Fedora has issued advisories today (April 19):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NINYW4L2T4MRN4RGENSWNBLOTKM7WD3T/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6RVKE5WBTS4ZUKOMHNUPCSO4KNISQATH/

The RedHat bug for the issue is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1441538

Mageia 5 is also affected (xstream package only).
Whiteboard: (none) => MGA5TOO
CC: (none) => geiger.david68210
pushed in updates_testing src.rpm: xstream-1.4.9-1.1.mga5
Version: Cauldron => 5
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
Thanks Nicolas. Note that jenkins-xstream still needs to be fixed or dropped in Cauldron.

Advisory:
========================

Updated xstream packages fix security vulnerabilities:

A vulnerability was found in XStream. Parsing a maliciously crafted file could cause the application to crash. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. The crash occurs if this information advises XStream to create an instance of the primitive type 'void'. This situation can only happen if an attacker was able to manipulate the incoming data, since such an instance does not exist (rhbz#1441538).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NINYW4L2T4MRN4RGENSWNBLOTKM7WD3T/
========================

Updated packages in core/updates_testing:
========================

xstream-1.4.9-1.1.mga5
xstream-javadoc-1.4.9-1.1.mga5
xstream-hibernate-1.4.9-1.1.mga5
xstream-benchmark-1.4.9-1.1.mga5
xstream-parent-1.4.9-1.1.mga5

from xstream-1.4.9-1.1.mga5.src.rpm
CC: (none) => mageia
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
Trying to implement a simple PoC for this. Bear with me.
CC: (none) => tarazed25
x86_64 real hardware

Implemented the suggestion at http://seclists.org/oss-sec/2017/q2/9 to develop a simple PoC for the bug. Frank Griffin did most of the work by patiently guiding me through the Java framework, a long story with a very short denouement.

The attached java snippet can be run to trigger a stackdump on the exploit (not sure if that is the expected outcome) and after the update the exploit is trapped and the jre provides the details:

Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance
---- Debugging information ----
message             : Type void cannot have an instance
construction-type   : void
class               : void
required-type       : void
converter-type      : com.thoughtworks.xstream.converters.reflection.ReflectionConverter
......................

Not taking this any further than that. OK for 64-bits.
Created attachment 9230 [details]
Minimal java class file to test the bug

<tcsh>
$ setenv CLASSPATH .:/usr/share/java/xstream/xstream.jar

<bash>
$ export CLASSPATH=".:/usr/share/java/xstream/xstream.jar"
$ javac JenkinsTest.java
$ export CLASSPATH=".:/usr/share/java/xstream/xstream.jar:/usr/share/java/xpp3.jar:/usr/share/java/xpp3-path.jar"
$ java JenkinsTest
According to the latest Jenkins advisory from upstream:
https://jenkins.io/security/advisory/2017-04-26/

This is CVE-2017-1000355. Please update the advisory in SVN.

Advisory:
========================

Updated xstream packages fix security vulnerabilities:

A vulnerability was found in XStream. Parsing a maliciously crafted file could cause the application to crash. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. The crash occurs if this information advises XStream to create an instance of the primitive type 'void'. This situation can only happen if an attacker was able to manipulate the incoming data, since such an instance does not exist (CVE-2017-1000355).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000355
https://jenkins.io/security/advisory/2017-04-26/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NINYW4L2T4MRN4RGENSWNBLOTKM7WD3T/
Whiteboard: advisory => (none)
Summary: xstream, jenkins-xstream new security issue => xstream, jenkins-xstream new security issue (CVE-2017-1000355)
Ran the PoC CVE-2017-1000355 in i586 virtualbox and found the same results. OK for 32-bits. Assuming the other vulnerabilities are not to be included in this test then let's push this unless somebody knows how to use jenkins-xstream to serialize and unserialize data.
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
Comment on attachment 9230 [details]
Minimal java class file to test the bug

>// JenkinsTest.java for PoC testing of jenkins-xstream package
>// Based on jackson-data-xml test, example from seclists.org and
>// input from Frank Griffin and Martin Whitaker.
>/*
> Compile to JenkinsTest.class using:
> $ javac -cp ".:/usr/share/java/xstream/xstream.jar" JenkinsTest.java
>*/
>import com.thoughtworks.xstream.*;
>
>public class JenkinsTest {
>
>    public static void main( String args[ ] )
>        throws Exception
>    {
>        // Suggestion from http://seclists.org/oss-sec/2017/q2/9
>        // Create XStream object
>        XStream xstream = new XStream( );
>        // xstream.fromXML( "<void/>" );
>        xstream.fromXML( "<string class='void'>Hello, world!</string>" );
>        // System.out.println( "working\n" );
>    }
>}
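As an added illustration of the defensive side of the advisory text above (this is not code from the bug report, from the reporters, or from the XStream project), the following class configures XStream's type allowlist (the security framework available since 1.4.7: addPermission, NoTypePermission and allowTypes) so that type information carried in the stream can only select types the application listed. It reuses the input string from the attached JenkinsTest.java and, as an assumption about the security framework rather than something stated in this report, treats the unlisted type from the stream as refused by the allowlist before any instance is created; it also goes beyond the 'void' case to any other unlisted class attribute. Compile and run it with the same CLASSPATH as the attachment.

```java
// HardenedXStreamDemo.java: added example, not part of the bug report or of XStream.
// Counterpart of the attached PoC: an explicit type allowlist, so that the type
// information in an incoming stream cannot pick types the application never
// intended to instantiate (the 'void' case from this report, or any other
// unexpected class attribute).
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;

public class HardenedXStreamDemo {

    // Build an XStream instance that refuses every type except those listed.
    static XStream hardened() {
        XStream xstream = new XStream();
        // Drop the permissive default permission set ...
        xstream.addPermission(NoTypePermission.NONE);
        // ... then allow only what this application actually expects to read.
        xstream.allowTypes(new Class[] { String.class });
        return xstream;
    }

    // Returns the unmarshalled object, or null when XStream rejected the input.
    // ForbiddenClassException (allowlist refusal) and ConversionException both
    // extend XStreamException, so one catch covers either outcome.
    static Object tryParse(XStream xstream, String xml) {
        try {
            return xstream.fromXML(xml);
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getClass().getSimpleName()
                    + " for input " + xml);
            return null;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardened();
        // Legitimate input: a plain string, which is on the allowlist.
        System.out.println("accepted: "
                + tryParse(xstream, "<string>Hello, world!</string>"));
        // The input from the attached PoC: 'void' is not on the allowlist.
        // Assumption: the allowlist check refuses it before instantiation.
        tryParse(xstream, "<string class='void'>Hello, world!</string>");
        // The same check stops any other unlisted type named in the stream.
        tryParse(xstream, "<java.util.Date/>");
    }
}
```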
Thanks Len. Advisory committed to svn. Validating the update.
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0119.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED