From 6af0b4879e1eac48f7eb41b4c077fd56f9486807 Mon Sep 17 00:00:00 2001
From: Alex Miller
Date: Mon, 14 Jul 2025 16:05:47 -0500
Subject: [PATCH 1/2] Realize lazy seqs before writing serialized value and dont serialize lazy seq fn
---
 src/jvm/clojure/lang/LazySeq.java | 12 +++++++++++-
 test/clojure/test_clojure/serialization.clj | 3 +--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/src/jvm/clojure/lang/LazySeq.java b/src/jvm/clojure/lang/LazySeq.java
index 5c243c1ebb..dc26f0b826 100644
--- a/src/jvm/clojure/lang/LazySeq.java
+++ b/src/jvm/clojure/lang/LazySeq.java
@@ -22,7 +22,7 @@ public final class LazySeq extends Obj implements ISeq, Sequential, List, IPendi
 private static final long serialVersionUID = -7345643944998411680L;
-private IFn fn;
+private transient IFn fn;
 private Object sv;
 private ISeq s;
 private Lock lock;
@@ -300,5 +300,15 @@ public boolean isRealized(){
 }
 return true;
 }
+
+// custom Serializable implementation - ensure seq is fully-realized before writing
+private void writeObject(java.io.ObjectOutputStream out) throws IOException {
+ ISeq s = this;
+ while(s != null) {
+ s = s.next();
+ }
+ out.defaultWriteObject();
+}
+
 }
diff --git a/test/clojure/test_clojure/serialization.clj b/test/clojure/test_clojure/serialization.clj
index c9befc49cd..a793df524d 100644
--- a/test/clojure/test_clojure/serialization.clj
+++ b/test/clojure/test_clojure/serialization.clj
@@ -182,8 +182,7 @@
 (agent nil)
 ;; stateful seqs
- (enumeration-seq (java.util.Collections/enumeration (range 50)))
- (iterator-seq (.iterator (range 50)))))
+ (enumeration-seq (java.util.Collections/enumeration (range 50)))))
 ;; necessary for CVE-2024-22871
 (deftest CLJ-2839

From 7ad35e8b2ac354c284e5e7f408d3e9412621d245 Mon Sep 17 00:00:00 2001
From: Alex Miller
Date: Tue, 15 Jul 2025 09:28:15 -0500
Subject: [PATCH 2/2] Set new serialVersionUID for LazySeq, no longer compatible
---
 src/jvm/clojure/lang/LazySeq.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
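Review bot: The `transient` added to `fn` carries no comment, so the reason a function is kept out of the serialized stream lives only in the commit subject. Suggested comment on the field: `// transient: never serialized - writeObject() realizes the seq first, so a deserialized LazySeq relies on sv/s only`. Whether `fn` is already null on the writer side once the seq has been realized, and whether the rest of the class behaves correctly for a deserialized instance whose `fn` is null, is not visible in this hunk and should be confirmed; with no `readObject` in this patch, `sv`, `s` and `lock` are taken straight from the stream.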
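Review bot: The realization walk in `writeObject`, `while(s != null) { s = s.next(); }`, has no bound, so serializing an unrealized infinite lazy seq now runs until memory is exhausted rather than failing, and the comment above the method does not say so. Every element has to be realized to be written, so a bound is not the fix; state the contract instead, e.g. `// walks and retains the entire seq: serializing an infinite lazy seq does not terminate`. The local `ISeq s` shadows the field `s` shown in the first hunk's context, which makes the loop read like a reassignment of the field; a name such as `cur` avoids that. `IOException` is used unqualified while `ObjectOutputStream` is written out as `java.io.ObjectOutputStream`; whether `java.io.IOException` is already imported is outside the hunk, but the two should be spelled consistently.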
diff --git a/src/jvm/clojure/lang/LazySeq.java b/src/jvm/clojure/lang/LazySeq.java
index dc26f0b826..26ad7be198 100644
--- a/src/jvm/clojure/lang/LazySeq.java
+++ b/src/jvm/clojure/lang/LazySeq.java
@@ -20,7 +20,7 @@
 public final class LazySeq extends Obj implements ISeq, Sequential, List, IPending, IHashEq{
-private static final long serialVersionUID = -7345643944998411680L;
+private static final long serialVersionUID = -7531333024710395876L;
 private transient IFn fn;
 private Object sv;