Compare commits

..

No commits in common. "c8-beta-stream-201801" and "c8-stream-3.6" have entirely different histories.

4 changed files with 32 additions and 75 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/slf4j-1.7.25.tar.gz
SOURCES/slf4j-1.7.28.tar.gz

View File

@ -1 +1 @@
f564e3825b62172e81874ec73fafcc2747fb3d3b SOURCES/slf4j-1.7.25.tar.gz
f57e8e97d434bdcd8ba87ab9933d8de64bafb071 SOURCES/slf4j-1.7.28.tar.gz

View File

@ -1,44 +0,0 @@
From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Mon, 19 Mar 2018 16:01:57 +0100
Subject: [PATCH] Disallow EventData deserialization by default
---
.../src/main/java/org/slf4j/ext/EventData.java | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
index dc5b502..fa5c125 100644
--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
@@ -76,12 +76,21 @@ public class EventData implements Serializable {
*/
@SuppressWarnings("unchecked")
public EventData(String xml) {
- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
- try {
- XMLDecoder decoder = new XMLDecoder(bais);
- this.eventData = (Map<String, Object>) decoder.readObject();
- } catch (Exception e) {
- throw new EventException("Error decoding " + xml, e);
+ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
+ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+ try {
+ XMLDecoder decoder = new XMLDecoder(bais);
+ this.eventData = (Map<String, Object>) decoder.readObject();
+ } catch (Exception e) {
+ throw new EventException("Error decoding " + xml, e);
+ }
+ } else {
+ throw new UnsupportedOperationException(
+ "Constructing EventData from XML is vulnerable to remote " +
+ "excution and is not allowed by default. If you're " +
+ "completely sure the source data is trusted, you can enable " +
+ "it by setting org.slf4j.ext.allowInsecureDeserialization " +
+ "JVM property to 1");
}
}
--
2.14.3

View File

@ -29,23 +29,18 @@
#
Name: slf4j
Version: 1.7.25
Release: 4%{?dist}
Epoch: 0
Version: 1.7.28
Release: 3%{?dist}
Summary: Simple Logging Facade for Java
# the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT
License: MIT and ASL 2.0
URL: http://www.slf4j.org/
Source0: http://www.slf4j.org/dist/%{name}-%{version}.tar.gz
Source1: http://www.apache.org/licenses/LICENSE-2.0.txt
Patch0: 0001-Disallow-EventData-deserialization-by-default.patch
BuildArch: noarch
BuildRequires: maven-local
BuildRequires: mvn(ch.qos.cal10n:cal10n-api)
BuildRequires: mvn(commons-lang:commons-lang)
BuildRequires: maven-local-openjdk8
BuildRequires: mvn(commons-logging:commons-logging)
BuildRequires: mvn(javassist:javassist)
BuildRequires: mvn(log4j:log4j:1.2.17)
BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-source-plugin)
@ -63,11 +58,8 @@ SLF4J interfaces directly, e.g. NLOG4J or SimpleLogger. Alternatively,
it is possible (and rather easy) to write SLF4J adapters for the given
API implementation, e.g. Log4jLoggerAdapter or JDK14LoggerAdapter..
%package javadoc
Summary: API documentation for %{name}
%description javadoc
This package provides %{summary}.
%{?module_package}
%{?javadoc_package}
%package manual
Summary: Manual for %{name}
@ -93,16 +85,10 @@ Summary: SLF4J JCL Binding
%description jcl
SLF4J JCL Binding.
%package ext
Summary: SLF4J Extensions Module
%description ext
Extensions to the SLF4J API.
%package -n jcl-over-slf4j
%package -n %{?module_prefix}jcl-over-slf4j
Summary: JCL 1.1.1 implemented over SLF4J
%description -n jcl-over-slf4j
%description -n %{?module_prefix}jcl-over-slf4j
JCL 1.1.1 implemented over SLF4J.
%package -n log4j-over-slf4j
@ -125,13 +111,13 @@ SLF4J Source JARs.
%prep
%setup -q
%patch0 -p1
find . -name "*.jar" | xargs rm
cp -p %{SOURCE1} APACHE-LICENSE
%pom_disable_module integration
%pom_disable_module osgi-over-slf4j
%pom_disable_module slf4j-android
%pom_disable_module slf4j-ext
%pom_disable_module slf4j-migrator
# Because of a non-ASCII comment in slf4j-api/src/main/java/org/slf4j/helpers/MessageFormatter.java
@ -179,7 +165,7 @@ sed -i "/Import-Package/s/.$/;resolution:=optional&/" slf4j-api/src/main/resourc
%mvn_package :%{name}-nop
%build
%mvn_build -f -s
%mvn_build -f -s -- -Drequired.jdk.version=1.6
%install
# Compat symlinks
@ -192,28 +178,43 @@ install -d -m 0755 $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual
rm -rf target/site/{.htaccess,apidocs}
cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual
%files -f .mfiles
%files -n %{?module_prefix}%{name} -f .mfiles
%license LICENSE.txt APACHE-LICENSE
%files jdk14 -f .mfiles-%{name}-jdk14
%files log4j12 -f .mfiles-%{name}-log4j12
%files jcl -f .mfiles-%{name}-jcl
%files ext -f .mfiles-%{name}-ext
%files -n jcl-over-slf4j -f .mfiles-jcl-over-slf4j
%files -n %{?module_prefix}jcl-over-slf4j -f .mfiles-jcl-over-slf4j
%files -n log4j-over-slf4j -f .mfiles-log4j-over-slf4j
%files -n jul-to-slf4j -f .mfiles-jul-to-slf4j
%files sources -f .mfiles-sources
%license LICENSE.txt APACHE-LICENSE
%files javadoc -f .mfiles-javadoc
%license LICENSE.txt APACHE-LICENSE
%files manual
%license LICENSE.txt APACHE-LICENSE
%{_defaultdocdir}/%{name}-manual
%changelog
* Sat Jan 25 2020 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.7.28-3
- Build with OpenJDK 8
* Tue Nov 05 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.7.28-2
- Mass rebuild for javapackages-tools 201902
* Tue Aug 13 2019 Marian Koncek <mkoncek@redhat.com> - 1.7.28-1
- Update to upstream version 1.7.28
* Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.7.26-3
- Mass rebuild for javapackages-tools 201901
* Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.7.26-2
- Disable slf4j-ext module
* Wed Feb 27 2019 Marian Koncek <mkoncek@redhat.com> - 0:1.7.26-1
- Update to upstream version 1.7.26
- Fixes: RHBZ #1678877
* Mon Mar 19 2018 Michael Simacek <msimacek@redhat.com> - 0:1.7.25-4
- Disallow EventData deserialization by default (CVE-2018-8088)
- Resolves rhbz#1549928