Version in base suite: 3.1.3-9 Base version: libxmlrpc3-java_3.1.3-9 Target version: libxmlrpc3-java_3.1.3-9+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/libx/libxmlrpc3-java/libxmlrpc3-java_3.1.3-9.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/libx/libxmlrpc3-java/libxmlrpc3-java_3.1.3-9+deb10u1.dsc changelog | 15 +++++++++++++ patches/CVE-2019-17570.patch | 48 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 64 insertions(+)
diff -Nru libxmlrpc3-java-3.1.3/debian/changelog libxmlrpc3-java-3.1.3/debian/changelog
--- libxmlrpc3-java-3.1.3/debian/changelog 2017-12-21 11:41:51.000000000 +0000
+++ libxmlrpc3-java-3.1.3/debian/changelog 2020-02-06 16:57:54.000000000 +0000
@@ -1,3 +1,18 @@
+libxmlrpc3-java (3.1.3-9+deb10u1) buster-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2019-17570:
+ An untrusted deserialization was found in the
+ org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache
+ XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a
+ XML-RPC client causing it to execute arbitrary code.
+
+ Clients that expect to get server-side exceptions need to set the
+ enabledForExceptions property to true in order to process serialized
+ exception messages. (Closes: #949089)
+
+ -- Markus Koschany Thu, 06 Feb 2020 17:57:54 +0100
+
 libxmlrpc3-java (3.1.3-9) unstable; urgency=medium
 * Team upload.
diff -Nru libxmlrpc3-java-3.1.3/debian/patches/CVE-2019-17570.patch libxmlrpc3-java-3.1.3/debian/patches/CVE-2019-17570.patch
--- libxmlrpc3-java-3.1.3/debian/patches/CVE-2019-17570.patch 1970-01-01 00:00:00.000000000 +0000
+++ libxmlrpc3-java-3.1.3/debian/patches/CVE-2019-17570.patch 2020-02-06 16:57:54.000000000 +0000
@@ -0,0 +1,48 @@
+From: Markus Koschany
+Date: Mon, 27 Jan 2020 19:40:57 +0100
+Subject: CVE-2019-17570
+
+Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1775193
+---
+ .../apache/xmlrpc/parser/XmlRpcResponseParser.java | 28 ++++++++++++----------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
+index 087572b..f1b2427 100644
+--- a/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
++++ b/common/src/main/java/org/apache/xmlrpc/parser/XmlRpcResponseParser.java
+@@ -69,19 +69,21 @@ public class XmlRpcResponseParser extends RecursiveTypeParserImpl {
+ getDocumentLocator());
+ }
+ errorMessage = (String) map.get("faultString");
+- Object exception = map.get("faultCause");
+- if (exception != null) {
+- try {
+- byte[] bytes = (byte[]) exception;
+- ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
+- ObjectInputStream ois = new ObjectInputStream(bais);
+- errorCause = (Throwable) ois.readObject();
+- ois.close();
+- bais.close();
+- } catch (Throwable t) {
+- // Ignore me
+- }
+- }
++ if (((XmlRpcStreamRequestConfig)cfg).isEnabledForExceptions()) {
++ Object exception = map.get("faultCause");
++ if (exception != null) {
++ try {
++ byte[] bytes = (byte[]) exception;
++ ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
++ ObjectInputStream ois = new ObjectInputStream(bais);
++ errorCause = (Throwable) ois.readObject();
++ ois.close();
++ bais.close();
++ } catch (Throwable t) {
++ // Ignore me
++ }
++ }
++ }
+ }
+ }
+
diff -Nru libxmlrpc3-java-3.1.3/debian/patches/series libxmlrpc3-java-3.1.3/debian/patches/series
--- libxmlrpc3-java-3.1.3/debian/patches/series 2017-12-21 11:41:51.000000000 +0000
+++ libxmlrpc3-java-3.1.3/debian/patches/series 2020-02-06 16:57:54.000000000 +0000
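Review bot: The `isEnabledForExceptions()` guard wrapped around the `faultCause` block only limits exposure to clients that opt in; once the property is true, server-controlled bytes still reach `ObjectInputStream.readObject()` with no class restriction, and the `(Throwable)` cast runs only after whatever types the stream names have already been instantiated. If the build's target Java level permits, set an `ObjectInputFilter` on `ois` before `readObject()` (via `ObjectInputStream.setObjectInputFilter`, Java 9+, or the `jdk.serialFilter` property on older update releases) that allows `Throwable` subclasses plus the few JDK value types a serialized exception carries, returns `REJECTED` for anything else, and caps depth and reference count. The new side's `catch (Throwable t) { // Ignore me }` would also swallow such a rejection, so a hostile fault response becomes indistinguishable from a harmless parse problem; logging `t` at warn level before dropping it gives operators a detection signal, and the `enabledForExceptions` documentation should state that enabling it amounts to trusting the server. The enclosing method starts and ends outside the nested hunk.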
@@ -1,3 +1,4 @@
 01-java8-compatibility.patch
 02-servlet-api-compatibility.patch
 jaxb-api.patch
+CVE-2019-17570.patch