diff -Nru libjackson-json-java-1.9.13/debian/changelog libjackson-json-java-1.9.13/debian/changelog
--- libjackson-json-java-1.9.13/debian/changelog 2018-12-30 22:28:06.000000000 +0000
+++ libjackson-json-java-1.9.13/debian/changelog 2020-09-19 19:20:21.000000000 +0000
@@ -1,3 +1,19 @@
+libjackson-json-java (1.9.13-2) unstable; urgency=medium
+
+ * Team upload.
+ * Add upstream fixes.
+ - Serializing types for deeply nested Maps.
+ - Set Secure Processing flag on DocumentBuilderFactory.
+ - Set setExpandEntityReferences(false). (Fixes: CVE-2019-10172)
+ - WriteRawValue surrogate pair fix.
+ - Fix deserialization.
+ - All known security fixes. (Fixes: CVE-2017-15095 and CVE-2017-7525)
+ * Update Standards-Version to 4.5.0
+ * Use debhelper-compat.
+ - Update compat level to 13.
+
+ -- Sudip Mukherjee Sat, 19 Sep 2020 20:20:21 +0100
+
 libjackson-json-java (1.9.13-1) unstable; urgency=medium
 
 * Team upload.
diff -Nru libjackson-json-java-1.9.13/debian/compat libjackson-json-java-1.9.13/debian/compat
--- libjackson-json-java-1.9.13/debian/compat 2018-12-30 22:15:15.000000000 +0000
+++ libjackson-json-java-1.9.13/debian/compat 1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-11
diff -Nru libjackson-json-java-1.9.13/debian/control libjackson-json-java-1.9.13/debian/control
--- libjackson-json-java-1.9.13/debian/control 2018-12-30 22:15:15.000000000 +0000
+++ libjackson-json-java-1.9.13/debian/control 2020-09-18 18:20:42.000000000 +0000
@@ -6,7 +6,7 @@
 Build-Depends: ant (>= 1.6.0),
 bnd (>= 2.1.0),
-debhelper (>= 11),
+debhelper-compat (= 13),
 default-jdk,
 default-jdk-doc,
 javahelper (>= 0.30),
@@ -18,7 +18,7 @@
 libjoda-time-java,
 maven-repo-helper (>= 1.5~),
 libnet-luminis-build-plugin-java (>= 0.2.0-3)
-Standards-Version: 4.3.0
+Standards-Version: 4.5.0
 Vcs-Git: https://salsa.debian.org/java-team/libjackson-json-java.git
 Vcs-Browser: https://salsa.debian.org/java-team/libjackson-json-java
 Homepage: https://github.com/FasterXML/jackson
diff -Nru libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch
--- libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch 1970-01-01 00:00:00.000000000 +0000
+++ libjackson-json-java-1.9.13/debian/patches/0001-fixed-234.patch 2020-09-18 16:10:06.000000000 +0000
@@ -0,0 +1,113 @@ +From 8404cf0b1fb700e5a179abd71137f3057846b80f Mon Sep 17 00:00:00 2001 +From: cowtowncoder +Date: Tue, 13 Aug 2013 04:26:38 +0000 +Subject: [PATCH] fixed #234 + +--- + +upstream link: https://github.com/FasterXML/jackson-1/commit/8404cf0b1fb700e5a179abd71137f3057846b80f + +diff --git a/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java b/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java +index c2c447cb..041da2f4 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java ++++ b/src/mapper/java/org/codehaus/jackson/map/ser/std/MapSerializer.java +@@ -344,7 +344,11 @@ public class MapSerializer + if (cc == prevValueClass) { + currSerializer = prevValueSerializer; + } else { +- currSerializer = provider.findValueSerializer(cc, _property); ++ if (_valueType.hasGenericTypes()) { ++ currSerializer = provider.findValueSerializer(provider.constructSpecializedType(_valueType, cc), _property); ++ } else { ++ currSerializer = provider.findValueSerializer(cc, _property); ++ } + prevValueSerializer = currSerializer; + prevValueClass = cc; + } +@@ -417,6 +421,5 @@ public class MapSerializer + } + return result.serializer; + } +- + } + +diff --git a/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java b/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java +index 15be85e4..97741a35 100644 +--- a/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java ++++ b/src/test/org/codehaus/jackson/map/jsontype/TestDefaultForMaps.java +@@ -39,6 +39,33 @@ public class TestDefaultForMaps + public Map> map; + } + ++ // // For #234 ++ ++ static class ItemList { ++ public String value; ++ public List childItems = new LinkedList(); ++ ++ public void addChildItem(ItemList l) { childItems.add(l); } ++ } ++ ++ static class ItemMap ++ { ++ public String value; ++ ++ public Map> childItems = new HashMap>(); ++ ++ public void addChildItem(String key, ItemMap childItem) { ++ List items; ++ if 
(childItems.containsKey(key)) { ++ items = childItems.get(key); ++ } else { ++ items = new ArrayList(); ++ } ++ items.add(childItem); ++ childItems.put(key, items); ++ } ++ } ++ + /* + /********************************************************** + /* Unit tests +@@ -94,4 +121,38 @@ public class TestDefaultForMaps + return TypeNameIdResolver.construct(mapper.getDeserializationConfig(), + TypeFactory.defaultInstance().constructType(Object.class), subtypes, forSerialization, !forSerialization); + } ++ ++ // // For #234: ++ ++ public void testList() throws Exception ++ { ++ final ObjectMapper mapper = new ObjectMapper(); ++ mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE, JsonTypeInfo.As.PROPERTY); ++ ItemList child = new ItemList(); ++ child.value = "I am child"; ++ ++ ItemList parent = new ItemList(); ++ parent.value = "I am parent"; ++ parent.addChildItem(child); ++ String json = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(parent); ++ ++ Object o = mapper.readValue(json, ItemList.class); ++ assertNotNull(o); ++ } ++ ++ public void testMap() throws Exception ++ { ++ final ObjectMapper mapper = new ObjectMapper(); ++ mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE, JsonTypeInfo.As.PROPERTY); ++ ItemMap child = new ItemMap(); ++ child.value = "I am child"; ++ ++ ItemMap parent = new ItemMap(); ++ parent.value = "I am parent"; ++ parent.addChildItem("child", child); ++ ++ String json = mapper.writerWithDefaultPrettyPrinter().writeValueAsString(parent); ++ Object o = mapper.readValue(json, ItemMap.class); ++ assertNotNull(o); ++ } + } +-- +2.20.1 + diff -Nru libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch --- libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch 1970-01-01 
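Review bot: `testList` and `testMap` in TestDefaultForMaps only assert that `readValue` returned something non-null, so a regression in the new `constructSpecializedType` branch of MapSerializer that still emits parseable JSON would pass both tests. Checking that the nested child actually survived the round trip would pin the behaviour the fix exists for, e.g. `ItemMap result = mapper.readValue(json, ItemMap.class); assertEquals(1, result.childItems.size());` and the equivalent on `childItems` for the list case. Separately, `ItemMap.addChildItem` does a `containsKey` lookup followed by a `get`; a single `get` with a null check reads more simply. The modified MapSerializer method starts and ends outside the hunk.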
00:00:00.000000000 +0000
+++ libjackson-json-java-1.9.13/debian/patches/0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch 2020-09-18 18:20:41.000000000 +0000
@@ -0,0 +1,54 @@ +From 54c6bc36aa57741ea669ad110ce28acaa1600864 Mon Sep 17 00:00:00 2001 +From: PJ Fanning +Date: Fri, 1 Jul 2016 01:49:46 +0100 +Subject: [PATCH] Set Secure Processing flag on DocumentBuilderFactory + +--- + +unstream link: https://github.com/FasterXML/jackson-1/commit/54c6bc36aa57741ea669ad110ce28acaa1600864 + + .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java | 7 +++++++ + .../codehaus/jackson/xc/DomElementJsonDeserializer.java | 1 + + 2 files changed, 8 insertions(+) + +diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java +index 50e6016c..3a486b9e 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java ++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java +@@ -2,7 +2,9 @@ package org.codehaus.jackson.map.ext; + + import java.io.StringReader; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilderFactory; ++import javax.xml.parsers.ParserConfigurationException; + + import org.codehaus.jackson.map.DeserializationContext; + import org.codehaus.jackson.map.deser.std.FromStringDeserializer; +@@ -22,6 +24,11 @@ public abstract class DOMDeserializer extends FromStringDeserializer + _parserFactory = DocumentBuilderFactory.newInstance(); + // yup, only cave men do XML without recognizing namespaces... 
+ _parserFactory.setNamespaceAware(true); ++ try { ++ _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); ++ } catch(ParserConfigurationException pce) { ++ System.err.println("[DOMDeserializer] Problem setting SECURE_PROCESSING_FEATURE: " + pce.toString()); ++ } + } + + protected DOMDeserializer(Class cls) { super(cls); } +diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java +index cf9c073d..ccd631aa 100644 +--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java ++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java +@@ -30,6 +30,7 @@ public class DomElementJsonDeserializer + try { + DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance(); + bf.setNamespaceAware(true); ++ bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true); + builder = bf.newDocumentBuilder(); + } catch (ParserConfigurationException e) { + throw new RuntimeException(); +-- +2.20.1 + diff -Nru libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch --- libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch 1970-01-01 00:00:00.000000000 +0000 +++ libjackson-json-java-1.9.13/debian/patches/0003-setExpandEntityReferences-false.patch 2020-09-18 18:20:41.000000000 +0000 
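Review bot: In DOMDeserializer the new `catch(ParserConfigurationException pce)` prints to `System.err` and then carries on with a factory on which `FEATURE_SECURE_PROCESSING` could not be enabled, so on a JAXP implementation that rejects the feature the hardening silently degrades to nothing. Failing closed is the safer behaviour here: `throw new IllegalStateException("Cannot enable FEATURE_SECURE_PROCESSING on DocumentBuilderFactory", pce);` — the surrounding initializer starts outside the hunk, so if it is a static block this surfaces as an ExceptionInInitializerError, which is still preferable to a live, unhardened factory. Writing to `System.err` from library code is also inconsistent with the DomElementJsonDeserializer half of the same patch, which surfaces the same failure as an exception.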
@@ -0,0 +1,45 @@ +From 2361ec46b5fbf940bafe8247e421e64f9cb7f7b1 Mon Sep 17 00:00:00 2001 +From: PJ Fanning +Date: Fri, 1 Jul 2016 22:57:06 +0100 +Subject: [PATCH] setExpandEntityReferences(false) + +--- + +upstream link: https://github.com/FasterXML/jackson-1/commit/2361ec46b5fbf940bafe8247e421e64f9cb7f7b1 + + .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java | 1 + + .../org/codehaus/jackson/xc/DomElementJsonDeserializer.java | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java +index 3a486b9e..97f76af9 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java ++++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java +@@ -24,6 +24,7 @@ public abstract class DOMDeserializer extends FromStringDeserializer + _parserFactory = DocumentBuilderFactory.newInstance(); + // yup, only cave men do XML without recognizing namespaces... 
+ _parserFactory.setNamespaceAware(true); ++ _parserFactory.setExpandEntityReferences(false); + try { + _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + } catch(ParserConfigurationException pce) { +diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java +index ccd631aa..8b1de578 100644 +--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java ++++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java +@@ -30,10 +30,11 @@ public class DomElementJsonDeserializer + try { + DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance(); + bf.setNamespaceAware(true); ++ bf.setExpandEntityReferences(false); + bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true); + builder = bf.newDocumentBuilder(); + } catch (ParserConfigurationException e) { +- throw new RuntimeException(); ++ throw new RuntimeException("Problem creating DocumentBuilder: " + e.toString()); + } + } + +-- +2.20.1 + diff -Nru libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch --- libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch 1970-01-01 00:00:00.000000000 +0000 +++ libjackson-json-java-1.9.13/debian/patches/0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch 2020-09-18 18:20:41.000000000 +0000 
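Review bot: `setExpandEntityReferences(false)` controls whether entity references are expanded into the resulting DOM tree and, on its own, is generally not considered a complete defence against external entity resolution: depending on the JAXP implementation the parser may still process a DOCTYPE and fetch external DTDs or entities before that setting has any effect. The usual complement on both factories is to reject DOCTYPE declarations outright inside the existing try/catch, `bf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, so an implementation lacking the feature fails loudly rather than silently. The rewritten `throw new RuntimeException("Problem creating DocumentBuilder: " + e.toString());` in DomElementJsonDeserializer still drops the original exception as cause; passing `e` as the second constructor argument keeps the stack trace.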
@@ -0,0 +1,90 @@ +From 298849da99b27d86fe581781086fb39809cd83bf Mon Sep 17 00:00:00 2001 +From: Marcin Szczepanski +Date: Mon, 11 Jul 2016 10:33:52 +1000 +Subject: [PATCH] Backport writeRawValue surrogate pair fix from 2.x + +This is a backport of a Jackson 2.x fix: +https://github.com/FasterXML/jackson-core/commit/5e14c461c04f71fc3f35a5ac2e75ed2df0d7c462 +--- + +upstream link: https://github.com/FasterXML/jackson-1/commit/298849da99b27d86fe581781086fb39809cd83bf + + .../codehaus/jackson/impl/Utf8Generator.java | 6 ++--- + .../jackson/impl/TestUtf8Generator.java | 24 +++++++++++++++++++ + 2 files changed, 27 insertions(+), 3 deletions(-) + +diff --git a/src/java/org/codehaus/jackson/impl/Utf8Generator.java b/src/java/org/codehaus/jackson/impl/Utf8Generator.java +index ccc25cd3..8ac6bd00 100644 +--- a/src/java/org/codehaus/jackson/impl/Utf8Generator.java ++++ b/src/java/org/codehaus/jackson/impl/Utf8Generator.java +@@ -754,7 +754,7 @@ public class Utf8Generator + _outputBuffer[_outputTail++] = (byte) (0xc0 | (ch >> 6)); + _outputBuffer[_outputTail++] = (byte) (0x80 | (ch & 0x3f)); + } else { +- _outputRawMultiByteChar(ch, cbuf, offset, len); ++ offset = _outputRawMultiByteChar(ch, cbuf, offset, len); + } + } + } +@@ -812,7 +812,7 @@ public class Utf8Generator + bbuf[_outputTail++] = (byte) (0xc0 | (ch >> 6)); + bbuf[_outputTail++] = (byte) (0x80 | (ch & 0x3f)); + } else { +- _outputRawMultiByteChar(ch, cbuf, offset, len); ++ offset = _outputRawMultiByteChar(ch, cbuf, offset, len); + } + } + } +@@ -1643,7 +1643,7 @@ public class Utf8Generator + if (ch >= SURR1_FIRST) { + if (ch <= SURR2_LAST) { // yes, outside of BMP + // Do we have second part? +- if (inputOffset >= inputLen) { // nope... have to note down ++ if (inputOffset >= inputLen || cbuf == null) { // nope... 
have to note down + _reportError("Split surrogate on writeRaw() input (last character)"); + } + _outputSurrogates(ch, cbuf[inputOffset]); +diff --git a/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java b/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java +index c4e12c3a..48461376 100644 +--- a/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java ++++ b/src/test/org/codehaus/jackson/impl/TestUtf8Generator.java +@@ -2,7 +2,10 @@ package org.codehaus.jackson.impl; + + import java.io.ByteArrayOutputStream; + ++import org.codehaus.jackson.JsonFactory; + import org.codehaus.jackson.JsonGenerator; ++import org.codehaus.jackson.JsonParser; ++import org.codehaus.jackson.JsonToken; + import org.codehaus.jackson.io.IOContext; + import org.codehaus.jackson.util.BufferRecycler; + +@@ -25,4 +28,25 @@ public class TestUtf8Generator + gen.writeString(str); + gen.flush(); + } ++ ++ public void testSurrogatesWithRaw() throws Exception ++ { ++ final String VALUE = quote("\uD83C\uDF89"); ++ ByteArrayOutputStream bytes = new ByteArrayOutputStream(); ++ IOContext ioc = new IOContext(new BufferRecycler(), bytes, true); ++ JsonGenerator jgen = new Utf8Generator(ioc, 0, null, bytes); ++ jgen.writeRawValue(VALUE); ++ jgen.close(); ++ ++ final byte[] JSON = bytes.toByteArray(); ++ ++ JsonParser jp = new JsonFactory().createJsonParser(JSON); ++ assertToken(JsonToken.VALUE_STRING, jp.nextToken()); ++ String str = jp.getText(); ++ assertEquals(2, str.length()); ++ assertEquals((char) 0xD83C, str.charAt(0)); ++ assertEquals((char) 0xDF89, str.charAt(1)); ++ System.out.println(str); ++ jp.close(); ++ } + } +-- +2.20.1 + diff -Nru libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch --- libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch 1970-01-01 00:00:00.000000000 +0000 +++ libjackson-json-java-1.9.13/debian/patches/0005-fix-deserialization.patch 2020-09-18 
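Review bot: `testSurrogatesWithRaw` in TestUtf8Generator leaves a `System.out.println(str);` debug print after the assertions, which writes a non-ASCII string to stdout on every run and adds nothing the `assertEquals` calls do not already check; drop that line. The `cbuf == null` guard added to the split-surrogate branch in Utf8Generator only prevents the `cbuf[inputOffset]` dereference on the following line if `_reportError` never returns, which the code relies on without saying so; a one-line comment such as `// _reportError throws; the indexing below is unreachable on this path` would make that dependence explicit (the enclosing method starts outside the hunk).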
18:20:41.000000000 +0000 
@@ -0,0 +1,86 @@ +From b4c841aea501341fb1d7e62fa4f25a57ed990134 Mon Sep 17 00:00:00 2001 +From: Pawel Niegowski +Date: Fri, 21 Apr 2017 14:47:42 +0200 +Subject: [PATCH] fix deserialization + +--- + +Upstream link: https://github.com/FasterXML/jackson-1/commit/b4c841aea501341fb1d7e62fa4f25a57ed990134 + + .../map/deser/BeanDeserializerFactory.java | 48 +++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java +index 620c9dce..b8c0c180 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java ++++ b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java +@@ -31,6 +31,37 @@ public class BeanDeserializerFactory + */ + private final static Class[] INIT_CAUSE_PARAMS = new Class[] { Throwable.class }; + ++ /** ++ * Set of well-known "nasty classes", deserialization of which is considered dangerous ++ * and should (and is) prevented by default. ++ * ++ * @since 1.9.13-atlassian-2 ++ */ ++ protected final static Set DEFAULT_NO_DESER_CLASS_NAMES; ++ ++ static ++ { ++ Set s = new HashSet(); ++ // Courtesy of [https://github.com/kantega/notsoserial]: ++ // (and wrt [databind#1599] ++ s.add("org.apache.commons.collections.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections.functors.InstantiateTransformer"); ++ s.add("org.apache.commons.collections4.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); ++ s.add("org.codehaus.groovy.runtime.ConvertedClosure"); ++ s.add("org.codehaus.groovy.runtime.MethodClosure"); ++ s.add("org.springframework.beans.factory.ObjectFactory"); ++ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); ++ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); ++ } ++ ++ /** ++ * Set of class names of types that are never to be deserialized. 
++ * ++ * @since 1.9.13-atlassian-2 ++ */ ++ protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; ++ + /* + /********************************************************** + /* Config class implementation +@@ -632,6 +663,7 @@ public class BeanDeserializerFactory + if (!isPotentialBeanType(type.getRawClass())) { + return null; + } ++ checkIllegalTypes(type); + // Use generic bean introspection to build deserializer + return buildBeanDeserializer(config, type, beanDesc, property); + } +@@ -1473,4 +1505,20 @@ public class BeanDeserializerFactory + } + return status; + } ++ ++ /** ++ * @since 2.8.9 ++ */ ++ protected void checkIllegalTypes(JavaType type) ++ throws JsonMappingException ++ { ++ // There are certain nasty classes that could cause problems, mostly ++ // via default typing -- catch them here. ++ String full = type.getRawClass().getName(); ++ ++ if (_cfgIllegalClassNames.contains(full)) ++ { ++ throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); ++ } ++ } + } +-- +2.20.1 + diff -Nru libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch --- libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch 1970-01-01 00:00:00.000000000 +0000 +++ libjackson-json-java-1.9.13/debian/patches/0006-Backport-all-known-security-fixes-from-2.x-that-were.patch 2020-09-18 18:20:41.000000000 +0000 
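Review bot: `checkIllegalTypes` is only reached after `isPotentialBeanType` has accepted the raw class in the bean-deserializer construction path, and it compares the exact runtime class name against `_cfgIllegalClassNames`; both are inherent limits of a name-based denylist rather than bugs, but neither is stated anywhere in the new code. A short note on the method would keep the next maintainer from assuming broader coverage, e.g. `// Exact-name check on the bean-deserializer path only; restricting default typing at the ObjectMapper remains the primary control.` The `_cfgIllegalClassNames` field is protected and non-final with no accessor, so it is unclear whether subclasses are meant to override it or it is effectively a constant; if the latter, `final` would say so. The modified bean-creation method starts and ends outside the hunk.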
@@ -0,0 +1,239 @@ +From 9ac68db819bce7b9546bc4bf1c44f82ca910fa31 Mon Sep 17 00:00:00 2001 +From: Tatu Saloranta +Date: Wed, 20 Dec 2017 16:50:14 -0800 +Subject: [PATCH] Backport all known security fixes from 2.x that were missing, related to public CVEs. + +--- + +upstream link: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31 + +diff --git a/src/java/org/codehaus/jackson/type/JavaType.java b/src/java/org/codehaus/jackson/type/JavaType.java +index 3b216491..871bca4b 100644 +--- a/src/java/org/codehaus/jackson/type/JavaType.java ++++ b/src/java/org/codehaus/jackson/type/JavaType.java +@@ -479,6 +479,11 @@ public abstract class JavaType + /********************************************************** + */ + ++ // since 1.9.14: needed by one of the patches ++ public final boolean isTypeOrSubTypeOf(Class clz) { ++ return (_class == clz) || clz.isAssignableFrom(_class); ++ } ++ + protected void _assertSubclass(Class subclass, Class superClass) + { + if (!_class.isAssignableFrom(subclass)) { +diff --git a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java +index b8c0c180..ffeadb12 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java ++++ b/src/mapper/java/org/codehaus/jackson/map/deser/BeanDeserializerFactory.java +@@ -9,6 +9,7 @@ import org.codehaus.jackson.map.deser.impl.CreatorProperty; + import org.codehaus.jackson.map.deser.std.StdKeyDeserializers; + import org.codehaus.jackson.map.deser.std.ThrowableDeserializer; + import org.codehaus.jackson.map.introspect.*; ++import org.codehaus.jackson.map.jsontype.impl.SubTypeValidator; + import org.codehaus.jackson.map.type.*; + import org.codehaus.jackson.map.util.ArrayBuilders; + import org.codehaus.jackson.map.util.ClassUtil; +@@ -31,37 +32,6 @@ public class BeanDeserializerFactory + */ + private final static Class[] INIT_CAUSE_PARAMS = new Class[] { 
Throwable.class }; + +- /** +- * Set of well-known "nasty classes", deserialization of which is considered dangerous +- * and should (and is) prevented by default. +- * +- * @since 1.9.13-atlassian-2 +- */ +- protected final static Set DEFAULT_NO_DESER_CLASS_NAMES; +- +- static +- { +- Set s = new HashSet(); +- // Courtesy of [https://github.com/kantega/notsoserial]: +- // (and wrt [databind#1599] +- s.add("org.apache.commons.collections.functors.InvokerTransformer"); +- s.add("org.apache.commons.collections.functors.InstantiateTransformer"); +- s.add("org.apache.commons.collections4.functors.InvokerTransformer"); +- s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); +- s.add("org.codehaus.groovy.runtime.ConvertedClosure"); +- s.add("org.codehaus.groovy.runtime.MethodClosure"); +- s.add("org.springframework.beans.factory.ObjectFactory"); +- s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); +- DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); +- } +- +- /** +- * Set of class names of types that are never to be deserialized. +- * +- * @since 1.9.13-atlassian-2 +- */ +- protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; +- + /* + /********************************************************** + /* Config class implementation +@@ -265,6 +235,12 @@ public class BeanDeserializerFactory + */ + protected final Config _factoryConfig; + ++ /** ++ * ++ * @since 1.9.14 ++ */ ++ protected SubTypeValidator _subtypeValidator = SubTypeValidator.instance(); ++ + @Deprecated + public BeanDeserializerFactory() { + this(null); +@@ -1507,18 +1483,13 @@ public class BeanDeserializerFactory + } + + /** +- * @since 2.8.9 ++ * @since 1.9.14 + */ +- protected void checkIllegalTypes(JavaType type) +- throws JsonMappingException ++ protected void checkIllegalTypes(JavaType type) throws JsonMappingException + { + // There are certain nasty classes that could cause problems, mostly + // via default typing -- catch them here. 
+- String full = type.getRawClass().getName(); +- +- if (_cfgIllegalClassNames.contains(full)) +- { +- throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); +- } ++ _subtypeValidator.validateSubType(type); ++ //throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); + } + } +diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java +index c9fd65e1..c9a00011 100644 +--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java ++++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/ClassNameIdResolver.java +@@ -46,8 +46,16 @@ public class ClassNameIdResolver + * to do translation when necessary + */ + if (id.indexOf('<') > 0) { +- JavaType t = TypeFactory.fromCanonical(id); + // note: may want to try combining with specialization (esp for EnumMap) ++ // 17-Aug-2017, tatu: As per [databind#1735] need to ensure assignment ++ // compatibility -- needed later anyway, and not doing so may open ++ // security issues. 
++ JavaType t = _typeFactory.constructFromCanonical(id); ++ if (!t.isTypeOrSubTypeOf(_baseType.getRawClass())) { ++ // Probably cleaner to have a method in `TypeFactory` but can't add in patch ++ throw new IllegalArgumentException(String.format( ++ "Class %s not subtype of %s", t.getRawClass().getName(), _baseType)); ++ } + return t; + } + try { +diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java +new file mode 100644 +index 00000000..865c20e7 +--- /dev/null ++++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java +@@ -0,0 +1,97 @@ ++package org.codehaus.jackson.map.jsontype.impl; ++ ++import java.util.Collections; ++import java.util.HashSet; ++import java.util.Set; ++ ++import org.codehaus.jackson.map.JsonMappingException; ++import org.codehaus.jackson.type.JavaType; ++ ++/** ++ * Helper class used to encapsulate rules that determine subtypes that ++ * are invalid to use, even with default typing, mostly due to security ++ * concerns. ++ * Used by BeanDeserializerFactory ++ * ++ * @since 1.9.14 ++ */ ++public class SubTypeValidator ++{ ++ protected final static String PREFIX_STRING = "org.springframework."; ++ /** ++ * Set of well-known "nasty classes", deserialization of which is considered dangerous ++ * and should (and is) prevented by default. 
++ */ ++ protected final static Set DEFAULT_NO_DESER_CLASS_NAMES; ++ static { ++ Set s = new HashSet(); ++ // Courtesy of [https://github.com/kantega/notsoserial]: ++ // (and wrt [databind#1599]) ++ s.add("org.apache.commons.collections.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections.functors.InstantiateTransformer"); ++ s.add("org.apache.commons.collections4.functors.InvokerTransformer"); ++ s.add("org.apache.commons.collections4.functors.InstantiateTransformer"); ++ s.add("org.codehaus.groovy.runtime.ConvertedClosure"); ++ s.add("org.codehaus.groovy.runtime.MethodClosure"); ++ s.add("org.springframework.beans.factory.ObjectFactory"); ++ s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"); ++ s.add("org.apache.xalan.xsltc.trax.TemplatesImpl"); ++ // [databind#1680]: may or may not be problem, take no chance ++ s.add("com.sun.rowset.JdbcRowSetImpl"); ++ // [databind#1737]; JDK provided ++ s.add("java.util.logging.FileHandler"); ++ s.add("java.rmi.server.UnicastRemoteObject"); ++ // [databind#1737]; 3rd party ++//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855] ++ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean"); ++ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); ++ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); ++ // [databind#1855]: more 3rd party ++ s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); ++ s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); ++ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); ++ } ++ ++ /** ++ * Set of class names of types that are never to be deserialized. 
++ */ ++ protected Set _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES; ++ ++ private final static SubTypeValidator instance = new SubTypeValidator(); ++ ++ protected SubTypeValidator() { } ++ ++ public static SubTypeValidator instance() { return instance; } ++ ++ public void validateSubType(JavaType type) throws JsonMappingException ++ { ++ // There are certain nasty classes that could cause problems, mostly ++ // via default typing -- catch them here. ++ final Class raw = type.getRawClass(); ++ String full = raw.getName(); ++ ++ main_check: ++ do { ++ if (_cfgIllegalClassNames.contains(full)) { ++ break; ++ } ++ ++ // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling ++ // for some Spring framework types ++ if (full.startsWith(PREFIX_STRING)) { ++ for (Class cls = raw; cls != Object.class; cls = cls.getSuperclass()) { ++ String name = cls.getSimpleName(); ++ // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there? ++ if ("AbstractPointcutAdvisor".equals(name) ++ // ditto for "FileSystemXmlApplicationContext": block all ApplicationContexts ++ || "AbstractApplicationContext".equals(name)) { ++ break main_check; ++ } ++ } ++ } ++ return; ++ } while (false); ++ ++ throw new JsonMappingException("Illegal type (" + full + ") to deserialize: prevented for security reasons"); ++ } ++} +-- +2.20.1 + diff -Nru libjackson-json-java-1.9.13/debian/patches/series libjackson-json-java-1.9.13/debian/patches/series --- libjackson-json-java-1.9.13/debian/patches/series 2018-12-30 22:15:15.000000000 +0000 +++ libjackson-json-java-1.9.13/debian/patches/series 2020-09-18 16:10:06.000000000 +0000 @@ -1 +1,7 @@ java9.patch +0001-fixed-234.patch +0002-Set-Secure-Processing-flag-on-DocumentBuilderFactory.patch +0003-setExpandEntityReferences-false.patch +0004-Backport-writeRawValue-surrogate-pair-fix-from-2.x.patch +0005-fix-deserialization.patch +0006-Backport-all-known-security-fixes-from-2.x-that-were.patch
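Review bot: In `SubTypeValidator.validateSubType` the superclass walk `for (Class cls = raw; cls != Object.class; cls = cls.getSuperclass())` dereferences `cls` after `getSuperclass()` may have returned null, which it does for an interface (the loop starts at `raw` itself); if an interface type under the `org.springframework.` prefix that is not in the name set reaches the validator, the result is a NullPointerException from `cls.getSimpleName()` rather than the intended `JsonMappingException` or a clean return, and callers that catch the mapping exception will not see it. Guarding the loop, `for (Class cls = raw; cls != null && cls != Object.class; cls = cls.getSuperclass())`, keeps the check's outcome well-defined for every type. In BeanDeserializerFactory the rewritten `checkIllegalTypes` leaves a commented-out `//throw new JsonMappingException(...)` after the `_subtypeValidator.validateSubType(type);` call that should be removed, and the javadoc on the new `_subtypeValidator` field has an empty description before `@since 1.9.14`; something like `/** Validator consulted by checkIllegalTypes before a bean deserializer is built. */` would do. In ClassNameIdResolver the new `isTypeOrSubTypeOf` check sits only in the `id.indexOf('<') > 0` branch; the plain-class branch below it is outside the hunk, and if it does not apply the same assignability check the guard is one-sided.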