Backport a patch to fix CVE-2017-7525

CVE-2017-7525.patch

@@ -0,0 +1,92 @@
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java	2016-07-23 03:36:51.000000000 +0100
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java	2017-07-20 15:42:39.836790820 +0100
+@@ -139,6 +139,8 @@
+         if (!isPotentialBeanType(type.getRawClass())) {
+             return null;
+         }
++        // For checks like [databind#1599]
++        checkIllegalTypes(ctxt, type, beanDesc);
+         // Use generic bean introspection to build deserializer
+         return buildBeanDeserializer(ctxt, type, beanDesc);
+     }
+@@ -826,4 +828,22 @@
+         // We default to 'false', i.e. not ignorable
+         return (status == null) ? false : status.booleanValue(); 
+     }
++
++    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
++            BeanDescription beanDesc)
++        throws JsonMappingException
++    {
++        // There are certain nasty classes that could cause problems, mostly
++        // via default typing -- catch them here.
++        Class<?> raw = type.getRawClass();
++        String name = raw.getSimpleName();
++
++        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
++            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
++                throw JsonMappingException.from(ctxt,
++                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
++                                name));
++            }
++        }
++    }
+ }
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -39,7 +39,33 @@
+     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
+ 
+     private final static Class<?>[] NO_VIEWS = new Class<?>[0];
+-    
++
++    /**
++     * Set of well-known "nasty classes", deserialization of which is considered dangerous
++     * and should (and is) prevented by default.
++     */
++    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
++    static {
++        Set<String> s = new HashSet<String>();
++        // Courtesy of [https://github.com/kantega/notsoserial]:
++        // (and wrt [databind#1599]
++        s.add("org.apache.commons.collections.functors.InvokerTransformer");
++        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
++        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
++        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
++        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
++        s.add("org.codehaus.groovy.runtime.MethodClosure");
++        s.add("org.springframework.beans.factory.ObjectFactory");
++        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
++        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
++        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
++    }
++
++    /**
++     * Set of class names of types that are never to be deserialized.
++     */
++    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
++
+     /*
+     /**********************************************************
+     /* Life-cycle
+@@ -846,15 +871,11 @@ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+     {
+         // There are certain nasty classes that could cause problems, mostly
+         // via default typing -- catch them here.
+-        Class<?> raw = type.getRawClass();
+-        String name = raw.getSimpleName();
+-
+-        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
+-            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+-                throw JsonMappingException.from(ctxt,
+-                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+-                                name));
+-            }
++        String full = type.getRawClass().getName();
++
++        if (_cfgIllegalClassNames.contains(full)) {
++            throw JsonMappingException.from(ctxt,
++                    String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
+         }
+     }
+ }

jackson-databind.spec

@@ -1,11 +1,13 @@
 Name:          jackson-databind
 Version:       2.7.6
-Release:       2%{?dist}
+Release:       3%{?dist}
 Summary:       General data-binding package for Jackson (2.x)
 License:       ASL 2.0 and LGPLv2+
 URL:           http://wiki.fasterxml.com/JacksonHome
 Source0:       https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
 
+Patch0: CVE-2017-7525.patch
+
 BuildRequires: maven-local
 BuildRequires: mvn(com.fasterxml.jackson:jackson-parent:pom:)
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= 2.4.1
@@ -29,6 +31,7 @@ This package contains javadoc for %{name}.
 
 %prep
 %setup -q -n %{name}-%{name}-%{version}
+%patch0 -p1
 
 cp -p src/main/resources/META-INF/LICENSE .
 cp -p src/main/resources/META-INF/NOTICE .
@@ -67,6 +70,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
 %license LICENSE NOTICE
 
 %changelog
+* Thu Jul 20 2017 Mat Booth <mat.booth@redhat.com> - 2.7.6-3
+- Backport a patch to fix CVE-2017-7525
+
 * Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.7.6-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild