Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622428 (CVE-2017-7957) - dev-java/xstream: DoS when unmarshalling void type (CVE-2017-7957)
Summary: dev-java/xstream: DoS when unmarshalling void type (CVE-2017-7957)
Status: RESOLVED FIXED
Alias: CVE-2017-7957
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-21 22:08 UTC by Volkan
Modified: 2019-09-15 02:28 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Volkan 2017-06-21 22:08:34 UTC
A vulnerability was found in XStream. Parsing a maliciously crafted file could cause the application to crash.

The processed stream at unmarshalling type contains type information to  recreate the formerly written objects. XStream creates therefore new instances based on these type information. The crash occurrs if this information advices XStream to create an instance of the primitive type 'void'. This situation can only happen if an attacker was able to manipulate the incoming data, since such an instance does not exist.

References:

http://seclists.org/oss-sec/2017/q2/9
http://x-stream.github.io/CVE-2017-7957.html

Unsure if upstream will release a fix, currently a workaround is suggested.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-01 18:21:47 UTC
Reference with description

http://x-stream.github.io/CVE-2017-7957.html

Gentoo Security Padawan
ChrisADR
Comment 2 D'juan McDonald (domhnall) 2018-09-08 00:38:19 UTC
Update: Fixed in 1.4.10 release, see: https://x-stream.github.io/changes.html

Summary:

"Fix PrimitiveTypePermission to reject type void to prevent CVE-2017-7957 with an initialized security framework."
Comment 3 Larry the Git Cow gentoo-dev 2019-09-14 15:48:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3c11959755d652106860a3c9aa8ac271832fe89

commit c3c11959755d652106860a3c9aa8ac271832fe89
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-14 15:41:21 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-14 15:41:21 +0000

    dev-java/xstream: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/622428
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-java/xstream/Manifest                |  1 -
 dev-java/xstream/metadata.xml            |  8 -----
 dev-java/xstream/xstream-1.4.8-r2.ebuild | 56 --------------------------------
 profiles/package.mask                    |  5 ---
 4 files changed, 70 deletions(-)
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2019-09-15 02:28:15 UTC
buh bye