Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/resteasy.git#dd38accbc59b1e4b51fef9fd14896228d4565711
2020-11-30 15:05:39 +00:00 · 2020-11-30 15:05:39 +00:00 · 8b5c3e3167
commit 8b5c3e3167
parent 962a862a58
3 changed files with 55 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,4 @@
 /3.0.17.Final.tar.gz
 /resteasy-3.0.19.Final.tar.gz
 /resteasy-3.0.26.Final.tar.gz
+Resteasy-3.0.26.Final
--- a/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
+++ b/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
@ -0,0 +1,47 @@
+From f58a22382e31c0c4b92e519fa84f701a606981ac Mon Sep 17 00:00:00 2001
+From: Bartosz Spyrko-Smietanko <bspyrkos@redhat.com>
+Date: Thu, 16 Apr 2020 14:01:17 +0100
+Subject: [PATCH] [RESTEASY-2559] Improper validation of response header in
+ MediaTypeHeaderDelegate.java class
+
+---
+ .../plugins/delegates/MediaTypeHeaderDelegate.java |  1 +
+ .../test/mediatype/MediaTypeHeaderTest.java        | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+
+diff --git a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+index db0b4d588..b31d4376e 100755
+--- a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+++ b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+@@ -89,6 +89,7 @@ public class MediaTypeHeaderDelegate implements RuntimeDelegate.HeaderDelegate
+             case '[':
+             case ']':
+             case '=':
+            case '\n':
+                return false;
+             default:
+                break;
+diff --git a/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+new file mode 100644
+index 000000000..e46f018f7
+--- /dev/null
+++ b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+@@ -0,0 +1,14 @@
+package org.jboss.resteasy.test.mediatype;
+
+import org.jboss.resteasy.plugins.delegates.MediaTypeHeaderDelegate;
+import org.junit.Test;
+
+public class MediaTypeHeaderTest {
+
+   @Test(expected = IllegalArgumentException.class)
+   public void testNewLineInHeaderValueIsRejected() {
+      MediaTypeHeaderDelegate delegate = new MediaTypeHeaderDelegate();
+
+      delegate.fromString("foo/bar\n");
+   }
+}
+-- 
+2.26.2
+
--- a/resteasy.spec
+++ b/resteasy.spec
@ -3,11 +3,12 @@

 Name:           resteasy
 Version:        3.0.26
-Release:        5%{?dist}
+Release:        6%{?dist}
 Summary:        Framework for RESTful Web services and Java applications
 License:        ASL 2.0 and CDDL
 URL:            http://resteasy.jboss.org/
 Source0:        https://github.com/resteasy/Resteasy/archive/%{namedversion}/%{name}-%{namedversion}.tar.gz
+Patch1:         0001-RESTEASY-2559-Improper-validation-of-response-header.patch

 BuildArch:      noarch

@ -101,6 +102,7 @@ Summary:        Client for %{name}

 %prep
 %setup -q -n Resteasy-%{namedversion}
+%patch1 -p1

 %pom_disable_module arquillian
 %pom_disable_module eagledns
@ -209,6 +211,10 @@ find -name '*.jar' -print -delete
 %license License.html

 %changelog
+* Mon Nov 30 2020 Alexander Scheel <ascheel@redhat.com> - 3.0.26-6
+- CVE-2020-1695: Improper validation of response header in MediaTypeHeaderDelegate.java class
+  Resolves: rh-bz#1845547
+
 * Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 3.0.26-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild