CVE-2017-7957: XStream through 1.4.9 mishandles attempts to create an instance of the primitive type 'void'

Bug #1780844 reported by Dan Streetman
Affects                    Status        Importance  Assigned to  Milestone
libxstream-java (Ubuntu)   Fix Released  Undecided   Unassigned
  Trusty                   Fix Released  Medium      Unassigned
  Xenial                   Fix Released  Medium      Unassigned
  Artful                   Fix Released  Undecided   Unassigned
  Bionic                   Fix Released  Undecided   Unassigned
  Cosmic                   Fix Released  Undecided   Unassigned

Bug Description

[impact]

XStream through 1.4.9, when the denyTypes workaround for void/Void is not
applied, mishandles attempts to create an instance of the primitive type
'void' during unmarshalling. Because the fault occurs inside the JVM
rather than as a Java exception, the whole process dies (SIGSEGV), so any
service that unmarshals attacker-supplied XML can be crashed remotely,
as demonstrated by an xstream.fromXML("<void/>") call.

[test case]

install a Java JDK (e.g. openjdk-8-jdk) and libxstream-java on a xenial (or trusty) system. Then create a file named TestCVE.java with this content:

import com.thoughtworks.xstream.XStream;

public class TestCVE {

 public static void main(String[] args) {
  // Default XStream instance: no denyTypes() workaround applied.
  XStream xstream = new XStream();
  // Attacker-controlled input: an element mapped to the primitive type void.
  // Unpatched 1.4.7/1.4.8 crashes the JVM here; a patched build throws
  // ConversionException instead.
  xstream.fromXML("<void/>");
 }

}

then run this (from the same directory as the file) to compile it, replacing the version number in the jar path if needed (1.4.8 is the xenial version; on trusty use 1.4.7):

$ javac -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE.java

then test it (again correcting version if needed):

$ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE

failure is a JVM segfault, e.g.:

#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f6546a6f9d2, pid=9279, tid=0x00007f654816c700

success is a normal java exception with backtrace, e.g.:

Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance
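The test above only shows the crash. The added example below (not part of the bug report or of the XStream project's own code) extends it in two ways a practitioner would want: it applies the denyTypes workaround that the impact section refers to, for deployments that cannot move to 1.4.10 yet, and it catches the two outcomes a fixed setup can produce so the result is reported rather than propagated. The class name TestCVE7957, the --deny-void flag and the three payload strings are all constructed for this example. denyTypes(Class[]) and ForbiddenClassException are part of the XStream security framework that shipped in 1.4.7, so they are available on both the trusty and xenial packages.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.converters.ConversionException;
import com.thoughtworks.xstream.security.ForbiddenClassException;

public class TestCVE7957 {

    // Payloads as they would arrive from an untrusted client (constructed for
    // this example): the bare <void/> element from the advisory, the boxed
    // wrapper that the advisory's workaround also denies, and a benign
    // document to confirm the workaround does not break normal unmarshalling.
    static final String[] PAYLOADS = {
        "<void/>",
        "<java.lang.Void/>",
        "<string>hello</string>",
    };

    /** Unpatched behaviour: a default XStream instance with no type restrictions. */
    static XStream defaultInstance() {
        return new XStream();
    }

    /**
     * Workaround for releases older than 1.4.10: explicitly deny the
     * primitive void type and its boxed wrapper. The deny rule is checked
     * while the element name is mapped to a class, before any instance is
     * created, so the crashing code path is never reached.
     */
    static XStream hardenedInstance() {
        XStream xstream = new XStream();
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    /** Unmarshal one payload and describe the outcome instead of letting it propagate. */
    static String tryPayload(XStream xstream, String xml) {
        try {
            Object o = xstream.fromXML(xml);
            return "OK: " + (o == null ? "null" : o.getClass().getName());
        } catch (ForbiddenClassException e) {
            // Raised by the denyTypes() rule in hardenedInstance().
            return "DENIED (workaround active): " + e.getMessage();
        } catch (ConversionException e) {
            // Raised by a library build that carries the CVE-2017-7957 fix.
            return "REJECTED (patched library): " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        boolean hardened = args.length > 0 && args[0].equals("--deny-void");
        XStream xstream = hardened ? hardenedInstance() : defaultInstance();
        for (String xml : PAYLOADS) {
            // On unpatched 1.4.7/1.4.8 without --deny-void the first payload
            // never returns: the JVM dies with SIGSEGV before any exception
            // can be caught, which is exactly why the workaround matters.
            System.out.println(xml + " -> " + tryPayload(xstream, xml));
        }
    }
}
```

Compile and run it the same way as TestCVE above (same classpath, replacing the jar version as needed). Without arguments it reproduces the unpatched crash or, on a fixed package, prints the REJECTED line; with --deny-void it prints the DENIED line on every version, which is the check to run on a production configuration that cannot yet be upgraded.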

[regression potential]

regressions could include failing to parse a stream that previously unmarshalled correctly, or new exceptions or segfaults during unmarshalling.

[other info]

http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7957.html
https://x-stream.github.io/CVE-2017-7957.html
https://github.com/x-stream/xstream/commit/b3570be

Tags: patch

Dan Streetman (ddstreet) wrote :

CVE already included in version 1.4.10 and later, which covers A/B/C.

Changed in libxstream-java (Ubuntu Cosmic):
status: New → Fix Released
Changed in libxstream-java (Ubuntu Bionic):
status: New → Fix Released
Changed in libxstream-java (Ubuntu Artful):
status: New → Fix Released
Changed in libxstream-java (Ubuntu Xenial):
status: New → In Progress
Changed in libxstream-java (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Low
Changed in libxstream-java (Ubuntu Xenial):
importance: Undecided → Low
Changed in libxstream-java (Ubuntu Trusty):
assignee: nobody → Dan Streetman (ddstreet)
Changed in libxstream-java (Ubuntu Xenial):
assignee: nobody → Dan Streetman (ddstreet)
Changed in libxstream-java (Ubuntu Trusty):
importance: Low → Medium
Changed in libxstream-java (Ubuntu Xenial):
importance: Low → Medium
Dan Streetman (ddstreet)
description: updated
Dan Streetman (ddstreet)
description: updated
Robie Basak (racb) wrote :

Thank you for preparing this. Rather than use the SRU process, this should go through the security sponsorship process. Then it can be delivered into the security pocket and will need a security sponsor. Please see https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue for details.

Dan Streetman (ddstreet) wrote :
Changed in libxstream-java (Ubuntu Xenial):
assignee: Dan Streetman (ddstreet) → nobody
Changed in libxstream-java (Ubuntu Trusty):
assignee: Dan Streetman (ddstreet) → nobody
Dan Streetman (ddstreet) wrote :
tags: added: patch
Dan Streetman (ddstreet)
Changed in libxstream-java (Ubuntu Trusty):
status: In Progress → Confirmed
Changed in libxstream-java (Ubuntu Xenial):
status: In Progress → Confirmed
Emily Ratliff (emilyr) wrote :

Thanks for providing the debdiffs to fix the CVE in this package for trusty and xenial. I have uploaded the updated packages to security-proposed. Please note that there are errors and warnings in the build but they do not differ before/after applying the patch. The packages are currently building and will soon be available for testing. Please let me know if you test them.
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa

Dan Streetman (ddstreet) wrote :

Xenial:

ubuntu@lp1780844-x:~$ dpkg -l | grep libxstream-java
ii libxstream-java 1.4.8-1 all Java library to serialize objects to XML and back again
ubuntu@lp1780844-x:~$ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007fcba3ec99d2, pid=12644, tid=0x00007fcba55c6700

ubuntu@lp1780844-x:~$ sudo apt-add-repository ppa:ubuntu-security-proposed/ppa
 Pre-release Ubuntu Security Updates that need additional work or testing.
...

ubuntu@lp1780844-x:~$ dpkg -l | grep libxstream-java
ii libxstream-java 1.4.8-1ubuntu0.1 all Java library to serialize objects to XML and back again
ubuntu@lp1780844-x:~$ java -cp /usr/share/java/xstream-1.4.8.jar:. TestCVE
Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance

Trusty:

ubuntu@lp1780844-t:~$ dpkg -l | grep libxstream-java
ii libxstream-java 1.4.7-1 all Java library to serialize objects to XML and back again
ubuntu@lp1780844-t:~$ java -cp /usr/share/java/xstream-1.4.7.jar:. TestCVE
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f89d9429a32, pid=11183, tid=140230055626496

ubuntu@lp1780844-t:~$ sudo apt-add-repository ppa:ubuntu-security-proposed/ppa
 Pre-release Ubuntu Security Updates that need additional work or testing.
...

ubuntu@lp1780844-t:~$ dpkg -l | grep libxstream-java
ii libxstream-java 1.4.7-1ubuntu0.1 all Java library to serialize objects to XML and back again
ubuntu@lp1780844-t:~$ java -cp /usr/share/java/xstream-1.4.7.jar:. TestCVE
Exception in thread "main" com.thoughtworks.xstream.converters.ConversionException: Type void cannot have an instance

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxstream-java - 1.4.7-1ubuntu0.1

---------------
libxstream-java (1.4.7-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: handle void type class (LP: #1780844)
    - d/p/CVE-2017-7957.patch: Prevent deserialization of void.
    - CVE-2017-7957

 -- Dan Streetman <email address hidden> Mon, 09 Jul 2018 15:29:05 -0400

Changed in libxstream-java (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libxstream-java - 1.4.8-1ubuntu0.1

---------------
libxstream-java (1.4.8-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: handle void type class (LP: #1780844)
    - d/p/CVE-2017-7957.patch: Prevent deserialization of void.
    - CVE-2017-7957

 -- Dan Streetman <email address hidden> Mon, 09 Jul 2018 15:21:51 -0400

Changed in libxstream-java (Ubuntu Xenial):
status: Confirmed → Fix Released