From e3ef8a1b62d10273a814090be9168aa3019ace72 Mon Sep 17 00:00:00 2001
From: gil
Date: Dec 15 2015 07:54:59 +0000
Subject: fix for CVE-2015-5254
---
diff --git a/activemq-5.6.0-CVE-2015-5254.patch b/activemq-5.6.0-CVE-2015-5254.patch
new file mode 100644
index 0000000..c6b78c8
--- /dev/null
+++ b/activemq-5.6.0-CVE-2015-5254.patch
@@ -0,0 +1,231 @@
+diff -Nru activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java
+--- activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java 2012-09-11 01:12:25.000000000 +0200
++++ activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/JmsFrameTranslator.java 2015-12-15 08:35:09.050277423 +0100
+@@ -84,7 +84,7 @@
+ msg = createMapMessage(in);
+ break;
+ default:
+- throw new Exception("Unkown transformation: " + transformation);
++ throw new Exception("Unknown transformation: " + transformation);
+ }
+ } catch (Throwable e) {
+ command.getHeaders().put(Stomp.Headers.TRANSFORMATION_ERROR, e.getMessage());
+@@ -243,7 +243,8 @@
+ }
+ 
+ if (xstream == null) {
+- xstream = new XStream();
++ xstream = XStreamSupport.createXStream();
++ xstream.ignoreUnknownElements();
+ }
+ return xstream;
+ 
+diff -Nru activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java
+--- activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java 1970-01-01 01:00:00.000000000 +0100
++++ activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/transport/stomp/XStreamSupport.java 2015-12-15 08:36:14.665520108 +0100
+@@ -0,0 +1,47 @@
++/**
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. 
You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.activemq.transport.stomp;
++
++import com.thoughtworks.xstream.XStream;
++import com.thoughtworks.xstream.security.AnyTypePermission;
++import com.thoughtworks.xstream.security.NoTypePermission;
++import com.thoughtworks.xstream.security.PrimitiveTypePermission;
++import org.apache.activemq.util.ClassLoadingAwareObjectInputStream;
++
++import java.util.Collection;
++import java.util.Map;
++
++public class XStreamSupport {
++
++ public static XStream createXStream() {
++ XStream stream = new XStream();
++ stream.addPermission(NoTypePermission.NONE);
++ stream.addPermission(PrimitiveTypePermission.PRIMITIVES);
++ stream.allowTypeHierarchy(Collection.class);
++ stream.allowTypeHierarchy(Map.class);
++ stream.allowTypes(new Class[]{String.class});
++ if (ClassLoadingAwareObjectInputStream.isAllAllowed()) {
++ stream.addPermission(AnyTypePermission.ANY);
++ } else {
++ for (String packageName : ClassLoadingAwareObjectInputStream.getSerialziablePackages()) {
++ stream.allowTypesByWildcard(new String[]{packageName + ".**"});
++ }
++ }
++ return stream;
++ }
++
++}
+diff -Nru activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java
+--- activemq-5.6.0/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java 2012-09-11 01:12:25.000000000 +0200
++++ 
activemq-5.6.0.CVE-2015-5254/activemq-core/src/main/java/org/apache/activemq/util/ClassLoadingAwareObjectInputStream.java 2015-12-15 08:47:58.347381368 +0100
+@@ -21,7 +21,10 @@
+ import java.io.ObjectInputStream;
+ import java.io.ObjectStreamClass;
+ import java.lang.reflect.Proxy;
++import java.util.Arrays;
++import java.util.Collection;
+ import java.util.HashMap;
++import java.util.Map;
+ 
+ @SuppressWarnings("rawtypes")
+ public class ClassLoadingAwareObjectInputStream extends ObjectInputStream {
+@@ -29,6 +32,8 @@
+ private static final ClassLoader FALLBACK_CLASS_LOADER =
+ ClassLoadingAwareObjectInputStream.class.getClassLoader();
+ 
++ private static String[] serializablePackages;
++ 
+ /**
+ * Maps primitive type names to corresponding class objects.
+ */
+@@ -40,7 +45,9 @@
+ 
+ protected Class resolveClass(ObjectStreamClass classDesc) throws IOException, ClassNotFoundException {
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+- return load(classDesc.getName(), cl);
++ Class clazz = load(classDesc.getName(), cl);
++ checkSecurity(clazz);
++ return clazz;
+ }
+ 
+ protected Class resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
+@@ -50,18 +57,56 @@
+ cinterfaces[i] = load(interfaces[i], cl);
+ }
+ 
++ Class clazz = null;
+ try {
+- return Proxy.getProxyClass(cl, cinterfaces);
++ clazz = Proxy.getProxyClass(cl, cinterfaces);
+ } catch (IllegalArgumentException e) {
+ try {
+- return Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces);
++ clazz = Proxy.getProxyClass(FALLBACK_CLASS_LOADER, cinterfaces);
+ } catch (IllegalArgumentException e1) {
+ }
+ 
+- throw new ClassNotFoundException(null, e);
++ }
++ 
++ if (clazz != null) {
++ checkSecurity(clazz);
++ return clazz;
++ } else {
++ throw new ClassNotFoundException(null);
+ }
+ }
+ 
++ public static String[] getSerialziablePackages() {
++ if (serializablePackages == null) {
++ serializablePackages = 
System.getProperty("org.apache.activemq.SERIALIZABLE_PACKAGES",
++ "java.lang,java.util,org.apache.activemq,org.fusesource.hawtbuf,com.thoughtworks.xstream.mapper").split(",");
++ }
++ 
++ return serializablePackages;
++ };
++ 
++ public static boolean isAllAllowed() {
++ return getSerialziablePackages().length == 1 && getSerialziablePackages()[0].equals("*");
++ }
++ 
++ private void checkSecurity(Class clazz) throws ClassNotFoundException {
++ if (!clazz.isPrimitive()) {
++ if (clazz.getPackage() != null && !isAllAllowed()) {
++ boolean found = false;
++ for (String packageName : getSerialziablePackages()) {
++ if (clazz.getPackage().getName().equals(packageName) || clazz.getPackage().getName().startsWith(packageName + ".")) {
++ found = true;
++ break;
++ }
++ }
++ 
++ if (!found) {
++ throw new ClassNotFoundException("Forbidden " + clazz + "! This class is not allowed to be serialized. Add package with 'org.apache.activemq.SERIALIZABLE_PACKAGES' system property.");
++ }
++ }
++ }
++ }
++ 
+ private Class load(String className, ClassLoader cl) throws ClassNotFoundException {
+ try {
+ return Class.forName(className, false, cl);
+diff -Nru activemq-5.6.0/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java activemq-5.6.0.CVE-2015-5254/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java
+--- activemq-5.6.0/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java 2012-09-11 01:12:25.000000000 +0200
++++ activemq-5.6.0.CVE-2015-5254/activemq-optional/src/main/java/org/apache/activemq/transport/xstream/XStreamWireFormat.java 2015-12-15 08:41:19.421068945 +0100
+@@ -17,9 +17,15 @@
+ package org.apache.activemq.transport.xstream;
+ 
+ import com.thoughtworks.xstream.XStream;
++import com.thoughtworks.xstream.converters.Converter;
++import com.thoughtworks.xstream.converters.MarshallingContext;
++import com.thoughtworks.xstream.converters.UnmarshallingContext;
++import com.thoughtworks.xstream.io.HierarchicalStreamReader;
++import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+ import org.apache.activemq.command.Command;
+ import org.apache.activemq.command.MarshallAware;
+ import org.apache.activemq.command.MessageDispatch;
++import org.apache.activemq.transport.stomp.XStreamSupport;
+ import org.apache.activemq.transport.util.TextWireFormat;
+ import org.apache.activemq.wireformat.WireFormat;
+ 
+@@ -105,7 +111,28 @@
+ // Implementation methods
+ // -------------------------------------------------------------------------
+ protected XStream createXStream() {
+- return new XStream();
++ final XStream xstream = XStreamSupport.createXStream();
++ xstream.ignoreUnknownElements();
++ xstream.registerConverter(new Converter() {
++ final Converter delegate = xstream.getConverterLookup().lookupConverterForType(ByteSequence.class);
++ @Override
++ public void marshal(Object o, HierarchicalStreamWriter hierarchicalStreamWriter, MarshallingContext marshallingContext) {
++ ByteSequence byteSequence = (ByteSequence)o;
++ byteSequence.compact();
++ delegate.marshal(byteSequence, hierarchicalStreamWriter, marshallingContext);
++ }
++ 
++ @Override
++ public Object unmarshal(HierarchicalStreamReader hierarchicalStreamReader, UnmarshallingContext unmarshallingContext) {
++ return delegate.unmarshal(hierarchicalStreamReader, unmarshallingContext);
++ }
++ 
++ @Override
++ public boolean canConvert(Class aClass) {
++ return aClass == ByteSequence.class;
++ }
++ });
++ return xstream;
+ }
+ 
+ }
+diff -Nru activemq-5.6.0/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java activemq-5.6.0.CVE-2015-5254/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java
+--- activemq-5.6.0/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java 2012-09-11 01:12:25.000000000 +0200
++++ activemq-5.6.0.CVE-2015-5254/activemq-web/src/main/java/org/apache/activemq/web/MessageQuery.java 2015-12-15 
08:38:03.340297084 +0100
+@@ -80,9 +80,9 @@
+ if (message instanceof ObjectMessage) {
+ try {
+ return ((ObjectMessage) message).getObject();
+- } catch (JMSException e) {
++ } catch (Exception e) {
+ //message could not be parsed, make the reason available
+- return e;
++ return new String("Cannot display ObjectMessage body. Reason: " + e.getMessage());
+ }
+ }
+ if (message instanceof MapMessage) {
diff --git a/activemq.spec b/activemq.spec
index 3cef2fa..a6a9dcb 100644
--- a/activemq.spec
+++ b/activemq.spec
@@ -1,6 +1,6 @@
 Name: activemq
 Version: 5.6.0
-Release: 13%{?dist}
+Release: 14%{?dist}
 Summary: Open source messaging and Integration Patterns server
 License: ASL 2.0
 URL: http://activemq.apache.org
@@ -10,8 +10,10 @@ URL: http://activemq.apache.org
 Source0: activemq-5.6.0.tar.xz
 Patch0: activemq-5.6.0-jaas-CVE-2015-6524.patch
+Patch1: activemq-5.6.0-CVE-2015-5254.patch
 BuildRequires: maven-local
+BuildRequires: mvn(com.thoughtworks.xstream:xstream)
 BuildRequires: mvn(commons-net:commons-net)
 BuildRequires: mvn(org.apache.derby:derby)
 BuildRequires: mvn(org.apache.activemq:activeio-core)
@@ -61,6 +63,7 @@ and provides faster recovery than its predecessor, the AMQ Message Store.
 %setup -q -n %{name}-%{version}
 %patch0 -p1
+%patch1 -p1
 # Disable modules
 for m in all camel console fileserver blueprint karaf \
@@ -87,11 +90,6 @@ done
 # Remove missing optional dependencies
 %pom_remove_dep org.apache.geronimo.specs:geronimo-j2ee-management_1.1_spec
-# Remove xstream support (fedora version is out of date)
-rm -rf %{name}-core/src/main/java/org/apache/activemq/transport/stomp
-rm -rf %{name}-core/src/main/java/org/apache/activemq/util/XStreamFactoryBean.java
-%pom_remove_dep com.thoughtworks.xstream:xstream %{name}-core/pom.xml
-
 # Remove jmdns support
 rm -rf %{name}-core/src/main/java/org/apache/activemq/transport/discovery/zeroconf
 %pom_remove_dep org.apache.activemq:activemq-jmdns_1.0 %{name}-core/pom.xml
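Review bot: In the added `checkSecurity` of ClassLoadingAwareObjectInputStream the package allow-list is consulted only when `clazz.getPackage()` is non-null, so a class that reports no package (as far as I can tell this covers array types and classes in the unnamed package) is returned without ever being compared against `org.apache.activemq.SERIALIZABLE_PACKAGES`; unwrapping arrays first, `while (clazz.isArray()) { clazz = clazz.getComponentType(); }` ahead of the `isPrimitive()` test, and treating a null package as not found would make the default deny rather than allow. The rewritten `resolveProxyClass` (whose start lies outside the quoted inner hunk) now throws `new ClassNotFoundException(null)` after the catch blocks, dropping the `IllegalArgumentException` cause that the replaced `throw new ClassNotFoundException(null, e)` carried; holding the caught exception in a local and passing it as the cause keeps that diagnostic. `XStreamSupport.createXStream()` grants `allowTypeHierarchy(Collection.class)`, `allowTypeHierarchy(Map.class)` and a `.**` wildcard for every default package including `java.lang` and `java.util`, which is broad enough that a comment beside the default list, stating that deployments which do not consume ObjectMessage bodies from arbitrary producers should narrow the property, would help operators. Minor: `getSerialziablePackages` is a misspelled public static name followed by a stray `;`, and `XStreamWireFormat.createXStream` references `ByteSequence` with no import for it among the added imports, so confirm the existing import list already provides it.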
@@ -146,6 +144,9 @@ iconv -f iso-8859-1 -t utf-8 LICENSE.orig > LICENSE
 %license LICENSE NOTICE
 %changelog
+* Tue Dec 15 2015 gil cattaneo 5.6.0-14
+- fix for CVE-2015-5254 (rhbz#1291292,1291293)
+
 * Sat Nov 28 2015 gil cattaneo - 5.6.0-13
 - rebuilt