From dfc39d7204a48796e573296fde3031e8e50f73ad Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Tue, 12 Jan 2021 14:49:37 +0800
Subject: [PATCH] Fix CVE-2020-26258 CVE-2020-26259
---
CVE-2020-26258.patch | 25 ++++++
CVE-2020-26259.patch | 199 +++++++++++++++++++++++++++++++++++++++++++
xstream.spec | 11 ++-
3 files changed, 234 insertions(+), 1 deletion(-)
create mode 100644 CVE-2020-26258.patch
create mode 100644 CVE-2020-26259.patch
diff --git a/CVE-2020-26258.patch b/CVE-2020-26258.patch
new file mode 100644
index 0000000..9769c33
--- /dev/null
+++ b/CVE-2020-26258.patch
@@ -0,0 +1,25 @@
+From f391169515d77446e94da4836eb65adfbc8acfa2 Mon Sep 17 00:00:00 2001
+Date: Mon, 11 Jan 2021 17:32:52 +0800
+Subject: [PATCH] Fix and document CVE-2020-26258.
+
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 692243e..8a4b104 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -698,7 +698,11 @@ public class XStream {
+ }
+
+ addPermission(AnyTypePermission.ANY);
+- denyTypes(new String[]{"java.beans.EventHandler", "javax.imageio.ImageIO$ContainsFilter"});
++ denyTypes(new String[]{
++ "java.beans.EventHandler", //
++ "java.lang.ProcessBuilder", //
++ "javax.imageio.ImageIO$ContainsFilter", //
++ "jdk.nashorn.internal.objects.NativeString"});
+ denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
+ allowTypeHierarchy(Exception.class);
+ securityInitialized = false;
+--
+2.23.0
+
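Review bot: The two entries added to the `denyTypes` array extend a denylist that only has effect because `addPermission(AnyTypePermission.ANY)` on the preceding context line grants everything first, so the fix covers exactly the classes it names and nothing else; the `allowTypeHierarchy(Exception.class)` call in the same context shows the framework also supports allow-list configuration, which is the more robust posture for deployments that can enumerate the types they deserialize. The nested patch file has a `From <hash>` line and a subject but no `From:` author line and no body, so whether `f391169515d77446e94da4836eb65adfbc8acfa2` is the upstream commit or a local one cannot be told from here; a one-line body such as `Backport of upstream commit <UPSTREAM_COMMIT_ID> for CVE-2020-26258.` would record the provenance. The subject says "Fix and document", yet only the `XStream.java` hunk is included, so the documentation part of the upstream change is presumably dropped in this backport.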
diff --git a/CVE-2020-26259.patch b/CVE-2020-26259.patch
new file mode 100644
index 0000000..6a783eb
--- /dev/null
+++ b/CVE-2020-26259.patch
@@ -0,0 +1,199 @@
+From aacd07da7e2be020ef2924153838c7b0a05b596f Mon Sep 17 00:00:00 2001
+Date: Mon, 11 Jan 2021 18:00:38 +0800
+Subject: [PATCH] fix CVE-2020-26259
+
+
+diff --git a/pom.xml b/pom.xml
+index e6fc1a1..15ff064 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -546,6 +546,11 @@
+ jaxb-api
+ ${version.javax.xml.bind.api}
+
++
++ com.sun.xml.ws
++ jaxws-rt
++ ${version.javax.xml.ws.jaxws.rt}
++
+
+
+ org.hibernate
+@@ -905,6 +910,7 @@
+ 1.1.1
+ 1.3.2
+ 2.3.1
++ 2.2
+ 1.0.1
+ 1.6
+ 3.8.1
+diff --git a/xstream/pom.xml b/xstream/pom.xml
+index 525425a..6543ff7 100644
+--- a/xstream/pom.xml
++++ b/xstream/pom.xml
+@@ -144,6 +144,54 @@
+ commons-lang
+ test
+
++
++
++ com.sun.xml.ws
++ jaxws-rt
++ test
++
++
++ javax.xml.ws
++ jaxws-api
++
++
++ com.sun.istack
++ istack-commons-runtime
++
++
++ com.sun.xml.bind
++ jaxb-impl
++
++
++ com.sun.xml.messaging.saaj
++ saaj-impl
++
++
++ com.sun.xml.stream.buffer
++ streambuffer
++
++
++ com.sun.xml.ws
++ policy
++
++
++ com.sun.org.apache.xml.internal
++ resolver
++
++
++ org.glassfish.gmbal
++ gmbal-api-only
++
++
++ org.jvnet
++ mimepull
++
++
++ org.jvnet.staxex
++ stax-ex
++
++
++
+
+
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+index 8a4b104..57cf804 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
++++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
+@@ -356,6 +356,7 @@ public class XStream {
+ private static final Pattern IGNORE_ALL = Pattern.compile(".*");
+ private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
+ private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
++ private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
+
+ /**
+ * Constructs a default XStream.
+@@ -702,8 +703,8 @@ public class XStream {
+ "java.beans.EventHandler", //
+ "java.lang.ProcessBuilder", //
+ "javax.imageio.ImageIO$ContainsFilter", //
+- "jdk.nashorn.internal.objects.NativeString"});
+- denyTypesByRegExp(new Pattern[] {LAZY_ITERATORS, JAVAX_CRYPTO});
++ "jdk.nashorn.internal.objects.NativeString" });
++ denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
+ allowTypeHierarchy(Exception.class);
+ securityInitialized = false;
+ }
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index 309c146..7604aa5 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -11,6 +11,11 @@
+ package com.thoughtworks.acceptance;
+
+ import java.beans.EventHandler;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
+ import java.util.Iterator;
+
+ import com.thoughtworks.xstream.XStream;
+@@ -214,4 +219,68 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest {
+ // OK
+ }
+ }
++
++ public void testCannotUseJaxwsInputStreamToDeleteFile() {
++ if (JVM.isVersion(5)) {
++ final String xml = ""
++ + "\n"
++ + " target/junit/test.txt\n"
++ + "";
++
++ xstream.aliasType("is", InputStream.class);
++ try {
++ xstream.fromXML(xml);
++ fail("Thrown " + ConversionException.class.getName() + " expected");
++ } catch (final ForbiddenClassException e) {
++ // OK
++ }
++ }
++ }
++
++ public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException {
++ if (JVM.isVersion(5)) {
++ final File testDir = new File("target/junit");
++ final File testFile = new File(testDir, "test.txt");
++ try {
++ testDir.mkdirs();
++
++ final OutputStream out = new FileOutputStream(testFile);
++ out.write("JUnit".getBytes());
++ out.flush();
++ out.close();
++
++ assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists());
++
++ final String xml = ""
++ + "\n"
++ + " target/junit/test.txt\n"
++ + "";
++
++ xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
++ xstream.aliasType("is", InputStream.class);
++
++ InputStream is = null;
++ try {
++ is = (InputStream)xstream.fromXML(xml);
++ } catch (final ForbiddenClassException e) {
++ // OK
++ }
++
++ assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists());
++
++ byte[] data = new byte[10];
++ is.read(data);
++ is.close();
++
++ assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists());
++ } finally {
++ if (testFile.exists()) {
++ testFile.delete();
++ }
++ if (testDir.exists()) {
++ testDir.delete();
++ }
++ }
++ }
++ }
+ }
+--
+2.23.0
+
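Review bot: The nested `pom.xml` and `xstream/pom.xml` hunks add a test-scoped dependency on `com.sun.xml.ws:jaxws-rt` plus a `2.2` version property, but the `xstream.spec` hunk that registers `Patch2`/`Patch3` adds no matching `BuildRequires: mvn(com.sun.xml.ws:jaxws-rt)`; unless the spec disables tests or strips that dependency in a part not shown here, the Maven build under rpmbuild is likely to fail to resolve it. In `testExplicitlyUseJaxwsInputStreamToDeleteFile`, `is` stays `null` when the `catch (final ForbiddenClassException e)` branch is taken, so `is.read(data)` would fail with a NullPointerException instead of a clear assertion, and `is.close()` is not in a `finally`. The `denyTypesByRegExp` change with `JAXWS_FILE_STREAM` is the actual mitigation; the test payload strings and the pom entries appear to have lost their element markup in this rendering, so their exact content cannot be verified from the page.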
diff --git a/xstream.spec b/xstream.spec
index 808ad43..0370c00 100644
--- a/xstream.spec
+++ b/xstream.spec
@@ -1,7 +1,7 @@
%bcond_with jp_minimal
Name: xstream
Version: 1.4.11.1
-Release: 2
+Release: 3
Summary: Java XML serialization library
License: BSD
URL: http://x-stream.github.io/
@@ -9,6 +9,9 @@ BuildArch: noarch
Source0: http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
Patch0: New-predefined-blacklist-avoids-vulnerability.patch
Patch1: CVE-2020-26217-CVE-2017-9805.patch
+Patch2: CVE-2020-26258.patch
+Patch3: CVE-2020-26259.patch
+
BuildRequires: maven-local mvn(cglib:cglib) mvn(dom4j:dom4j) mvn(javax.xml.bind:jaxb-api)
BuildRequires: mvn(joda-time:joda-time) mvn(net.sf.kxml:kxml2-min)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
@@ -71,6 +74,9 @@ Parent POM for xstream.
%setup -qn xstream-%{version}
%patch0 -p1
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
find . -name "*.class" -print -delete
find . -name "*.jar" -print -delete
%pom_disable_module xstream-distribution
@@ -128,6 +134,9 @@ rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/
%license LICENSE.txt
%changelog
+* Mon Jan 11 2021 wangyue-1.4.11.1-3
+- Fix CVE-2020-26258 CVE-2020-26259
+
* Sat Dec 12 2020 huanghaitao - 1.4.11.1-2
- Fix CVE-2020-26217 CVE-2017-9805
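Review bot: The new changelog header `* Mon Jan 11 2021 wangyue-1.4.11.1-3` omits the ` - ` separator between packager and version-release that the previous entry (`huanghaitao - 1.4.11.1-2`) uses, so the packager name and release are fused into one token. For consistency with the existing entries it should read `* Mon Jan 11 2021 wangyue - 1.4.11.1-3`.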
--