rpms/jackson-databind
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to latest upstream release

Browse Source
This commit is contained in:
Mat Booth 2018-01-22 15:33:59 +00:00
parent 46016810f4
commit f5bc93f20b
8 changed files with 96 additions and 223 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
.gitignore vendored
View File

@ -1,10 +1,2 @@
/jackson-databind-2.2.2.tar.gz
/jackson-databind-2.4.1.1.tar.gz
/jackson-databind-2.4.1.3.tar.gz
/jackson-databind-2.4.2.tar.gz
/jackson-databind-2.5.0.tar.gz
/jackson-databind-2.6.2.tar.gz
/jackson-databind-2.6.3.tar.gz
/jackson-databind-2.6.6.tar.gz
/jackson-databind-2.6.7.tar.gz
/jackson-databind-2.7.6.tar.gz
/jackson-databind-*.tar.gz
/*.src.rpm

33
CVE-2017-15095.patch
View File

@ -1,33 +0,0 @@
--- src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java.orig 2017-11-01 09:57:37.083991374 +0000
+++ src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2017-11-01 10:00:58.032279501 +0000
@@ -48,16 +48,29 @@
static {
Set<String> s = new HashSet<String>();
// Courtesy of [https://github.com/kantega/notsoserial]:
- // (and wrt [databind#1599]
+ // (and wrt [databind#1599])
s.add("org.apache.commons.collections.functors.InvokerTransformer");
s.add("org.apache.commons.collections.functors.InstantiateTransformer");
s.add("org.apache.commons.collections4.functors.InvokerTransformer");
s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+ // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf]
+ // this is NOT likely to be exploitable via Jackson. But keep excluded just in case.
s.add("org.codehaus.groovy.runtime.ConvertedClosure");
s.add("org.codehaus.groovy.runtime.MethodClosure");
s.add("org.springframework.beans.factory.ObjectFactory");
s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+ // [databind#1680]: may or may not be problem, take no chance
+ s.add("com.sun.rowset.JdbcRowSetImpl");
+ // [databind#1737]; JDK provided
+ s.add("java.util.logging.FileHandler");
+ s.add("java.rmi.server.UnicastRemoteObject");
+ // [databind#1737]; 3rd party
+ s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}

41
CVE-2017-17485-2.patch
View File

@ -1,41 +0,0 @@
From bb45fb16709018842f858f1a6e1118676aaa34bd Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Tue, 19 Dec 2017 08:31:15 -0800
Subject: [PATCH] Fix issues with earlier fix for #1855
---
.../jackson/databind/jsontype/impl/SubTypeValidator.java | 5 +++--
.../jackson/databind/interop/IllegalTypesCheckTest.java | 7 +++++++
.../springframework/jacksontest/AbstractApplicationContext.java | 5 +++++
.../org/springframework/jacksontest/AbstractPointcutAdvisor.java | 5 +++++
.../org/springframework/jacksontest/BogusApplicationContext.java | 9 +++++++++
.../org/springframework/jacksontest/BogusPointcutAdvisor.java | 9 +++++++++
6 files changed, 38 insertions(+), 2 deletions(-)
create mode 100644 src/test/java/org/springframework/jacksontest/AbstractApplicationContext.java
create mode 100644 src/test/java/org/springframework/jacksontest/AbstractPointcutAdvisor.java
create mode 100644 src/test/java/org/springframework/jacksontest/BogusApplicationContext.java
create mode 100644 src/test/java/org/springframework/jacksontest/BogusPointcutAdvisor.java
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 8a273cc15..45a76169f 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -71,6 +71,7 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J
final Class<?> raw = type.getRawClass();
String full = raw.getName();
+ main_check:
do {
if (_cfgIllegalClassNames.contains(full)) {
break;
@@ -84,8 +85,8 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J
// looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
if ("AbstractPointcutAdvisor".equals(name)
// ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
- || "AbstractApplicationContext.equals".equals(name)) {
- break;
+ || "AbstractApplicationContext".equals(name)) {
+ break main_check;
}
}
}

68
CVE-2017-17485-1.patch → CVE-2017-17485.patch
View File

@ -13,25 +13,27 @@ diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer
index 217ffd9c6..b462c0c74 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -12,6 +12,7 @@
import com.fasterxml.jackson.databind.deser.std.ThrowableDeserializer;
@@ -11,6 +11,7 @@
import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
import com.fasterxml.jackson.databind.introspect.*;
import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
+import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator;
import com.fasterxml.jackson.databind.util.ArrayBuilders;
import com.fasterxml.jackson.databind.util.ClassUtil;
import com.fasterxml.jackson.databind.util.SimpleBeanPropertyDefinition;
@@ -40,44 +41,6 @@
private final static Class<?>[] NO_VIEWS = new Class<?>[0];
@@ -36,49 +37,6 @@
*/
private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
- /**
- * Set of well-known "nasty classes", deserialization of which is considered dangerous
- * and should (and is) prevented by default.
- *
- * @since 2.8.9
- */
- protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
- static {
- Set<String> s = new HashSet<String>();
- Set<String> s = new HashSet<>();
- // Courtesy of [https://github.com/kantega/notsoserial]:
- // (and wrt [databind#1599])
- s.add("org.apache.commons.collections.functors.InvokerTransformer");
@ -61,12 +63,28 @@ index 217ffd9c6..b462c0c74 100644
-
- /**
- * Set of class names of types that are never to be deserialized.
- *
- * @since 2.8.9
- */
- protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
-
/*
/**********************************************************
@@ -179,7 +142,7 @@ public DeserializerFactory withConfig(DeserializerFactoryConfig config)
/* Life-cycle
@@ -146,9 +104,9 @@
if (type.isThrowable()) {
return buildThrowableDeserializer(ctxt, type, beanDesc);
}
- /* Or, for abstract types, may have alternate means for resolution
- * (defaulting, materialization)
- */
+ // Or, for abstract types, may have alternate means for resolution
+ // (defaulting, materialization)
+
// 29-Nov-2015, tatu: Also, filter out calls to primitive types, they are
// not something we could materialize anything for
if (type.isAbstract() && !type.isPrimitive() && !type.isEnumType()) {
@@ -174,7 +132,7 @@
return null;
}
// For checks like [databind#1599]
@ -75,10 +93,13 @@ index 217ffd9c6..b462c0c74 100644
// Use generic bean introspection to build deserializer
return buildBeanDeserializer(ctxt, type, beanDesc);
}
@@ -868,17 +831,10 @@
return (status == null) ? false : status.booleanValue();
@@ -949,19 +907,12 @@
}
/**
- * @since 2.8.9
+ * @since 2.8.11
*/
- protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+ protected void _validateSubType(DeserializationContext ctxt, JavaType type,
BeanDescription beanDesc)
@ -89,10 +110,10 @@ index 217ffd9c6..b462c0c74 100644
- String full = type.getRawClass().getName();
-
- if (_cfgIllegalClassNames.contains(full)) {
- throw JsonMappingException.from(ctxt,
- String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
- ctxt.reportBadTypeDefinition(beanDesc,
- "Illegal type (%s) to deserialize: prevented for security reasons", full);
- }
+ SubTypeValidator.instance().validateSubType(ctxt, type);
+ SubTypeValidator.instance().validateSubType(ctxt, type, beanDesc);
}
}
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@ -100,13 +121,14 @@ new file mode 100644
index 000000000..8a273cc15
--- /dev/null
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -0,0 +1,98 @@
@@ -0,0 +1,103 @@
+package com.fasterxml.jackson.databind.jsontype.impl;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+import com.fasterxml.jackson.databind.BeanDescription;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JavaType;
+import com.fasterxml.jackson.databind.JsonMappingException;
@ -153,6 +175,7 @@ index 000000000..8a273cc15
+ // [databind#1855]: more 3rd party
+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
@ -167,13 +190,15 @@ index 000000000..8a273cc15
+
+ public static SubTypeValidator instance() { return instance; }
+
+ public void validateSubType(DeserializationContext ctxt, JavaType type) throws JsonMappingException
+ public void validateSubType(DeserializationContext ctxt, JavaType type,
+ BeanDescription beanDesc) throws JsonMappingException
+ {
+ // There are certain nasty classes that could cause problems, mostly
+ // via default typing -- catch them here.
+ final Class<?> raw = type.getRawClass();
+ String full = raw.getName();
+
+ main_check:
+ do {
+ if (_cfgIllegalClassNames.contains(full)) {
+ break;
@ -181,21 +206,22 @@ index 000000000..8a273cc15
+
+ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
+ // for some Spring framework types
+ if (full.startsWith(PREFIX_STRING)) {
+ for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
+ // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
+ if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
+ for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
+ String name = cls.getSimpleName();
+ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
+ if ("AbstractPointcutAdvisor".equals(name)
+ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts
+ || "AbstractApplicationContext.equals".equals(name)) {
+ break;
+ || "AbstractApplicationContext".equals(name)) {
+ break main_check;
+ }
+ }
+ }
+ return;
+ } while (false);
+
+ throw JsonMappingException.from(ctxt,
+ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
+ ctxt.reportBadTypeDefinition(beanDesc,
+ "Illegal type (%s) to deserialize: prevented for security reasons", full);
+ }
+}

92
CVE-2017-7525.patch
View File

@ -1,92 +0,0 @@
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2016-07-23 03:36:51.000000000 +0100
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2017-07-20 15:42:39.836790820 +0100
@@ -139,6 +139,8 @@
if (!isPotentialBeanType(type.getRawClass())) {
return null;
}
+ // For checks like [databind#1599]
+ checkIllegalTypes(ctxt, type, beanDesc);
// Use generic bean introspection to build deserializer
return buildBeanDeserializer(ctxt, type, beanDesc);
}
@@ -826,4 +828,22 @@
// We default to 'false', i.e. not ignorable
return (status == null) ? false : status.booleanValue();
}
+
+ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
+ BeanDescription beanDesc)
+ throws JsonMappingException
+ {
+ // There are certain nasty classes that could cause problems, mostly
+ // via default typing -- catch them here.
+ Class<?> raw = type.getRawClass();
+ String name = raw.getSimpleName();
+
+ if ("TemplatesImpl".equals(name)) { // [databind#1599]
+ if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
+ throw JsonMappingException.from(ctxt,
+ String.format("Illegal type (%s) to deserialize: prevented for security reasons",
+ name));
+ }
+ }
+ }
}
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -39,7 +39,33 @@
private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
private final static Class<?>[] NO_VIEWS = new Class<?>[0];
-
+
+ /**
+ * Set of well-known "nasty classes", deserialization of which is considered dangerous
+ * and should (and is) prevented by default.
+ */
+ protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
+ static {
+ Set<String> s = new HashSet<String>();
+ // Courtesy of [https://github.com/kantega/notsoserial]:
+ // (and wrt [databind#1599]
+ s.add("org.apache.commons.collections.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+ s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+ s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
+ s.add("org.codehaus.groovy.runtime.ConvertedClosure");
+ s.add("org.codehaus.groovy.runtime.MethodClosure");
+ s.add("org.springframework.beans.factory.ObjectFactory");
+ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
+ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
+ /**
+ * Set of class names of types that are never to be deserialized.
+ */
+ protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
+
/*
/**********************************************************
/* Life-cycle
@@ -846,15 +871,11 @@ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
{
// There are certain nasty classes that could cause problems, mostly
// via default typing -- catch them here.
- Class<?> raw = type.getRawClass();
- String name = raw.getSimpleName();
-
- if ("TemplatesImpl".equals(name)) { // [databind#1599]
- if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
- throw JsonMappingException.from(ctxt,
- String.format("Illegal type (%s) to deserialize: prevented for security reasons",
- name));
- }
+ String full = type.getRawClass().getName();
+
+ if (_cfgIllegalClassNames.contains(full)) {
+ throw JsonMappingException.from(ctxt,
+ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
}
}
}

24
CVE-2018-5968.patch Normal file
View File

@ -0,0 +1,24 @@
From 038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Sun, 21 Jan 2018 21:01:07 -0800
Subject: [PATCH] Fix #1899
---
release-notes/VERSION | 4 +++-
.../fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 42273e084..37b122734 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -51,6 +51,9 @@
// [databind#1855]: more 3rd party
s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+ // [databind#1899]: more 3rd party
+ s.add("org.hibernate.jmx.StatisticsService");
+ s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}

47
jackson-databind.spec
View File

@ -1,27 +1,24 @@
Name: jackson-databind
Version: 2.7.6
Release: 7%{?dist}
Version: 2.9.3
Release: 1%{?dist}
Summary: General data-binding package for Jackson (2.x)
License: ASL 2.0 and LGPLv2+
URL: http://wiki.fasterxml.com/JacksonHome
Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
# These patches can go when we update to jackson >= 2.8.11 OR jackson >= 2.7.9.2
Patch0: CVE-2017-7525.patch
Patch1: CVE-2017-15095.patch
Patch2: CVE-2017-17485-1.patch
Patch3: CVE-2017-17485-2.patch
Patch0: CVE-2017-17485.patch
Patch1: CVE-2018-5968.patch
BuildRequires: maven-local
BuildRequires: mvn(com.fasterxml.jackson:jackson-parent:pom:)
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= 2.4.1
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= 2.4.1
BuildRequires: mvn(com.google.guava:guava)
BuildRequires: mvn(com.google.code.maven-replacer-plugin:replacer)
BuildRequires: mvn(org.powermock:powermock-api-mockito)
BuildRequires: mvn(org.powermock:powermock-module-junit4)
BuildRequires: maven-local
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
BuildRequires: mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version}
BuildRequires: mvn(com.google.code.maven-replacer-plugin:replacer)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
BuildRequires: mvn(org.powermock:powermock-api-mockito)
BuildRequires: mvn(org.powermock:powermock-module-junit4)
BuildArch: noarch
BuildArch: noarch
%description
General data-binding functionality for Jackson:
@ -36,9 +33,10 @@ This package contains javadoc for %{name}.
%prep
%setup -q -n %{name}-%{name}-%{version}
%patch0 -p1
%patch1
%patch2 -p1
%patch3 -p1
%patch1 -p1
# Remove plugins unnecessary for RPM builds
%pom_remove_plugin ":maven-enforcer-plugin"
cp -p src/main/resources/META-INF/LICENSE .
cp -p src/main/resources/META-INF/NOTICE .
@ -49,21 +47,17 @@ sed -i 's/\r//' LICENSE NOTICE
rm src/test/java/com/fasterxml/jackson/databind/introspect/NoClassDefFoundWorkaroundTest.java
%pom_xpath_remove pom:classpathDependencyExcludes
%pom_xpath_inject "pom:plugin[pom:artifactId='maven-javadoc-plugin']/pom:configuration" "<additionalparam>-Xdoclint:none</additionalparam>"
%pom_xpath_remove pom:failOnError
# org.powermock.reflect.exceptions.FieldNotFoundException: Field 'fTestClass' was not found in class org.junit.internal.runners.MethodValidator.
rm src/test/java/com/fasterxml/jackson/databind/type/TestTypeFactoryWithClassLoader.java
# Off test that require connection with the web
rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
src/test/java/com/fasterxml/jackson/databind/deser/TestJdkTypes.java \
rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest.java \
src/test/java/com/fasterxml/jackson/databind/deser/jdk/JDKStringLikeTypesTest.java \
src/test/java/com/fasterxml/jackson/databind/TestJDKSerialization.java
%mvn_file : %{name}
%build
%mvn_build -- -Dmaven.test.failure.ignore=true
%install
@ -77,6 +71,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
%license LICENSE NOTICE
%changelog
* Mon Jan 22 2018 Mat Booth <mat.booth@redhat.com> - 2.9.3-1
- Update to latest upstream release
* Mon Jan 15 2018 Mat Booth <mat.booth@redhat.com> - 2.7.6-7
- Better patch for CVE-2017-17485

2
sources
View File

@ -1 +1 @@
e656289bef8f4256ac1be14d9e858f32 jackson-databind-2.7.6.tar.gz
SHA512 (jackson-databind-2.9.3.tar.gz) = ef2fe0a944781631bae38a8ef9da603b2a5ba9cfac762ae77741bc4075a56a57981c751623c13c6f35d54b91d399e0be5d623a603659d8a53629c230907f36f8