Disallow EventData deserialization by default (CVE-2018-8088)

- Resolves rhbz#1549928
2018-03-19 16:11:35 +01:00 · 2018-03-19 16:11:35 +01:00 · d7cd96bc7a
commit d7cd96bc7a
parent 8a6e4d9c24
2 changed files with 51 additions and 1 deletions
--- a/0001-Disallow-EventData-deserialization-by-default.patch
+++ b/0001-Disallow-EventData-deserialization-by-default.patch
@ -0,0 +1,44 @@
+From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
+From: Michael Simacek <msimacek@redhat.com>
+Date: Mon, 19 Mar 2018 16:01:57 +0100
+Subject: [PATCH] Disallow EventData deserialization by default
+
+---
+ .../src/main/java/org/slf4j/ext/EventData.java      | 21 +++++++++++++++------
+ 1 file changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+index dc5b502..fa5c125 100644
+--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+@@ -76,12 +76,21 @@ public class EventData implements Serializable {
+      */
+     @SuppressWarnings("unchecked")
+     public EventData(String xml) {
+-        ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+-        try {
+-            XMLDecoder decoder = new XMLDecoder(bais);
+-            this.eventData = (Map<String, Object>) decoder.readObject();
+-        } catch (Exception e) {
+-            throw new EventException("Error decoding " + xml, e);
+        if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
+            ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+            try {
+                XMLDecoder decoder = new XMLDecoder(bais);
+                this.eventData = (Map<String, Object>) decoder.readObject();
+            } catch (Exception e) {
+                throw new EventException("Error decoding " + xml, e);
+            }
+        } else {
+            throw new UnsupportedOperationException(
+                    "Constructing EventData from XML is vulnerable to remote " +
+                    "excution and is not allowed by default. If you're " +
+                    "completely sure the source data is trusted, you can enable " +
+                    "it by setting org.slf4j.ext.allowInsecureDeserialization " +
+                    "JVM property to 1");
+         }
+     }
+ 
+-- 
+2.14.3
+
--- a/slf4j.spec
+++ b/slf4j.spec
@ -30,7 +30,7 @@

 Name:           slf4j
 Version:        1.7.25
-Release:        3%{?dist}
+Release:        4%{?dist}
 Epoch:          0
 Summary:        Simple Logging Facade for Java
 # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT
@ -38,6 +38,7 @@ License:        MIT and ASL 2.0
 URL:            http://www.slf4j.org/
 Source0:        http://www.slf4j.org/dist/%{name}-%{version}.tar.gz
 Source1:        http://www.apache.org/licenses/LICENSE-2.0.txt
+Patch0:         0001-Disallow-EventData-deserialization-by-default.patch
 BuildArch:      noarch

 BuildRequires:  maven-local
@ -124,6 +125,7 @@ SLF4J Source JARs.

 %prep
 %setup -q
+%patch0 -p1
 find . -name "*.jar" | xargs rm
 cp -p %{SOURCE1} APACHE-LICENSE

@ -212,6 +214,10 @@ cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual
 %{_defaultdocdir}/%{name}-manual

 %changelog
+* Mon Mar 19 2018 Michael Simacek <msimacek@redhat.com> - 0:1.7.25-4
+- Disallow EventData deserialization by default (CVE-2018-8088)
+- Resolves rhbz#1549928
+
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0:1.7.25-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild