!64 Fix CVE-2024-47072

From: @starlet-dx 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge

backport-0001-CVE-2024-47072.patch

@@ -0,0 +1,105 @@
+From fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a Mon Sep 17 00:00:00 2001
+From: joehni <joerg.schaible@gmx.de>
+Date: Wed, 18 Sep 2024 20:19:13 +0200
+Subject: [PATCH] Detect input manipulation in
+ c.t.x.io.binary.BinaryStreamReader.
+
+Origin:
+https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a
+---
+ .../xstream/io/binary/BinaryStreamReader.java  | 18 ++++++++++++------
+ .../xstream/io/binary/BinaryStreamTest.java    | 17 ++++++++++++++++-
+ 2 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+index 2839651..cd870cd 100644
+--- a/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
++++ b/xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright (C) 2006 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2011, 2013 XStream Committers.
++ * Copyright (C) 2006, 2007, 2011, 2013, 2024 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+@@ -15,6 +15,7 @@ import com.thoughtworks.xstream.converters.ErrorWriter;
+ import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+ import com.thoughtworks.xstream.io.StreamException;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ 
+ import java.io.DataInputStream;
+ import java.io.IOException;
+@@ -150,15 +151,20 @@ public class BinaryStreamReader implements ExtendedHierarchicalStreamReader {
+     private Token readToken() {
+         if (pushback == null) {
+             try {
+-                Token token = tokenFormatter.read(in);
+-                switch (token.getType()) {
++                boolean mapping = false;
++                do {
++                    final Token token = tokenFormatter.read(in);
++                    switch (token.getType()) {
+                     case Token.TYPE_MAP_ID_TO_VALUE:
+                         idRegistry.put(token.getId(), token.getValue());
+-                        return readToken(); // Next one please.
++                        mapping ^= true;
++                        continue; // Next one please.
+                     default:
+                         return token;
+-                }
+-            } catch (IOException e) {
++                    }
++                } while (mapping);
++                throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
++            } catch (final IOException e) {
+                 throw new StreamException(e);
+             }
+         } else {
+diff --git a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+index a01065a..d93954f 100644
+--- a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
++++ b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright (C) 2006 Joe Walnes.
+- * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2021 XStream Committers.
++ * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2021, 2024 XStream Committers.
+  * All rights reserved.
+  *
+  * The software in this package is published under the terms of the BSD
+@@ -17,10 +17,12 @@ import com.thoughtworks.xstream.io.HierarchicalStreamWriter;
+ import com.thoughtworks.xstream.io.copy.HierarchicalStreamCopier;
+ import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest;
+ import com.thoughtworks.xstream.io.xml.MXParserDriver;
++import com.thoughtworks.xstream.security.InputManipulationException;
+ 
+ import java.io.ByteArrayOutputStream;
+ import java.io.StringReader;
+ import java.io.ByteArrayInputStream;
++import java.io.InputStream;
+ 
+ public class BinaryStreamTest extends AbstractXMLReaderTest {
+ 
+@@ -89,4 +91,17 @@ public class BinaryStreamTest extends AbstractXMLReaderTest {
+         }
+     }
+ 
++    public void testHandleMaliciousInputsOfIdMappingTokens() {
++        // Insert two successive id mapping tokens into the stream
++        final byte[] byteArray = new byte[8];
++        byteArray[0] = byteArray[4] = 10;
++        byteArray[1] = byteArray[5] = -127;
++
++        final InputStream in = new ByteArrayInputStream(byteArray);
++        try {
++            new BinaryStreamReader(in);
++            fail("Thrown " + InputManipulationException.class.getName() + " expected");
++        } catch (final InputManipulationException e) {
++        }
++    }
+ }
+-- 
+2.47.0
+

backport-0002-CVE-2024-47072.patch

@@ -0,0 +1,174 @@
+From bb838ce2269cac47433e31c77b2b236466e9f266 Mon Sep 17 00:00:00 2001
+From: joehni <joerg.schaible@gmx.de>
+Date: Fri, 18 Oct 2024 11:33:48 +0200
+Subject: [PATCH] Document CVE-2024-47072 and add test case.
+
+Origin:
+https://github.com/x-stream/xstream/commit/bb838ce2269cac47433e31c77b2b236466e9f266
+---
+ .../src/content/CVE-2024-47072.html           | 68 +++++++++++++++++++
+ .../src/content/security.html                 | 11 ++-
+ xstream-distribution/src/content/website.xml  |  3 +-
+ .../acceptance/SecurityVulnerabilityTest.java | 19 ++++++
+ 4 files changed, 99 insertions(+), 2 deletions(-)
+ create mode 100644 xstream-distribution/src/content/CVE-2024-47072.html
+
+diff --git a/xstream-distribution/src/content/CVE-2024-47072.html b/xstream-distribution/src/content/CVE-2024-47072.html
+new file mode 100644
+index 000000000..9e021709b
+--- /dev/null
++++ b/xstream-distribution/src/content/CVE-2024-47072.html
+@@ -0,0 +1,68 @@
++<html>
++<!--
++ Copyright (C) 2024 XStream committers.
++ All rights reserved.
++ 
++ The software in this package is published under the terms of the BSD
++ style license a copy of which has been included with this distribution in
++ the LICENSE.txt file.
++ 
++ Created on 19. September 2024 by Joerg Schaible
++ -->
++  <head>
++    <title>CVE-2024-47072</title>
++  </head>
++  <body>
++
++    <h2 id="vulnerability">Vulnerability</h2>
++    
++    <p>CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated
++	binary input stream.</p>
++    
++    <h2 id="affected_versions">Affected Versions</h2>
++    
++    <p>All versions until and including version 1.4.20 are affected, if using XStream's BinaryStreamDriver.</p>
++
++    <h2 id="description">Description</h2>
++    
++    <p>XStream provides a BinaryStreamDriver with an own optimized serialization format.  The format uses ids for
++	string values as deduplication.  The mapping for these ids are created on-the-fly at marshalling time.  At
++	unmarshalling time the reader's implementation simply used a simple one-time recursion after reading a mapping
++	token to process the next normal token of the data stream.  However, an endless recursion could be triggered with
++	manipulated input data resulting in a stack overflow causing a denial of service.</p>
++
++    <h2 id="reproduction">Steps to Reproduce</h2>
++
++    <p>Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:</p>
++<div class="Source Java"><pre>final byte[] byteArray = new byte[36000];
++for (int i = 0; i &lt; byteArray.length / 4; i++) {
++      byteArray[i * 4] = 10;
++      byteArray[i * 4 + 1] = -127;
++      byteArray[i * 4 + 2] = 0;
++      byteArray[i * 4 + 3] = 0;
++}
++
++XStream xstream = new XStream(new BinaryStreamDriver());
++xstream.fromXML(new ByteArrayInputStream(byteArray));
++</pre></div>
++
++    <p>As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with
++	a stack overflow error.</p>
++
++    <h2 id="impact">Impact</h2>
++
++    <p>The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting
++    in a denial of service only by manipulating the processed input stream if the instance is setup with a
++	BinaryStreamDriver.</p>
++
++    <h2 id="workarounds">Workarounds</h2>
++
++	<p>A simple solution is to catch the StackOverflowError in the client code calling XStream.  There's no other known
++	workaround when using the BinaryStreamDriver.</p>
++
++    <h2 id="credits">Credits</h2>
++    
++    <p>Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.</p>
++    
++      </body>
++ </html>
+diff --git a/xstream-distribution/src/content/security.html b/xstream-distribution/src/content/security.html
+index f121ec273..1a68de0a8 100644
+--- a/xstream-distribution/src/content/security.html
++++ b/xstream-distribution/src/content/security.html
+@@ -1,6 +1,6 @@
+ <html>
+ <!--
+- Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022 XStream committers.
++ Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022, 2024 XStream committers.
+  All rights reserved.
+  
+  The software in this package is published under the terms of the BSD
+@@ -49,6 +49,15 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
+         <th>CVE</th>
+         <th>Description</th>
+       </tr>
++	  <tr>
++	    <th>Version 1.4.21</th>
++	    <td></td>
++	  </tr>
++	  <tr>
++	    <th><a href="/x-stream/xstream/commit/CVE-2024-47072.html">CVE-2024-47072</a></th>
++	    <td>XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input
++		stream.</td>
++	  </tr>
+       <tr>
+         <th>Version 1.4.19</th>
+         <td></td>
+diff --git a/xstream-distribution/src/content/website.xml b/xstream-distribution/src/content/website.xml
+index d89179184..c6b253fb3 100644
+--- a/xstream-distribution/src/content/website.xml
++++ b/xstream-distribution/src/content/website.xml
+@@ -1,6 +1,6 @@
+ <!--
+  Copyright (C) 2005, 2006 Joe Walnes.
+- Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022 XStream committers.
++ Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022, 2024 XStream committers.
+  All rights reserved.
+  
+  The software in this package is published under the terms of the BSD
+@@ -63,6 +63,7 @@
+     </section>
+     <section>
+         <name>!Vulnerabilities</name>
++        <page>CVE-2024-47072.html</page>
+         <page>CVE-2022-41966.html</page>
+         <page>CVE-2022-40151.html</page>
+         <page>CVE-2021-21341.html</page>
+diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+index 7bf2d38ed..49281fd06 100644
+--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
++++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+@@ -26,8 +26,10 @@
+ import java.util.Map;
+ import java.util.Set;
+ 
++import com.thoughtworks.xstream.XStream;
+ import com.thoughtworks.xstream.converters.ConversionException;
+ import com.thoughtworks.xstream.core.JVM;
++import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
+ import com.thoughtworks.xstream.security.AnyTypePermission;
+ import com.thoughtworks.xstream.security.ForbiddenClassException;
+ import com.thoughtworks.xstream.security.InputManipulationException;
+@@ -545,4 +547,21 @@ public void testStackOverflowWithDeeplyNestedStructure() {
+             assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
+         }
+     }
++
++    public void testStackOverflowInBinaryStreamReaderWithManipulatedInputData() {
++        final byte[] byteArray = new byte[36000];
++        for (int i = 0; i < byteArray.length / 4; i++) {
++            byteArray[i * 4] = 10;
++            byteArray[i * 4 + 1] = -127;
++            byteArray[i * 4 + 2] = 0;
++            byteArray[i * 4 + 3] = 0;
++        }
++
++        try {
++            xstream = new XStream(new BinaryStreamDriver());
++            xstream.fromXML(new ByteArrayInputStream(byteArray));
++        } catch (final InputManipulationException e) {
++            assertTrue(e.getMessage().indexOf("two mapping tokens") >= 0);
++        }
++    }
+ }

settings.xml

@@ -1,13 +0,0 @@
-<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
-  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
-                      http://maven.apache.org/xsd/settings-1.0.0.xsd">
-  <mirrors>
-    <mirror>
-      <id>aliyun-central</id>
-      <mirrorOf>*</mirrorOf>
-      <name>aliyun central</name>
-      <url>https://maven.aliyun.com/repository/central</url>
-    </mirror>
-    </mirrors>
- </settings>

xstream.spec

@@ -1,13 +1,16 @@
 %bcond_with jp_minimal
 Name:                xstream
-Version:             1.4.17
-Release:             1
+Version:             1.4.20
+Release:             2
 Summary:             Java XML serialization library
-License:             BSD
+License:             BSD-3-Clause
 URL:                 http://x-stream.github.io/
 BuildArch:           noarch
-Source0:             http://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
-Source1:             settings.xml
+Source0:             https://repo.maven.apache.org/maven2/com/thoughtworks/xstream/xstream-distribution/%{version}/xstream-distribution-%{version}-src.zip
+
+# Security fixes
+Patch3000:           backport-0001-CVE-2024-47072.patch
+Patch3001:           backport-0002-CVE-2024-47072.patch
 
 BuildRequires:       maven-local mvn(cglib:cglib) mvn(dom4j:dom4j) mvn(javax.xml.bind:jaxb-api)
 BuildRequires:       mvn(joda-time:joda-time) mvn(net.sf.kxml:kxml2-min)
@@ -16,7 +19,7 @@ BuildRequires:       mvn(org.apache.maven.plugins:maven-enforcer-plugin)
 BuildRequires:       mvn(org.codehaus.mojo:build-helper-maven-plugin)
 BuildRequires:       mvn(org.codehaus.woodstox:woodstox-core-asl) mvn(org.jdom:jdom)
 BuildRequires:       mvn(org.jdom:jdom2) mvn(stax:stax) mvn(stax:stax-api) mvn(xpp3:xpp3)
-BuildRequires:       mvn(xpp3:xpp3_min) maven
+BuildRequires:       mvn(xpp3:xpp3_min) maven mvn(org.codehaus.mojo:build-helper-maven-plugin)
 %if %{without jp_minimal}
 BuildRequires:       mvn(javassist:javassist) mvn(org.codehaus.jettison:jettison)
 BuildRequires:       mvn(org.hibernate:hibernate-core) mvn(org.hibernate:hibernate-envers)
@@ -68,7 +71,7 @@ Requires:       xstream = %{version}-%{release}
 Parent POM for xstream.
 
 %prep
-%setup -qn xstream-%{version}
+%autosetup -n xstream-%{version} -p1
 
 sed -i "s/3.2.7/4.0.0/g" pom.xml
 find . -name "*.class" -print -delete
@@ -107,10 +110,8 @@ rm xstream-benchmark/src/java/com/thoughtworks/xstream/tools/benchmark/products/
 %mvn_file :xstream xstream/xstream xstream
 %mvn_file :xstream-benchmark xstream/xstream-benchmark xstream-benchmark
 %mvn_package :xstream
-cp -a %{_sourcedir}/settings.xml .
 
 %build
-mvn install --settings ./settings.xml -Dmaven.test.skip=true
 %mvn_build -f -s -- -Dversion.java.source=8
 
 %install
@@ -132,6 +133,24 @@ mvn install --settings ./settings.xml -Dmaven.test.skip=true
 %license LICENSE.txt
 
 %changelog
+* Mon Nov 11 2024 yaoxin <yao_xin001@hoperun.com> - 1.4.20-2
+- Fix CVE-2024-47072
+
+* Tue Dec 12 2023 yaoxin <yao_xin001@hoperun.com> - 1.4.20-1
+- Upgrade to 1.4.20 for fix CVE-2022-40151 and CVE-2022-41966
+
+* Thu Nov 10 2022 liyanan <liyanan32@h-partners.com>  - 1.4.18-3
+- Change source
+
+* Mon Feb 7 2022 wangkai <wangkai385@huawei.com> - 1.4.18-2
+- Fix CVE-2021-43859
+
+* Sat Sep 4 2021 houyingchao <houyingchao@huawei.com> - 1.4.18-1
+- Upgrade 1.4.18 to fix cves
+
+* Thu 22 Jul 2021 sunguoshuai <sunguoshuai@huawei.com> - 1.4.17-2
+- Change setting.xml to huaweicloud
+
 * Thu May 27 2021 wutao <wutao61@huawei.com> - 1.4.17-1
 - upgrade to 1.4.17 to fix CVE-2021-29505