From: Jean-Baptiste Onofré (JIRA)
To: issues@karaf.apache.org
Reply-To: dev@karaf.apache.org
Date: Tue, 23 Aug 2016 17:30:22 +0000 (UTC)
Subject: [jira] [Updated] (KARAF-4214) Deserialization of Untrusted Data
Mailing-List: contact issues-help@karaf.apache.org; run by ezmlm

     [ https://issues.apache.org/jira/browse/KARAF-4214?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated KARAF-4214:
----------------------------------------
    Fix Version/s:     (was: 4.0.6)
                       4.0.7

> Deserialization of Untrusted Data
> ---------------------------------
>
>                 Key: KARAF-4214
>                 URL: https://issues.apache.org/jira/browse/KARAF-4214
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>             Fix For: 4.1.0, 4.0.7
>
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis on the karaf source code.
> The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid. An adversary could attack the application by tampering with the resource "karaf.key".
> File: client\src\main\java\org\apache\karaf\client\Main.java
> Line: 297
> Main.java, lines 291-313:
> {code}
> 291 private static SshAgent startAgent(String user, URL privateKeyUrl, String keyFile) {
> 292     InputStream is = null;
> 293     try {
> 294         SshAgent agent = new AgentImpl();
> 295         is = privateKeyUrl.openStream();
> 296         ObjectInputStream r = new ObjectInputStream(is);
> 297         KeyPair keyPair = (KeyPair) r.readObject();
> 298         is.close();
> 299         agent.addIdentity(keyPair, user);
> 300         if (keyFile != null) {
> 301             String[] keyFiles = new String[]{keyFile};
> 302             FileKeyPairProvider fileKeyPairProvider = new FileKeyPairProvider(keyFiles);
> 303             for (KeyPair key : fileKeyPairProvider.loadKeys()) {
> 304                 agent.addIdentity(key, user);
> 305             }
> 306         }
> 307         return agent;
> 308     } catch (Throwable e) {
> 309         close(is);
> 310         System.err.println("Error starting ssh agent for: " + e.getMessage());
> 311         return null;
> 312     }
> 313 }
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
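The finding above is that line 297 of Main.startAgent() casts the result of a bare ObjectInputStream.readObject() to KeyPair: whatever class the karaf.key stream names is resolved and instantiated before that cast is ever evaluated, so a tampered file can drive any gadget chain on the classpath. The following is an added example, not Karaf's code and not the fix the project shipped for this issue. It places the unchecked loader beside a look-ahead ObjectInputStream that rejects any class descriptor outside a fixed allowlist, then exercises both with constructed input. The allowlist is an assumption: it is the set of classes a JDK-generated RSA KeyPair is expected to serialize to (the JDK's X509Key/PKCS8Key replace themselves with java.security.KeyRep on write), and it must be extended if a different provider's key classes appear in the stream.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

public class KeyPairLoadDemo {

    // Unchecked form, as in Main.startAgent() line 297: the stream decides
    // which class gets instantiated; the cast to KeyPair runs afterwards.
    static KeyPair loadUnchecked(InputStream is) throws IOException, ClassNotFoundException {
        try (ObjectInputStream r = new ObjectInputStream(is)) {
            return (KeyPair) r.readObject();
        }
    }

    // Assumed allowlist: what a JDK-generated RSA KeyPair serializes to.
    // Strings need no entry (written as TC_STRING, no class descriptor);
    // the enum constant pulls in its superclass descriptor, java.lang.Enum.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.security.KeyPair",
            "java.security.KeyRep",
            "java.security.KeyRep$Type",
            "java.lang.Enum",
            "[B"));

    // Look-ahead stream: resolveClass() is called for every class descriptor
    // before any instance of it exists, so rejecting here stops the chain
    // before a gadget's readObject()/readResolve() can run.
    static final class KeyPairInputStream extends ObjectInputStream {
        KeyPairInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not allowed in key file");
            }
            return super.resolveClass(desc);
        }
    }

    // Hardened form of the same read.
    static KeyPair loadChecked(InputStream is) throws IOException, ClassNotFoundException {
        try (KeyPairInputStream r = new KeyPairInputStream(is)) {
            return (KeyPair) r.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a fresh RSA key pair, serialized the way
        // a legitimate karaf.key would be.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        byte[] goodKey = serialize(kpg.generateKeyPair());

        KeyPair kp = loadChecked(new ByteArrayInputStream(goodKey));
        System.out.println("checked loader accepted a " + kp.getPublic().getAlgorithm() + " key pair");

        // Constructed tampered input: a stream naming a class that has no
        // business in a key file. A HashMap stands in for a gadget chain.
        byte[] tampered = serialize(new HashMap<String, String>());
        try {
            loadUnchecked(new ByteArrayInputStream(tampered));
        } catch (ClassCastException e) {
            // The object was fully deserialized; only the cast failed.
            System.out.println("unchecked loader instantiated the object, then failed the cast: " + e.getMessage());
        }
        try {
            loadChecked(new ByteArrayInputStream(tampered));
        } catch (InvalidClassException e) {
            System.out.println("checked loader rejected " + e.classname + " before instantiation");
        }
    }
}
```

On Java 9 and later the same check can be expressed without a subclass by passing a filter such as ObjectInputFilter.Config.createFilter("java.security.KeyPair;java.security.KeyRep;java.security.KeyRep$Type;java.lang.Enum;!*") to ObjectInputStream.setObjectInputFilter(). Either way, an allowlist only narrows the attack surface of a format that was never meant for untrusted input; the snippet in the issue already loads the optional keyFile through FileKeyPairProvider rather than ObjectInputStream, and reading karaf.key as an encoded key through a KeyFactory in the same spirit removes the deserialization entry point altogether.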