVE-2018-5968.patch | 24 -----
jackson-databind.spec | 22 ++--
sources | 2 +-
4 files changed, 12 insertions(+), 263 deletions(-)
delete mode 100644 CVE-2017-17485.patch
delete mode 100644 CVE-2018-5968.patch
diff --git a/CVE-2017-17485.patch b/CVE-2017-17485.patch
deleted file mode 100644
index caee2e3..0000000
--- a/CVE-2017-17485.patch
+++ /dev/null
@@ -1,227 +0,0 @@ -From 2235894210c75f624a3d0cd60bfb0434a20a18bf Mon Sep 17 00:00:00 2001 -From: Tatu Saloranta -Date: Mon, 18 Dec 2017 21:41:51 -0800 -Subject: [PATCH] Fix #1855 - ---- - .../databind/deser/BeanDeserializerFactory.java | 54 ++---------- - .../databind/jsontype/impl/SubTypeValidator.java | 98 ++++++++++++++++++++++ - 2 files changed, 103 insertions(+), 49 deletions(-) - create mode 100644 src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java - -diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java -index 217ffd9c6..b462c0c74 100644 ---- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java -+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java -@@ -11,6 +11,7 @@ - import com.fasterxml.jackson.databind.exc.InvalidDefinitionException; - import com.fasterxml.jackson.databind.introspect.*; - import com.fasterxml.jackson.databind.jsontype.TypeDeserializer; -+import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator; - import com.fasterxml.jackson.databind.util.ClassUtil; - import com.fasterxml.jackson.databind.util.SimpleBeanPropertyDefinition; - -@@ -36,49 +37,6 @@ - */ - private final static Class[] INIT_CAUSE_PARAMS = new Class[] { Throwable.class }; - -- /** -- * Set of well-known "nasty classes", deserialization of which is considered dangerous -- * and should (and is) prevented by default. 
-- * -- * @since 2.8.9 -- */ -- protected final static Set DEFAULT_NO_DESER_CLASS_NAMES; -- static { -- Set s = new HashSet<>(); -- // Courtesy of [https://github.com/kantega/notsoserial]: -- // (and wrt [databind#1599]) -- s.add("org.apache.commons.collections.functors.InvokerTransformer"); -- s.add("org.apache.commons.collections.functors.InstantiateTransformer"); -- s.add("org.apache.commons.collections4.functors.InvokerTransformer"); -- s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); -- // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf] -- // this is NOT likely to be exploitable via Jackson. But keep excluded just in case. -- s.add("org.codehaus.groovy.runtime.ConvertedClosure"); -- s.add("org.codehaus.groovy.runtime.MethodClosure"); -- s.add("org.springframework.beans.factory.ObjectFactory"); -- s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); -- s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); -- // [databind#1680]: may or may not be problem, take no chance -- s.add("com.sun.rowset.JdbcRowSetImpl"); -- // [databind#1737]; JDK provided -- s.add("java.util.logging.FileHandler"); -- s.add("java.rmi.server.UnicastRemoteObject"); -- // [databind#1737]; 3rd party -- s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); -- s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); -- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); -- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); -- -- DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); -- } -- -- /** -- * Set of class names of types that are never to be deserialized. 
-- * -- * @since 2.8.9 -- */ -- protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; -- - /* - /********************************************************** - /* Life-cycle -@@ -146,9 +104,9 @@ - if (type.isThrowable()) { - return buildThrowableDeserializer(ctxt, type, beanDesc); - } -- /* Or, for abstract types, may have alternate means for resolution -- * (defaulting, materialization) -- */ -+ // Or, for abstract types, may have alternate means for resolution -+ // (defaulting, materialization) -+ - // 29-Nov-2015, tatu: Also, filter out calls to primitive types, they are - // not something we could materialize anything for - if (type.isAbstract() && !type.isPrimitive() && !type.isEnumType()) { -@@ -174,7 +132,7 @@ - return null; - } - // For checks like [databind#1599] -- checkIllegalTypes(ctxt, type, beanDesc); -+ _validateSubType(ctxt, type, beanDesc); - // Use generic bean introspection to build deserializer - return buildBeanDeserializer(ctxt, type, beanDesc); - } -@@ -949,19 +907,12 @@ - } - - /** -- * @since 2.8.9 -+ * @since 2.8.11 - */ -- protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type, -+ protected void _validateSubType(DeserializationContext ctxt, JavaType type, - BeanDescription beanDesc) - throws JsonMappingException - { -- // There are certain nasty classes that could cause problems, mostly -- // via default typing -- catch them here. 
-- String full = type.getRawClass().getName(); -- -- if (_cfgIllegalClassNames.contains(full)) { -- ctxt.reportBadTypeDefinition(beanDesc, -- "Illegal type (%s) to deserialize: prevented for security reasons", full); -- } -+ SubTypeValidator.instance().validateSubType(ctxt, type, beanDesc); - } - } -diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -new file mode 100644 -index 000000000..8a273cc15 ---- /dev/null -+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -@@ -0,0 +1,103 @@ -+package com.fasterxml.jackson.databind.jsontype.impl; -+ -+import java.util.Collections; -+import java.util.HashSet; -+import java.util.Set; -+ -+import com.fasterxml.jackson.databind.BeanDescription; -+import com.fasterxml.jackson.databind.DeserializationContext; -+import com.fasterxml.jackson.databind.JavaType; -+import com.fasterxml.jackson.databind.JsonMappingException; -+ -+/** -+ * Helper class used to encapsulate rules that determine subtypes that -+ * are invalid to use, even with default typing, mostly due to security -+ * concerns. -+ * Used by BeanDeserializerFacotry -+ * -+ * @since 2.8.11 -+ */ -+public class SubTypeValidator -+{ -+ protected final static String PREFIX_STRING = "org.springframework."; -+ /** -+ * Set of well-known "nasty classes", deserialization of which is considered dangerous -+ * and should (and is) prevented by default. 
-+ */ -+ protected final static Set DEFAULT_NO_DESER_CLASS_NAMES; -+ static { -+ Set s = new HashSet(); -+ // Courtesy of [https://github.com/kantega/notsoserial]: -+ // (and wrt [databind#1599]) -+ s.add("org.apache.commons.collections.functors.InvokerTransformer"); -+ s.add("org.apache.commons.collections.functors.InstantiateTransformer"); -+ s.add("org.apache.commons.collections4.functors.InvokerTransformer"); -+ s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); -+ s.add("org.codehaus.groovy.runtime.ConvertedClosure"); -+ s.add("org.codehaus.groovy.runtime.MethodClosure"); -+ s.add("org.springframework.beans.factory.ObjectFactory"); -+ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); -+ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); -+ // [databind#1680]: may or may not be problem, take no chance -+ s.add("com.sun.rowset.JdbcRowSetImpl"); -+ // [databind#1737]; JDK provided -+ s.add("java.util.logging.FileHandler"); -+ s.add("java.rmi.server.UnicastRemoteObject"); -+ // [databind#1737]; 3rd party -+//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855] -+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); -+ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); -+ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); -+ // [databind#1855]: more 3rd party -+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); -+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); -+ -+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); -+ } -+ -+ /** -+ * Set of class names of types that are never to be deserialized. 
-+ */ -+ protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; -+ -+ private final static SubTypeValidator instance = new SubTypeValidator(); -+ -+ protected SubTypeValidator() { } -+ -+ public static SubTypeValidator instance() { return instance; } -+ -+ public void validateSubType(DeserializationContext ctxt, JavaType type, -+ BeanDescription beanDesc) throws JsonMappingException -+ { -+ // There are certain nasty classes that could cause problems, mostly -+ // via default typing -- catch them here. -+ final Class raw = type.getRawClass(); -+ String full = raw.getName(); -+ -+ main_check: -+ do { -+ if (_cfgIllegalClassNames.contains(full)) { -+ break; -+ } -+ -+ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling -+ // for some Spring framework types -+ // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces -+ if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) { -+ for (Class cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) { -+ String name = cls.getSimpleName(); -+ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? -+ if ("AbstractPointcutAdvisor".equals(name) -+ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts -+ || "AbstractApplicationContext".equals(name)) { -+ break main_check; -+ } -+ } -+ } -+ return; -+ } while (false); -+ -+ ctxt.reportBadTypeDefinition(beanDesc, -+ "Illegal type (%s) to deserialize: prevented for security reasons", full); -+ } -+} diff --git a/CVE-2018-5968.patch b/CVE-2018-5968.patch deleted file mode 100644 index 909a709..0000000 --- a/CVE-2018-5968.patch +++ /dev/null 
@@ -1,24 +0,0 @@
-From 038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 Mon Sep 17 00:00:00 2001 -From: Tatu Saloranta -Date: Sun, 21 Jan 2018 21:01:07 -0800 -Subject: [PATCH] Fix #1899 - --- - release-notes/VERSION | 4 +++- - .../fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++ - 2 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -index 42273e084..37b122734 100644 ---- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -@@ -51,6 +51,9 @@ - // [databind#1855]: more 3rd party - s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); - s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); -+ // [databind#1899]: more 3rd party -+ s.add("org.hibernate.jmx.StatisticsService"); -+ s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory"); - - DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); - }
diff --git a/jackson-databind.spec b/jackson-databind.spec
index 8cf781e..602744e 100644
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
@@ -1,14 +1,11 @@
Name: jackson-databind
-Version: 2.9.3
+Version: 2.9.4
Release: 1%{?dist}
Summary: General data-binding package for Jackson (2.x)
License: ASL 2.0 and LGPLv2+
-URL: http://wiki.fasterxml.com/JacksonHome
+URL: https://github.com/FasterXML/jackson-databind/
Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
-Patch0: CVE-2017-17485.patch
-Patch1: CVE-2018-5968.patch
-
BuildRequires: maven-local
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
@@ -21,19 +18,18 @@ BuildRequires: mvn(org.powermock:powermock-module-junit4)
BuildArch: noarch
%description
-General data-binding functionality for Jackson:
-works on core streaming API.
+The general-purpose data-binding functionality and tree-model for Jackson Data
+Processor. It builds on core streaming parser/generator package, and uses
+Jackson Annotations for configuration.
%package javadoc
-Summary: Javadoc for %{name}
+Summary: Javadoc for %{name}
%description javadoc
-This package contains javadoc for %{name}.
+This package contains API documentation for %{name}.
%prep
%setup -q -n %{name}-%{name}-%{version}
-%patch0 -p1
-%patch1 -p1
# Remove plugins unnecessary for RPM builds
%pom_remove_plugin ":maven-enforcer-plugin"
@@ -71,6 +67,10 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
%license LICENSE NOTICE
%changelog
+* Wed Jan 24 2018 Mat Booth - 2.9.4-1
+- Update to latest upstream release
+- Drop upstreamed CVE patches
+
* Mon Jan 22 2018 Mat Booth - 2.9.3-1
- Update to latest upstream release
diff --git a/sources b/sources
index 74629c7..976c4b4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (jackson-databind-2.9.3.tar.gz) = ef2fe0a944781631bae38a8ef9da603b2a5ba9cfac762ae77741bc4075a56a57981c751623c13c6f35d54b91d399e0be5d623a603659d8a53629c230907f36f8
+SHA512 (jackson-databind-2.9.4.tar.gz) = a867f985177deea0d9eaec3a32ea14d7b367c4b34765b413a13540f165b429335613c60fd11fd05ea4c6d676fb0d4f33043477ffce975369c4113a7ad841f1b6
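Review bot: The new %changelog entry in the `@@ -71,6 +67,10 @@` hunk records only `- Drop upstreamed CVE patches`, so once Patch0 and Patch1 are removed from the spec nothing left in the package history says which fixes the 2.9.4 rebase is expected to carry, and security trackers and downstream maintainers rely on CVE identifiers in changelogs to confirm a build is fixed. Suggest naming them, e.g. `- Drop CVE-2017-17485 and CVE-2018-5968 patches, fixed upstream in 2.9.4 (databind#1855, #1899)`. The deleted patch headers are dated 18 Dec 2017 and 21 Jan 2018, before this 24 Jan 2018 update, so both fixes plausibly are in the 2.9.4 tarball, but that is inferred from dates rather than verified here; it is worth confirming that the upstream tag's SubTypeValidator still carries the blocklist entries from both patches (for instance `org.hibernate.jmx.StatisticsService`) before the build is shipped.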