

No commits in common. "c8-stream-3.6" and "c8-stream-201801" have entirely different histories.

4 changed files with 75 additions and 32 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/slf4j-1.7.28.tar.gz SOURCES/slf4j-1.7.25.tar.gz


@ -1 +1 @@
f57e8e97d434bdcd8ba87ab9933d8de64bafb071 SOURCES/slf4j-1.7.28.tar.gz f564e3825b62172e81874ec73fafcc2747fb3d3b SOURCES/slf4j-1.7.25.tar.gz


@ -0,0 +1,44 @@
From b1c0ca75ca38a7a8b50bfdfdf2c324169a6ddf02 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Mon, 19 Mar 2018 16:01:57 +0100
Subject: [PATCH] Disallow EventData deserialization by default
---
.../src/main/java/org/slf4j/ext/EventData.java | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
index dc5b502..fa5c125 100644
--- a/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+++ b/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
@@ -76,12 +76,21 @@ public class EventData implements Serializable {
*/
@SuppressWarnings("unchecked")
public EventData(String xml) {
- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
- try {
- XMLDecoder decoder = new XMLDecoder(bais);
- this.eventData = (Map<String, Object>) decoder.readObject();
- } catch (Exception e) {
- throw new EventException("Error decoding " + xml, e);
+ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
+ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+ try {
+ XMLDecoder decoder = new XMLDecoder(bais);
+ this.eventData = (Map<String, Object>) decoder.readObject();
+ } catch (Exception e) {
+ throw new EventException("Error decoding " + xml, e);
+ }
+ } else {
+ throw new UnsupportedOperationException(
+ "Constructing EventData from XML is vulnerable to remote " +
+ "excution and is not allowed by default. If you're " +
+ "completely sure the source data is trusted, you can enable " +
+ "it by setting org.slf4j.ext.allowInsecureDeserialization " +
+ "JVM property to 1");
}
}
--
2.14.3
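Review bot: The message assembled in the new `else` branch says "remote excution"; it should read `"Constructing EventData from XML is vulnerable to remote code " + "execution and is not allowed by default. ..."` and should name CVE-2018-8088 so an operator who hits the exception can find the advisory that explains why the default changed. The constructor's Javadoc, which ends at the `*/` just above `@SuppressWarnings` and otherwise lies outside the hunk, is not updated to say that `EventData(String xml)` now throws `UnsupportedOperationException` unless the `org.slf4j.ext.allowInsecureDeserialization` system property is `"1"`, nor that enabling it passes the string to `java.beans.XMLDecoder`, which instantiates and invokes whatever the document describes, so only data from a trusted source may be decoded; an `@throws UnsupportedOperationException` tag with that wording belongs there, and it should also note that callers catching `EventException` will not catch this new exception. On the retained lines, `xml.getBytes()` uses the platform default charset, so `xml.getBytes(StandardCharsets.UTF_8)` (or the charset declared in the XML prolog) would make decoding deterministic across hosts, and the `XMLDecoder` is never closed; `try (XMLDecoder decoder = new XMLDecoder(bais)) {` keeps the existing `catch (Exception e)` and fixes the close.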


@ -29,18 +29,23 @@
# #
Name: slf4j Name: slf4j
Version: 1.7.28 Version: 1.7.25
Release: 3%{?dist} Release: 4%{?dist}
Epoch: 0
Summary: Simple Logging Facade for Java Summary: Simple Logging Facade for Java
# the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT
License: MIT and ASL 2.0 License: MIT and ASL 2.0
URL: http://www.slf4j.org/ URL: http://www.slf4j.org/
Source0: http://www.slf4j.org/dist/%{name}-%{version}.tar.gz Source0: http://www.slf4j.org/dist/%{name}-%{version}.tar.gz
Source1: http://www.apache.org/licenses/LICENSE-2.0.txt Source1: http://www.apache.org/licenses/LICENSE-2.0.txt
Patch0: 0001-Disallow-EventData-deserialization-by-default.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: maven-local-openjdk8 BuildRequires: maven-local
BuildRequires: mvn(ch.qos.cal10n:cal10n-api)
BuildRequires: mvn(commons-lang:commons-lang)
BuildRequires: mvn(commons-logging:commons-logging) BuildRequires: mvn(commons-logging:commons-logging)
BuildRequires: mvn(javassist:javassist)
BuildRequires: mvn(log4j:log4j:1.2.17) BuildRequires: mvn(log4j:log4j:1.2.17)
BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin) BuildRequires: mvn(org.apache.maven.plugins:maven-antrun-plugin)
BuildRequires: mvn(org.apache.maven.plugins:maven-source-plugin) BuildRequires: mvn(org.apache.maven.plugins:maven-source-plugin)
@ -58,8 +63,11 @@ SLF4J interfaces directly, e.g. NLOG4J or SimpleLogger. Alternatively,
it is possible (and rather easy) to write SLF4J adapters for the given it is possible (and rather easy) to write SLF4J adapters for the given
API implementation, e.g. Log4jLoggerAdapter or JDK14LoggerAdapter.. API implementation, e.g. Log4jLoggerAdapter or JDK14LoggerAdapter..
%{?module_package} %package javadoc
%{?javadoc_package} Summary: API documentation for %{name}
%description javadoc
This package provides %{summary}.
%package manual %package manual
Summary: Manual for %{name} Summary: Manual for %{name}
@ -85,10 +93,16 @@ Summary: SLF4J JCL Binding
%description jcl %description jcl
SLF4J JCL Binding. SLF4J JCL Binding.
%package -n %{?module_prefix}jcl-over-slf4j %package ext
Summary: SLF4J Extensions Module
%description ext
Extensions to the SLF4J API.
%package -n jcl-over-slf4j
Summary: JCL 1.1.1 implemented over SLF4J Summary: JCL 1.1.1 implemented over SLF4J
%description -n %{?module_prefix}jcl-over-slf4j %description -n jcl-over-slf4j
JCL 1.1.1 implemented over SLF4J. JCL 1.1.1 implemented over SLF4J.
%package -n log4j-over-slf4j %package -n log4j-over-slf4j
@ -111,13 +125,13 @@ SLF4J Source JARs.
%prep %prep
%setup -q %setup -q
%patch0 -p1
find . -name "*.jar" | xargs rm find . -name "*.jar" | xargs rm
cp -p %{SOURCE1} APACHE-LICENSE cp -p %{SOURCE1} APACHE-LICENSE
%pom_disable_module integration %pom_disable_module integration
%pom_disable_module osgi-over-slf4j %pom_disable_module osgi-over-slf4j
%pom_disable_module slf4j-android %pom_disable_module slf4j-android
%pom_disable_module slf4j-ext
%pom_disable_module slf4j-migrator %pom_disable_module slf4j-migrator
# Because of a non-ASCII comment in slf4j-api/src/main/java/org/slf4j/helpers/MessageFormatter.java # Because of a non-ASCII comment in slf4j-api/src/main/java/org/slf4j/helpers/MessageFormatter.java
@ -165,7 +179,7 @@ sed -i "/Import-Package/s/.$/;resolution:=optional&/" slf4j-api/src/main/resourc
%mvn_package :%{name}-nop %mvn_package :%{name}-nop
%build %build
%mvn_build -f -s -- -Drequired.jdk.version=1.6 %mvn_build -f -s
%install %install
# Compat symlinks # Compat symlinks
@ -178,43 +192,28 @@ install -d -m 0755 $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual
rm -rf target/site/{.htaccess,apidocs} rm -rf target/site/{.htaccess,apidocs}
cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual cp -pr target/site/* $RPM_BUILD_ROOT%{_defaultdocdir}/%{name}-manual
%files -n %{?module_prefix}%{name} -f .mfiles %files -f .mfiles
%license LICENSE.txt APACHE-LICENSE %license LICENSE.txt APACHE-LICENSE
%files jdk14 -f .mfiles-%{name}-jdk14 %files jdk14 -f .mfiles-%{name}-jdk14
%files log4j12 -f .mfiles-%{name}-log4j12 %files log4j12 -f .mfiles-%{name}-log4j12
%files jcl -f .mfiles-%{name}-jcl %files jcl -f .mfiles-%{name}-jcl
%files -n %{?module_prefix}jcl-over-slf4j -f .mfiles-jcl-over-slf4j %files ext -f .mfiles-%{name}-ext
%files -n jcl-over-slf4j -f .mfiles-jcl-over-slf4j
%files -n log4j-over-slf4j -f .mfiles-log4j-over-slf4j %files -n log4j-over-slf4j -f .mfiles-log4j-over-slf4j
%files -n jul-to-slf4j -f .mfiles-jul-to-slf4j %files -n jul-to-slf4j -f .mfiles-jul-to-slf4j
%files sources -f .mfiles-sources %files sources -f .mfiles-sources
%license LICENSE.txt APACHE-LICENSE %license LICENSE.txt APACHE-LICENSE
%files javadoc -f .mfiles-javadoc
%license LICENSE.txt APACHE-LICENSE
%files manual %files manual
%license LICENSE.txt APACHE-LICENSE %license LICENSE.txt APACHE-LICENSE
%{_defaultdocdir}/%{name}-manual %{_defaultdocdir}/%{name}-manual
%changelog %changelog
* Sat Jan 25 2020 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.7.28-3
- Build with OpenJDK 8
* Tue Nov 05 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.7.28-2
- Mass rebuild for javapackages-tools 201902
* Tue Aug 13 2019 Marian Koncek <mkoncek@redhat.com> - 1.7.28-1
- Update to upstream version 1.7.28
* Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.7.26-3
- Mass rebuild for javapackages-tools 201901
* Fri May 24 2019 Mikolaj Izdebski <mizdebsk@redhat.com> - 1.7.26-2
- Disable slf4j-ext module
* Wed Feb 27 2019 Marian Koncek <mkoncek@redhat.com> - 0:1.7.26-1
- Update to upstream version 1.7.26
- Fixes: RHBZ #1678877
* Mon Mar 19 2018 Michael Simacek <msimacek@redhat.com> - 0:1.7.25-4 * Mon Mar 19 2018 Michael Simacek <msimacek@redhat.com> - 0:1.7.25-4
- Disallow EventData deserialization by default (CVE-2018-8088) - Disallow EventData deserialization by default (CVE-2018-8088)
- Resolves rhbz#1549928 - Resolves rhbz#1549928
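Review bot: The `%package ext` description, `Extensions to the SLF4J API.`, does not tell users that `Patch0` (`0001-Disallow-EventData-deserialization-by-default.patch`, declared near the top of the section) makes `EventData`'s XML constructor throw unless the `org.slf4j.ext.allowInsecureDeserialization` JVM property is set to 1; a mention such as `Extensions to the SLF4J API. EventData XML deserialization is disabled by default (CVE-2018-8088) and must be enabled with the org.slf4j.ext.allowInsecureDeserialization JVM property.` would make the behaviour change discoverable from the package itself. Reading the two columns as old-left/new-right, `%pom_disable_module slf4j-ext` appears only on the old side while `%package ext` and `%files ext` appear only on the new side, which would mean the new side builds and ships slf4j-ext with this patch as its sole mitigation for CVE-2018-8088; that reading is inferred from print order and should be confirmed before relying on it. Since the patch is then load-bearing, a one-line comment above `%patch0 -p1`, e.g. `# CVE-2018-8088: gates EventData XML deserialization behind a JVM property`, would stop a future cleanup from dropping it as an obsolete backport.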