From 9c81caf9bc581104ed9daccafbb9b2fd9fa04441 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 18 May 2021 02:42:22 -0400
Subject: [PATCH] import resteasy-3.0.26-6.module+el8.4.0+8891+bb8828ef
---
 ...proper-validation-of-response-header.patch | 47 +++++++++++++++++++
 SPECS/resteasy.spec | 11 +++--
 2 files changed, 55 insertions(+), 3 deletions(-)
 create mode 100644 SOURCES/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
diff --git a/SOURCES/0001-RESTEASY-2559-Improper-validation-of-response-header.patch b/SOURCES/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
new file mode 100644
index 0000000..9048abd
--- /dev/null
+++ b/SOURCES/0001-RESTEASY-2559-Improper-validation-of-response-header.patch
@@ -0,0 +1,47 @@
+From f58a22382e31c0c4b92e519fa84f701a606981ac Mon Sep 17 00:00:00 2001
+From: Bartosz Spyrko-Smietanko
+Date: Thu, 16 Apr 2020 14:01:17 +0100
+Subject: [PATCH] [RESTEASY-2559] Improper validation of response header in
+ MediaTypeHeaderDelegate.java class
+
+---
+ .../plugins/delegates/MediaTypeHeaderDelegate.java | 1 +
+ .../test/mediatype/MediaTypeHeaderTest.java | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+ create mode 100644 testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+
+diff --git a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+index db0b4d588..b31d4376e 100755
+--- a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
++++ b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/delegates/MediaTypeHeaderDelegate.java
+@@ -89,6 +89,7 @@ public class MediaTypeHeaderDelegate implements RuntimeDelegate.HeaderDelegate
+ case '[':
+ case ']':
+ case '=':
++ case '\n':
+ return false;
+ default:
+ break;
+diff --git a/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+new file mode 100644
+index 000000000..e46f018f7
+--- /dev/null
++++ b/testsuite/unit-tests/src/test/java/org/jboss/resteasy/test/mediatype/MediaTypeHeaderTest.java
+@@ -0,0 +1,14 @@
++package org.jboss.resteasy.test.mediatype;
++
++import org.jboss.resteasy.plugins.delegates.MediaTypeHeaderDelegate;
++import org.junit.Test;
++
++public class MediaTypeHeaderTest {
++
++ @Test(expected = IllegalArgumentException.class)
++ public void testNewLineInHeaderValueIsRejected() {
++ MediaTypeHeaderDelegate delegate = new MediaTypeHeaderDelegate();
++
++ delegate.fromString("foo/bar\n");
++ }
++}
+-- 
+2.26.2
+
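Review bot: The embedded change adds `case '\n':` to the character-validation switch in MediaTypeHeaderDelegate, but none of the visible cases (`'['`, `']'`, `'='`) cover a carriage return, so unless a `case '\r':` already exists among the cases above the hunk a bare CR in a media-type value would still be accepted even though HTTP header lines are CRLF-terminated. Suggest adding `case '\r':` next to the new case and extending MediaTypeHeaderTest with a second expected-exception method that calls `delegate.fromString("foo/bar\r");`. The switch and its enclosing method start outside the hunk, so the earlier case list is not visible here.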
diff --git a/SPECS/resteasy.spec b/SPECS/resteasy.spec
index 512ed19..9678b9a 100644
--- a/SPECS/resteasy.spec
+++ b/SPECS/resteasy.spec
@@ -3,11 +3,12 @@
 Name: resteasy
 Version: 3.0.26
-Release: 3%{?dist}
+Release: 6%{?dist}
 Summary: Framework for RESTful Web services and Java applications
-License: ASL 2.0 and CDDL
+License: ASL 2.0
 URL: http://resteasy.jboss.org/
 Source0: https://github.com/resteasy/Resteasy/archive/%{namedversion}/%{name}-%{namedversion}.tar.gz
+Patch1: 0001-RESTEASY-2559-Improper-validation-of-response-header.patch
 BuildArch: noarch
@@ -61,7 +62,7 @@ This package contains the API documentation for %{name}.
 %prep
 %setup -q -n resteasy-jaxrs-all-%{namedversion}-redhat-1
-
+%patch1 -p1
 %pom_disable_module arquillian
 %pom_disable_module eagledns
@@ -181,6 +182,10 @@ done
 %files javadoc -f .mfiles-javadoc
 %changelog
+* Mon Nov 30 2020 Alexander Scheel - 3.0.26-6
+- CVE-2020-1695: Improper validation of response header in MediaTypeHeaderDelegate.java class
+ Resolves: rh-bz#1845548
+
 * Tue Aug 07 2018 Fraser Tweedale 3.5.1-3
 - Avoid redundant jcip-annotations dependency
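Review bot: The first hunk changes the `License` tag from `ASL 2.0 and CDDL` to `ASL 2.0`, but the new changelog entry in the third hunk records only the CVE-2020-1695 fix, leaving the license change undocumented. A line such as `- Drop CDDL from the License tag` under the 3.0.26-6 entry would record it. The Release also moves from 3 to 6 with no changelog entries for 4 and 5; if those builds exist elsewhere a short note saying so would keep the history traceable.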