Disallow EventData deserialization by default (CVE-2018-8088)
- Resolves rhbz#1549928
This commit is contained in:
parent
8a6e4d9c24
commit
d7cd96bc7a
44
0001-Disallow-EventData-deserialization-by-default.patch
Normal file
44
0001-Disallow-EventData-deserialization-by-default.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Simacek <msimacek@redhat.com>
|
||||
Date: Mon, 19 Mar 2018 16:01:57 +0100
|
||||
Subject: [PATCH] Disallow EventData deserialization by default
|
||||
|
||||
---
|
||||
.../src/main/java/org/slf4j/ext/EventData.java | 21 +++++++++++++++------
|
||||
1 file changed, 15 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
|
||||
index dc5b502..fa5c125 100644
|
||||
--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
|
||||
+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
|
||||
@@ -76,12 +76,21 @@ public class EventData implements Serializable {
|
||||
*/
|
||||
@SuppressWarnings("unchecked")
|
||||
public EventData(String xml) {
|
||||
- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
|
||||
- try {
|
||||
- XMLDecoder decoder = new XMLDecoder(bais);
|
||||
- this.eventData = (Map<String, Object>) decoder.readObject();
|
||||
- } catch (Exception e) {
|
||||
- throw new EventException("Error decoding " + xml, e);
|
||||
+ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
|
||||
+ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
|
||||
+ try {
|
||||
+ XMLDecoder decoder = new XMLDecoder(bais);
|
||||
+ this.eventData = (Map<String, Object>) decoder.readObject();
|
||||
+ } catch (Exception e) {
|
||||
+ throw new EventException("Error decoding " + xml, e);
|
||||
+ }
|
||||
+ } else {
|
||||
+ throw new UnsupportedOperationException(
|
||||
+ "Constructing EventData from XML is vulnerable to remote " +
|
||||
+ "excution and is not allowed by default. If you're " +
|
||||
+ "completely sure the source data is trusted, you can enable " +
|
||||
+ "it by setting org.slf4j.ext.allowInsecureDeserialization " +
|
||||
+ "JVM property to 1");
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.14.3
|
||||
|
@ -30,7 +30,7 @@
|
||||
|
||||
Name: slf4j
|
||||
Version: 1.7.25
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
Epoch: 0
|
||||
Summary: Simple Logging Facade for Java
|
||||
# the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT
|
||||
@ -38,6 +38,7 @@ License: MIT and ASL 2.0
|
||||
URL: http://www.slf4j.org/
|
||||
Source0: http://www.slf4j.org/dist/%{name}-%{version}.tar.gz
|
||||
Source1: http://www.apache.org/licenses/LICENSE-2.0.txt
|
||||
Patch0: 0001-Disallow-EventData-deserialization-by-default.patch
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: maven-local
|
||||
@ -124,6 +125,7 @@ SLF4J Source JARs.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch0 -p1
|
||||
find . -name "*.jar" | xargs rm
|
||||
cp -p %{SOURCE1} APACHE-LICENSE
|
||||
|
||||
@ -212,6 +214,10 @@ cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual
|
||||
%{_defaultdocdir}/%{name}-manual
|
||||
|
||||
%changelog
|
||||
* Mon Mar 19 2018 Michael Simacek <msimacek@redhat.com> - 0:1.7.25-4
|
||||
- Disallow EventData deserialization by default (CVE-2018-8088)
|
||||
- Resolves rhbz#1549928
|
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0:1.7.25-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user