From 8b5c3e3167b83a8abdc51291833da7b4c9e76083 Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Mon, 30 Nov 2020 15:05:39 +0000
Subject: [PATCH] Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/resteasy.git#dd38accbc59b1e4b51fef9fd14896228d4565711
---
 .gitignore | 1 +
 ...proper-validation-of-response-header.patch | 47 +++++++++++++++++++
 resteasy.spec | 8 +++-
 3 files changed, 55 insertions(+), 1 deletion(-)
 create mode 100644 0001-RESTEASY-2559-Improper-validation-of-response-header.patch
diff --git a/.gitignore b/.gitignore
index d204f60..ace4ecc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 /3.0.17.Final.tar.gz
 /resteasy-3.0.19.Final.tar.gz
 /resteasy-3.0.26.Final.tar.gz
+Resteasy-3.0.26.Final
diff --git a/0001-RESTEASY-2559-Improper-validation-of-response-header.patch b/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
new file mode 100644
index 0000000..9048abd
--- /dev/null
+++ b/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
@@ -0,0 +1,47 @@
+From f58a22382e31c0c4b92e519fa84f701a606981ac Mon Sep 17 00:00:00 2001
+From: Bartosz Spyrko-Smietanko
+Date: Thu, 16 Apr 2020 14:01:17 +0100
+Subject: [PATCH] [RESTEASY-2559] Improper validation of response header in
+ MediaTypeHeaderDelegate.java class
+
+---
+ .../plugins/delegates/MediaTypeHeaderDelegate.java | 1 +
+ .../test/mediatype/MediaTypeHeaderTest.java | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+
+diff --git a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+index db0b4d588..b31d4376e 100755
+--- a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
++++ b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+@@ -89,6 +89,7 @@ public class MediaTypeHeaderDelegate implements RuntimeDelegate.HeaderDelegate
+ case '[':
+ case ']':
+ case '=':
++ case '\n':
+ return false;
+ default:
+ break;
+diff --git a/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+new file mode 100644
+index 000000000..e46f018f7
+--- /dev/null
++++ b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+@@ -0,0 +1,14 @@
++package org.jboss.resteasy.test.mediatype;
++
++import org.jboss.resteasy.plugins.delegates.MediaTypeHeaderDelegate;
++import org.junit.Test;
++
++public class MediaTypeHeaderTest {
++
++ @Test(expected = IllegalArgumentException.class)
++ public void testNewLineInHeaderValueIsRejected() {
++ MediaTypeHeaderDelegate delegate = new MediaTypeHeaderDelegate();
++
++ delegate.fromString("foo/bar\n");
++ }
++}
+--
+2.26.2
+
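Review bot: The added `case '\n':` in the MediaTypeHeaderDelegate switch rejects only a line feed, so a bare carriage return — the other half of the CRLF that terminates an HTTP header line, and a line terminator on its own for some HTTP stacks — still passes this check unless one of the cases outside the hunk already handles it, which would leave a value like "foo/bar\r\n" or "foo/bar\rX-Injected: 1" accepted. Control characters in general (0x00–0x1F and 0x7F) are not token characters under RFC 7230, so extending a denylist of individual separators one character at a time is the fragile shape here; at minimum add `case '\r':` beside the new case, or better reject any character with `c < 0x20 || c == 0x7f` before the switch is consulted. The new MediaTypeHeaderTest pins only the LF case; a second method calling `delegate.fromString("foo/bar\r\n")` and one with a bare '\r' would pin the CRLF variant and catch a regression if the denylist is reshuffled. The method that holds the switch starts and ends outside the hunk, so whether a surrounding case or range check already covers '\r' cannot be confirmed from this excerpt.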
diff --git a/resteasy.spec b/resteasy.spec
index 1653258..979dc2f 100644
--- a/resteasy.spec
+++ b/resteasy.spec
@@ -3,11 +3,12 @@ Name: resteasy
 Version: 3.0.26
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Framework for RESTful Web services and Java applications
 License: ASL 2.0 and CDDL
 URL: http://resteasy.jboss.org/
 Source0: https://github.com/resteasy/Resteasy/archive/%{namedversion}/%{name}-%{namedversion}.tar.gz
+Patch1: 0001-RESTEASY-2559-Improper-validation-of-response-header.patch
 BuildArch: noarch
@@ -101,6 +102,7 @@ Summary: Client for %{name}
 %prep
 %setup -q -n Resteasy-%{namedversion}
+%patch1 -p1
 %pom_disable_module arquillian
 %pom_disable_module eagledns
@@ -209,6 +211,10 @@ find -name '*.jar' -print -delete
 %license License.html
 %changelog
+* Mon Nov 30 2020 Alexander Scheel - 3.0.26-6
+- CVE-2020-1695: Improper validation of response header in MediaTypeHeaderDelegate.java class
+ Resolves: rh-bz#1845547
+
 * Wed Jul 29 2020 Fedora Release Engineering - 3.0.26-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild