diff -Nru libslf4j-java-1.7.25/debian/changelog libslf4j-java-1.7.25/debian/changelog --- libslf4j-java-1.7.25/debian/changelog 2017-11-20 08:23:49.000000000 +0000 +++ libslf4j-java-1.7.25/debian/changelog 2018-03-28 09:48:23.000000000 +0000 @@ -1,3 +1,16 @@ +libslf4j-java (1.7.25-3) unstable; urgency=medium + + * Team upload. + * Fix CVE-2018-8088: Deserialisation vulnerability in EventData constructor + can allow for arbitrary code execution. The EventData class was completely + removed due to security concerns. (Closes: #893684) + * Use compat level 11. + * Remove Damien Raude-Morvan from Uploaders. (Closes: #889393) + * Use https for Format field. + * Declare compliance with Debian Policy 4.1.3. + + -- Markus Koschany Wed, 28 Mar 2018 11:48:23 +0200 + libslf4j-java (1.7.25-2) unstable; urgency=medium * Ignore the dependency on wagon-ssh @@ -155,12 +168,12 @@ * New upstream release. * Merge changes from Ubuntu, thanks to James Page (Closes: #646092) : + Enable test suite: - - d/ant.properties, d/build.xml: Define new targets to compile and + - d/ant.properties, d/build.xml: Define new targets to compile and execute test suites for all jar files. - d/control: Add ant-optional and junit to B-D's. - d/rules: Define DEB_ANT_CHECK_TARGET to execute test suite and add ant-junit and junit to DEB_JARS. - + d/control: Remove surplus dependencies - libjavassist-java, + + d/control: Remove surplus dependencies - libjavassist-java, libcommons-lang-java -- Damien Raude-Morvan Tue, 01 Nov 2011 23:48:41 +0100 
@@ -230,7 +243,7 @@ * Add a Build-Depends-Indep dependency on maven-repo-helper * Use mh_installpom and mh_installjar to install the POM and the jar to the Maven repository - * Fix Lintian warning: license for the Debian packaging is GPL version 2, + * Fix Lintian warning: license for the Debian packaging is GPL version 2, according to Varun Hiremath. * Use default-jdk instead of default-jdk-builddep for Build-Depends as no components are built with gcj. diff -Nru libslf4j-java-1.7.25/debian/compat libslf4j-java-1.7.25/debian/compat --- libslf4j-java-1.7.25/debian/compat 2017-05-16 13:56:07.000000000 +0000 +++ libslf4j-java-1.7.25/debian/compat 2018-03-28 09:46:12.000000000 +0000 @@ -1 +1 @@ -10 +11 diff -Nru libslf4j-java-1.7.25/debian/control libslf4j-java-1.7.25/debian/control --- libslf4j-java-1.7.25/debian/control 2017-11-20 08:23:30.000000000 +0000 +++ libslf4j-java-1.7.25/debian/control 2018-03-28 09:48:10.000000000 +0000 @@ -4,11 +4,10 @@ Maintainer: Debian Java Maintainers Uploaders: Varun Hiremath , - Damien Raude-Morvan , Emmanuel Bourg , Jakub Adam Build-Depends: - debhelper (>= 10), + debhelper (>= 11), default-jdk, junit4, libbuild-helper-maven-plugin-java, @@ -17,7 +16,7 @@ libmaven-antrun-plugin-java, libmaven-install-plugin-java, maven-debian-helper (>= 2.2~) -Standards-Version: 4.1.1 +Standards-Version: 4.1.3 Vcs-Git: https://anonscm.debian.org/git/pkg-java/libslf4j-java.git Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/libslf4j-java.git Homepage: http://www.slf4j.org diff -Nru libslf4j-java-1.7.25/debian/copyright libslf4j-java-1.7.25/debian/copyright --- libslf4j-java-1.7.25/debian/copyright 2017-11-20 08:23:22.000000000 +0000 +++ libslf4j-java-1.7.25/debian/copyright 2018-03-28 09:47:18.000000000 +0000 
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: Simple Logging Facade for Java (SLF4J)
 Source: http://www.slf4j.org/dist/
 Comment:
diff -Nru libslf4j-java-1.7.25/debian/patches/CVE-2018-8088.patch libslf4j-java-1.7.25/debian/patches/CVE-2018-8088.patch
--- libslf4j-java-1.7.25/debian/patches/CVE-2018-8088.patch 1970-01-01 00:00:00.000000000 +0000
+++ libslf4j-java-1.7.25/debian/patches/CVE-2018-8088.patch 2018-03-28 09:46:00.000000000 +0000
@@ -0,0 +1,324 @@
+From: Markus Koschany
+Date: Sun, 25 Mar 2018 20:14:24 +0200
+Subject: CVE-2018-8088
+
+Bug-Upstream: https://jira.qos.ch/browse/SLF4J-430
+Bug-Debian: https://bugs.debian.org/893684
+Forwarded: not-needed
+---
+ .../src/main/java/org/slf4j/ext/EventData.java | 305 ---------------------
+ 1 file changed, 305 deletions(-)
+ delete mode 100644 slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+
+diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+deleted file mode 100644
+index dc5b502..0000000
+--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
++++ /dev/null
+@@ -1,305 +0,0 @@
+-/**
+- * Copyright (c) 2004-2011 QOS.ch
+- * All rights reserved.
+- *
+- * Permission is hereby granted, free of charge, to any person obtaining
+- * a copy of this software and associated documentation files (the
+- * "Software"), to deal in the Software without restriction, including
+- * without limitation the rights to use, copy, modify, merge, publish,
+- * distribute, sublicense, and/or sell copies of the Software, and to
+- * permit persons to whom the Software is furnished to do so, subject to
+- * the following conditions:
+- *
+- * The above copyright notice and this permission notice shall be
+- * included in all copies or substantial portions of the Software.
+- *
+- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+- * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+- * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+- * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+- *
+- */
+-package org.slf4j.ext;
+-
+-import java.io.Serializable;
+-import java.io.ByteArrayInputStream;
+-import java.io.ByteArrayOutputStream;
+-import java.util.Date;
+-import java.util.HashMap;
+-import java.util.Iterator;
+-import java.util.Map;
+-import java.beans.XMLDecoder;
+-import java.beans.XMLEncoder;
+-import java.beans.ExceptionListener;
+-
+-/**
+- * Base class for Event Data. Event Data contains data to be logged about an
+- * event. Users may extend this class for each EventType they want to log.
+- *
+- * @author Ralph Goers
+- */
+-public class EventData implements Serializable {
+-
+- private static final long serialVersionUID = 153270778642103985L;
+-
+- private Map eventData = new HashMap();
+- public static final String EVENT_MESSAGE = "EventMessage";
+- public static final String EVENT_TYPE = "EventType";
+- public static final String EVENT_DATETIME = "EventDateTime";
+- public static final String EVENT_ID = "EventId";
+-
+- /**
+- * Default Constructor
+- */
+- public EventData() {
+- }
+-
+- /**
+- * Constructor to create event data from a Map.
+- *
+- * @param map
+- * The event data.
+- */
+- public EventData(Map map) {
+- eventData.putAll(map);
+- }
+-
+- /**
+- * Construct from a serialized form of the Map containing the RequestInfo
+- * elements
+- *
+- * @param xml
+- * The serialized form of the RequestInfo Map.
+- */
+- @SuppressWarnings("unchecked")
+- public EventData(String xml) {
+- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+- try {
+- XMLDecoder decoder = new XMLDecoder(bais);
+- this.eventData = (Map) decoder.readObject();
+- } catch (Exception e) {
+- throw new EventException("Error decoding " + xml, e);
+- }
+- }
+-
+- /**
+- * Serialize all the EventData items into an XML representation.
+- *
+- * @return an XML String containing all the EventData items.
+- */
+- public String toXML() {
+- return toXML(eventData);
+- }
+-
+- /**
+- * Serialize all the EventData items into an XML representation.
+- *
+- * @param map the Map to transform
+- * @return an XML String containing all the EventData items.
+- */
+- public static String toXML(Map map) {
+- ByteArrayOutputStream baos = new ByteArrayOutputStream();
+- try {
+- XMLEncoder encoder = new XMLEncoder(baos);
+- encoder.setExceptionListener(new ExceptionListener() {
+- public void exceptionThrown(Exception exception) {
+- exception.printStackTrace();
+- }
+- });
+- encoder.writeObject(map);
+- encoder.close();
+- return baos.toString();
+- } catch (Exception e) {
+- e.printStackTrace();
+- return null;
+- }
+- }
+-
+- /**
+- * Retrieve the event identifier.
+- *
+- * @return The event identifier
+- */
+- public String getEventId() {
+- return (String) this.eventData.get(EVENT_ID);
+- }
+-
+- /**
+- * Set the event identifier.
+- *
+- * @param eventId
+- * The event identifier.
+- */
+- public void setEventId(String eventId) {
+- if (eventId == null) {
+- throw new IllegalArgumentException("eventId cannot be null");
+- }
+- this.eventData.put(EVENT_ID, eventId);
+- }
+-
+- /**
+- * Retrieve the message text associated with this event, if any.
+- *
+- * @return The message text associated with this event or null if there is
+- * none.
+- */
+- public String getMessage() {
+- return (String) this.eventData.get(EVENT_MESSAGE);
+- }
+-
+- /**
+- * Set the message text associated with this event.
+- *
+- * @param message
+- * The message text.
+- */
+- public void setMessage(String message) {
+- this.eventData.put(EVENT_MESSAGE, message);
+- }
+-
+- /**
+- * Retrieve the date and time the event occurred.
+- *
+- * @return The Date associated with the event.
+- */
+- public Date getEventDateTime() {
+- return (Date) this.eventData.get(EVENT_DATETIME);
+- }
+-
+- /**
+- * Set the date and time the event occurred in case it is not the same as when
+- * the event was logged.
+- *
+- * @param eventDateTime
+- * The event Date.
+- */
+- public void setEventDateTime(Date eventDateTime) {
+- this.eventData.put(EVENT_DATETIME, eventDateTime);
+- }
+-
+- /**
+- * Set the type of event that occurred.
+- *
+- * @param eventType
+- * The type of the event.
+- */
+- public void setEventType(String eventType) {
+- this.eventData.put(EVENT_TYPE, eventType);
+- }
+-
+- /**
+- * Retrieve the type of the event.
+- *
+- * @return The event type.
+- */
+- public String getEventType() {
+- return (String) this.eventData.get(EVENT_TYPE);
+- }
+-
+- /**
+- * Add arbitrary attributes about the event.
+- *
+- * @param name
+- * The attribute's key.
+- * @param obj
+- * The data associated with the key.
+- */
+- public void put(String name, Serializable obj) {
+- this.eventData.put(name, obj);
+- }
+-
+- /**
+- * Retrieve an event attribute.
+- *
+- * @param name
+- * The attribute's key.
+- * @return The value associated with the key or null if the key is not
+- * present.
+- */
+- public Serializable get(String name) {
+- return (Serializable) this.eventData.get(name);
+- }
+-
+- /**
+- * Populate the event data from a Map.
+- *
+- * @param data
+- * The Map to copy.
+- */
+- public void putAll(Map data) {
+- this.eventData.putAll(data);
+- }
+-
+- /**
+- * Returns the number of attributes in the EventData.
+- *
+- * @return the number of attributes in the EventData.
+- */
+- public int getSize() {
+- return this.eventData.size();
+- }
+-
+- /**
+- * Returns an Iterator over all the entries in the EventData.
+- *
+- * @return an Iterator that can be used to access all the event attributes.
+- */
+- public Iterator> getEntrySetIterator() {
+- return this.eventData.entrySet().iterator();
+- }
+-
+- /**
+- * Retrieve all the attributes in the EventData as a Map. Changes to this map
+- * will be reflected in the EventData.
+- *
+- * @return The Map of attributes in this EventData instance.
+- */
+- public Map getEventMap() {
+- return this.eventData;
+- }
+-
+- /**
+- * Convert the EventData to a String.
+- *
+- * @return The EventData as a String.
+- */
+- @Override
+- public String toString() {
+- return toXML();
+- }
+-
+- /**
+- * Compare two EventData objects for equality.
+- *
+- * @param o
+- * The Object to compare.
+- * @return true if the objects are the same instance or contain all the same
+- * keys and their values.
+- */
+- @SuppressWarnings("unchecked")
+- @Override
+- public boolean equals(Object o) {
+- if (this == o) {
+- return true;
+- }
+- if (!(o instanceof EventData || o instanceof Map)) {
+- return false;
+- }
+- Map map = (o instanceof EventData) ? ((EventData) o).getEventMap() : (Map) o;
+-
+- return this.eventData.equals(map);
+- }
+-
+- /**
+- * Compute the hashCode for this EventData instance.
+- *
+- * @return The hashcode for this EventData instance.
+- */
+- @Override
+- public int hashCode() {
+- return this.eventData.hashCode();
+- }
+-}
+\ No newline at end of file
diff -Nru libslf4j-java-1.7.25/debian/patches/series libslf4j-java-1.7.25/debian/patches/series
--- libslf4j-java-1.7.25/debian/patches/series 2017-05-16 13:56:07.000000000 +0000
+++ libslf4j-java-1.7.25/debian/patches/series 2018-03-25 18:16:38.000000000 +0000
@@ -1,2 +1,3 @@
 slf4j-api-MANIFEST.patch
 disable-MultithreadedInitializationTest.patch
+CVE-2018-8088.patch
diff -Nru libslf4j-java-1.7.25/debian/patches/slf4j-api-MANIFEST.patch libslf4j-java-1.7.25/debian/patches/slf4j-api-MANIFEST.patch
--- libslf4j-java-1.7.25/debian/patches/slf4j-api-MANIFEST.patch 2017-05-16 13:56:07.000000000 +0000
+++ libslf4j-java-1.7.25/debian/patches/slf4j-api-MANIFEST.patch 2018-03-25 18:14:38.000000000 +0000
@@ -10,9 +10,11 @@
 slf4j-api/src/main/resources/META-INF/MANIFEST.MF | 1 -
 1 file changed, 1 deletion(-)
 
+diff --git a/slf4j-api/src/main/resources/META-INF/MANIFEST.MF b/slf4j-api/src/main/resources/META-INF/MANIFEST.MF
+index def3812..765a0ce 100644
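Review bot: Deleting all 305 lines of EventData is broader than the vulnerability needs: the only unsafe path is the `EventData(String xml)` constructor, which hands caller-controlled XML to `java.beans.XMLDecoder` (it instantiates the classes and invokes the methods the document names, which is what makes untrusted input executable), whereas the default and Map constructors, the accessors and the XMLEncoder-based `toXML` are not deserialisation sinks. Removing the public class `org.slf4j.ext.EventData` shrinks the slf4j-ext API, so anything compiled against it — reverse dependencies in the archive and, presumably, other slf4j-ext classes in this tree that accept an EventData, which this patch does not touch — will fail at build or link time; the changelog records the removal but the patch header itself says nothing about that impact. I would add a DEP-3 line to the header such as `Description: Remove org.slf4j.ext.EventData entirely; its String constructor deserialises untrusted XML via XMLDecoder (arbitrary code execution). The public API of slf4j-ext is reduced accordingly.` so maintainers of dependent packages see the API break without reading the hunk. A narrower alternative that keeps the API would drop only that constructor and the `java.beans.XMLDecoder` import; either way, a build-time check that nothing else in slf4j-ext still references EventData is worth doing before upload.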
 --- a/slf4j-api/src/main/resources/META-INF/MANIFEST.MF
 +++ b/slf4j-api/src/main/resources/META-INF/MANIFEST.MF
-@@ -8,4 +8,3 @@
+@@ -8,4 +8,3 @@ Export-Package: org.slf4j;version=${parsedVersion.osgiVersion},
 org.slf4j.spi;version=${parsedVersion.osgiVersion},
 org.slf4j.helpers;version=${parsedVersion.osgiVersion},
 org.slf4j.event;version=${parsedVersion.osgiVersion}