Add patch to fix CVE-2018-7489
This commit is contained in:
parent
c2ea9687b8
commit
9454dfab1a
58
CVE-2018-7489.patch
Normal file
58
CVE-2018-7489.patch
Normal file
@ -0,0 +1,58 @@
|
||||
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
|
||||
index 164ab3454..bdd3b2f4e 100644
|
||||
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
|
||||
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
|
||||
@@ -19,7 +19,10 @@ import com.fasterxml.jackson.databind.JsonMappingException;
|
||||
*/
|
||||
public class SubTypeValidator
|
||||
{
|
||||
- protected final static String PREFIX_STRING = "org.springframework.";
|
||||
+ protected final static String PREFIX_SPRING = "org.springframework.";
|
||||
+
|
||||
+ protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
|
||||
+
|
||||
/**
|
||||
* Set of well-known "nasty classes", deserialization of which is considered dangerous
|
||||
* and should (and is) prevented by default.
|
||||
@@ -46,8 +49,9 @@ public class SubTypeValidator
|
||||
// [databind#1737]; 3rd party
|
||||
//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
|
||||
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
|
||||
- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
|
||||
- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
|
||||
+
|
||||
+// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
|
||||
+// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
|
||||
// [databind#1855]: more 3rd party
|
||||
s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
|
||||
s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
|
||||
@@ -86,8 +90,10 @@ public class SubTypeValidator
|
||||
// 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
|
||||
// for some Spring framework types
|
||||
// 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
|
||||
- if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
|
||||
- for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
|
||||
+ if (raw.isInterface()) {
|
||||
+ ;
|
||||
+ } else if (full.startsWith(PREFIX_SPRING)) {
|
||||
+ for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
|
||||
String name = cls.getSimpleName();
|
||||
// looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
|
||||
if ("AbstractPointcutAdvisor".equals(name)
|
||||
@@ -96,6 +102,16 @@ public class SubTypeValidator
|
||||
break main_check;
|
||||
}
|
||||
}
|
||||
+ } else if (full.startsWith(PREFIX_C3P0)) {
|
||||
+ // [databind#1737]; more 3rd party
|
||||
+ // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
|
||||
+ // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
|
||||
+ // [databind#1931]; more 3rd party
|
||||
+ // com.mchange.v2.c3p0.ComboPooledDataSource
|
||||
+ // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
|
||||
+ if (full.endsWith("DataSource")) {
|
||||
+ break main_check;
|
||||
+ }
|
||||
}
|
||||
return;
|
||||
} while (false);
|
||||
@ -1,11 +1,14 @@
|
||||
Name: jackson-databind
|
||||
Version: 2.9.4
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
Summary: General data-binding package for Jackson (2.x)
|
||||
License: ASL 2.0 and LGPLv2+
|
||||
URL: https://github.com/FasterXML/jackson-databind/
|
||||
Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
|
||||
|
||||
# Taken from https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
|
||||
Patch0: CVE-2018-7489.patch
|
||||
|
||||
BuildRequires: maven-local
|
||||
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
|
||||
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
|
||||
@ -31,6 +34,8 @@ This package contains API documentation for %{name}.
|
||||
%prep
|
||||
%setup -q -n %{name}-%{name}-%{version}
|
||||
|
||||
%patch0 -p1
|
||||
|
||||
# Remove plugins unnecessary for RPM builds
|
||||
%pom_remove_plugin ":maven-enforcer-plugin"
|
||||
|
||||
@ -67,6 +72,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
|
||||
%license LICENSE NOTICE
|
||||
|
||||
%changelog
|
||||
* Mon Mar 26 2018 Mat Booth <mat.booth@redhat.com> - 2.9.4-3
|
||||
- Add patch to fix CVE-2018-7489
|
||||
|
||||
* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.9.4-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user