Version in base suite: 1.4.15-3+deb11u1 Base version: libxstream-java_1.4.15-3+deb11u1 Target version: libxstream-java_1.4.15-3+deb11u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libxstream-java/libxstream-java_1.4.15-3+deb11u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libxstream-java/libxstream-java_1.4.15-3+deb11u2.dsc changelog | 20 +++++ patches/CVE-2022-41966.patch | 165 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 186 insertions(+)
diff -Nru libxstream-java-1.4.15/debian/changelog libxstream-java-1.4.15/debian/changelog
--- libxstream-java-1.4.15/debian/changelog 2021-10-02 11:30:58.000000000 +0000
+++ libxstream-java-1.4.15/debian/changelog 2023-01-11 13:00:44.000000000 +0000
@@ -1,3 +1,23 @@
+libxstream-java (1.4.15-3+deb11u2) bullseye-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2022-41966:
+ XStream serializes Java objects to XML and back again. Versions prior to
+ 1.4.15-3+deb11u2 may allow a remote attacker to terminate the application
+ with a stack overflow error, resulting in a denial of service only via
+ manipulation of the processed input stream. The attack uses the hash code
+ implementation for collections and maps to force recursive hash calculation
+ causing a stack overflow. This issue is patched in version 1.4.15-3+deb11u2
+ which handles the stack overflow and raises an InputManipulationException
+ instead. A potential workaround for users who only use HashMap or HashSet
+ and whose XML refers these only as default map or set, is to change the
+ default implementation of java.util.Map and java.util per the code example
+ in the referenced advisory. However, this implies that your application
+ does not care about the implementation of the map and all elements are
+ comparable. (Closes: #1027754)
+
+ -- Markus Koschany Wed, 11 Jan 2023 14:00:44 +0100
+
 libxstream-java (1.4.15-3+deb11u1) bullseye-security; urgency=high
 * Team upload.
diff -Nru libxstream-java-1.4.15/debian/patches/CVE-2022-41966.patch libxstream-java-1.4.15/debian/patches/CVE-2022-41966.patch
--- libxstream-java-1.4.15/debian/patches/CVE-2022-41966.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxstream-java-1.4.15/debian/patches/CVE-2022-41966.patch 2023-01-11 13:00:44.000000000 +0000
@@ -0,0 +1,165 @@
+From: Markus Koschany
+Date: Wed, 11 Jan 2023 13:57:58 +0100
+Subject: CVE-2022-41966
+
+Bug-Debian: https://bugs.debian.org/1027754
+Origin: https://github.com/x-stream/xstream/commit/e9151f221b4969fb15b1e946d5d61dcdd459a391
+---
+ .../src/java/com/thoughtworks/xstream/XStream.java | 8 +++--
+ .../security/AbstractSecurityException.java | 29 ++++++++++++++++++
+ .../security/InputManipulationException.java | 27 +++++++++++++++++
+ .../acceptance/SecurityVulnerabilityTest.java | 35 +++++++++++++++++++++-
+ 4 files changed, 96 insertions(+), 3 deletions(-)
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+ create mode 100644 xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 129be1c..24c51cf 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -162,6 +162,7 @@ import com.thoughtworks.xstream.security.RegExpTypePermission;
+ import com.thoughtworks.xstream.security.TypeHierarchyPermission;
+ import com.thoughtworks.xstream.security.TypePermission;
+ import com.thoughtworks.xstream.security.WildcardTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
+
+
+ /**
+@@ -1398,8 +1399,11 @@ public class XStream {
+ .println(
+ "Security framework of XStream not explicitly initialized, using predefined black list on your own risk.");
+ }
+- return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper);
+-
++ try {
++ return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper);
++ } catch (final StackOverflowError e) {
++ throw new InputManipulationException("Possible Denial of Service attack by Stack Overflow");
++ }
+ } catch (ConversionException e) {
+ Package pkg = getClass().getPackage();
+ String version = pkg != null ? pkg.getImplementationVersion() : null;
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+new file mode 100644
+index 0000000..777765a
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/AbstractSecurityException.java
+@@ -0,0 +1,29 @@
++/*
++ * Copyright (C) 2021, 2022 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++import com.thoughtworks.xstream.XStreamException;
++
++
++/**
++ * General base class for a Security Exception in XStream.
++ *
++ * @author Jörg Schaible
++ * @since 1.4.19
++ */
++public abstract class AbstractSecurityException extends XStreamException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since 1.4.19
++ */
++ public AbstractSecurityException(final String message) {
++ super(message);
++ }
++}
+diff --git a/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+new file mode 100644
+index 0000000..80f492c
+--- /dev/null
++++ b/xstream/src/java/com/thoughtworks/xstream/security/InputManipulationException.java
+@@ -0,0 +1,27 @@
++/*
++ * Copyright (C) 2021, 2022 XStream Committers.
++ * All rights reserved.
++ *
++ * Created on 21. September 2021 by Joerg Schaible
++ */
++package com.thoughtworks.xstream.security;
++
++
++/**
++ * Class for a Security Exception assuming input manipulation in XStream.
++ *
++ * @author Jörg Schaible
++ * @since 1.4.19
++ */
++public class InputManipulationException extends AbstractSecurityException {
++ private static final long serialVersionUID = 20210921L;
++
++ /**
++ * Constructs a SecurityException.
++ * @param message the exception message
++ * @since 1.4.19
++ */
++ public InputManipulationException(final String message) {
++ super(message);
++ }
++}
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index d387bcd..f21ea45 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021 XStream Committers.
++ * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021, 2022 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -25,6 +25,8 @@ import com.thoughtworks.xstream.converters.reflection.ReflectionConverter;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.ProxyTypePermission;
++import com.thoughtworks.xstream.security.InputManipulationException;
++
+
+
+ /**
+@@ -187,4 +189,35 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i);
+ }
+ }
++
++ public void testStackOverflowWithRecursiveHashSet() {
++ final String xml = ""
++ + "\n"
++ + " \n"
++ + " \n"
++ + " \n"
++ + " \n"
++ + " \n"
++ + " a\n"
++ + " \n"
++ + " \n"
++ + " b\n"
++ + " \n"
++ + " \n"
++ + " \n"
++ + " c\n"
++ + " \n"
++ + " \n"
++ + " \n"
++ + " \n"
++ + " \n"
++ + "";
++
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
++ }
++ }
+ }
diff -Nru libxstream-java-1.4.15/debian/patches/series libxstream-java-1.4.15/debian/patches/series
--- libxstream-java-1.4.15/debian/patches/series 2021-10-02 11:30:58.000000000 +0000
+++ libxstream-java-1.4.15/debian/patches/series 2023-01-11 13:00:44.000000000 +0000
@@ -3,3 +3,4 @@
 enable-security-whitelist-by-default.patch
 SecurityVulnerabilityTest.patch
 debian-specific-whitelist-extension.patch
+CVE-2022-41966.patch
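Review bot: The new catch in XStream.unmarshal (inner hunk `@@ -1398,8 +1399,11 @@`) intercepts a StackOverflowError and rethrows it as InputManipulationException, but nothing in the hunk says why an Error is being caught here or tells callers that this exception is now part of the method's contract; a why-comment on the catch such as `// Self-referencing collections/maps in the input force recursive hashCode() until the stack overflows (CVE-2022-41966); surface this as a catchable XStreamException instead of an Error.` would record the intent, and the method's Javadoc (outside the hunk) should gain `@throws InputManipulationException if the input appears crafted to exhaust the stack`. The caught error `e` is not attached as a cause, so only the fixed message survives for diagnostics; since AbstractSecurityException only offers a message constructor this presumably mirrors upstream, but a one-line note that the cause is dropped on purpose would keep a later maintainer from "fixing" it in a security backport. The new test checks only the message substring; additionally asserting that the thrown type is an XStreamException subclass would pin the property the changelog relies on, namely that existing callers catching XStreamException now handle this case too. The enclosing unmarshal method begins and ends outside the hunk.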