From a22a8f84a4c2d0fa569d1ec57de7dce8ce32b9af Mon Sep 17 00:00:00 2001
From: Marian Koncek
Date: Thu, 11 Mar 2021 17:03:02 +0100
Subject: [PATCH] Fix for CVE-2020-13936
---
0003-CVE-2020-13936.patch | 77 +++++++++++++++++++++++++++++++++++++++
velocity.spec | 2 +
2 files changed, 79 insertions(+)
create mode 100644 0003-CVE-2020-13936.patch
diff --git a/0003-CVE-2020-13936.patch b/0003-CVE-2020-13936.patch
new file mode 100644
index 0000000..5e9f9b3
--- /dev/null
+++ b/0003-CVE-2020-13936.patch
@@ -0,0 +1,77 @@
+From 3be84770e7fbe6f000f0c002905e86fe1412d551 Mon Sep 17 00:00:00 2001
+From: Marian Koncek
+Date: Thu, 11 Mar 2021 16:22:50 +0100
+Subject: [PATCH] CVE-2020-13936
+
+From upstream patches:
+https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485
+https://github.com/apache/velocity-engine/commit/15909056fe51f5d39d49e101d706d3075876dde4
+https://github.com/apache/velocity-engine/commit/3f5d477bb4f4397bed2d2926c35dcef7de3aae3e
+
+---
+ .../velocity/runtime/defaults/velocity.properties | 15 ++++++++++-----
+ .../introspection/SecureIntrospectorImpl.java | 9 +++++++++
+ 2 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+index 855118b..a8a9231 100644
+--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+@@ -245,15 +245,16 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
+ # accessed.
+ # ----------------------------------------------------------------------------
+
++# Prohibit reflection
+ introspector.restrict.packages = java.lang.reflect
+
+ # The two most dangerous classes
++# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+
+-introspector.restrict.classes = java.lang.Class
+-introspector.restrict.classes = java.lang.ClassLoader
+-
+-# Restrict these for extra safety
++# Restrict these system classes. Note that anything in this list is matched exactly.
++# (Subclasses must be explicitly named to be included).
+
++introspector.restrict.classes = java.lang.Class
+ introspector.restrict.classes = java.lang.Compiler
+ introspector.restrict.classes = java.lang.InheritableThreadLocal
+ introspector.restrict.classes = java.lang.Package
+@@ -262,8 +263,12 @@ introspector.restrict.classes = java.lang.Runtime
+ introspector.restrict.classes = java.lang.RuntimePermission
+ introspector.restrict.classes = java.lang.SecurityManager
+ introspector.restrict.classes = java.lang.System
+-introspector.restrict.classes = java.lang.Thread
+ introspector.restrict.classes = java.lang.ThreadGroup
+ introspector.restrict.classes = java.lang.ThreadLocal
+
++# Restrict instance managers for common servlet containers (Tomcat, JBoss, Jetty)
+
++introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
++introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
++introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
++introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
+diff --git a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+index f317b1c..25fc84d 100644
+--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+@@ -121,6 +121,15 @@ public class SecureIntrospectorImpl extends Introspector implements SecureIntros
+ return true;
+ }
+
++ /**
++ * Always disallow ClassLoader, Thread and subclasses
++ */
++ if (ClassLoader.class.isAssignableFrom(clazz) ||
++ Thread.class.isAssignableFrom(clazz))
++ {
++ return false;
++ }
++
+ /**
+ * check the classname (minus any array info)
+ * whether it matches disallowed classes or packages
+--
+2.29.2
+
diff --git a/velocity.spec b/velocity.spec
index 295888a..64d26bf 100644
--- a/velocity.spec
+++ b/velocity.spec
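Review bot: The new `isAssignableFrom` guard in SecureIntrospectorImpl tests `clazz` itself, so an array receiver such as `ClassLoader[]` or `Thread[]` is not caught by it, whereas the name-based check immediately below is commented as matching "minus any array info" and would presumably have caught those through the `java.lang.ClassLoader` and `java.lang.Thread` entries this same patch removes from velocity.properties; testing `clazz.isArray() ? clazz.getComponentType() : clazz` in both `isAssignableFrom` calls keeps the two checks consistent (whether an array receiver is actually reachable depends on how the uberspector dispatches on arrays, which is outside this hunk). The guard is also inserted after a branch ending in `return true;` whose condition, like the method's signature, lies outside the hunk, so whichever method names that branch allows stay callable on ClassLoader and Thread subclasses; worth confirming it is only the toString/hashCode/equals-style allowlist. Separately, the properties hunk header shows the default `runtime.introspector.uberspect` as `org.apache.velocity.util.introspection.Uberspec…`, which appears to be the non-secure implementation, so none of the restrict-list changes take effect unless a deployment has opted into the secure uberspector, and the four instance-manager entries are an exact-match deny-list for three containers only. A comment next to `# Prohibit reflection` such as `# Enforced only when runtime.introspector.uberspect is set to SecureUberspector; this list is exact-match and not exhaustive` would keep packagers from assuming the build is hardened by default.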
@@ -14,6 +14,7 @@ Source2: generate-tarball.sh Patch1: 0001-Port-to-apache-commons-lang3.patch Patch2: 0002-Force-use-of-JDK-log-chute.patch +Patch3: 0003-CVE-2020-13936.patch BuildRequires: maven-local BuildRequires: mvn(commons-collections:commons-collections) @@ -52,6 +53,7 @@ Javadoc for %{name}. cp %{SOURCE1} ./pom.xml %patch1 -p1 %patch2 -p1 +%patch3 -p1 find . -name '*.jar' ! -name 'test*.jar' -print -delete find . -name '*.class' ! -name 'Foo.class' -print -delete