diff --git a/backport-0001-CVE-2024-47072.patch b/backport-0001-CVE-2024-47072.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b1c31397d11cf7fe0f1a38d72e1e8ce55bfc93d4
--- /dev/null
+++ b/backport-0001-CVE-2024-47072.patch
@@ -0,0 +1,105 @@
+From fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a Mon Sep 17 00:00:00 2001
+From: joehni
+Date: Wed, 18 Sep 2024 20:19:13 +0200
+Subject: [PATCH] Detect input manipulation in
+ c.t.x.io.binary.BinaryStreamReader.
+
+Origin:
+https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a
+---
+ .../xstream/io/binary/BinaryStreamReader.java | 18 ++++++++++++------
+ .../xstream/io/binary/BinaryStreamTest.java | 17 ++++++++++++++++-
+ 2 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+index 2839651..cd870cd 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2006 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2011, 2013 XStream Committers.
++ * Copyright (C) 2006, 2007, 2011, 2013, 2024 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.StreamException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+
+ import java.io.DataInputStream;
+ import java.io.IOException;
+@@ -150,15 +151,20 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
+ private Token readToken() {
+ if (pushback == null) {
+ try {
+- Token token = tokenFormatter.read(in);
+- switch (token.getType()) {
++ boolean mapping = false;
++ do {
++ final Token token = tokenFormatter.read(in);
++ switch (token.getType()) {
+ case Token.TYPE_MAP_ID_TO_VALUE:
+ idRegistry.put(token.getId(), token.getValue());
+- return readToken(); // Next one please.
++ mapping ^= true;
++ continue; // Next one please.
+ default:
+ return token;
+- }
+- } catch (IOException e) {
++ }
++ } while (mapping);
++ throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
++ } catch (final IOException e) {
+ throw new StreamException(e);
+ }
+ } else {
+diff --git a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+index a01065a..d93954f 100644
+--- a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
++++ b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+@@ -1,6 +1,6 @@
+ /*
+ * Copyright (C) 2006 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2021 XStream Committers.
++ * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2021, 2024 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+@@ -17,10 +17,12 @@ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+ import com.thoughtworks.xstream.io.copy.HierarchicalStreamCopier;
+ import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest;
+ import com.thoughtworks.xstream.io.xml.MXParserDriver;
++import com.thoughtworks.xstream.security.InputManipulationException;
+
+ import java.io.ByteArrayOutputStream;
+ import java.io.StringReader;
+ import java.io.ByteArrayInputStream;
++import java.io.InputStream;
+
+ public class BinaryStreamTest extends AbstractXMLReaderTest {
+
+@@ -89,4 +91,17 @@ public class BinaryStreamTest extends AbstractXMLReaderTest {
+ }
+ }
+
++ public void testHandleMaliciousInputsOfIdMappingTokens() {
++ // Insert two successive id mapping tokens into the stream
++ final byte[] byteArray = new byte[8];
++ byteArray[0] = byteArray[4] = 10;
++ byteArray[1] = byteArray[5] = -127;
++
++ final InputStream in = new ByteArrayInputStream(byteArray);
++ try {
++ new BinaryStreamReader(in);
++ fail("Thrown " + InputManipulationException.class.getName() + " expected");
++ } catch (final InputManipulationException e) {
++ }
++ }
+ }
+--
+2.47.0
+
diff --git a/backport-0002-CVE-2024-47072.patch b/backport-0002-CVE-2024-47072.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f52163b0b7884f69785e1e6cfdc37a8c30405429
--- /dev/null
+++ b/backport-0002-CVE-2024-47072.patch
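Review bot: The backported `readToken` hunk adds `import com.thoughtworks.xstream.security.InputManipulationException;` but nothing in this patch file defines that class, so the backport only compiles against a target tree that already ships it; confirm that before queuing it, since the point of a backport is to apply the fix to a release older than the one upstream fixed. The added test expects the exception from `new BinaryStreamReader(in)` itself, which presumes the constructor reads the first token eagerly in the target version; if that differs from upstream the test would reach `fail(...)` instead of proving the fix, so run it on the backport target rather than trusting upstream's result. Minor: the empty `catch (final InputManipulationException e) { }` could carry `// expected` so the swallowed exception reads as intentional.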
@@ -0,0 +1,174 @@
+From bb838ce2269cac47433e31c77b2b236466e9f266 Mon Sep 17 00:00:00 2001
+From: joehni
+Date: Fri, 18 Oct 2024 11:33:48 +0200
+Subject: [PATCH] Document CVE-2024-47072 and add test case.
+
+Origin:
+https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266
+---
+ .../src/content/CVE-2024-47072.html | 68 +++++++++++++++++++
+ .../src/content/security.html | 11 ++-
+ xstream-distribution/src/content/website.xml | 3 +-
+ .../acceptance/SecurityVulnerabilityTest.java | 19 ++++++
+ 4 files changed, 99 insertions(+), 2 deletions(-)
+ create mode 100644 xstream-distribution/src/content/CVE-2024-47072.html
+
+diff --git a/xstream-distribution/src/content/CVE-2024-47072.html b/xstream-distribution/src/content/CVE-2024-47072.html
+new file mode 100644
+index 000000000..9e021709b
+--- /dev/null
++++ b/xstream-distribution/src/content/CVE-2024-47072.html
+@@ -0,0 +1,68 @@
++
++
++
++ CVE-2024-47072
++
++
++
++

Vulnerability

++ ++

CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated ++ binary input stream.

++ ++

Affected Versions

++ ++

All versions until and including version 1.4.20 are affected, if using XStream's BinaryStreamDriver.

++ ++

Description

++ ++

XStream provides a BinaryStreamDriver with an own optimized serialization format. The format uses ids for ++ string values as deduplication. The mapping for these ids are created on-the-fly at marshalling time. At ++ unmarshalling time the reader's implementation simply used a simple one-time recursion after reading a mapping ++ token to process the next normal token of the data stream. However, an endless recursion could be triggered with ++ manipulated input data resulting in a stack overflow causing a denial of service.

++ ++

Steps to Reproduce

++ ++

Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:

++
final byte[] byteArray = new byte[36000];
++for (int i = 0; i < byteArray.length / 4; i++) {
++      byteArray[i * 4] = 10;
++      byteArray[i * 4 + 1] = -127;
++      byteArray[i * 4 + 2] = 0;
++      byteArray[i * 4 + 3] = 0;
++}
++
++XStream xstream = new XStream(new BinaryStreamDriver());
++xstream.fromXML(new ByteArrayInputStream(byteArray));
++
++ ++

As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with ++ a stack overflow error.

++ ++

Impact

++ ++

The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting ++ in a denial of service only by manipulating the processed input stream if the instance is setup with a ++ BinaryStreamDriver.

++ ++

Workarounds

++ ++

A simple solution is to catch the StackOverflowError in the client code calling XStream. There's no other known ++ workaround when using the BinaryStreamDriver.

++ ++

Credits

++ ++

Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.

++ ++ ++ +diff --git a/xstream-distribution/src/content/security.html b/xstream-distribution/src/content/security.html +index f121ec273..1a68de0a8 100644 +--- a/xstream-distribution/src/content/security.html ++++ b/xstream-distribution/src/content/security.html +@@ -1,6 +1,6 @@ + +