Fix CVE-2024-47072

(cherry picked from commit b4167a832287908d3c9ca5f5ed3a954f457a2211)
2024-11-11 17:44:16 +08:00 · 2024-11-11 17:44:16 +08:00 · 5588818069
commit 5588818069
parent ee69b18d27
3 changed files with 293 additions and 4 deletions
--- a/backport-0001-CVE-2024-47072.patch
+++ b/backport-0001-CVE-2024-47072.patch
@ -0,0 +1,105 @@
+From fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a Mon Sep 17 00:00:00 2001
+From: joehni <joerg.schaible@gmx.de>
+Date: Wed, 18 Sep 2024 20:19:13 +0200
+Subject: [PATCH] Detect input manipulation in
+ c.t.x.io.binary.BinaryStreamReader.
+
+Origin:
+https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a
+---
+ .../xstream/io/binary/BinaryStreamReader.java  | 18 ++++++++++++------
+ .../xstream/io/binary/BinaryStreamTest.java    | 17 ++++++++++++++++-
+ 2 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+index 2839651..cd870cd 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright (C) 2006 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2011, 2013 XStream Committers.
+ * Copyright (C) 2006, 2007, 2011, 2013, 2024 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.StreamException;
+import com.thoughtworks.xstream.security.InputManipulationException;
+ 
+ import java.io.DataInputStream;
+ import java.io.IOException;
+@@ -150,15 +151,20 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
+     private Token readToken() {
+         if (pushback == null) {
+             try {
+-                Token token = tokenFormatter.read(in);
+-                switch (token.getType()) {
+                boolean mapping = false;
+                do {
+                    final Token token = tokenFormatter.read(in);
+                    switch (token.getType()) {
+                     case Token.TYPE_MAP_ID_TO_VALUE:
+                         idRegistry.put(token.getId(), token.getValue());
+-                        return readToken(); // Next one please.
+                        mapping ^= true;
+                        continue; // Next one please.
+                     default:
+                         return token;
+-                }
+-            } catch (IOException e) {
+                    }
+                } while (mapping);
+                throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
+            } catch (final IOException e) {
+                 throw new StreamException(e);
+             }
+         } else {
+diff --git a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+index a01065a..d93954f 100644
+--- a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+++ b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright (C) 2006 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2021 XStream Committers.
+ * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2021, 2024 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+@@ -17,10 +17,12 @@ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+ import com.thoughtworks.xstream.io.copy.HierarchicalStreamCopier;
+ import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest;
+ import com.thoughtworks.xstream.io.xml.MXParserDriver;
+import com.thoughtworks.xstream.security.InputManipulationException;
+ 
+ import java.io.ByteArrayOutputStream;
+ import java.io.StringReader;
+ import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+ 
+ public class BinaryStreamTest extends AbstractXMLReaderTest {
+ 
+@@ -89,4 +91,17 @@ public class BinaryStreamTest extends AbstractXMLReaderTest {
+         }
+     }
+ 
+    public void testHandleMaliciousInputsOfIdMappingTokens() {
+        // Insert two successive id mapping tokens into the stream
+        final byte[] byteArray = new byte[8];
+        byteArray[0] = byteArray[4] = 10;
+        byteArray[1] = byteArray[5] = -127;
+
+        final InputStream in = new ByteArrayInputStream(byteArray);
+        try {
+            new BinaryStreamReader(in);
+            fail("Thrown " + InputManipulationException.class.getName() + " expected");
+        } catch (final InputManipulationException e) {
+        }
+    }
+ }
+-- 
+2.47.0
+
--- a/backport-0002-CVE-2024-47072.patch
+++ b/backport-0002-CVE-2024-47072.patch
@ -0,0 +1,174 @@
+From bb838ce2269cac47433e31c77b2b236466e9f266 Mon Sep 17 00:00:00 2001
+From: joehni <joerg.schaible@gmx.de>
+Date: Fri, 18 Oct 2024 11:33:48 +0200
+Subject: [PATCH] Document CVE-2024-47072 and add test case.
+
+Origin:
+https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266
+---
+ .../src/content/CVE-2024-47072.html           | 68 +++++++++++++++++++
+ .../src/content/security.html                 | 11 ++-
+ xstream-distribution/src/content/website.xml  |  3 +-
+ .../acceptance/SecurityVulnerabilityTest.java | 19 ++++++
+ 4 files changed, 99 insertions(+), 2 deletions(-)
+ create mode 100644 xstream-distribution/src/content/CVE-2024-47072.html
+
+diff --git a/xstream-distribution/src/content/CVE-2024-47072.html b/xstream-distribution/src/content/CVE-2024-47072.html
+new file mode 100644
+index 000000000..9e021709b
+--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2024-47072.html
+@@ -0,0 +1,68 @@
+<html>
+<!--
+ Copyright (C) 2024 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 19. September 2024 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2024-47072</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+    
+    <p>CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated
+	binary input stream.</p>
+    
+    <h2 id="affected_versions">Affected Versions</h2>
+    
+    <p>All versions until and including version 1.4.20 are affected, if using XStream's BinaryStreamDriver.</p>
+
+    <h2 id="description">Description</h2>
+    
+    <p>XStream provides a BinaryStreamDriver with an own optimized serialization format.  The format uses ids for
+	string values as deduplication.  The mapping for these ids are created on-the-fly at marshalling time.  At
+	unmarshalling time the reader's implementation simply used a simple one-time recursion after reading a mapping
+	token to process the next normal token of the data stream.  However, an endless recursion could be triggered with
+	manipulated input data resulting in a stack overflow causing a denial of service.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+    <p>Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:</p>
+<div class="Source Java"><pre>final byte[] byteArray = new byte[36000];
+for (int i = 0; i &lt; byteArray.length / 4; i++) {
+      byteArray[i * 4] = 10;
+      byteArray[i * 4 + 1] = -127;
+      byteArray[i * 4 + 2] = 0;
+      byteArray[i * 4 + 3] = 0;
+}
+
+XStream xstream = new XStream(new BinaryStreamDriver());
+xstream.fromXML(new ByteArrayInputStream(byteArray));
+</pre></div>
+
+    <p>As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with
+	a stack overflow error.</p>
+
+    <h2 id="impact">Impact</h2>
+
+    <p>The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting
+    in a denial of service only by manipulating the processed input stream if the instance is setup with a
+	BinaryStreamDriver.</p>
+
+    <h2 id="workarounds">Workarounds</h2>
+
+	<p>A simple solution is to catch the StackOverflowError in the client code calling XStream.  There's no other known
+	workaround when using the BinaryStreamDriver.</p>
+
+    <h2 id="credits">Credits</h2>
+    
+    <p>Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.</p>
+    
+      </body>
+ </html>
+diff --git a/xstream-distribution/src/content/security.html b/xstream-distribution/src/content/security.html
+index f121ec273..1a68de0a8 100644
+--- a/xstream-distribution/src/content/security.html
+++ b/xstream-distribution/src/content/security.html
+@@ -1,6 +1,6 @@
+ <html>
+ <!--
+- Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022 XStream committers.
+ Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022, 2024 XStream committers.
+  All rights reserved.
+  
+  The software in this package is published under the terms of the BSD
+@@ -49,6 +49,15 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
+         <th>CVE</th>
+         <th>Description</th>
+       </tr>
+	  <tr>
+	    <th>Version 1.4.21</th>
+	    <td></td>
+	  </tr>
+	  <tr>
+	    <th><a href="/x-stream/xstream/commit/CVE-2024-47072.html">CVE-2024-47072</a></th>
+	    <td>XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input
+		stream.</td>
+	  </tr>
+       <tr>
+         <th>Version 1.4.19</th>
+         <td></td>
+diff --git a/xstream-distribution/src/content/website.xml b/xstream-distribution/src/content/website.xml
+index d89179184..c6b253fb3 100644
+--- a/xstream-distribution/src/content/website.xml
+++ b/xstream-distribution/src/content/website.xml
+@@ -1,6 +1,6 @@
+ <!--
+  Copyright (C) 2005, 2006 Joe Walnes.
+- Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022 XStream committers.
+ Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022, 2024 XStream committers.
+  All rights reserved.
+  
+  The software in this package is published under the terms of the BSD
+@@ -63,6 +63,7 @@
+     </section>
+     <section>
+         <name>!Vulnerabilities</name>
+        <page>CVE-2024-47072.html</page>
+         <page>CVE-2022-41966.html</page>
+         <page>CVE-2022-40151.html</page>
+         <page>CVE-2021-21341.html</page>
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index 7bf2d38ed..49281fd06 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -26,8 +26,10 @@
+ import java.util.Map;
+ import java.util.Set;
+ 
+import com.thoughtworks.xstream.XStream;
+ import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.core.JVM;
+import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.InputManipulationException;
+@@ -545,4 +547,21 @@ public void testStackOverflowWithDeeplyNestedStructure() {
+             assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
+         }
+     }
+
+    public void testStackOverflowInBinaryStreamReaderWithManipulatedInputData() {
+        final byte[] byteArray = new byte[36000];
+        for (int i = 0; i < byteArray.length / 4; i++) {
+            byteArray[i * 4] = 10;
+            byteArray[i * 4 + 1] = -127;
+            byteArray[i * 4 + 2] = 0;
+            byteArray[i * 4 + 3] = 0;
+        }
+
+        try {
+            xstream = new XStream(new BinaryStreamDriver());
+            xstream.fromXML(new ByteArrayInputStream(byteArray));
+        } catch (final InputManipulationException e) {
+            assertTrue(e.getMessage().indexOf("two mapping tokens") >= 0);
+        }
+    }
+ }
--- a/xstream.spec
+++ b/xstream.spec
@ -1,12 +1,16 @@
 %bcond_with jp_minimal
 Name:                xstream
 Version:             1.4.20
-Release:             1
+Release:             2
 Summary:             Java XML serialization library
-License:             BSD
+License:             BSD-3-Clause
 URL:                 http://x-stream.github.io/
 BuildArch:           noarch
-Source0:             http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
+Source0:             https://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
+
+# Security fixes
+Patch3000:           backport-0001-CVE-2024-47072.patch
+Patch3001:           backport-0002-CVE-2024-47072.patch

 BuildRequires:       maven-local mvn(cglib:cglib) mvn(dom4j:dom4j) mvn(javax.xml.bind:jaxb-api)
 BuildRequires:       mvn(joda-time:joda-time) mvn(net.sf.kxml:kxml2-min)
@ -129,9 +133,15 @@ rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/
 %license LICENSE.txt

 %changelog
-* Mon Dec 11 2023 yaoxin <yao_xin001@hoperun.com> - 1.4.20-1
+* Mon Nov 11 2024 yaoxin <yao_xin001@hoperun.com> - 1.4.20-2
+- Fix CVE-2024-47072
+
+* Tue Dec 12 2023 yaoxin <yao_xin001@hoperun.com> - 1.4.20-1
 - Upgrade to 1.4.20 for fix CVE-2022-40151 and CVE-2022-41966

+* Thu Nov 10 2022 liyanan <liyanan32@h-partners.com>  - 1.4.18-3
+- Change source
+
 * Mon Feb 7 2022 wangkai <wangkai385@huawei.com> - 1.4.18-2
 - Fix CVE-2021-43859