| Summary: | jackson-databind new security issue CVE-2017-7525 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | geiger.david68210, lewyssmith, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK advisory | | |
| Source RPM: | jackson-databind-2.7.6-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2017-08-01 03:16:41 CEST

David Walser
2017-08-01 03:16:55 CEST
CC: (none) => geiger.david68210

David Walser
2017-08-01 03:17:26 CEST
QA Contact: (none) => security

David Walser
2017-08-01 03:17:34 CEST
Severity: normal => critical

Fixed for Cauldron and also mga6! But for mga5 I don't know how to fix this as the code has pretty changed.

Hi David. I finally got a chance to look at the code, and it doesn't actually look like it changed that much. It looks like it should be fairly easy to integrate this patch into it. It's actually two patches. The second hunk goes at the very end of the class definition in each patch. The first hunk of the first patch goes in the method:

```java
public JsonDeserializer<Object> createBeanDeserializer(DeserializationContext ctxt, JavaType type, BeanDescription beanDesc) throws JsonMappingException
```

and the first hunk of the second patch goes right in the beginning of the class definition. Whether it builds or if some adjustments would be necessary, I'm not sure.

For future reference, the mga6 update consists of:
jackson-databind-2.7.6-1.1.mga6
jackson-databind-javadoc-2.7.6-1.1.mga6

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

pushed in updates_testing for mageia6

src.rpm:
jackson-databind-2.4.3-4.1.mga5

Assignee: mageia => qa-bugs

Advisory:
========================

Updated jackson-databind packages fix security vulnerability:

A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper (CVE-2017-7525).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CZTM7JEB4G74ZPXYZSQCSH3SC64D2MJF/
========================

Updated packages in core/updates_testing:
========================
jackson-databind-2.4.3-4.1.mga5
jackson-databind-2.7.6-1.1.mga6
jackson-databind-javadoc-2.7.6-1.1.mga6

from SRPMS:
jackson-databind-2.4.3-4.1.mga5.src.rpm
jackson-databind-2.7.6-1.1.mga6.src.rpm

mga6 x86_64

All the packages which use this package seem to be connected mainly with build systems of interest to Java developers, although there is mention of docker-client. There appears to be no way to exercise this at a beginner's level, and as there is no reproducer available we shall have to be content with a clean install.

Before the update, installation of jackson-databind pulled in jackson-annotations and jackson-core. The update installed cleanly:

```
$ rpm -qa | grep jackson
jackson-databind-2.7.6-1.1.mga6
jackson-annotations-2.7.6-1.mga6
jackson-core-2.7.6-1.mga6
```

Fine for 64-bits.

CC: (none) => tarazed25
Len Lawrence
2017-08-11 12:08:02 CEST
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

mga6 i586 in virtualbox

Installed jackson-databind, then updated to jackson-databind-2.7.6-1.1.mga6.noarch. Good, as far as it goes.
Len Lawrence
2017-08-11 12:49:04 CEST
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK

mga5 x86_64

Upgraded jackson-databind.

```
$ rpm -qa | grep jackson
jackson-annotations-2.4.3-4.mga5
jackson-databind-javadoc-2.4.3-4.mga5
jackson-core-2.4.2-4.mga5
jackson-databind-2.4.3-4.1.mga5
```

For the record, the javadoc update was also installed on the mga6 machine.
Len Lawrence
2017-08-11 13:02:59 CEST
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK

jackson-databind-2.4.3-4.1.mga5 installed cleanly on a virtualbox running mga5. Other components already installed.
Len Lawrence
2017-08-11 13:25:28 CEST
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK
Len Lawrence
2017-08-11 16:00:19 CEST
CC: (none) => sysadmin-bugs
Lewis Smith
2017-08-11 22:07:21 CEST
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK advisory

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0255.html

Status: NEW => RESOLVED