diff --git a/0001-fix-CVE-2024-47072.patch b/0001-fix-CVE-2024-47072.patch new file mode 100644 index 0000000000000000000000000000000000000000..80375e224b96d7d1bcdc601f6de8393465e4b0db --- /dev/null +++ b/0001-fix-CVE-2024-47072.patch @@ -0,0 +1,175 @@ +From bb838ce2269cac47433e31c77b2b236466e9f266 Mon Sep 17 00:00:00 2001 +From: joehni +Date: Thu, 24 Oct 2024 13:45:02 +0800 +Subject: [PATCH] fix CVE-2024-47072 + +--- + .../src/content/CVE-2024-47072.html | 69 +++++++++++++++++++ + .../src/content/security.html | 11 ++- + xstream-distribution/src/content/website.xml | 5 +- + .../acceptance/SecurityVulnerabilityTest.java | 18 +++++ + 4 files changed, 100 insertions(+), 3 deletions(-) + create mode 100644 xstream-distribution/src/content/CVE-2024-47072.html + +diff --git a/xstream-distribution/src/content/CVE-2024-47072.html b/xstream-distribution/src/content/CVE-2024-47072.html +new file mode 100644 +index 0000000..40ec841 +--- /dev/null ++++ b/xstream-distribution/src/content/CVE-2024-47072.html +@@ -0,0 +1,69 @@ ++ ++ ++ ++ CVE-2024-47072 ++ ++ ++ ++

Vulnerability

++ ++

CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated ++ binary input stream.

++ ++

Affected Versions

++ ++

All versions until and including version 1.4.20 are affected, if using XStream's BinaryStreamDriver.

++ ++

Description

++ ++

XStream provides a BinaryStreamDriver with an own optimized serialization format. The format uses ids for ++ string values as deduplication. The mapping for these ids are created on-the-fly at marshalling time. At ++ unmarshalling time the reader's implementation simply used a simple one-time recursion after reading a mapping ++ token to process the next normal token of the data stream. However, an endless recursion could be triggered with ++ manipulated input data resulting in a stack overflow causing a denial of service.

++ ++

Steps to Reproduce

++ ++

Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:

++
final byte[] byteArray = new byte[36000];
++for (int i = 0; i < byteArray.length / 4; i++) {
++      byteArray[i * 4] = 10;
++      byteArray[i * 4 + 1] = -127;
++      byteArray[i * 4 + 2] = 0;
++      byteArray[i * 4 + 3] = 0;
++}
++
++XStream xstream = new XStream(new BinaryStreamDriver());
++xstream.fromXML(new ByteArrayInputStream(byteArray));
++
++ ++

As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with ++ a stack overflow error.

++ ++

Impact

++ ++

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting ++ in a denial of service only by manipulating the processed input stream if the instance is setup with a ++ BinaryStreamDriver.

++ ++

Workarounds

++ ++

A simple solution is to catch the StackOverflowError in the client code calling XStream. There's no other known ++ workaround when using the BinaryStreamDriver.

++ ++

Credits

++ ++

Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.

++ ++ ++ ++ +diff --git a/xstream-distribution/src/content/security.html b/xstream-distribution/src/content/security.html +index f121ec2..1a68de0 100644 +--- a/xstream-distribution/src/content/security.html ++++ b/xstream-distribution/src/content/security.html +@@ -1,6 +1,6 @@ + +