From 817a21eacce8d805c3fa5dad095d502a04c7ccb4 Mon Sep 17 00:00:00 2001
From: Mat Booth
Date: Wed, 6 Feb 2019 12:41:32 +0000
Subject: [PATCH] Update to latest upstream release, fixes CVE-2018-14718 CVE-2018-147189 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721
---
 CVE-2018-7489.patch | 58 -------------------------------------------
 jackson-databind.spec | 14 +++++------
 sources | 2 +-
 3 files changed, 8 insertions(+), 66 deletions(-)
 delete mode 100644 CVE-2018-7489.patch
diff --git a/CVE-2018-7489.patch b/CVE-2018-7489.patch
deleted file mode 100644
index b8a9803..0000000
--- a/CVE-2018-7489.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index 164ab3454..bdd3b2f4e 100644
---- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -19,7 +19,10 @@ import com.fasterxml.jackson.databind.JsonMappingException;
- */
- public class SubTypeValidator
- {
-- protected final static String PREFIX_STRING = "org.springframework.";
-+ protected final static String PREFIX_SPRING = "org.springframework.";
-+
-+ protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
-+
- /**
- * Set of well-known "nasty classes", deserialization of which is considered dangerous
- * and should (and is) prevented by default.
-@@ -46,8 +49,9 @@ public class SubTypeValidator
- // [databind#1737]; 3rd party
- //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
- s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
-- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-+
-+// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
-+// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
- // [databind#1855]: more 3rd party
- s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
- s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
-@@ -86,8 +90,10 @@ public class SubTypeValidator
- // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
- // for some Spring framework types
- // 05-Jan-2017, tatu: ...
also, only applies to classes, not interfaces
-- if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
-- for (Class cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
-+ if (raw.isInterface()) {
-+ ;
-+ } else if (full.startsWith(PREFIX_SPRING)) {
-+ for (Class cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
- String name = cls.getSimpleName();
- // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
- if ("AbstractPointcutAdvisor".equals(name)
-@@ -96,6 +102,16 @@ public class SubTypeValidator
- break main_check;
- }
- }
-+ } else if (full.startsWith(PREFIX_C3P0)) {
-+ // [databind#1737]; more 3rd party
-+ // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-+ // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-+ // [databind#1931]; more 3rd party
-+ // com.mchange.v2.c3p0.ComboPooledDataSource
-+ // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
-+ if (full.endsWith("DataSource")) {
-+ break main_check;
-+ }
- }
- return;
- } while (false);
diff --git a/jackson-databind.spec b/jackson-databind.spec
index 72e6c22..98a23a2 100644
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
@@ -1,14 +1,11 @@
 Name: jackson-databind
-Version: 2.9.4
-Release: 5%{?dist}
+Version: 2.9.8
+Release: 1%{?dist}
 Summary: General data-binding package for Jackson (2.x)
 License: ASL 2.0 and LGPLv2+
 URL: https://github.com/FasterXML/jackson-databind/
 Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
-# Taken from https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
-Patch0: CVE-2018-7489.patch
-
 BuildRequires: maven-local
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
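Review bot: `CVE-2018-147189` in the Subject line and in the new changelog entry looks mistyped — every other identifier in the list has five digits — so the intended CVE should be confirmed against the upstream 2.9.8 release notes before this is merged, because an identifier that resolves to nothing breaks downstream tracking of what this update actually fixes. Dropping `Patch0: CVE-2018-7489.patch` here together with the `%patch0 -p1` line in the %prep hunk is correct only if the upstream commit named in the removed comment (6799f8f10cc78e9af6d443ed6982d00a13f2e7d2) is reachable from the 2.9.8 tag; a short changelog line such as `- Drop CVE-2018-7489.patch, fixed upstream` would record that intent so the fix is not silently lost on a later rebase. Since Source0 is fetched by version, the SHA512 line in `sources` is the only integrity check on the new tarball, so it should be derived from a copy verified against upstream's published checksum or signature rather than from whatever was downloaded.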
@@ -34,8 +31,6 @@ This package contains API documentation for %{name}.
 %prep
 %setup -q -n %{name}-%{name}-%{version}
-%patch0 -p1
-
 # Remove plugins unnecessary for RPM builds
 %pom_remove_plugin ":maven-enforcer-plugin"
@@ -72,6 +67,11 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
 %license LICENSE NOTICE
 %changelog
+* Wed Feb 06 2019 Mat Booth - 2.9.8-1
+- Update to latest upstream release, fixes CVE-2018-14718 CVE-2018-147189
+ CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023
+ CVE-2018-14720 CVE-2018-14721
+
 * Fri Feb 01 2019 Fedora Release Engineering - 2.9.4-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
diff --git a/sources b/sources
index 976c4b4..24903b4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (jackson-databind-2.9.4.tar.gz) = a867f985177deea0d9eaec3a32ea14d7b367c4b34765b413a13540f165b429335613c60fd11fd05ea4c6d676fb0d4f33043477ffce975369c4113a7ad841f1b6
+SHA512 (jackson-databind-2.9.8.tar.gz) = 201b2d6cbc875898536904358bc6634ea66e0f624cbee0185ab33d144f2710001ef9f58b26b0d4b412cd48ee866ef2ba728ab60d09c6b1072c2fa9a9d7427d8d