From 8e98b28cc4387ab12cb7dc7aa87fe34b08b04246 Mon Sep 17 00:00:00 2001
From: Bhaskara Ram <39507881+bhaskarvilles@users.noreply.github.com>
Date: Thu, 23 Dec 2021 22:08:40 +0530
Subject: [PATCH 1/3] Deserialization of Untrusted Data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

introduced through: unknown:unknown@0.0.0 › com.google.code.gson:gson@2.8.6 Fix: Upgrade to com.google.code.gson:gson@2.8.9 Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
---
 GhidraBuild/BuildFiles/JsonDoclet/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/GhidraBuild/BuildFiles/JsonDoclet/build.gradle b/GhidraBuild/BuildFiles/JsonDoclet/build.gradle
index 22f9dfd764..338f9868b9 100644
--- a/GhidraBuild/BuildFiles/JsonDoclet/build.gradle
+++ b/GhidraBuild/BuildFiles/JsonDoclet/build.gradle
@@ -19,7 +19,7 @@ eclipse.project.name = '_JsonDoclet'
 apply plugin: 'java-library'
 dependencies {
- api "com.google.code.gson:gson:2.8.6"
+ api "com.google.code.gson:gson@2.8.9"
 }
 rootProject.createJsondocs.dependsOn jar

From e077f51b9965ffcd71a4add8ee0063d9ad146854 Mon Sep 17 00:00:00 2001
From: Bhaskara Ram <39507881+bhaskarvilles@users.noreply.github.com>
Date: Wed, 29 Dec 2021 19:50:57 +0530
Subject: [PATCH 2/3] Update build.gradle

---
 GhidraBuild/BuildFiles/JsonDoclet/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/GhidraBuild/BuildFiles/JsonDoclet/build.gradle b/GhidraBuild/BuildFiles/JsonDoclet/build.gradle
index 338f9868b9..b7b782545d 100644
--- a/GhidraBuild/BuildFiles/JsonDoclet/build.gradle
+++ b/GhidraBuild/BuildFiles/JsonDoclet/build.gradle
@@ -19,7 +19,7 @@ eclipse.project.name = '_JsonDoclet'
 apply plugin: 'java-library'
 dependencies {
- api "com.google.code.gson:gson@2.8.9"
+ api "com.google.code.gson:gson:2.8.9"
 }
 rootProject.createJsondocs.dependsOn jar
From 522d896215511f1c3eaf1fcf94519605a5a1a01d Mon Sep 17 00:00:00 2001
From: Ryan Kurtz
Date: Wed, 29 Dec 2021 13:35:55 -0500
Subject: [PATCH 3/3] GP-1632: Upgrading Gson to 2.8.9

---
 Ghidra/Framework/Generic/Module.manifest | 2 +-
 Ghidra/Framework/Generic/build.gradle | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Ghidra/Framework/Generic/Module.manifest b/Ghidra/Framework/Generic/Module.manifest
index 2f96a05370..920378145b 100644
--- a/Ghidra/Framework/Generic/Module.manifest
+++ b/Ghidra/Framework/Generic/Module.manifest
@@ -7,7 +7,7 @@ MODULE FILE LICENSE: lib/commons-collections4-4.1.jar Apache License 2.0
 MODULE FILE LICENSE: lib/commons-lang3-3.9.jar Apache License 2.0
 MODULE FILE LICENSE: lib/commons-io-2.6.jar Apache License 2.0
 MODULE FILE LICENSE: lib/commons-text-1.6.jar Apache License 2.0
-MODULE FILE LICENSE: lib/gson-2.8.6.jar Apache License 2.0
+MODULE FILE LICENSE: lib/gson-2.8.9.jar Apache License 2.0
 MODULE FILE LICENSE: lib/bcpkix-jdk15on-1.69.jar Bouncy Castle License
 MODULE FILE LICENSE: lib/bcprov-jdk15on-1.69.jar Bouncy Castle License
 MODULE FILE LICENSE: lib/bcutil-jdk15on-1.69.jar Bouncy Castle License
diff --git a/Ghidra/Framework/Generic/build.gradle b/Ghidra/Framework/Generic/build.gradle
index ee89c14527..8ef6f8d064 100644
--- a/Ghidra/Framework/Generic/build.gradle
+++ b/Ghidra/Framework/Generic/build.gradle
@@ -35,7 +35,7 @@ dependencies {
 api "org.apache.commons:commons-lang3:3.9"
 api "org.apache.commons:commons-text:1.6"
 api "commons-io:commons-io:2.6"
- api "com.google.code.gson:gson:2.8.6"
+ api "com.google.code.gson:gson:2.8.9"
 api 'org.bouncycastle:bcpkix-jdk15on:1.69' // requires bcutil and bcprov
 api 'org.bouncycastle:bcprov-jdk15on:1.69'
 api 'org.bouncycastle:bcutil-jdk15on:1.69'
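Review bot: The Gson version remains a separate string literal in every place this series touches — `api "com.google.code.gson:gson:2.8.9"` in both `build.gradle` files and the `lib/gson-2.8.9.jar` entry in `Module.manifest` — so a later security bump can miss one of them, just as patches 1 and 2 here covered only JsonDoclet and left the Generic module for patch 3. Defining the version once and referencing it, e.g. `api "com.google.code.gson:gson:${gsonVersion}"`, would keep the build files in step (the property name is a suggestion, not something the patch defines). Whether any other module or manifest still names 2.8.6 is not visible from these hunks; running `gradle dependencyInsight --dependency gson` per module after the upgrade would confirm that only 2.8.9 resolves.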