From 777ccfb563b9daec2deb4ac0ddc60306425d826b Mon Sep 17 00:00:00 2001 From: James Antill Date: Mon, 27 Feb 2023 15:03:11 -0500 Subject: [PATCH] Import rpm: c8s --- .gitignore | 2 + 0001-Fix-CVE-2017-18640-and-add-a-test.patch | 123 +++++++++++ 0001-Fix-CVE-2022-1471-and-add-a-test.patch | 219 +++++++++++++++++++ prometheus-jmx-exporter.spec | 155 +++++++++++++ properly_rewrite_namespace.patch | 28 +++ sources | 1 + 6 files changed, 528 insertions(+) create mode 100644 .gitignore create mode 100644 0001-Fix-CVE-2017-18640-and-add-a-test.patch create mode 100644 0001-Fix-CVE-2022-1471-and-add-a-test.patch create mode 100644 prometheus-jmx-exporter.spec create mode 100644 properly_rewrite_namespace.patch create mode 100644 sources diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..da85ce7 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/parent-0.12.0.tar.gz +/parent-0.12.0.tar.gz diff --git a/0001-Fix-CVE-2017-18640-and-add-a-test.patch b/0001-Fix-CVE-2017-18640-and-add-a-test.patch new file mode 100644 index 0000000..d85eb7d --- /dev/null +++ b/0001-Fix-CVE-2017-18640-and-add-a-test.patch @@ -0,0 +1,123 @@ +From 8cbe3bee31e605d535783431bfb74c3e2867ee37 Mon Sep 17 00:00:00 2001 +From: Severin Gehwolf +Date: Wed, 15 Apr 2020 17:41:17 +0200 +Subject: [PATCH] Fix CVE-2017-18640 and add a test + +--- + collector/pom.xml | 2 +- + .../java/io/prometheus/jmx/JmxCollector.java | 12 ++++++++- + .../io/prometheus/jmx/JmxCollectorTest.java | 26 ++++++++++++++++--- + collector/src/test/resources/testyaml.config | 9 +++++++ + 4 files changed, 44 insertions(+), 5 deletions(-) + create mode 100644 collector/src/test/resources/testyaml.config + +diff --git a/collector/pom.xml b/collector/pom.xml +index 8e90d58..b58d94a 100644 +--- a/collector/pom.xml ++++ b/collector/pom.xml +@@ -29,7 +29,7 @@ + + org.yaml + snakeyaml +- 1.16 ++ 1.26 + + + +diff --git a/collector/src/main/java/io/prometheus/jmx/JmxCollector.java b/collector/src/main/java/io/prometheus/jmx/JmxCollector.java +index f06d3ef..a5fc96f 100644 +--- a/collector/src/main/java/io/prometheus/jmx/JmxCollector.java ++++ b/collector/src/main/java/io/prometheus/jmx/JmxCollector.java +@@ -3,6 +3,7 @@ package io.prometheus.jmx; + import io.prometheus.client.Collector; + import io.prometheus.client.Counter; + import org.yaml.snakeyaml.Yaml; ++import org.yaml.snakeyaml.error.YAMLException; + + import javax.management.MalformedObjectNameException; + import javax.management.ObjectName; +@@ -71,7 +72,16 @@ public class JmxCollector extends Collector implements Collector.Describable { + + public JmxCollector(File in) throws IOException, MalformedObjectNameException { + configFile = in; +- config = loadConfig((Map)new Yaml().load(new FileReader(in))); ++ // Be defensive about loading yaml from a user. In some cases YAMLException ++ // will be thrown for bad configs ++ Map yamlConfig = null; ++ try { ++ yamlConfig = (Map)new Yaml().load(new FileReader(in)); ++ } catch (YAMLException e) { ++ System.err.println("YAML configuration error: " + e.getMessage()); ++ throw new IllegalArgumentException(e); ++ } ++ config = loadConfig(yamlConfig); + config.lastUpdate = configFile.lastModified(); + } + +diff --git a/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java b/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java +index dc35734..3d4ecf0 100644 +--- a/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java ++++ b/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java +@@ -3,15 +3,21 @@ package io.prometheus.jmx; + import static org.junit.Assert.assertEquals; + import static org.junit.Assert.assertNotNull; + import static org.junit.Assert.assertNull; ++import static org.junit.Assert.assertTrue; + import static org.junit.Assert.fail; + +-import io.prometheus.client.Collector; +-import io.prometheus.client.CollectorRegistry; ++import java.io.File; + import java.lang.management.ManagementFactory; ++ + import javax.management.MBeanServer; +-import org.junit.Test; ++ + import org.junit.Before; + import org.junit.BeforeClass; ++import org.junit.Test; ++import org.yaml.snakeyaml.error.YAMLException; ++ ++import io.prometheus.client.Collector; ++import io.prometheus.client.CollectorRegistry; + + + public class JmxCollectorTest { +@@ -252,4 +258,18 @@ public class JmxCollectorTest { + Thread.sleep(2000); + assertEquals(1.0, registry.getSampleValue("boolean_Test_True", new String[]{}, new String[]{}), .001); + } ++ ++ @Test ++ public void testBillionLaughs() throws Exception { ++ File configFile = new File(getClass().getResource("/testyaml.config").getPath()); ++ assertTrue(configFile.exists()); ++ try { ++ JmxCollector jc = new JmxCollector(configFile); ++ fail("Excected yaml exception due to billion laughs"); ++ } catch (IllegalArgumentException e) { ++ Throwable ex = e.getCause(); ++ String prefix = YAMLException.class.getName() + ": "; ++ assertEquals(prefix + "Number of aliases for non-scalar nodes exceeds the specified max=50", e.getMessage()); ++ } ++ } + } +diff --git a/collector/src/test/resources/testyaml.config b/collector/src/test/resources/testyaml.config +new file mode 100644 +index 0000000..4a3ed69 +--- /dev/null ++++ b/collector/src/test/resources/testyaml.config +@@ -0,0 +1,9 @@ ++a: &a ["lol","lol","lol","lol","lol","lol","lol","lol","lol"] ++b: &b [*a,*a,*a,*a,*a,*a,*a,*a,*a] ++c: &c [*b,*b,*b,*b,*b,*b,*b,*b,*b] ++d: &d [*c,*c,*c,*c,*c,*c,*c,*c,*c] ++e: &e [*d,*d,*d,*d,*d,*d,*d,*d,*d] ++f: &f [*e,*e,*e,*e,*e,*e,*e,*e,*e] ++g: &g [*f,*f,*f,*f,*f,*f,*f,*f,*f] ++h: &h [*g,*g,*g,*g,*g,*g,*g,*g,*g] ++i: &i [*h,*h,*h,*h,*h,*h,*h,*h,*h] +\ No newline at end of file +-- +2.21.1 + diff --git a/0001-Fix-CVE-2022-1471-and-add-a-test.patch b/0001-Fix-CVE-2022-1471-and-add-a-test.patch new file mode 100644 index 0000000..decbfd7 --- /dev/null +++ b/0001-Fix-CVE-2022-1471-and-add-a-test.patch @@ -0,0 +1,219 @@ +From fa99814967c44e654aae64802947209e2817359f Mon Sep 17 00:00:00 2001 +From: Severin Gehwolf +Date: Tue, 6 Dec 2022 17:32:30 +0100 +Subject: [PATCH] Fix CVE-2022-1471 and add a test + +--- + .../java/io/prometheus/jmx/JmxCollector.java | 34 +++++++++---- + .../io/prometheus/jmx/JmxCollectorTest.java | 51 +++++++++++++++++++ + .../test/java/io/prometheus/jmx/Person.java | 38 ++++++++++++++ + .../test/resources/testyaml_javabean.config | 6 +++ + 4 files changed, 119 insertions(+), 10 deletions(-) + create mode 100644 collector/src/test/java/io/prometheus/jmx/Person.java + create mode 100644 collector/src/test/resources/testyaml_javabean.config + +diff --git a/collector/src/main/java/io/prometheus/jmx/JmxCollector.java b/collector/src/main/java/io/prometheus/jmx/JmxCollector.java +index a5fc96f..38f13ed 100644 +--- a/collector/src/main/java/io/prometheus/jmx/JmxCollector.java ++++ b/collector/src/main/java/io/prometheus/jmx/JmxCollector.java +@@ -1,12 +1,7 @@ + package io.prometheus.jmx; + +-import io.prometheus.client.Collector; +-import io.prometheus.client.Counter; +-import org.yaml.snakeyaml.Yaml; +-import org.yaml.snakeyaml.error.YAMLException; ++import static java.lang.String.format; + +-import javax.management.MalformedObjectNameException; +-import javax.management.ObjectName; + import java.io.File; + import java.io.FileReader; + import java.io.IOException; +@@ -25,7 +20,19 @@ import java.util.logging.Logger; + import java.util.regex.Matcher; + import java.util.regex.Pattern; + +-import static java.lang.String.format; ++import javax.management.MalformedObjectNameException; ++import javax.management.ObjectName; ++ ++import org.yaml.snakeyaml.DumperOptions; ++import org.yaml.snakeyaml.LoaderOptions; ++import org.yaml.snakeyaml.Yaml; ++import org.yaml.snakeyaml.constructor.SafeConstructor; ++import org.yaml.snakeyaml.error.YAMLException; ++import org.yaml.snakeyaml.representer.Representer; ++import org.yaml.snakeyaml.resolver.Resolver; ++ ++import io.prometheus.client.Collector; ++import io.prometheus.client.Counter; + + public class JmxCollector extends Collector implements Collector.Describable { + static final Counter configReloadSuccess = Counter.build() +@@ -76,7 +83,7 @@ public class JmxCollector extends Collector implements Collector.Describable { + // will be thrown for bad configs + Map yamlConfig = null; + try { +- yamlConfig = (Map)new Yaml().load(new FileReader(in)); ++ yamlConfig = (Map)createYamlInstance().load(new FileReader(in)); + } catch (YAMLException e) { + System.err.println("YAML configuration error: " + e.getMessage()); + throw new IllegalArgumentException(e); +@@ -86,7 +93,14 @@ public class JmxCollector extends Collector implements Collector.Describable { + } + + public JmxCollector(String yamlConfig) throws MalformedObjectNameException { +- config = loadConfig((Map)new Yaml().load(yamlConfig)); ++ config = loadConfig((Map)createYamlInstance().load(yamlConfig)); ++ } ++ ++ private static Yaml createYamlInstance() { ++ // Equivalent to default Yaml() constructor but using SafeConstructor() ++ // over Constructor(); ++ return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), new LoaderOptions(), ++ new Resolver()); + } + + private void reloadConfig() { +@@ -94,7 +108,7 @@ public class JmxCollector extends Collector implements Collector.Describable { + FileReader fr = new FileReader(configFile); + + try { +- Map newYamlConfig = (Map)new Yaml().load(fr); ++ Map newYamlConfig = (Map)createYamlInstance().load(fr); + config = loadConfig(newYamlConfig); + config.lastUpdate = configFile.lastModified(); + configReloadSuccess.inc(); +diff --git a/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java b/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java +index 3d4ecf0..f499fb3 100644 +--- a/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java ++++ b/collector/src/test/java/io/prometheus/jmx/JmxCollectorTest.java +@@ -8,12 +8,15 @@ import static org.junit.Assert.fail; + + import java.io.File; + import java.lang.management.ManagementFactory; ++import java.nio.file.Files; ++import java.util.stream.Collectors; + + import javax.management.MBeanServer; + + import org.junit.Before; + import org.junit.BeforeClass; + import org.junit.Test; ++import org.yaml.snakeyaml.constructor.ConstructorException; + import org.yaml.snakeyaml.error.YAMLException; + + import io.prometheus.client.Collector; +@@ -272,4 +275,52 @@ public class JmxCollectorTest { + assertEquals(prefix + "Number of aliases for non-scalar nodes exceeds the specified max=50", e.getMessage()); + } + } ++ ++ @Test ++ public void javaBeanLoadTestFile() throws Exception { ++ try { ++ File configFile = new File(getClass().getResource("/testyaml_javabean.config").getPath()); ++ doJavaBeanLoadTest(configFile, false); ++ } finally { ++ Person.fixtureReset(); ++ } ++ } ++ ++ @Test ++ public void javaBeanLoadTestString() throws Exception { ++ try { ++ File configFile = new File(getClass().getResource("/testyaml_javabean.config").getPath()); ++ doJavaBeanLoadTest(configFile, true); ++ } finally { ++ Person.fixtureReset(); ++ } ++ } ++ ++ private void doJavaBeanLoadTest(File configFile, boolean passAsString) throws Exception { ++ assertTrue(configFile.exists()); ++ assertEquals(0, Person.loadCount.get()); ++ try { ++ if (passAsString) { ++ String config = Files.readAllLines(configFile.toPath()).stream().collect(Collectors.joining("\n")); ++ new JmxCollector(config); ++ } else { ++ new JmxCollector(configFile); ++ } ++ assertEquals("Expected Person class to not be instantiated", 0, Person.loadCount.get()); ++ } catch (ConstructorException e) { ++ String problem = e.getProblem(); ++ assertTrue(problem.contains(Person.class.getName())); ++ assertTrue(problem.contains("could not determine a constructor")); ++ } catch (IllegalArgumentException e) { ++ Throwable cause = e.getCause(); ++ if (cause instanceof ConstructorException) { ++ ConstructorException ce = (ConstructorException) cause; ++ String problem = ce.getProblem(); ++ assertTrue(problem.contains(Person.class.getName())); ++ assertTrue(problem.contains("could not determine a constructor")); ++ } else { ++ fail("Expected ConstructorException as cause!"); ++ } ++ } ++ } + } +diff --git a/collector/src/test/java/io/prometheus/jmx/Person.java b/collector/src/test/java/io/prometheus/jmx/Person.java +new file mode 100644 +index 0000000..e3b339a +--- /dev/null ++++ b/collector/src/test/java/io/prometheus/jmx/Person.java +@@ -0,0 +1,38 @@ ++package io.prometheus.jmx; ++ ++import java.util.concurrent.atomic.AtomicInteger; ++ ++/** ++ * Simple java bean (used by yaml load test) ++ * ++ */ ++public class Person { ++ ++ public static final AtomicInteger loadCount = new AtomicInteger(0); ++ ++ private String firstName; ++ private String lastName; ++ ++ public String getFirstName() { ++ return firstName; ++ } ++ ++ public void setFirstName(String firstName) { ++ loadCount.incrementAndGet(); ++ this.firstName = firstName; ++ } ++ ++ public String getLastName() { ++ return lastName; ++ } ++ ++ public void setLastName(String lastName) { ++ loadCount.incrementAndGet(); ++ this.lastName = lastName; ++ } ++ ++ public static void fixtureReset() { ++ loadCount.set(0); ++ } ++ ++} +diff --git a/collector/src/test/resources/testyaml_javabean.config b/collector/src/test/resources/testyaml_javabean.config +new file mode 100644 +index 0000000..6552d83 +--- /dev/null ++++ b/collector/src/test/resources/testyaml_javabean.config +@@ -0,0 +1,6 @@ ++lowercaseOutputName: true ++lowercaseOutputLabelNames: true ++blacklistObjectNames: ++# handled by agent's default exporter ++- "java.lang:*" ++other: !!io.prometheus.jmx.Person { firstName: Andrey, lastName: Tool } +-- +2.38.1 + diff --git a/prometheus-jmx-exporter.spec b/prometheus-jmx-exporter.spec new file mode 100644 index 0000000..286f3a6 --- /dev/null +++ b/prometheus-jmx-exporter.spec @@ -0,0 +1,155 @@ +%global version_id parent +%global upstream_name jmx_exporter +%global simple_client_version 0.6.0 + +# Filter requires for the Java Agent as deps are shaded within. +%global jmx_or_client io\\.prometheus\\.jmx:.*|io\\.prometheus:simpleclient.*|org\\.yaml:snakeyaml.* +%global mvn_requires_filter .*mvn\\(%{jmx_or_client}\\) +%global java_headless_filter \\(?.*java-headless.*\\)? +%global __requires_exclude ^%{java_headless_filter}|%{mvn_requires_filter}$ + +Name: prometheus-jmx-exporter +Version: 0.12.0 +Release: 10%{?dist} +Summary: Prometheus JMX Exporter + +License: ASL 2.0 +URL: https://github.com/prometheus/jmx_exporter/ + +Source0: https://github.com/prometheus/jmx_exporter/archive/%{version_id}-%{version}.tar.gz +Patch1: properly_rewrite_namespace.patch +Patch2: 0001-Fix-CVE-2017-18640-and-add-a-test.patch +Patch3: 0001-Fix-CVE-2022-1471-and-add-a-test.patch + +BuildArch: noarch +Requires: %{name}-jdk-binding +Suggests: %{name}-openjdk11 = %{version}-%{release} + +BuildRequires: maven-local +BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) +BuildRequires: mvn(org.apache.maven.plugins:maven-assembly-plugin) +BuildRequires: mvn(org.apache.maven.plugins:maven-shade-plugin) +BuildRequires: mvn(org.yaml:snakeyaml) +BuildRequires: mvn(io.prometheus:simpleclient) +BuildRequires: mvn(io.prometheus:simpleclient_hotspot) +BuildRequires: mvn(io.prometheus:simpleclient_common) +BuildRequires: mvn(io.prometheus:simpleclient_httpserver) + +Provides: bundled(io.prometheus.jmx:collector) = %{version} +Provides: bundled(io.prometheus:simpleclient) = %{simple_client_version} +Provides: bundled(org.yaml:snakeyaml) = 1.32 +Provides: bundled(biz.source_code:base64coder) = 2010.12.19 +Provides: bundled(commons-codec:commons-codec) = 1.11 +Provides: bundled(io.prometheus:simpleclient_hotspot) = %{simple_client_version} +Provides: bundled(io.prometheus:simpleclient_httpserver) = %{simple_client_version} +Provides: bundled(io.prometheus:simpleclient_common) = %{simple_client_version} + +%description +JMX to Prometheus exporter: a collector that can be configured to scrape +and expose MBeans of a JMX target. This exporter is intended to be run as +a Java Agent, exposing a HTTP server and serving metrics of the local JVM. + +%package openjdk8 +Summary: OpenJDK 1.8.0 binding for %{name} +Provides: %{name}-jdk-binding = %{version}-%{release} +Conflicts: %{name}-jdk-binding +Requires: %{name} = %{version}-%{release} +Requires: java-1.8.0-headless + +%description openjdk8 +OpenJDK 1.8.0 binding package for %{name} + +%package openjdk11 +Summary: OpenJDK 11 binding for %{name} +Provides: %{name}-jdk-binding = %{version}-%{release} +Conflicts: %{name}-jdk-binding +Requires: %{name} = %{version}-%{release} +Requires: java-11-headless + +%description openjdk11 +OpenJDK 11 binding package for %{name} + +%package openjdk17 +Summary: OpenJDK 17 binding for %{name} +Provides: %{name}-jdk-binding = %{version}-%{release} +Conflicts: %{name}-jdk-binding +Requires: %{name} = %{version}-%{release} +Requires: java-17-headless + +%description openjdk17 +OpenJDK 17 binding package for %{name} + +%prep +%setup -q -n %{upstream_name}-%{version_id}-%{version} + +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 + +%pom_remove_plugin org.vafer:jdeb jmx_prometheus_httpserver +%pom_remove_plugin org.apache.maven.plugins:maven-failsafe-plugin jmx_prometheus_javaagent +%pom_remove_plugin org.codehaus.mojo:build-helper-maven-plugin jmx_prometheus_javaagent + +# Don't install artefacts from the reactor but the java agent itself. This is because +# the agent needs deps from the reactor but shades them. +%mvn_package "io.prometheus.jmx:jmx_prometheus_httpserver" __noinstall +%mvn_package "io.prometheus.jmx:parent" __noinstall + +# Don't depend on obsolete sonatype-oss-parent +# See: https://github.com/prometheus/jmx_exporter/issues/420 +%pom_xpath_remove pom:project/pom:parent + +%build +# ignore spurious test errors with: -Dmaven.test.failure.ignore=true +%mvn_build -j + +%install +%mvn_install + +%files -f .mfiles +%license LICENSE +%doc NOTICE + +%files openjdk8 +# empty files for the binding package + +%files openjdk11 +# empty files for the binding package + +%files openjdk17 +# empty files for the binding package + +%changelog +* Wed Dec 07 2022 Severin Gehwolf - 0.12.0-10 +- Bump release. + +* Wed Dec 07 2022 Severin Gehwolf - 0.12.0-9 +- Fix CVE-2022-1471 by using SafeConstructor. + +* Mon Sep 26 2022 Jonathan Dowland - 0.12.0-8 +- Bump snakeyaml version to 1.32 to collect fix for CVE-2022-25857 + (BZ 2126789) + +* Tue Aug 31 2021 Severin Gehwolf - 0.12.0-7 +- Add JDK binding sub-packages so that the package + can be used with either JDK 11 or JDK 17. +- Add requirement on base package for the JDK binding packages. + +* Mon Apr 20 2020 Severin Gehwolf - 0.12.0-6 +- Fix CVE-2017-18640 by using updated snakeyaml. + +* Wed Oct 09 2019 Severin Gehwolf - 0.12.0-5 +- rebuilt + +* Wed Oct 09 2019 Severin Gehwolf - 0.12.0-4 +- rebuilt + +* Wed Oct 09 2019 Severin Gehwolf - 0.12.0-3 +- Advertise correct bundled snakeyaml version (1.25) + +* Tue Sep 03 2019 Severin Gehwolf - 0.12.0-2 +- Add patch to properly name-space included dependencies + +* Mon Aug 12 2019 Severin Gehwolf - 0.12.0-1 +- Initial package. + diff --git a/properly_rewrite_namespace.patch b/properly_rewrite_namespace.patch new file mode 100644 index 0000000..76da45f --- /dev/null +++ b/properly_rewrite_namespace.patch @@ -0,0 +1,28 @@ +diff --git a/jmx_prometheus_javaagent/pom.xml b/jmx_prometheus_javaagent/pom.xml +index 5a14679..fb47a94 100644 +--- a/jmx_prometheus_javaagent/pom.xml ++++ b/jmx_prometheus_javaagent/pom.xml +@@ -62,9 +62,11 @@ + javax.servlet.** + org.eclipse.** + org.yaml.** ++ biz.source_code.** ++ org.apache.** + + +- io.prometheus.jmx.shaded.** ++ io.prometheus.jmx.** + + + +@@ -81,8 +83,8 @@ + + + +- io.prometheus.jmx.shaded.io.prometheus.jmx.JavaAgent +- io.prometheus.jmx.shaded.io.prometheus.jmx.JavaAgent ++ io.prometheus.jmx.JavaAgent ++ io.prometheus.jmx.JavaAgent + ${project.version} + ${project.artifactId} + diff --git a/sources b/sources new file mode 100644 index 0000000..5cab402 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (parent-0.12.0.tar.gz) = e6674a59a87428d04700bc855eb87bd74d757e51e6a8c9d324647793c8489f26c0924d007ff0ba1de5e781cfb062b2401ff158a4affc3f9ad2e6780742cff0e7