Document CVE-2024-47072 and add test case.

xstream-distribution/src/content/CVE-2024-47072.html

@@ -0,0 +1,68 @@
+<html>
+<!--
+ Copyright (C) 2024 XStream committers.
+ All rights reserved.
+ 
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+ 
+ Created on 19. September 2024 by Joerg Schaible
+ -->
+  <head>
+    <title>CVE-2024-47072</title>
+  </head>
+  <body>
+
+    <h2 id="vulnerability">Vulnerability</h2>
+
+    <p>CVE-2024-47072: XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated
+	binary input stream.</p>
+
+    <h2 id="affected_versions">Affected Versions</h2>
+
+    <p>All versions until and including version 1.4.20 are affected, if using XStream's BinaryStreamDriver.</p>
+
+    <h2 id="description">Description</h2>
+
+    <p>XStream provides a BinaryStreamDriver with an own optimized serialization format.  The format uses ids for
+	string values as deduplication.  The mapping for these ids are created on-the-fly at marshalling time.  At
+	unmarshalling time the reader's implementation simply used a simple one-time recursion after reading a mapping
+	token to process the next normal token of the data stream.  However, an endless recursion could be triggered with
+	manipulated input data resulting in a stack overflow causing a denial of service.</p>
+
+    <h2 id="reproduction">Steps to Reproduce</h2>
+
+    <p>Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:</p>
+<div class="Source Java"><pre>final byte[] byteArray = new byte[36000];
+for (int i = 0; i &lt; byteArray.length / 4; i++) {
+      byteArray[i * 4] = 10;
+      byteArray[i * 4 + 1] = -127;
+      byteArray[i * 4 + 2] = 0;
+      byteArray[i * 4 + 3] = 0;
+}
+
+XStream xstream = new XStream(new BinaryStreamDriver());
+xstream.fromXML(new ByteArrayInputStream(byteArray));
+</pre></div>
+
+    <p>As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with
+	a stack overflow error.</p>
+
+    <h2 id="impact">Impact</h2>
+
+    <p>The vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting
+    in a denial of service only by manipulating the processed input stream if the instance is setup with a
+	BinaryStreamDriver.</p>
+
+    <h2 id="workarounds">Workarounds</h2>
+
+	<p>A simple solution is to catch the StackOverflowError in the client code calling XStream.  There's no other known
+	workaround when using the BinaryStreamDriver.</p>
+
+    <h2 id="credits">Credits</h2>
+
+    <p>Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+      </body>
+ </html>

xstream-distribution/src/content/security.html

@@ -1,6 +1,6 @@
 <html>
 <!--
- Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022 XStream committers.
+ Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021, 2022, 2024 XStream committers.
  All rights reserved.
  
  The software in this package is published under the terms of the BSD
@@ -49,6 +49,15 @@ <h2 id="CVEs">Documented Vulnerabilities</h2>
         <th>CVE</th>
         <th>Description</th>
       </tr>
+	  <tr>
+	    <th>Version 1.4.21</th>
+	    <td></td>
+	  </tr>
+	  <tr>
+	    <th><a href="CVE-2024-47072.html">CVE-2024-47072</a></th>
+	    <td>XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input
+		stream.</td>
+	  </tr>
       <tr>
         <th>Version 1.4.19</th>
         <td></td>

xstream-distribution/src/content/website.xml

@@ -1,6 +1,6 @@
 <!--
  Copyright (C) 2005, 2006 Joe Walnes.
- Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022 XStream committers.
+ Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021, 2022, 2024 XStream committers.
  All rights reserved.
  
  The software in this package is published under the terms of the BSD
@@ -63,6 +63,7 @@
     </section>
     <section>
         <name>!Vulnerabilities</name>
+        <page>CVE-2024-47072.html</page>
         <page>CVE-2022-41966.html</page>
         <page>CVE-2022-40151.html</page>
         <page>CVE-2021-21341.html</page>

xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java

@@ -26,8 +26,10 @@
 import java.util.Map;
 import java.util.Set;
 
+import com.thoughtworks.xstream.XStream;
 import com.thoughtworks.xstream.converters.ConversionException;
 import com.thoughtworks.xstream.core.JVM;
+import com.thoughtworks.xstream.io.binary.BinaryStreamDriver;
 import com.thoughtworks.xstream.security.AnyTypePermission;
 import com.thoughtworks.xstream.security.ForbiddenClassException;
 import com.thoughtworks.xstream.security.InputManipulationException;
@@ -533,4 +535,21 @@ public void testStackOverflowWithDeeplyNestedStructure() {
             assertTrue(e.getMessage().contains("Stack Overflow"));
         }
     }
+
+    public void testStackOverflowInBinaryStreamReaderWithManipulatedInputData() {
+        final byte[] byteArray = new byte[36000];
+        for (int i = 0; i < byteArray.length / 4; i++) {
+            byteArray[i * 4] = 10;
+            byteArray[i * 4 + 1] = -127;
+            byteArray[i * 4 + 2] = 0;
+            byteArray[i * 4 + 3] = 0;
+        }
+
+        try {
+            xstream = new XStream(new BinaryStreamDriver());
+            xstream.fromXML(new ByteArrayInputStream(byteArray));
+        } catch (final InputManipulationException e) {
+            assertTrue(e.getMessage().indexOf("two mapping tokens") >= 0);
+        }
+    }
 }