A vulnerability was found in XStream. Parsing a maliciously crafted file could cause the application to crash. The processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. The crash occurs if this information advises XStream to create an instance of the primitive type 'void'. This situation can only happen if an attacker was able to manipulate the incoming data, since such an instance does not exist.

References:
http://seclists.org/oss-sec/2017/q2/9
http://x-stream.github.io/CVE-2017-7957.html

Unsure if upstream will release a fix, currently a workaround is suggested.
Reference with description http://x-stream.github.io/CVE-2017-7957.html Gentoo Security Padawan ChrisADR
Update: Fixed in 1.4.10 release, see: https://x-stream.github.io/changes.html Summary: "Fix PrimitiveTypePermission to reject type void to prevent CVE-2017-7957 with an initialized security framework."
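For anyone stuck on a release before 1.4.10, where PrimitiveTypePermission still let 'void' through even with the security framework initialised, the workaround amounts to an explicit deny rule. The following is an added example written for this comment, not code from XStream, the upstream advisory or the Gentoo package: the Config class is a hypothetical payload type, and the `<void/>` element is assumed here as the shape of a stream that names the primitive type void.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example (not XStream's or Gentoo's code): configure XStream's security
// framework as an allow-list and explicitly deny 'void', the workaround for
// XStream < 1.4.10, where PrimitiveTypePermission.PRIMITIVES still accepted it.
public final class XStreamVoidHardening {

    // Hypothetical value type that the application legitimately expects.
    public static final class Config {
        public String name;
        public int retries;
    }

    public static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Start from "nothing is allowed", then re-add only what is needed.
        xstream.addPermission(NoTypePermission.NONE);
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class, Config.class });
        // Belt and braces: deny void explicitly, since the PRIMITIVES
        // permission on releases before 1.4.10 does not reject it. On 1.4.10+
        // the permission itself already refuses void, so this is harmless.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        xstream.alias("config", Config.class);
        return xstream;
    }

    // True if the stream was refused by the security framework (a type was
    // denied before any instance could be created), false if it deserialised.
    public static boolean rejects(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample of legitimate input: deserialises normally.
        Config c = (Config) xstream.fromXML(
            "<config><name>db</name><retries>3</retries></config>");
        System.out.println(c.name + " " + c.retries);

        // Constructed sample of the hostile input (assumed shape): the type
        // name resolves to void.class, the deny rule fires, and the stream is
        // refused with ForbiddenClassException instead of XStream trying to
        // instantiate void.
        System.out.println(rejects(xstream, "<void/>"));
    }
}
```

The point of the allow-list is that a denied or simply unlisted type is refused while the type name is being resolved, before XStream reaches the reflection provider that would try to allocate the instance; that is the stage at which the crash described above happens, so the check has to sit in front of it rather than in a converter invoked afterwards.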
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3c11959755d652106860a3c9aa8ac271832fe89

commit c3c11959755d652106860a3c9aa8ac271832fe89
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-14 15:41:21 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-14 15:41:21 +0000

    dev-java/xstream: Remove last-rited pkg

    Bug: https://bugs.gentoo.org/622428
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-java/xstream/Manifest                |  1 -
 dev-java/xstream/metadata.xml            |  8 -----
 dev-java/xstream/xstream-1.4.8-r2.ebuild | 56 --------------------------------
 profiles/package.mask                    |  5 ---
 4 files changed, 70 deletions(-)
buh bye