debian/0000775000000000000000000000000013321512725007171 5ustar debian/maven.rules0000664000000000000000000000306512227432355011363 0ustar # Maven rules - transform Maven dependencies and plugins # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). In this case, anything will # match and be left as it is. For example, using * on the # position of the artifact field will match any artifact id # - a regular expression of the form s/match/replace/ # in this case, elements that match are transformed using # the regex rule. # All elements much match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., replacing the version with 3.x # junit junit jar s/3\..*/3.x/ com.thoughtworks.xstream xstream-benchmark jar s/.*/debian/ * * com.thoughtworks.xstream xstream-distribution pom s/.*/debian/ * * com.thoughtworks.xstream xstream-hibernate jar s/.*/debian/ * * com.thoughtworks.xstream xstream-parent pom s/.*/debian/ * * com.thoughtworks.xstream xstream jar s/.*/debian/ * * s/jdom/org.jdom/ jdom jar s/1\..*/debian/ * * org.jdom jdom2 jar s/.*/debian/ * * s/net.sf.kxml/kxml2/ kxml2-min jar s/.*/debian/ * * s/net.sf.kxml/kxml2/ kxml2 jar s/.*/debian/ * * joda-time joda-time jar s/.*/debian/ * * junit junit jar s/3\..*/3.x/ * * org.codehaus.jettison jettison s/bundle/jar/ s/.*/debian/ * * s/hsqldb/org.hsqldb/ hsqldb * s/.*/debian/ * * s/jboss/javassist/ javassist * s/.*/debian/ * * debian/source/0000775000000000000000000000000012207062634010472 5ustar debian/source/format0000664000000000000000000000001412207062634011700 0ustar 3.0 (quilt) debian/build.properties0000664000000000000000000000027312207062634012411 0ustar ant.build.javac.source=1.5 
ant.build.javac.target=1.5 javadoc.dir=target/api build.sourceDirectory=src/java classpath.compile=\ ${basedir}/xstream/build/xstream-${version}.jardebian/patches/0000775000000000000000000000000013321512725010620 5ustar debian/patches/CVE-2017-7957.patch0000664000000000000000000001217613321512725013265 0ustar Origin: backport, https://github.com/x-stream/xstream/commit/b3570be Bug-Ubuntu: https://bugs.launchpad.net/bugs/1780844 Author: joehni Date: Mon, 3 Apr 2017 14:40:04 +0200 Subject: [PATCH] Prevent deserialization of void. --- .../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++------- .../security/PrimitiveTypePermission.java | 8 ++++--- .../acceptance/SecurityVulnerabilityTest.java | 24 ++++++++++++++++++- 3 files changed, 41 insertions(+), 13 deletions(-) --- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java +++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2004, 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014 XStream Committers. + * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers. * All rights reserved. * * Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider @@ -9,6 +9,8 @@ import java.lang.reflect.Field; +import com.thoughtworks.xstream.converters.ConversionException; + import sun.misc.Unsafe; 
@@ -72,14 +74,18 @@
 if (exception != null) {
 throw new ObjectAccessException("Cannot construct " + type.getName(), exception);
 }
- try {
- return unsafe.allocateInstance(type);
- } catch (SecurityException e) {
- throw new ObjectAccessException("Cannot construct " + type.getName(), e);
- } catch (InstantiationException e) {
- throw new ObjectAccessException("Cannot construct " + type.getName(), e);
- } catch (IllegalArgumentException e) {
- throw new ObjectAccessException("Cannot construct " + type.getName(), e);
+ if (type == void.class || type == Void.class) {
+ throw new ConversionException("Type void cannot have an instance");
+ } else {
+ try {
+ return unsafe.allocateInstance(type);
+ } catch (SecurityException e) {
+ throw new ObjectAccessException("Cannot construct " + type.getName(), e);
+ } catch (InstantiationException e) {
+ throw new ObjectAccessException("Cannot construct " + type.getName(), e);
+ } catch (IllegalArgumentException e) {
+ throw new ObjectAccessException("Cannot construct " + type.getName(), e);
+ }
 }
 }
--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 XStream Committers.
+ * Copyright (C) 2014, 2017 XStream Committers.
 * All rights reserved.
 *
 * Created on 09. January 2014 by Joerg Schaible
@@ -8,8 +8,9 @@
 import com.thoughtworks.xstream.core.util.Primitives;
+
 /**
- * Permission for any primitive type and its boxed counterpart (incl. void).
+ * Permission for any primitive type and its boxed counterpart (excl. void).
 *
 * @author Jörg Schaible
 * @since 1.4.7
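Review bot: The `else` that wraps the whole try/catch after an unconditional `throw` adds a nesting level for nothing; the void check reads better as a plain guard, `if (type == void.class || type == Void.class) { throw new ConversionException("Type void cannot have an instance"); }` followed by the original `try` block at its original indentation, which also shrinks this backport's diff against 1.4.7. The three identical `catch` blocks cannot be folded into a multi-catch because debian/build.properties compiles with source/target 1.5, so leaving them as they are is right for this package. The guard lives only in this provider, so a deployment that wires in a different `ReflectionProvider` would depend on the `PrimitiveTypePermission` change alone, and that one only acts where a type-permission framework is actually configured; a line in the patch header saying so would help whoever triages this CVE. The enclosing method starts before the hunk, and the `ConversionException` thrown here carries no `construction-type` entry itself although the test in this patch asserts one, so presumably a caller adds it — confirm that holds on the 1.4.7 code base.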
@@ -21,7 +22,8 @@
 public static final TypePermission PRIMITIVES = new PrimitiveTypePermission();
 public boolean allows(Class type) {
- return type != null && type.isPrimitive() || Primitives.isBoxed(type);
+ return type != null && type != void.class && type != Void.class && type.isPrimitive()
+ || Primitives.isBoxed(type);
 }
 public int hashCode() {
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2014 XStream Committers.
+ * Copyright (C) 2013, 2014, 2017 XStream Committers.
 * All rights reserved.
 *
 * The software in this package is published under the terms of the BSD
@@ -13,9 +13,12 @@
 import java.beans.EventHandler;
 import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+import com.thoughtworks.xstream.security.ForbiddenClassException;
 import com.thoughtworks.xstream.security.ProxyTypePermission;
+
 /**
 * @author Jörg Schaible
 */
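Review bot: In `allows` the new `void`/`Void` exclusions sit only on the `&&` side of the expression; since `&&` binds tighter than `||`, `Primitives.isBoxed(type)` is still evaluated on its own, so if `Primitives` maps `void` to `Void` (the old Javadoc's "(incl. void)" suggests it does) then `allows(Void.class)` keeps returning true and this permission still admits `Void`, and a `null` type still reaches `isBoxed`. Parenthesising makes the exclusion cover both branches: `return type != null && type != void.class && type != Void.class && (type.isPrimitive() || Primitives.isBoxed(type));`. Whether `Primitives.isBoxed(Void.class)` is true is not visible in this patch, so confirm against `core/util/Primitives` before relying on the current form; the instance guard in `SunLimitedUnsafeReflectionProvider` still catches the case downstream, but a permission documented as "excl. void" should not be the layer that lets it through.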
@@ -80,4 +83,23 @@
 BUFFER.append("Executed!");
 }
 }
+
+ public void testDeniedInstanceOfVoid() {
+ try {
+ xstream.fromXML("");
+ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
+ } catch (final ForbiddenClassException e) {
+ // OK
+ }
+ }
+
+ public void testAllowedInstanceOfVoid() {
+ xstream.allowTypes(void.class, Void.class);
+ try {
+ xstream.fromXML("");
+ fail("Thrown " + ConversionException.class.getName() + " expected");
+ } catch (final ConversionException e) {
+ assertEquals("void", e.get("construction-type"));
+ }
+ }
 }
debian/patches/series0000664000000000000000000000002413321512725012031 0ustar CVE-2017-7957.patch debian/compat0000664000000000000000000000000212227432253010370 0ustar 9 debian/changelog0000664000000000000000000001110713321512725011043 0ustar libxstream-java (1.4.7-1ubuntu0.1) trusty-security; urgency=medium * SECURITY UPDATE: handle void type class (LP: #1780844) - d/p/CVE-2017-7957.patch: Prevent deserialization of void. - CVE-2017-7957 -- Dan Streetman Mon, 09 Jul 2018 15:29:05 -0400 libxstream-java (1.4.7-1) unstable; urgency=low * New upstream release - Fixes CVE-2013-7285 (Closes: #734821) - Added a dependency on libjdom2-java * Standards-Version updated to 3.9.5 (no changes) * Use XZ compression for the upstream tarball * Build depend on debhelper >= 9 * debian/copyright: Updated to the Copyright Format 1.0 -- Emmanuel Bourg Wed, 12 Mar 2014 14:06:33 +0100 libxstream-java (1.4.4-1) unstable; urgency=low * New upstream release * Update Standards-Version: 3.9.4 (no changes) * Use canonical URLs for the Vcs-* fields * debian/rules: Improved the clean target to allow rebuilds -- Emmanuel Bourg Tue, 02 Jul 2013 22:38:00 +0200 libxstream-java (1.4.2-1) unstable; urgency=low [ tony mancill ] * Remove Michael Koch from Uploaders (Closes: #654106) * Update Standards-Version: 3.9.3. 
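Review bot: Both new tests call `xstream.fromXML("")` with an empty string as rendered here, which would not exercise deserialization of `void` at all; the upstream commit presumably passes an XML element naming the void type and the markup was lost when this patch was rendered, so verify the payload in the actual file shipped in the package rather than trusting this listing. The tests also cover only the primitive `void` spelling — nothing deserializes the boxed `java.lang.Void` form, which is exactly where `PrimitiveTypePermission.allows` can diverge from the reflection-provider guard; a third case that feeds an element naming `java.lang.Void` to the unmodified fixture and expects `ForbiddenClassException` would pin that down. `testDeniedInstanceOfVoid` can only pass if the `xstream` fixture built outside this hunk has type permissions configured, and `testAllowedInstanceOfVoid` mutates that shared fixture with `allowTypes`, which is safe only if `setUp` recreates it for every test. The enclosing class, and the method that `BUFFER.append("Executed!")` belongs to, both start before the hunk.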
[ Damien Raude-Morvan ] * New upstream release (Closes: #655908) - Add Build-Depends on libstax-java, libwoodstox-java, libstax2-api-java and libkxml2-java (and Suggests). * Use maven-ant-helper for build: - Add Build-Depends on maven-ant-helper. - New debian/build.xml. - Drop patch on MANIFEST.MF update and use jh_manifest. - Add Build-Depends on javahelper. * Add myself as Uploader. -- Damien Raude-Morvan Mon, 28 May 2012 23:14:16 +0200 libxstream-java (1.3.1-7) unstable; urgency=low * Switch to source format 3.0. * Update Standards-Version: 3.9.1. -- Torsten Werner Thu, 18 Aug 2011 15:01:00 +0200 libxstream-java (1.3.1-6) unstable; urgency=low [ Onkar Shinde ] * debian/control - Add quilt build dependency. * debian/rules - Include patchsys-quilt.mk rule. * debian/patches/01_fix_classpath.diff - Add appropriate jar files in classpath using manifest attribute. (LP: #457660) * debian/patches/series - Create new and include the new patch added. * debian/README.source - Add to comply with policy. [ Michael Koch ] * Added myself to Uploaders. -- Michael Koch Wed, 04 Nov 2009 21:10:05 +0100 libxstream-java (1.3.1-5) unstable; urgency=low * Switch to default-jdk * Build-Depends: replace cglib2.1 with cglib (Closes: #550613) * Bump Standards-Version to 3.8.3 * Bump dh compat to 7 -- Varun Hiremath Thu, 15 Oct 2009 14:35:55 -0400 libxstream-java (1.3.1-4) unstable; urgency=low * Add missing dependencies to Depends and Suggests -- Ludovic Claude Fri, 14 Aug 2009 23:30:34 +0100 libxstream-java (1.3.1-3) unstable; urgency=low * Upload to unstable. 
-- Torsten Werner Sun, 09 Aug 2009 12:57:52 +0200 libxstream-java (1.3.1-2) experimental; urgency=low * Change section to java * Bump up Standards-Version to 3.8.2 * Add ${misc:Depends} to Depends to clear Lintian warnings * Remove Depends on Java runtimes as it is a library * Add the Maven POM to the package * Add a Build-Depends-Indep dependency on maven-repo-helper -- Ludovic Claude Tue, 28 Jul 2009 20:51:09 +0100 libxstream-java (1.3.1-1) unstable; urgency=low * New upstream release * Minor cleanups -- Torsten Werner Thu, 01 Jan 2009 01:20:34 +0100 libxstream-java (1.3-4) unstable; urgency=low * Fix java bytecode / java runtime version mismatch by setting -source and -target to 1.5 (Closes: #503789) -- Varun Hiremath Sat, 01 Nov 2008 11:41:26 -0400 libxstream-java (1.3-3) unstable; urgency=low * Really move package to main. -- Torsten Werner Mon, 11 Aug 2008 18:13:41 +0200 libxstream-java (1.3-2) unstable; urgency=low * Build package with OpenJDK now. * Move package to main. * Bump Standards-Version: 3.8.0 (no changes needed). -- Torsten Werner Mon, 11 Aug 2008 17:50:31 +0200 libxstream-java (1.3-1) unstable; urgency=low * New upstream release * Add myself to Uploaders * Bump Standards-Version to 3.7.3 * Remove patches/encoding.diff - not required -- Varun Hiremath Thu, 28 Feb 2008 15:30:34 +0530 libxstream-java (1.2.2-1) unstable; urgency=low * initial version (Closes: #453149) -- Torsten Werner Sat, 24 Nov 2007 00:01:40 +0100 debian/maven.ignoreRules0000664000000000000000000000306512207062634012524 0ustar # Maven ignore rules - ignore some Maven dependencies and plugins # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). In this case, anything will # match and be left as it is. 
For example, using * on the # position of the artifact field will match any artifact id # All elements much match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., this dependency is then removed # from the POM # junit junit jar s/3\..*/3.x/ com.megginson.sax xml-writer * * * * commons-cli commons-cli * * * * commons-io commons-io * * * * commons-lang commons-lang * * * * jmock jmock * * * * org.apache.maven.plugins maven-assembly-plugin * * * * org.apache.maven.plugins maven-eclipse-plugin * * * * org.apache.maven.plugins maven-enforcer-plugin * * * * org.apache.maven.plugins maven-javadoc-plugin * * * * org.apache.maven.plugins maven-release-plugin * * * * org.apache.maven.plugins maven-source-plugin * * * * org.apache.maven.plugins maven-surefire-plugin * * * * org.apache.maven.plugins maven-surefire-report-plugin * * * * org.apache.maven.wagon wagon-webdav * * * * org.codehaus.mojo cobertura-maven-plugin * * * * org.codehaus.mojo jxr-maven-plugin * * * * org.codehaus.woodstox wstx-asl * * * * org.json json * * * * oro oro * * * * xmlpull xmlpull * * * * debian/manifest0000664000000000000000000000021412227432737010727 0ustar usr/share/java/xstream.jar: Class-Path: cglib.jar dom4j.jar jdom1.jar jdom2.jar jettison.jar joda-time.jar xom.jar xpp3.jar xpp3-xpath.jar debian/rules0000775000000000000000000000202512227432435010253 0ustar #!/usr/bin/make -f include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/class/ant.mk PACKAGE := $(DEB_SOURCE_PACKAGE) VERSION := $(DEB_UPSTREAM_VERSION) JAVA_HOME := /usr/lib/jvm/default-java DEB_JARS := ant-nodeps xom joda-time jettison cglib dom4j xpp3 jdom1 jdom2 stax woodstox-core-lgpl kxml2 stax2-api DEB_ANT_BUILD_TARGET := package javadoc DEB_ANT_BUILDFILE := debian/build.xml DEB_ANT_ARGS := -Dbasedir=$(realpath .) 
-Dpackage=xstream -Dversion=$(VERSION) pre-build:: -rm xstream/src/java/com/thoughtworks/xstream/converters/reflection/HarmonyReflectionProvider.java binary-post-install/$(PACKAGE):: mh_installpoms -p$(PACKAGE) mh_installjar -p$(PACKAGE) -l xstream/pom.xml xstream/build/xstream-$(VERSION).jar mh_installjar -p$(PACKAGE) -l xstream-benchmark/pom.xml xstream-benchmark/build/xstream-benchmark-$(VERSION).jar jh_manifest clean:: mh_clean rm -Rf target mh_unpatchpoms -p$(PACKAGE) get-orig-source: uscan --force-download --rename debian/watch0000664000000000000000000000022612207062634010223 0ustar version=3 opts=uversionmangle=s/-/~/ \ http://xstream.codehaus.org/download.html \ .*/xstream-distribution-(.*)-src.zip debian debian/orig-tar.sh debian/libxstream-java.poms0000664000000000000000000000012412207062634013160 0ustar pom.xml --no-parent xstream/pom.xml --java-lib xstream-benchmark/pom.xml --java-lib debian/orig-tar.sh0000775000000000000000000000060012223220107011236 0ustar #!/bin/sh -e # called by uscan with '--upstream-version' DIR=xstream-$2 TAR=../libxstream-java_$2.orig.tar.xz # clean up the upstream tarball unzip $3 XZ_OPT=--best tar -c -J -f $TAR --exclude '*.jar' $DIR rm -rf $DIR $3 # move to directory 'tarballs' if [ -r .svn/deb-layout ]; then . .svn/deb-layout mv $TAR $origDir echo "moved $TAR to $origDir" fi debian/copyright0000664000000000000000000000356512310057232011127 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: XStream Source: http://xstream.codehaus.org Files: * Copyright: 2003-2006, Joe Walnes 2006-2014, XStream Committers License: BSD-3-Clause Files: debian/* Copyright: 2007-2001, Torsten Werner 2008-2009, Varun Hiremath 2009, Ludovic Claude License: BSD-3-Clause License: BSD-3-Clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . 
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. . Neither the name of XStream nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. . THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
debian/control0000664000000000000000000000610413321512760010574 0ustar Source: libxstream-java Section: java Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian Java Maintainers Uploaders: Torsten Werner , Varun Hiremath , Damien Raude-Morvan , Emmanuel Bourg Build-Depends: ant, cdbs, debhelper (>= 9), default-jdk, javahelper, libcglib-java, libdom4j-java, libjdom1-java, libjdom2-java, libjettison-java, libjoda-time-java, libkxml2-java, libstax-java, libstax2-api-java, libwoodstox-java, libxom-java, libxpp3-java, maven-ant-helper, maven-repo-helper Standards-Version: 3.9.5 Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/libxstream-java Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/libxstream-java Homepage: http://xstream.codehaus.org Package: libxstream-java Architecture: all Depends: libxpp3-java, ${misc:Depends} Suggests: libcglib-java, libdom4j-java, libjdom1-java, libjdom2-java, libjettison-java, libjoda-time-java, libkxml2-java, libstax-java, libstax2-api-java, libwoodstox-java, libxom-java Description: Java library to serialize objects to XML and back again The features of the XStream library are: . - Ease of use. A high level facade is supplied that simplifies common use cases. - No mappings required. Most objects can be serialized without need for specifying mappings. - Performance. Speed and low memory footprint are a crucial part of the design, making it suitable for large object graphs or systems with high message throughput. - Clean XML. No information is duplicated that can be obtained via reflection. This results in XML that is easier to read for humans and more compact than native Java serialization. - Requires no modifications to objects. Serializes internal fields, including private and final. Supports non-public and inner classes. Classes are not required to have default constructor. - Full object graph support. Duplicate references encountered in the object-model will be maintained. 
Supports circular references. - Integrates with other XML APIs. By implementing an interface, XStream can serialize directly to/from any tree structure (not just XML). - Customizable conversion strategies. Strategies can be registered allowing customization of how particular types are represented as XML. - Error messages. When an exception occurs due to malformed XML, detailed diagnostics are provided to help isolate and fix the problem. - Alternative output format. The modular design allows other output formats. XStream ships currently with JSON support and morphing. debian/build.xml0000664000000000000000000000250712207062634011017 0ustar