From bb838ce2269cac47433e31c77b2b236466e9f266 Mon Sep 17 00:00:00 2001
From: joehni <joerg.schaible@gmx.de>
Date: Fri, 18 Oct 2024 11:33:48 +0200
Subject: [PATCH] Document CVE-2024-47072 and add test case.

Origin:
https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266
---
 .../src/content/CVE-2024-47072.html           | 68 +++++++++++++++++++
 .../src/content/security.html                 | 11 ++-
 xstream-distribution/src/content/website.xml  |  3 +-
 .../acceptance/SecurityVulnerabilityTest.java | 19 ++++++
 4 files changed, 99 insertions(+), 2 deletions(-)
 create mode 100644 xstream-distribution/src/content/CVE-2024-47072.html

diff --git a/xstream-distribution/src/content/CVE-2024-47072.html b/xstream-distribution/src/content/CVE-2024-47072.html
new file mode 100644
index 000000000..9e021709b
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2024-47072.html
@@ -0,0 +1,68 @@
+<html>
+<!--
+ Copyright (C) 2024 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 19. September 2024 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2024-47072</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+    
+    <p>CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated
+	binary input stream.</p>
+    
+    <h2 id="affected_versions">Affected Versions</h2>
+    
+    <p>All versions until and including version 1.4.20 are affected, if using XStream's BinaryStreamDriver.</p>
+
+    <h2 id="description">Description</h2>
+    
+    <p>XStream provides a BinaryStreamDriver with an own optimized serialization format.  The format uses ids for
+	string values as deduplication.  The mapping for these ids are created on-the-fly at marshalling time.  At
+	unmarshalling time the reader's implementation simply used a simple one-time recursion after reading a mapping
+	token to process the next normal token of the data stream.  However, an endless recursion could be triggered with
+	manipulated input data resulting in a stack overflow causing a denial of service.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+    <p>Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:</p>
+<div class="Source Java"><pre>final byte[] byteArray = new byte[36000];
+for (int i = 0; i &lt; byteArray.length / 4; i++) {
+      byteArray[i * 4] = 10;
+      byteArray[i * 4 + 1] = -127;
+      byteArray[i * 4 + 2] = 0;
+      byteArray[i * 4 + 3] = 0;
+}
+
+XStream xstream = new XStream(new BinaryStreamDriver());
+xstream.fromXML(new ByteArrayInputStream(byteArray));
+</pre></div>
+
+    <p>As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with
+	a stack overflow error.</p>
+
+    <h2 id="impact">Impact</h2>
+
+    <p>The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting
+    in a denial of service only by manipulating the processed input stream if the instance is setup with a
+	BinaryStreamDriver.</p>
+
+    <h2 id="workarounds">Workarounds</h2>
+
+	<p>A simple solution is to catch the StackOverflowError in the client code calling XStream.  There's no other known
+	workaround when using the BinaryStreamDriver.</p>
+
+    <h2 id="credits">Credits</h2>
+    
+    <p>Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.</p>
+    
+      </body>
+ </html>
diff --git a/xstream-distribution/src/content/security.html b/xstream-distribution/src/content/security.html
index f121ec273..1a68de0a8 100644
--- a/xstream-distribution/src/content/security.html
+++ b/xstream-distribution/src/content/security.html
@@ -1,6 +1,6 @@
 <html>
 <!--
- Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022 XStream committers.
+ Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022, 2024 XStream committers.
  All rights reserved.
  
  The software in this package is published under the terms of the BSD
@@ -49,6 +49,15 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
         <th>CVE</th>
         <th>Description</th>
       </tr>
+	  <tr>
+	    <th>Version 1.4.21</th>
+	    <td></td>
+	  </tr>
+	  <tr>
+	    <th><a href="/x-stream/xstream/commit/CVE-2024-47072.html">CVE-2024-47072</a></th>
+	    <td>XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input
+		stream.</td>
+	  </tr>
       <tr>
         <th>Version 1.4.19</th>
         <td></td>
diff --git a/xstream-distribution/src/content/website.xml b/xstream-distribution/src/content/website.xml
index d89179184..c6b253fb3 100644
--- a/xstream-distribution/src/content/website.xml
+++ b/xstream-distribution/src/content/website.xml
@@ -1,6 +1,6 @@
 <!--
  Copyright (C) 2005, 2006 Joe Walnes.
- Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022 XStream committers.
+ Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022, 2024 XStream committers.
  All rights reserved.
  
  The software in this package is published under the terms of the BSD
@@ -63,6 +63,7 @@
     </section>
     <section>
         <name>!Vulnerabilities</name>
+        <page>CVE-2024-47072.html</page>
         <page>CVE-2022-41966.html</page>
         <page>CVE-2022-40151.html</page>
         <page>CVE-2021-21341.html</page>
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
index 7bf2d38ed..49281fd06 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -26,8 +26,10 @@
 import java.util.Map;
 import java.util.Set;
 
+import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.core.JVM;
+import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
 import com.thoughtworks.xstream.security.AnyTypePermission;
 import com.thoughtworks.xstream.security.ForbiddenClassException;
 import com.thoughtworks.xstream.security.InputManipulationException;
@@ -545,4 +547,21 @@ public void testStackOverflowWithDeeplyNestedStructure() {
             assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
         }
     }
+
+    public void testStackOverflowInBinaryStreamReaderWithManipulatedInputData() {
+        final byte[] byteArray = new byte[36000];
+        for (int i = 0; i < byteArray.length / 4; i++) {
+            byteArray[i * 4] = 10;
+            byteArray[i * 4 + 1] = -127;
+            byteArray[i * 4 + 2] = 0;
+            byteArray[i * 4 + 3] = 0;
+        }
+
+        try {
+            xstream = new XStream(new BinaryStreamDriver());
+            xstream.fromXML(new ByteArrayInputStream(byteArray));
+        } catch (final InputManipulationException e) {
+            assertTrue(e.getMessage().indexOf("two mapping tokens") >= 0);
+        }
+    }
 }