Update to latest upstream release, fixes CVE-2018-14718 CVE-2018-147189

CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721
2019-02-06 12:41:32 +00:00 · 2019-02-06 12:41:32 +00:00 · 817a21eacc
commit 817a21eacc
parent f95cb6040f
3 changed files with 8 additions and 66 deletions
--- a/CVE-2018-7489.patch
+++ b/CVE-2018-7489.patch
@ -1,58 +0,0 @@
-diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index 164ab3454..bdd3b2f4e 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -19,7 +19,10 @@ import com.fasterxml.jackson.databind.JsonMappingException;
-  */
- public class SubTypeValidator
- {
-    protected final static String PREFIX_STRING = "org.springframework.";
-+    protected final static String PREFIX_SPRING = "org.springframework.";
-+
-+    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
-+
-     /**
-      * Set of well-known "nasty classes", deserialization of which is considered dangerous
-      * and should (and is) prevented by default.
-@@ -46,8 +49,9 @@ public class SubTypeValidator
-         // [databind#1737]; 3rd party
- //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
-         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
-        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-+
-+// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
-+// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
-         // [databind#1855]: more 3rd party
-         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
-         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
-@@ -86,8 +90,10 @@ public class SubTypeValidator
-             // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
-             //    for some Spring framework types
-             // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
-            if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
-                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
-+            if (raw.isInterface()) {
-+                ;
-+            } else if (full.startsWith(PREFIX_SPRING)) {
-+                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
-                     String name = cls.getSimpleName();
-                     // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
-                     if ("AbstractPointcutAdvisor".equals(name)
-@@ -96,6 +102,16 @@ public class SubTypeValidator
-                         break main_check;
-                     }
-                 }
-+            } else if (full.startsWith(PREFIX_C3P0)) {
-+                // [databind#1737]; more 3rd party
-+                // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-+                // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-+                // [databind#1931]; more 3rd party
-+                // com.mchange.v2.c3p0.ComboPooledDataSource
-+                // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource 
-+                if (full.endsWith("DataSource")) {
-+                    break main_check;
-+                }
-             }
-             return;
-         } while (false);
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
@ -1,14 +1,11 @@
 Name:          jackson-databind
-Version:       2.9.4
-Release:       5%{?dist}
+Version:       2.9.8
+Release:       1%{?dist}
 Summary:       General data-binding package for Jackson (2.x)
 License:       ASL 2.0 and LGPLv2+
 URL:           https://github.com/FasterXML/jackson-databind/
 Source0:       https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz

-# Taken from https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
-Patch0: CVE-2018-7489.patch
-
 BuildRequires:  maven-local
 BuildRequires:  mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
 BuildRequires:  mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
@ -34,8 +31,6 @@ This package contains API documentation for %{name}.
 %prep
 %setup -q -n %{name}-%{name}-%{version}

-%patch0 -p1
-
 # Remove plugins unnecessary for RPM builds
 %pom_remove_plugin ":maven-enforcer-plugin"

@ -72,6 +67,11 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
 %license LICENSE NOTICE

 %changelog
+* Wed Feb 06 2019 Mat Booth <mat.booth@redhat.com> - 2.9.8-1
+- Update to latest upstream release, fixes CVE-2018-14718 CVE-2018-147189
+  CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023
+  CVE-2018-14720 CVE-2018-14721
+
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (jackson-databind-2.9.4.tar.gz) = a867f985177deea0d9eaec3a32ea14d7b367c4b34765b413a13540f165b429335613c60fd11fd05ea4c6d676fb0d4f33043477ffce975369c4113a7ad841f1b6
+SHA512 (jackson-databind-2.9.8.tar.gz) = 201b2d6cbc875898536904358bc6634ea66e0f624cbee0185ab33d144f2710001ef9f58b26b0d4b412cd48ee866ef2ba728ab60d09c6b1072c2fa9a9d7427d8d