java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351

DoneSubmitted by Léo Le Bouter.
Details
3 participants
  • Julien Lepiller
  • Leo Famulari
  • Léo Le Bouter
Owner
unassigned
Severity
normal
L
L
Léo Le Bouter wrote on 23 Mar 15:33 +0100
(address . bug-guix@gnu.org)
4b90a1518c9453ca529a5a6c4e12728cd0f2fbc7.camel@zaclys.net
Upstream has made a release: 1.4.16 - which fixes all the issues,following is an unfinished patchset that fixes the issues, java-mxparser package does not build and help from some more experiencedJava packagers is welcome to fix and push this patchset.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBZ/DYACgkQRaix6GvNEKajtw//bUSSuk7gRJEqw37hETabwiag6UIltEmX+Dwid9H+C/7GQPEh2zZMmCU5wmrwgd2Fnlb/HyKTPqv+9QNkyI/lUdYW8TTOxXnHtczbBlBgBnTBygG4TfRp/a3ObdgWEEM/sRes3vofrRL6NjTRz274oe6WB+hOQolJknCDFdUo9DSlnbiOAMK/DCDyUraHF5rhLSbifnrKa9AkBeHhiUZ/BuziGTEUM/whEU008vvvQmS6na14tEnJaD430d8r0yTcRU60TZtIMpxp/uL2Op7nDCCCLMn6Up2YmYyPnEklRl/sTcXO8vpaoWJvC3dSZ4bvDTNaUevfdhdLvKOinvM6WWwSjwMRhtjdf7NtXY1OE/hB+YpUTDNHGewi+2ciFH9Xk+E0yYo2SdiLvdJoU1Vx2Tg993WyhDWKy/C9uoaeIWrinSw9cV6DXEDP2SW0MWQRrFK9ChAwBh7Wdt+JRenEUHVqbcM20QzgF+sRF1+rNttdRi8cl5JIr52DKUmWyU1ySrEyZdnW6VR7qUhoXVB+RBMWXchwFxLyas3FM4gIvR4OpY8CtvDSLGU+HGvoyfr5BrBY0ziXf5aFdKTO6aLUXRqiuBtnINPtQdvkzlWdDZbLkCxEwnr7zNPyEJQT/3/K4rjg80bkKO20xq8cFhOP7aoG3r8vsKY/XzFi/sM44e8==KXxi-----END PGP SIGNATURE-----

L
L
Léo Le Bouter wrote on 23 Mar 15:38 +0100
[PATCH 2/2] gnu: java-xstream: Update to 1.4.16 [security fixes].
(address . 47342@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210323143840.22600-2-lle-bout@zaclys.net
Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
* gnu/packages/xml.scm (java-xstream): Update to 1.4.16.[inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of theformer made by upstream.--- gnu/packages/xml.scm | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
Toggle diff (33 lines)diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scmindex 96287b3174..fdb8bff601 100644--- a/gnu/packages/xml.scm+++ b/gnu/packages/xml.scm@@ -2217,7 +2217,7 @@ outputting XML data from Java code.") (define-public java-xstream (package (name "java-xstream")- (version "1.4.15")+ (version "1.4.16") (source (origin (method git-fetch)@@ -2229,7 +2229,7 @@ outputting XML data from Java code.") version))))) (file-name (git-file-name name version)) (sha256- (base32 "1178qryrjwjp44439pi5dxzd32896r5zs429z1qhlc09951r7mi9"))))+ (base32 "16k2mc63h2fw7lxv74qmhg4p8q9hfrw114daa6nxwnpv08cnq755")))) (build-system ant-build-system) (arguments `(#:jar-name "xstream.jar"@@ -2244,7 +2244,7 @@ outputting XML data from Java code.") ("java-joda-time" ,java-joda-time) ("java-jettison" ,java-jettison) ("java-xom" ,java-xom)- ("java-xpp3" ,java-xpp3)+ ("java-mxparser" ,java-mxparser) ("java-dom4j" ,java-dom4j) ("java-stax2-api" ,java-stax2-api) ("java-woodstox-core" ,java-woodstox-core)-- 2.31.0
L
L
Léo Le Bouter wrote on 23 Mar 15:38 +0100
[PATCH 1/2] gnu: Add java-mxparser.
(address . 47342@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210323143840.22600-1-lle-bout@zaclys.net
* gnu/packages/xml.scm (java-mxparser): New variable.--- gnu/packages/xml.scm | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+)
Toggle diff (41 lines)diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scmindex 2a72fc6ad2..96287b3174 100644--- a/gnu/packages/xml.scm+++ b/gnu/packages/xml.scm@@ -2256,6 +2256,34 @@ outputting XML data from Java code.") and back again.") (license license:bsd-3))) +(define-public java-mxparser+ (package+ (name "java-mxparser")+ (version "1.2.1")+ (source (origin+ (method url-fetch)+ (uri+ (string-append+ "https://repo1.maven.org/maven2/io/github/x-stream/mxparser/"+ version "/mxparser-" version "-sources.jar"))+ (sha256+ (base32+ "0mly55qbs2109wwbiz890n87r54iz7cykazl0rlsih6sg5lx8kdl"))))+ (build-system ant-build-system)+ (home-page "https://github.com/x-stream/mxparser")+ (synopsis "Streaming pull XML parser forked from @code{java-xpp3}")+ (description "Xml Pull Parser (in short XPP) is a streaming pull XML+parser and should be used when there is a need to process quickly and+efficiently all input elements (for example in SOAP processors). This+package is a stable XmlPull parsing engine that is based on ideas from XPP+and in particular XPP2 but completely revised and rewritten to take the best+advantage of JIT JVMs.++MXParser is a fork of xpp3_min 1.1.7 containing only the parser with merged+changes of the Plexus fork. It is an implementation of the XMLPULL V1 API+(parser only).")+ (license (license:non-copyleft "file://LICENSE.txt"))))+ (define-public xmlrpc-c (package (name "xmlrpc-c")-- 2.31.0
L
L
Léo Le Bouter wrote on 23 Mar 16:09 +0100
(address . control@debbugs.gnu.org)
328943c9d39ff41c168bf290955a321c4e306493.camel@zaclys.net
tags 47342 + securityquit
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEFIvLi9gL+xax3g6RRaix6GvNEKYFAmBaBJMACgkQRaix6GvNEKZ0MBAAu/oZ8JHWxTy9NDcsKSj1aiJeAMrM7nTPO4sWzcCCu6fy0d/p71h6xDpO8tSXvt8yXqdRXWDaTOYnWDeYHm1VyxG8jztB3p190pZ7CwNSe2sI9lbspAZTbbV51hY6PM1K6lszQgrM1q4C2KKxImKbmoDGvzRnplZbmN5L3tNxjUcpG24KYAs484WslNR6ShBRIRfd80srMstQRbyAw5kxDUB59i8sMqCHrbLd4emnwjVw32w1i5zwRLCJm3DIBnnUoHct7PMml2m1rp8Rzxbow+SNUWqOuloGabnUaWq3jSKYXQsYE4DpbRklODzb4B+x8+xiB0P4QEhfAeH7M4si5N0RrII2yJza1bC1kLYHQl6BTKQ6P2i7Ek94c99Gd90QYZAg3QmDKaQYFQ1w7nJmLyM1PB9TWXxR84l0NxEKLZinJWp9sAMhoCG8LEqUbotuVM/2yPKfGDyhZ6jRIrtfaQ9qEVgdbUs5mDYQM0ShPaHEapLEvpiRQjKQl1HSYueVc7qxqw9DdjPiWjje63tq0akjhnlKlxjrL84RrvyhjXQVBZFRvUnjS08oCOInTBJvQ5WVVKk28RK/wifNZnT6AiHfaNScNi4RfHRpnxyNv0fWom/dwFgM4XpDY4zNh0bsRN5eqSjqsaliEVeNsfxtLx+CZzkpxKACdSKbgnwKS0Y==Z5lD-----END PGP SIGNATURE-----

L
L
Leo Famulari wrote on 23 Mar 18:33 +0100
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
YFomec62TsA1v9tT@jasmine.lan
On Tue, Mar 23, 2021 at 03:38:40PM +0100, L�o Le Bouter via Bug reports for GNU Guix wrote:
Toggle quote (8 lines)> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.> > * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the> former made by upstream.
Thanks for the patch!
Pinging Julien...
J
J
Julien Lepiller wrote on 23 Mar 18:42 +0100
(name . Leo Famulari)(address . leo@famulari.name)
E106A45C-5393-4692-80DB-348BF9FC0DBF@lepiller.eu
So, mxparser seems to be pretty easy to package, but it depends on xmlpull v1. Unfortunately, it was developped at Extreme! Lab at Indiana University, but their website has recently been "deprecated" and redirects to the internet archive.
This is an issue as we have xmlpull v2 and xpp3 whose sources have also disappeared. Not sure what to do about them?
I asked upstseam (xstream) for guidance on where to find the sources on https://github.com/x-stream/mxparser/issues/3.
Once we have that information, I can take care of the xstream update.
Le 23 mars 2021 13:33:45 GMT-04:00, Leo Famulari <leo@famulari.name> a écrit :
Toggle quote (14 lines)>On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports>for GNU Guix wrote:>> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,>> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,>> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.>> >> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.>> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a>fork of the>> former made by upstream.>>Thanks for the patch!>>Pinging Julien...
Attachment: file
J
J
Julien Lepiller wrote on 23 Mar 23:31 +0100
Re: bug#47342: java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351
(address . 47342-done@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210323233132.63d67c9b@tachikoma.lepiller.eu
Le Tue, 23 Mar 2021 15:33:26 +0100,Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> a écrit :
Toggle quote (5 lines)> Upstream has made a release: 1.4.16 - which fixes all the issues,> following is an unfinished patchset that fixes the issues, java-> mxparser package does not build and help from some more experienced> Java packagers is welcome to fix and push this patchset.
Pushed as 4490dff98c6979a77f3982716239b526e0ef1337 to8b2b5463963d5d4dee480b0cf73fa4a9eca414ba to master,with changes discussed on IRC.
Thanks a lot for noticing it!
Closed
?