diff -Nru libxstream-java-1.4.7/debian/changelog libxstream-java-1.4.7/debian/changelog
--- libxstream-java-1.4.7/debian/changelog 2014-03-12 09:16:28.000000000 -0400
+++ libxstream-java-1.4.7/debian/changelog 2018-07-11 08:07:49.000000000 -0400
@@ -1,3 +1,11 @@
+libxstream-java (1.4.7-1ubuntu0.1) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: handle void type class (LP: #1780844)
+ - d/p/CVE-2017-7957.patch: Prevent deserialization of void.
+ - CVE-2017-7957
+
+ -- Dan Streetman Mon, 09 Jul 2018 15:29:05 -0400
+
 libxstream-java (1.4.7-1) unstable; urgency=low
 * New upstream release
diff -Nru libxstream-java-1.4.7/debian/patches/CVE-2017-7957.patch libxstream-java-1.4.7/debian/patches/CVE-2017-7957.patch
--- libxstream-java-1.4.7/debian/patches/CVE-2017-7957.patch 1969-12-31 19:00:00.000000000 -0500
+++ libxstream-java-1.4.7/debian/patches/CVE-2017-7957.patch 2018-07-09 16:07:54.000000000 -0400
@@ -0,0 +1,139 @@
+Origin: backport, https://github.com/x-stream/xstream/commit/b3570be
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1780844
+Author: joehni
+Date: Mon, 3 Apr 2017 14:40:04 +0200
+Subject: [PATCH] Prevent deserialization of void.
+
+---
+ .../SunLimitedUnsafeReflectionProvider.java | 22 ++++++++++-------
+ .../security/PrimitiveTypePermission.java | 8 ++++---
+ .../acceptance/SecurityVulnerabilityTest.java | 24 ++++++++++++++++++-
+ 3 files changed, 41 insertions(+), 13 deletions(-)
+
+--- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
++++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/SunLimitedUnsafeReflectionProvider.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2004, 2005 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014 XStream Committers.
++ * Copyright (C) 2006, 2007, 2008, 2011, 2013, 2014, 2016, 2017 XStream Committers.
+ * All rights reserved.
+ *
+ * Created on 08. January 2014 by Joerg Schaible, factored out from SunUnsafeReflectionProvider
+@@ -9,6 +9,8 @@
+
+ import java.lang.reflect.Field;
+
++import com.thoughtworks.xstream.converters.ConversionException;
++
+ import sun.misc.Unsafe;
+
+
+@@ -72,14 +74,18 @@
+ if (exception != null) {
+ throw new ObjectAccessException("Cannot construct " + type.getName(), exception);
+ }
+- try {
+- return unsafe.allocateInstance(type);
+- } catch (SecurityException e) {
+- throw new ObjectAccessException("Cannot construct " + type.getName(), e);
+- } catch (InstantiationException e) {
+- throw new ObjectAccessException("Cannot construct " + type.getName(), e);
+- } catch (IllegalArgumentException e) {
+- throw new ObjectAccessException("Cannot construct " + type.getName(), e);
++ if (type == void.class || type == Void.class) {
++ throw new ConversionException("Type void cannot have an instance");
++ } else {
++ try {
++ return unsafe.allocateInstance(type);
++ } catch (SecurityException e) {
++ throw new ObjectAccessException("Cannot construct " + type.getName(), e);
++ } catch (InstantiationException e) {
++ throw new ObjectAccessException("Cannot construct " + type.getName(), e);
++ } catch (IllegalArgumentException e) {
++ throw new ObjectAccessException("Cannot construct " + type.getName(), e);
++ }
+ }
+ }
+
+--- a/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
++++ b/xstream/src/java/com/thoughtworks/xstream/security/PrimitiveTypePermission.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2014 XStream Committers.
++ * Copyright (C) 2014, 2017 XStream Committers.
+ * All rights reserved.
+ *
+ * Created on 09. January 2014 by Joerg Schaible
+@@ -8,8 +8,9 @@
+
+ import com.thoughtworks.xstream.core.util.Primitives;
+
++
+ /**
+- * Permission for any primitive type and its boxed counterpart (incl. void).
++ * Permission for any primitive type and its boxed counterpart (excl. void).
+ *
+ * @author Jörg Schaible
+ * @since 1.4.7
+@@ -21,7 +22,8 @@
+ public static final TypePermission PRIMITIVES = new PrimitiveTypePermission();
+
+ public boolean allows(Class type) {
+- return type != null && type.isPrimitive() || Primitives.isBoxed(type);
++ return type != null && type != void.class && type != Void.class && type.isPrimitive()
++ || Primitives.isBoxed(type);
+ }
+
+ public int hashCode() {
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2014 XStream Committers.
++ * Copyright (C) 2013, 2014, 2017 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -13,9 +13,12 @@
+ import java.beans.EventHandler;
+
+ import com.thoughtworks.xstream.XStreamException;
++import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
++import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
+
++
+ /**
+ * @author Jörg Schaible
+ */
+@@ -80,4 +83,23 @@
+ BUFFER.append("Executed!");
+ }
+ }
++
++ public void testDeniedInstanceOfVoid() {
++ try {
++ xstream.fromXML("");
++ fail("Thrown " + ForbiddenClassException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
++ }
++ }
++
++ public void testAllowedInstanceOfVoid() {
++ xstream.allowTypes(void.class, Void.class);
++ try {
++ xstream.fromXML("");
++ fail("Thrown " + ConversionException.class.getName() + " expected");
++ } catch (final ConversionException e) {
++ assertEquals("void", e.get("construction-type"));
++ }
++ }
+ }
diff -Nru libxstream-java-1.4.7/debian/patches/series libxstream-java-1.4.7/debian/patches/series
--- libxstream-java-1.4.7/debian/patches/series 2013-08-27 04:38:52.000000000 -0400
+++ libxstream-java-1.4.7/debian/patches/series 2018-07-09 15:28:51.000000000 -0400
@@ -0,0 +1 @@
+CVE-2017-7957.patch
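Review bot: In the `PrimitiveTypePermission.allows` hunk the new `void.class`/`Void.class` exclusions sit only on the `&&` chain, so they are bypassed by the trailing `|| Primitives.isBoxed(type)`; if `Primitives` pairs `void` with `Void` as its name suggests (not visible in this patch), `allows(Void.class)` still returns true, the updated Javadoc "(excl. void)" is not what the code enforces, and the new check in `SunLimitedUnsafeReflectionProvider.newInstance` is the only barrier left. Parenthesizing states the intent explicitly and also stops `Primitives.isBoxed(null)` being reached when `type` is null: `return type != null && type != void.class && type != Void.class && (type.isPrimitive() || Primitives.isBoxed(type));`. Separately, `testAllowedInstanceOfVoid` asserts `e.get("construction-type")`, but nothing in this patch attaches that key to the `ConversionException` thrown by `newInstance`, so the backported test presumably relies on the 1.4.7 converter stack adding it — worth confirming the test passes against this tree rather than only upstream. Only the Unsafe-based provider is patched; whether 1.4.7's other `ReflectionProvider` implementations refuse `Void` is not addressed here.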