VYPR
High severity · 7.5 · NVD Advisory · Published Nov 8, 2024 · Updated Apr 15, 2026

CVE-2024-47072

Description

XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, solely by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream that causes the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver.
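Added example (not part of the advisory or the XStream project): a call site that unmarshals an untrusted binary stream with BinaryStreamDriver and turns both failure modes into a rejection instead of a dead thread. On 1.4.21 the reader raises InputManipulationException; on older versions the advisory's workaround applies and the StackOverflowError is caught. XStream, XStreamException, BinaryStreamDriver, InputManipulationException, fromXML and allowTypes are real XStream API; the class name UntrustedBinaryUnmarshaller, its Result type and decode method are my own names, and the type allowlist set in the constructor is standard XStream hardening that goes beyond this advisory's workaround. The bytes in main are the advisory's own test vector, constructed here for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
import com.thoughtworks.xstream.security.InputManipulationException;

/**
 * Hypothetical wrapper (not XStream code) around an XStream instance that is
 * configured with the BinaryStreamDriver and fed untrusted input.
 */
public final class UntrustedBinaryUnmarshaller {

    /** Outcome of one decode attempt: either the object or a rejection reason. */
    public static final class Result {
        public final Object value;
        public final String rejection;

        Result(final Object value, final String rejection) {
            this.value = value;
            this.rejection = rejection;
        }

        public boolean rejected() {
            return rejection != null;
        }
    }

    private final XStream xstream;

    public UntrustedBinaryUnmarshaller(final Class<?>... allowedTypes) {
        xstream = new XStream(new BinaryStreamDriver());
        // Security framework: only the types we expect may be instantiated from the stream.
        // (Hardening beyond this advisory; the CVE itself is a DoS, not a type confusion.)
        xstream.allowTypes(allowedTypes);
    }

    public Result decode(final InputStream in) {
        try {
            return new Result(xstream.fromXML(in), null);
        } catch (final InputManipulationException e) {
            // XStream >= 1.4.21: BinaryStreamReader detected two id-mapping tokens in sequence.
            return new Result(null, "manipulated input: " + e.getMessage());
        } catch (final XStreamException e) {
            // Forbidden class, conversion failure, truncated stream, ...
            return new Result(null, "rejected: " + e.getMessage());
        } catch (final StackOverflowError e) {
            // Workaround from the advisory for XStream <= 1.4.20: the endless recursion in
            // BinaryStreamReader ends up here instead of terminating the calling thread.
            return new Result(null, "stack overflow while reading binary stream");
        }
    }

    public static void main(final String[] args) {
        // Constructed input: the repeated 4-byte pattern from the advisory's reproduction.
        final byte[] bytes = new byte[36000];
        for (int i = 0; i < bytes.length / 4; i++) {
            bytes[i * 4] = 10;
            bytes[i * 4 + 1] = -127;
            bytes[i * 4 + 2] = 0;
            bytes[i * 4 + 3] = 0;
        }
        final Result r = new UntrustedBinaryUnmarshaller(String.class)
            .decode(new ByteArrayInputStream(bytes));
        System.out.println(r.rejected() ? r.rejection : "decoded: " + r.value);
    }
}
```

The catch order matters: InputManipulationException extends XStreamException, so it must come first. Catching StackOverflowError is only a stopgap for deployments stuck on 1.4.20 or earlier; by the time the catch block runs the stack has unwound, but the upgrade is the real fix.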

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Ecosystem   Affected versions   Patched versions
com.thoughtworks.xstream:xstream   Maven       < 1.4.21            1.4.21

Patches (3)

bb838ce2269c

Document CVE-2024-47072 and add test case.

https://github.com/x-stream/xstream · joehni · Oct 18, 2024 · via ghsa
4 files changed · +99 −2
  • xstream-distribution/src/content/CVE-2024-47072.html +68 −0 added
    @@ -0,0 +1,68 @@
    +<html>
    +<!--
    + Copyright (C) 2024 XStream committers.
    + All rights reserved.
    + 
    + The software in this package is published under the terms of the BSD
    + style license a copy of which has been included with this distribution in
    + the LICENSE.txt file.
    + 
    + Created on 19. September 2024 by Joerg Schaible
    + -->
    +  <head>
    +    <title>CVE-2024-47072</title>
    +  </head>
    +  <body>
    +
    +    <h2 id="vulnerability">Vulnerability</h2>
    +    
    +    <p>CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated
    +	binary input stream.</p>
    +    
    +    <h2 id="affected_versions">Affected Versions</h2>
    +    
    +    <p>All versions until and including version 1.4.20 are affected, if using XStream's BinaryStreamDriver.</p>
    +
    +    <h2 id="description">Description</h2>
    +    
    +    <p>XStream provides a BinaryStreamDriver with an own optimized serialization format.  The format uses ids for
    +	string values as deduplication.  The mapping for these ids are created on-the-fly at marshalling time.  At
    +	unmarshalling time the reader's implementation simply used a simple one-time recursion after reading a mapping
    +	token to process the next normal token of the data stream.  However, an endless recursion could be triggered with
    +	manipulated input data resulting in a stack overflow causing a denial of service.</p>
    +
    +    <h2 id="reproduction">Steps to Reproduce</h2>
    +
    +    <p>Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:</p>
    +<div class="Source Java"><pre>final byte[] byteArray = new byte[36000];
    +for (int i = 0; i &lt; byteArray.length / 4; i++) {
    +      byteArray[i * 4] = 10;
    +      byteArray[i * 4 + 1] = -127;
    +      byteArray[i * 4 + 2] = 0;
    +      byteArray[i * 4 + 3] = 0;
    +}
    +
    +XStream xstream = new XStream(new BinaryStreamDriver());
    +xstream.fromXML(new ByteArrayInputStream(byteArray));
    +</pre></div>
    +
    +    <p>As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with
    +	a stack overflow error.</p>
    +
    +    <h2 id="impact">Impact</h2>
    +
    +    <p>The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting
    +    in a denial of service only by manipulating the processed input stream if the instance is setup with a
    +	BinaryStreamDriver.</p>
    +
    +    <h2 id="workarounds">Workarounds</h2>
    +
    +	<p>A simple solution is to catch the StackOverflowError in the client code calling XStream.  There's no other known
    +	workaround when using the BinaryStreamDriver.</p>
    +
    +    <h2 id="credits">Credits</h2>
    +    
    +    <p>Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.</p>
    +    
    +      </body>
    + </html>
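Review bot: the reproduction paragraph says "a XStream instance using the BinaryDriver", but the class used in the sample below it and everywhere else on the page is BinaryStreamDriver; use the real class name (and "an XStream instance") so readers searching for the driver find it. In the description, "an own optimized serialization format" should read "its own optimized serialization format" and "The mapping for these ids are created" should be "is created". The Java sample would be easier to paste into a test if it listed its imports (XStream, BinaryStreamDriver, ByteArrayInputStream). Finally, the closing `</body>` and `</html>` are indented inconsistently with the opening tags; align them.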
    
  • xstream-distribution/src/content/security.html +10 −1 modified
    @@ -1,6 +1,6 @@
     <html>
     <!--
    - Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022 XStream committers.
    + Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022, 2024 XStream committers.
      All rights reserved.
      
      The software in this package is published under the terms of the BSD
    @@ -49,6 +49,15 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
             <th>CVE</th>
             <th>Description</th>
           </tr>
    +	  <tr>
    +	    <th>Version 1.4.21</th>
    +	    <td></td>
    +	  </tr>
    +	  <tr>
    +	    <th><a href="CVE-2024-47072.html">CVE-2024-47072</a></th>
    +	    <td>XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input
    +		stream.</td>
    +	  </tr>
           <tr>
             <th>Version 1.4.19</th>
             <td></td>
    
  • xstream-distribution/src/content/website.xml +2 −1 modified
    @@ -1,6 +1,6 @@
     <!--
      Copyright (C) 2005, 2006 Joe Walnes.
    - Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022 XStream committers.
    + Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022, 2024 XStream committers.
      All rights reserved.
      
      The software in this package is published under the terms of the BSD
    @@ -63,6 +63,7 @@
         </section>
         <section>
             <name>!Vulnerabilities</name>
    +        <page>CVE-2024-47072.html</page>
             <page>CVE-2022-41966.html</page>
             <page>CVE-2022-40151.html</page>
             <page>CVE-2021-21341.html</page>
    
  • xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java +19 −0 modified
    @@ -26,8 +26,10 @@
     import java.util.Map;
     import java.util.Set;
     
    +import com.thoughtworks.xstream.XStream;
     import com.thoughtworks.xstream.converters.ConversionException;
     import com.thoughtworks.xstream.core.JVM;
    +import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
     import com.thoughtworks.xstream.security.AnyTypePermission;
     import com.thoughtworks.xstream.security.ForbiddenClassException;
     import com.thoughtworks.xstream.security.InputManipulationException;
    @@ -545,4 +547,21 @@ public void testStackOverflowWithDeeplyNestedStructure() {
                 assertTrue(e.getMessage().indexOf("Stack Overflow") >= 0);
             }
         }
    +
    +    public void testStackOverflowInBinaryStreamReaderWithManipulatedInputData() {
    +        final byte[] byteArray = new byte[36000];
    +        for (int i = 0; i < byteArray.length / 4; i++) {
    +            byteArray[i * 4] = 10;
    +            byteArray[i * 4 + 1] = -127;
    +            byteArray[i * 4 + 2] = 0;
    +            byteArray[i * 4 + 3] = 0;
    +        }
    +
    +        try {
    +            xstream = new XStream(new BinaryStreamDriver());
    +            xstream.fromXML(new ByteArrayInputStream(byteArray));
    +        } catch (final InputManipulationException e) {
    +            assertTrue(e.getMessage().indexOf("two mapping tokens") >= 0);
    +        }
    +    }
     }
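Review bot: the new test passes silently if `fromXML` returns without throwing: there is no `fail(...)` after `xstream.fromXML(new ByteArrayInputStream(byteArray));` inside the try block, so a regression that drops the detection (and happens not to overflow the stack for a 36000-byte input) would go unnoticed. Mirror the pattern used in BinaryStreamTest and add `fail("Thrown " + InputManipulationException.class.getName() + " expected");` directly after the `fromXML` call. Also, the test uses ByteArrayInputStream but the import hunk above adds only XStream and BinaryStreamDriver; confirm `java.io.ByteArrayInputStream` is already imported earlier in the file.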
    
fdd9f7d3de0d

Detect input manipulation in c.t.x.io.binary.BinaryStreamReader.

https://github.com/x-stream/xstream · joehni · Sep 18, 2024 · via ghsa
3 files changed · +30 −8
  • xstream-distribution/src/content/changes.html +2 −1 modified
    @@ -1,7 +1,7 @@
     <html>
     <!--
      Copyright (C) 2005, 2006 Joe Walnes.
    - Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 XStream committers.
    + Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024 XStream committers.
      All rights reserved.
      
      The software in this package is published under the terms of the BSD
    @@ -41,6 +41,7 @@ <h2>Minor changes</h2>
     		<li>GHPR:#334: Fix remaining buffer size calculation in QuickWriter (by Higuchi Yuta).</li>
     		<li>GHI:#342: Optimize internal handling of children in DomReader avoiding O(n²) access times for siblings (by Shiang-Yun Yang).</li>
     		<li>GHI:#359: Add KEYS file with public keys to verify signed artifacts.</li>
    +		<li>Detect input manipulation in c.t.x.io.binary.BinaryStreamReader.</li>
     	</ul>
     
     	<h2>API changes</h2>
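Review bot: the new changelog entry carries no reference, whereas the neighbouring entries cite GHPR/GHI ids, and it does not tell callers what changed for them. Readers of changes.html cannot tell this is a security fix. Add the advisory reference once assigned and state the observable behaviour change, e.g. "BinaryStreamReader now throws InputManipulationException for two id-mapping tokens in sequence instead of recursing until StackOverflowError", so users of the BinaryStreamDriver know to update and to handle the new exception.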
    
  • xstream/src/java/com/thoughtworks/xstream/io/binary/BinaryStreamReader.java +12 −6 modified
    @@ -1,6 +1,6 @@
     /*
      * Copyright (C) 2006 Joe Walnes.
    - * Copyright (C) 2006, 2007, 2011, 2013 XStream Committers.
    + * Copyright (C) 2006, 2007, 2011, 2013, 2024 XStream Committers.
      * All rights reserved.
      *
      * The software in this package is published under the terms of the BSD
    @@ -15,6 +15,7 @@
     import com.thoughtworks.xstream.io.ExtendedHierarchicalStreamReader;
     import com.thoughtworks.xstream.io.HierarchicalStreamReader;
     import com.thoughtworks.xstream.io.StreamException;
    +import com.thoughtworks.xstream.security.InputManipulationException;
     
     import java.io.DataInputStream;
     import java.io.IOException;
    @@ -150,15 +151,20 @@ public void moveUp() {
         private Token readToken() {
             if (pushback == null) {
                 try {
    -                Token token = tokenFormatter.read(in);
    -                switch (token.getType()) {
    +                boolean mapping = false;
    +                do {
    +                    final Token token = tokenFormatter.read(in);
    +                    switch (token.getType()) {
                         case Token.TYPE_MAP_ID_TO_VALUE:
                             idRegistry.put(token.getId(), token.getValue());
    -                        return readToken(); // Next one please.
    +                        mapping ^= true;
    +                        continue; // Next one please.
                         default:
                             return token;
    -                }
    -            } catch (IOException e) {
    +                    }
    +                } while (mapping);
    +                throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence");
    +            } catch (final IOException e) {
                     throw new StreamException(e);
                 }
             } else {
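Review bot: the detection is correct, but the control flow is hard to follow: the loop reaches the `throw` after `while (mapping)` only when two TYPE_MAP_ID_TO_VALUE tokens arrive back to back, because `mapping ^= true` toggles the flag back to false on the second one, and `continue` inside the `switch` jumps to the loop condition rather than the next `case`. At first glance the throw looks unreachable. Consider making the invariant explicit instead of toggling a flag, e.g. `if (mapping) { throw new InputManipulationException("Binary stream will never have two mapping tokens in sequence"); }` followed by `mapping = true;` before `idRegistry.put(token.getId(), token.getValue());`. That also avoids registering the second, bogus mapping before the stream is rejected, and a one-line comment stating the writer-side invariant the message asserts (a mapping token is always followed by the token that uses the new id) would document why the check is safe for legitimate input.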
    
  • xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java +16 −1 modified
    @@ -1,6 +1,6 @@
     /*
      * Copyright (C) 2006 Joe Walnes.
    - * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2021 XStream Committers.
    + * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2021, 2024 XStream Committers.
      * All rights reserved.
      *
      * The software in this package is published under the terms of the BSD
    @@ -17,10 +17,12 @@
     import com.thoughtworks.xstream.io.copy.HierarchicalStreamCopier;
     import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest;
     import com.thoughtworks.xstream.io.xml.MXParserDriver;
    +import com.thoughtworks.xstream.security.InputManipulationException;
     
     import java.io.ByteArrayOutputStream;
     import java.io.StringReader;
     import java.io.ByteArrayInputStream;
    +import java.io.InputStream;
     
     public class BinaryStreamTest extends AbstractXMLReaderTest {
     
    @@ -89,4 +91,17 @@ public void testIsXXEVulnerableWithExternalGeneralEntity() throws Exception {
             }
         }
     
    +    public void testHandleMaliciousInputsOfIdMappingTokens() {
    +        // Insert two successive id mapping tokens into the stream
    +        final byte[] byteArray = new byte[8];
    +        byteArray[0] = byteArray[4] = 10;
    +        byteArray[1] = byteArray[5] = -127;
    +
    +        final InputStream in = new ByteArrayInputStream(byteArray);
    +        try {
    +            new BinaryStreamReader(in);
    +            fail("Thrown " + InputManipulationException.class.getName() + " expected");
    +        } catch (final InputManipulationException e) {
    +        }
    +    }
     }
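Review bot: the empty catch block is the test's success path; a `// expected` comment, or an assertion on the message like the one in SecurityVulnerabilityTest (`e.getMessage().indexOf("two mapping tokens") >= 0`), would make that explicit and tie the test to the exact check it exercises. The test also expects the exception from `new BinaryStreamReader(in)` alone, with no `moveDown()` or similar call, which relies on the constructor reading the first token eagerly; say so in the comment so the test does not rot silently if that changes. Lastly, bytes 2, 3, 6 and 7 are left at their default zero; noting that each mapping token here occupies 4 bytes (10, -127, 0, 0, matching the 36000-byte reproduction) explains why the array is exactly 8 bytes long.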
    

