diff --git a/CVE-2017-17485-1.patch b/CVE-2017-17485-1.patch new file mode 100644 index 0000000..836366f --- /dev/null +++ b/CVE-2017-17485-1.patch @@ -0,0 +1,201 @@ +From 2235894210c75f624a3d0cd60bfb0434a20a18bf Mon Sep 17 00:00:00 2001 +From: Tatu Saloranta +Date: Mon, 18 Dec 2017 21:41:51 -0800 +Subject: [PATCH] Fix #1855 + +--- + .../databind/deser/BeanDeserializerFactory.java | 54 ++---------- + .../databind/jsontype/impl/SubTypeValidator.java | 98 ++++++++++++++++++++++ + 2 files changed, 103 insertions(+), 49 deletions(-) + create mode 100644 src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java + +diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +index 217ffd9c6..b462c0c74 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java ++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java +@@ -12,6 +12,7 @@ + import com.fasterxml.jackson.databind.deser.std.ThrowableDeserializer; + import com.fasterxml.jackson.databind.introspect.*; + import com.fasterxml.jackson.databind.jsontype.TypeDeserializer; ++import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator; + import com.fasterxml.jackson.databind.util.ArrayBuilders; + import com.fasterxml.jackson.databind.util.ClassUtil; + import com.fasterxml.jackson.databind.util.SimpleBeanPropertyDefinition; +@@ -40,44 +41,6 @@ + + private final static Class[] NO_VIEWS = new Class[0]; + +- /** +- * Set of well-known "nasty classes", deserialization of which is considered dangerous +- * and should (and is) prevented by default. +- */ +- protected final static Set DEFAULT_NO_DESER_CLASS_NAMES; +- static { +- Set s = new HashSet(); +- // Courtesy of [https://github.com/kantega/notsoserial]: +- // (and wrt [databind#1599]) +- s.add("org.apache.commons.collections.functors.InvokerTransformer"); +- s.add("org.apache.commons.collections.functors.InstantiateTransformer"); +- s.add("org.apache.commons.collections4.functors.InvokerTransformer"); +- s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); +- // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf] +- // this is NOT likely to be exploitable via Jackson. But keep excluded just in case. +- s.add("org.codehaus.groovy.runtime.ConvertedClosure"); +- s.add("org.codehaus.groovy.runtime.MethodClosure"); +- s.add("org.springframework.beans.factory.ObjectFactory"); +- s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); +- s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); +- // [databind#1680]: may or may not be problem, take no chance +- s.add("com.sun.rowset.JdbcRowSetImpl"); +- // [databind#1737]; JDK provided +- s.add("java.util.logging.FileHandler"); +- s.add("java.rmi.server.UnicastRemoteObject"); +- // [databind#1737]; 3rd party +- s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); +- s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); +- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); +- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); +- +- DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); +- } +- +- /** +- * Set of class names of types that are never to be deserialized. +- */ +- protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; + + /* + /********************************************************** +@@ -179,7 +142,7 @@ public DeserializerFactory withConfig(DeserializerFactoryConfig config) + return null; + } + // For checks like [databind#1599] +- checkIllegalTypes(ctxt, type, beanDesc); ++ _validateSubType(ctxt, type, beanDesc); + // Use generic bean introspection to build deserializer + return buildBeanDeserializer(ctxt, type, beanDesc); + } +@@ -868,17 +831,10 @@ + return (status == null) ? false : status.booleanValue(); + } + +- protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type, ++ protected void _validateSubType(DeserializationContext ctxt, JavaType type, + BeanDescription beanDesc) + throws JsonMappingException + { +- // There are certain nasty classes that could cause problems, mostly +- // via default typing -- catch them here. +- String full = type.getRawClass().getName(); +- +- if (_cfgIllegalClassNames.contains(full)) { +- throw JsonMappingException.from(ctxt, +- String.format("Illegal type (%s) to deserialize: prevented for security reasons", full)); +- } ++ SubTypeValidator.instance().validateSubType(ctxt, type); + } + } +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +new file mode 100644 +index 000000000..8a273cc15 +--- /dev/null ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -0,0 +1,98 @@ ++package com.fasterxml.jackson.databind.jsontype.impl; ++ ++import java.util.Collections; ++import java.util.HashSet; ++import java.util.Set; ++ ++import com.fasterxml.jackson.databind.DeserializationContext; ++import com.fasterxml.jackson.databind.JavaType; ++import com.fasterxml.jackson.databind.JsonMappingException; ++ ++/** ++ * Helper class used to encapsulate rules that determine subtypes that ++ * are invalid to use, even with default typing, mostly due to security ++ * concerns. ++ * Used by BeanDeserializerFacotry ++ * ++ * @since 2.8.11 ++ */ ++public class SubTypeValidator ++{ ++ protected final static String PREFIX_STRING = "org.springframework."; ++ /** ++ * Set of well-known "nasty classes", deserialization of which is considered dangerous ++ * and should (and is) prevented by default. ++ */ ++ protected final static Set DEFAULT_NO_DESER_CLASS_NAMES; ++ static { ++ Set s = new HashSet(); ++ // Courtesy of [https://github.com/kantega/notsoserial]: ++ // (and wrt [databind#1599]) ++ s.add("org.apache.commons.collections.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections.functors.InstantiateTransformer"); ++ s.add("org.apache.commons.collections4.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); ++ s.add("org.codehaus.groovy.runtime.ConvertedClosure"); ++ s.add("org.codehaus.groovy.runtime.MethodClosure"); ++ s.add("org.springframework.beans.factory.ObjectFactory"); ++ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); ++ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); ++ // [databind#1680]: may or may not be problem, take no chance ++ s.add("com.sun.rowset.JdbcRowSetImpl"); ++ // [databind#1737]; JDK provided ++ s.add("java.util.logging.FileHandler"); ++ s.add("java.rmi.server.UnicastRemoteObject"); ++ // [databind#1737]; 3rd party ++//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855] ++ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); ++ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); ++ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); ++ // [databind#1855]: more 3rd party ++ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); ++ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); ++ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); ++ } ++ ++ /** ++ * Set of class names of types that are never to be deserialized. ++ */ ++ protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; ++ ++ private final static SubTypeValidator instance = new SubTypeValidator(); ++ ++ protected SubTypeValidator() { } ++ ++ public static SubTypeValidator instance() { return instance; } ++ ++ public void validateSubType(DeserializationContext ctxt, JavaType type) throws JsonMappingException ++ { ++ // There are certain nasty classes that could cause problems, mostly ++ // via default typing -- catch them here. ++ final Class raw = type.getRawClass(); ++ String full = raw.getName(); ++ ++ do { ++ if (_cfgIllegalClassNames.contains(full)) { ++ break; ++ } ++ ++ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling ++ // for some Spring framework types ++ if (full.startsWith(PREFIX_STRING)) { ++ for (Class cls = raw; cls != Object.class; cls = cls.getSuperclass()) { ++ String name = cls.getSimpleName(); ++ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? ++ if ("AbstractPointcutAdvisor".equals(name) ++ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts ++ || "AbstractApplicationContext.equals".equals(name)) { ++ break; ++ } ++ } ++ } ++ return; ++ } while (false); ++ ++ throw JsonMappingException.from(ctxt, ++ String.format("Illegal type (%s) to deserialize: prevented for security reasons", full)); ++ } ++} diff --git a/CVE-2017-17485-2.patch b/CVE-2017-17485-2.patch new file mode 100644 index 0000000..2a028e4 --- /dev/null +++ b/CVE-2017-17485-2.patch @@ -0,0 +1,41 @@ +From bb45fb16709018842f858f1a6e1118676aaa34bd Mon Sep 17 00:00:00 2001 +From: Tatu Saloranta +Date: Tue, 19 Dec 2017 08:31:15 -0800 +Subject: [PATCH] Fix issues with earlier fix for #1855 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 5 +++-- + .../jackson/databind/interop/IllegalTypesCheckTest.java | 7 +++++++ + .../springframework/jacksontest/AbstractApplicationContext.java | 5 +++++ + .../org/springframework/jacksontest/AbstractPointcutAdvisor.java | 5 +++++ + .../org/springframework/jacksontest/BogusApplicationContext.java | 9 +++++++++ + .../org/springframework/jacksontest/BogusPointcutAdvisor.java | 9 +++++++++ + 6 files changed, 38 insertions(+), 2 deletions(-) + create mode 100644 src/test/java/org/springframework/jacksontest/AbstractApplicationContext.java + create mode 100644 src/test/java/org/springframework/jacksontest/AbstractPointcutAdvisor.java + create mode 100644 src/test/java/org/springframework/jacksontest/BogusApplicationContext.java + create mode 100644 src/test/java/org/springframework/jacksontest/BogusPointcutAdvisor.java + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index 8a273cc15..45a76169f 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -71,6 +71,7 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J + final Class raw = type.getRawClass(); + String full = raw.getName(); + ++ main_check: + do { + if (_cfgIllegalClassNames.contains(full)) { + break; +@@ -84,8 +85,8 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J + // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? + if ("AbstractPointcutAdvisor".equals(name) + // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts +- || "AbstractApplicationContext.equals".equals(name)) { +- break; ++ || "AbstractApplicationContext".equals(name)) { ++ break main_check; + } + } + } diff --git a/CVE-2017-17485.patch b/CVE-2017-17485.patch deleted file mode 100644 index fe7435a..0000000 --- a/CVE-2017-17485.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java.orig 2018-01-11 13:52:07.289025352 +0000 -+++ src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java 2018-01-11 13:52:33.253913719 +0000 -@@ -70,6 +70,9 @@ - s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); - s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); - s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); -+ // [databind#1855]: more 3rd party -+ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); -+ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); - - DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); - } diff --git a/jackson-databind.spec b/jackson-databind.spec index 2b7f3cc..02e29c4 100644 --- a/jackson-databind.spec +++ b/jackson-databind.spec @@ -1,6 +1,6 @@ Name: jackson-databind Version: 2.7.6 -Release: 6%{?dist} +Release: 7%{?dist} Summary: General data-binding package for Jackson (2.x) License: ASL 2.0 and LGPLv2+ URL: http://wiki.fasterxml.com/JacksonHome @@ -9,7 +9,8 @@ Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{v # These patches can go when we update to jackson >= 2.8.11 OR jackson >= 2.7.9.2 Patch0: CVE-2017-7525.patch Patch1: CVE-2017-15095.patch -Patch2: CVE-2017-17485.patch +Patch2: CVE-2017-17485-1.patch +Patch3: CVE-2017-17485-2.patch BuildRequires: maven-local BuildRequires: mvn(com.fasterxml.jackson:jackson-parent:pom:) @@ -36,7 +37,8 @@ This package contains javadoc for %{name}. %setup -q -n %{name}-%{name}-%{version} %patch0 -p1 %patch1 -%patch2 +%patch2 -p1 +%patch3 -p1 cp -p src/main/resources/META-INF/LICENSE . cp -p src/main/resources/META-INF/NOTICE . @@ -75,6 +77,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \ %license LICENSE NOTICE %changelog +* Mon Jan 15 2018 Mat Booth - 2.7.6-7 +- Better patch for CVE-2017-17485 + * Thu Jan 11 2018 Mat Booth - 2.7.6-6 - Backport a patch to fix CVE-2017-17485