java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351

  • Done
Details
3 participants
  • Julien Lepiller
  • Leo Famulari
  • Léo Le Bouter
Owner
unassigned
Submitted by
Léo Le Bouter
Severity
normal
Léo Le Bouter wrote on 23 Mar 2021 15:33
(address . bug-guix@gnu.org)
4b90a1518c9453ca529a5a6c4e12728cd0f2fbc7.camel@zaclys.net
Upstream has made a release: 1.4.16 - which fixes all the issues,
following is an unfinished patchset that fixes the issues, java-mxparser
package does not build and help from some more experienced
Java packagers is welcome to fix and push this patchset.
Léo Le Bouter wrote on 23 Mar 2021 15:38
[PATCH 2/2] gnu: java-xstream: Update to 1.4.16 [security fixes].
(address . 47342@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210323143840.22600-2-lle-bout@zaclys.net
Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.

* gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
[inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
former made by upstream.
---
gnu/packages/xml.scm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 96287b3174..fdb8bff601 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2217,7 +2217,7 @@ outputting XML data from Java code.")
(define-public java-xstream
(package
(name "java-xstream")
- (version "1.4.15")
+ (version "1.4.16")
(source
(origin
(method git-fetch)
@@ -2229,7 +2229,7 @@ outputting XML data from Java code.")
version)))))
(file-name (git-file-name name version))
(sha256
- (base32 "1178qryrjwjp44439pi5dxzd32896r5zs429z1qhlc09951r7mi9"))))
+ (base32 "16k2mc63h2fw7lxv74qmhg4p8q9hfrw114daa6nxwnpv08cnq755"))))
(build-system ant-build-system)
(arguments
`(#:jar-name "xstream.jar"
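Review bot: the new `(base32 "16k2mc63h2fw7lxv74qmhg4p8q9hfrw114daa6nxwnpv08cnq755")` line is the only thing that actually pins the CVE-fixed source, so it should be reproduced independently (for example `guix hash -rx .` on a fresh checkout of the 1.4.16 tag) rather than accepted from the patch; with a git-fetch origin keyed on a tag, the tag can move but this hash cannot, which is exactly why it deserves a second pair of eyes on a security update.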
@@ -2244,7 +2244,7 @@ outputting XML data from Java code.")
("java-joda-time" ,java-joda-time)
("java-jettison" ,java-jettison)
("java-xom" ,java-xom)
- ("java-xpp3" ,java-xpp3)
+ ("java-mxparser" ,java-mxparser)
("java-dom4j" ,java-dom4j)
("java-stax2-api" ,java-stax2-api)
("java-woodstox-core" ,java-woodstox-core)
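Review bot: the `("java-mxparser" ,java-mxparser)` entry references a variable that only exists once patch 1/2 is applied, so the series must land in order (1/2 before 2/2) or the intermediate commit leaves xml.scm referring to an unbound name. The commit message labels the change [inputs], but the hunk context does not show which field this alist belongs to; confirm it is `inputs` rather than `native-inputs` so the message stays accurate.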
--
2.31.0
Léo Le Bouter wrote on 23 Mar 2021 15:38
[PATCH 1/2] gnu: Add java-mxparser.
(address . 47342@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210323143840.22600-1-lle-bout@zaclys.net
* gnu/packages/xml.scm (java-mxparser): New variable.
---
gnu/packages/xml.scm | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)

diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 2a72fc6ad2..96287b3174 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -2256,6 +2256,34 @@ outputting XML data from Java code.")
and back again.")
(license license:bsd-3)))
+(define-public java-mxparser
+ (package
+ (name "java-mxparser")
+ (version "1.2.1")
+ (source (origin
+ (method url-fetch)
+ (uri
+ (string-append
+ "https://repo1.maven.org/maven2/io/github/x-stream/mxparser/"
+ version "/mxparser-" version "-sources.jar"))
+ (sha256
+ (base32
+ "0mly55qbs2109wwbiz890n87r54iz7cykazl0rlsih6sg5lx8kdl"))))
+ (build-system ant-build-system)
+ (home-page "https://github.com/x-stream/mxparser")
+ (synopsis "Streaming pull XML parser forked from @code{java-xpp3}")
+ (description "Xml Pull Parser (in short XPP) is a streaming pull XML
+parser and should be used when there is a need to process quickly and
+efficiently all input elements (for example in SOAP processors). This
+package is a stable XmlPull parsing engine that is based on ideas from XPP
+and in particular XPP2 but completely revised and rewritten to take the best
+advantage of JIT JVMs.
+
+MXParser is a fork of xpp3_min 1.1.7 containing only the parser with merged
+changes of the Plexus fork. It is an implementation of the XMLPULL V1 API
+(parser only).")
+ (license (license:non-copyleft "file://LICENSE.txt"))))
+
(define-public xmlrpc-c
(package
(name "xmlrpc-c")
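Review bot: the origin is the `-sources.jar` from Maven Central, which ships Java sources only and no build.xml, yet the package passes no arguments to ant-build-system; without `#:jar-name` the build system expects an upstream build.xml instead of generating one (compare java-xstream's `#:jar-name "xstream.jar"` in patch 2/2), which is the most likely reason the submitter reports that java-mxparser does not build. Suggest adding `(arguments `(#:jar-name "mxparser.jar" #:tests? #f))` as a starting point, since a sources jar carries no test suite. Two further points: the description says MXParser implements the XMLPULL V1 API and Julien notes it depends on xmlpull v1, but the package lists no inputs at all, so that dependency still has to be resolved; and `(license:non-copyleft "file://LICENSE.txt")` is not a resolvable URI, so point it at the license text as published in the upstream repository instead.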
--
2.31.0
Léo Le Bouter wrote on 23 Mar 2021 16:09
(address . control@debbugs.gnu.org)
328943c9d39ff41c168bf290955a321c4e306493.camel@zaclys.net
tags 47342 + security
quit
Leo Famulari wrote on 23 Mar 2021 18:33
(name . Léo Le Bouter via Bug reports for GNU Guix)(address . bug-guix@gnu.org)
YFomec62TsA1v9tT@jasmine.lan
On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports for GNU Guix wrote:
> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
>
> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a fork of the
> former made by upstream.

Thanks for the patch!

Pinging Julien...
Julien Lepiller wrote on 23 Mar 2021 18:42
(name . Leo Famulari)(address . leo@famulari.name)
E106A45C-5393-4692-80DB-348BF9FC0DBF@lepiller.eu
So, mxparser seems to be pretty easy to package, but it depends on xmlpull v1. Unfortunately, it was developed at Extreme! Lab at Indiana University, but their website has recently been "deprecated" and redirects to the internet archive.

This is an issue as we have xmlpull v2 and xpp3 whose sources have also disappeared. Not sure what to do about them?

I asked upstream (xstream) for guidance on where to find the sources on https://github.com/x-stream/mxparser/issues/3.

Once we have that information, I can take care of the xstream update.

Le 23 mars 2021 13:33:45 GMT-04:00, Leo Famulari <leo@famulari.name> a écrit :
>On Tue, Mar 23, 2021 at 03:38:40PM +0100, Léo Le Bouter via Bug reports
>for GNU Guix wrote:
>> Fixes CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344,
>> CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348,
>> CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351.
>>
>> * gnu/packages/xml.scm (java-xstream): Update to 1.4.16.
>> [inputs]: Replace java-xpp3 with java-mxparser, the latter being a
>fork of the
>> former made by upstream.
>
>Thanks for the patch!
>
>Pinging Julien...
Julien Lepiller wrote on 23 Mar 2021 23:31
Re: bug#47342: java-xstream@1.4.15 is vulnerable to CVE-2021-21341, CVE-2021-21342, CVE-2021-21343, CVE-2021-21344, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21348, CVE-2021-21349, CVE-2021-21350 and CVE-2021-21351
(address . 47342-done@debbugs.gnu.org)(name . Léo Le Bouter)(address . lle-bout@zaclys.net)
20210323233132.63d67c9b@tachikoma.lepiller.eu
Le Tue, 23 Mar 2021 15:33:26 +0100,
Léo Le Bouter via Bug reports for GNU Guix <bug-guix@gnu.org> a écrit :

> Upstream has made a release: 1.4.16 - which fixes all the issues,
> following is an unfinished patchset that fixes the issues, java-mxparser
> package does not build and help from some more experienced
> Java packagers is welcome to fix and push this patchset.

Pushed as 4490dff98c6979a77f3982716239b526e0ef1337 to
8b2b5463963d5d4dee480b0cf73fa4a9eca414ba to master,
with changes discussed on IRC.

Thanks a lot for noticing it!
Closed