Source: jsap
Version: 2.1-4
Severity: normal
X-Debbugs-Cc: a...@debian.org
Dear maintainer,
libxstream-java has been upgraded to version 1.4.18. XStream now uses
a whitelist as the default for its security framework. For instance jsap
will fail when you try to read arguments from a jsap file like
Before
======
# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Security framework of XStream not explicitly initialized, using predefined black list on your own risk.
Hi, World!
Now
===
# java -cp .:/usr/share/java/xstream.jar com.martiansoftware.jsap.examples.Manual_HelloWorld_9
Exception in thread "main" com.thoughtworks.xstream.security.ForbiddenClassException: com.martiansoftware.jsap.xml.JSAPConfig
    at com.thoughtworks.xstream.security.NoTypePermission.allows(NoTypePermission.java:26)
    at com.thoughtworks.xstream.mapper.SecurityMapper.realClass(SecurityMapper.java:74)
    at com.thoughtworks.xstream.mapper.MapperWrapper.realClass(MapperWrapper.java:125)
    at com.thoughtworks.xstream.mapper.CachingMapper.realClass(CachingMapper.java:47)
    at com.thoughtworks.xstream.core.util.HierarchicalStreams.readClassType(HierarchicalStreams.java:29)
    at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:133)
    at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1482)
    at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1462)
    at com.thoughtworks.xstream.XStream.fromXML(XStream.java:1333)
    at com.martiansoftware.jsap.xml.JSAPConfig.configure(JSAPConfig.java:42)
    at com.martiansoftware.jsap.JSAP.<init>(JSAP.java:366)
    at com.martiansoftware.jsap.examples.Manual_HelloWorld_9.main(Manual_HelloWorld_9.java:22)
Please find attached a patch that allows all classes from the com.martiansoftware.jsap.xml package.
Regards,
Markus
-- System Information:
Debian Release: 11.0
APT prefers stable-security
APT policy: (900, 'stable-security'), (900, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
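
The behaviour change described in this report, and a package-scoped permission that resolves it, shown as an added example (this is not the patch attached to the report and not jsap's own code). It assumes XStream 1.4.18 or later on the classpath; the package `example.jsapdemo`, the class `DemoConfig` and the XML string are constructed stand-ins for `com.martiansoftware.jsap.xml` and `JSAPConfig`.

```java
package example.jsapdemo; // constructed package name (assumption)

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

// Constructed stand-in for a configuration bean such as JSAPConfig.
class DemoConfig {
    String greeting;
}

public class XStreamAllowlistDemo {
    // Constructed sample input.
    static final String XML = "<config><greeting>Hi, World!</greeting></config>";

    static XStream newXStream() {
        XStream xs = new XStream();
        // An alias only maps the element name; it grants no type permission.
        xs.alias("config", DemoConfig.class);
        return xs;
    }

    // True when the default allowlist rejects the aliased application type.
    static boolean deniedByDefault() {
        try {
            newXStream().fromXML(XML);
            return false;
        } catch (ForbiddenClassException e) {
            System.out.println("denied: " + e.getMessage());
            return true;
        }
    }

    // Permit only the types of one package instead of opening up everything.
    static DemoConfig readWithScopedPermission() {
        XStream xs = newXStream();
        // "*" covers this package only; "**" would also cover subpackages.
        xs.allowTypesByWildcard(new String[] { "example.jsapdemo.*" });
        return (DemoConfig) xs.fromXML(XML);
    }

    public static void main(String[] args) {
        System.out.println("rejected by default: " + deniedByDefault());
        System.out.println("with scoped permission: " + readWithScopedPermission().greeting);
    }
}
```

Keeping the wildcard limited to the package that holds the configuration classes leaves every other type subject to XStream's default allowlist.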