Package: bsh / 2.0b4-19

CVE-2016-2510.patch
From: Markus Koschany <apo@debian.org>
Date: Fri, 26 Feb 2016 14:24:31 +0100
Subject: CVE-2016-2510

An application that includes BeanShell on the classpath may be vulnerable if
another part of the application uses Java serialization or XStream to
deserialize data from an untrusted source.

A vulnerable application could be exploited for remote code execution,
including executing arbitrary shell commands.

https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49
https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced
---
 src/bsh/XThis.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
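
The condition the commit message describes (BeanShell on the classpath plus some code path that deserializes untrusted input) is normally closed on the application side as well, independent of which bsh build is installed. As an added example, not part of this patch or of BeanShell, the following Java class is a look-ahead ObjectInputStream: it checks every class descriptor in the stream against an explicit allowlist before an instance is created, so bsh.XThis$Handler or any other gadget class is refused before its readObject/readResolve logic could run. The Order type, the allowlist contents and the HashMap used as the rejected sample are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

/** Added example (not BeanShell code): look-ahead deserialization with a class allowlist. */
public final class SafeObjectInputStream extends ObjectInputStream {

    // Assumed allowlist for the sake of the example. A real application lists exactly the
    // types it expects in this stream and nothing else; bsh.* classes never belong here.
    private static final Set<String> ALLOWED = Set.of("SafeObjectInputStream$Order");

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // resolveClass runs when the class descriptor is read, before any instance exists,
    // so an unexpected class (bsh.XThis$Handler included) is rejected before any of its
    // readObject/readResolve code can execute.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Constructed sample type standing in for the application's own data.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected type round-trips (String fields are written as TC_STRING, not via a
        // class descriptor, so they never reach resolveClass).
        Order order = (Order) deserialize(serialize(new Order("A-17", 3)));
        System.out.println("accepted: " + order.id + " x" + order.quantity);

        // Anything else, here a java.util.HashMap (a common carrier in gadget chains), is
        // refused before it is instantiated.
        try {
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed without a subclass via `ObjectInputStream.setObjectInputFilter` with a filter built by `ObjectInputFilter.Config.createFilter`, for example the pattern `"!bsh.**;SafeObjectInputStream$Order;!*"`, which rejects the bsh package explicitly and everything not listed. For the XStream path named in the commit message the equivalent is XStream's own type allowlist (`addPermission(NoTypePermission.NONE)` followed by `allowTypes(...)` for the expected classes).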

diff --git a/src/bsh/XThis.java b/src/bsh/XThis.java
index 3f05974..94bcc22 100644
--- a/src/bsh/XThis.java
+++ b/src/bsh/XThis.java
@@ -65,7 +65,7 @@ public class XThis extends This
 	*/
 	Hashtable interfaces;
 
-	InvocationHandler invocationHandler = new Handler();
+	transient InvocationHandler invocationHandler = new Handler();
 
 	public XThis( NameSpace namespace, Interpreter declaringInterp ) { 
 		super( namespace, declaringInterp ); 
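Review bot: making `invocationHandler` transient (`+	transient InvocationHandler invocationHandler = new Handler();`) leaves the field null on any XThis that is read back from a stream, because the `= new Handler()` initializer only runs through a constructor, not on deserialization; whatever later uses the handler will then hit a NullPointerException instead of a clear failure. If XThis instances are still expected to survive serialization, add a `private void readObject(java.io.ObjectInputStream in)` that calls `in.defaultReadObject()` and reassigns `invocationHandler = new Handler();` (or create the handler lazily where it is used); if they are not, a one-line comment next to the field saying so would save the next reader the same question.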
@@ -122,8 +122,12 @@ public class XThis extends This
 		classes aren't there (doesn't it?)  This class shouldn't be loaded
 		if an XThis isn't instantiated in NameSpace.java, should it?
 	*/
-	class Handler implements InvocationHandler, java.io.Serializable 
+	class Handler implements InvocationHandler
 	{
+		private Object readResolve() throws java.io.ObjectStreamException {
+			throw new java.io.NotSerializableException();
+		}
+
 		public Object invoke( Object proxy, Method method, Object[] args ) 
 			throws Throwable
 		{
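Review bot: the `readResolve` added to `Handler` is unreachable once the class no longer implements `java.io.Serializable` (the `-`/`+` pair on the class declaration): Java serialization only looks up and invokes `readResolve` on Serializable classes, and a stream carrying a descriptor for a class that is not Serializable locally is rejected with InvalidClassException before any instance exists. Removing `Serializable` is the real fix here; either drop the `readResolve` or keep it with a comment stating that it is a guard in case someone reinstates `Serializable`, so a later reader does not mistake it for the mechanism that blocks deserialization. If it stays, throwing `new java.io.NotSerializableException(getClass().getName())` rather than the no-argument form makes the failure identifiable in logs.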