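--- /dev/null
+++ b/javamail-CVE-2025-7962.patch
@@ -0,0 +1,29 @@
+--- javamail-JAVAMAIL-1_6_2/mail/src/main/java/com/sun/mail/smtp/SMTPTransport.java 2025-07-23 08:57:23.698768098 +0200
++++ javamail-JAVAMAIL-1_6_2/mail/src/main/java/com/sun/mail/smtp/SMTPTransport.java 2025-07-23 08:57:44.109600841 +0200
+@@ -2408,14 +2408,25 @@
+//logger.fine("SENT: " + new String(cmdBytes, 0));
+
+try {
++ validateCommand(cmdBytes);
+serverOutput.write(cmdBytes);
+serverOutput.write(CRLF);
+serverOutput.flush();
+- } catch (IOException ex) {
++ } catch (IOException | RuntimeException ex) {
+throw new MessagingException("Can't send command to SMTP host", ex);
+}
+}
+
++ private void validateCommand(byte[] cmdBytes) throws MessagingException {
++ final byte CR = '\r';
++ final byte LF = '\n';
++ for (byte b : cmdBytes) {
++ if (b == LF || b == CR) {
++ throw new IllegalArgumentException("Command contains illegal character: " + String.format("0x%02x",b));
++ }
++ }
++ }
++
+/**
+* Reads server reponse returning the <code>returnCode</code>
+* as the number. Returns -1 on failure. Sets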
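Review bot: validateCommand is declared `throws MessagingException` but only ever throws an unchecked IllegalArgumentException, so the fix depends on the widened `catch (IOException | RuntimeException ex)` to convert it. A command rejected for containing CR or LF therefore reaches the caller as "Can't send command to SMTP host", which looks like a transport failure unless the cause chain is inspected, and any other RuntimeException raised by write() or flush() is now wrapped the same way. Consider throwing the checked type directly, `throw new MessagingException("Command contains illegal character: " + String.format("0x%02x", b));`, and keeping `catch (IOException ex)`, so an attempted SMTP command injection stays distinguishable in logs; a one-line Javadoc saying the method rejects CR and LF to prevent command injection would also help. The enclosing send method begins above the hunk, so whether every command path passes through this check cannot be confirmed from here.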
@@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 23 07:01:17 UTC 2025 - Fridrich Strba <fstrba@suse.com>
|
||||||
|
|
||||||
|
- Added patch:
|
||||||
|
* javamail-CVE-2025-7962.patch
|
||||||
|
+ backport of upstream fix for bsc#1246873, CVE-2025-7962:
|
||||||
|
improper neutralization of \r and \n UTF-8 characters can
|
||||||
|
lead to SMTP injection
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 2 15:48:59 UTC 2024 - Fridrich Strba <fstrba@suse.com>
|
Wed Oct 2 15:48:59 UTC 2024 - Fridrich Strba <fstrba@suse.com>
|
||||||
|
|
||||||
|
@@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package javamail
|
# spec file for package javamail
|
||||||
#
|
#
|
||||||
# Copyright (c) 2024 SUSE LLC
|
# Copyright (c) 2025 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@@ -26,6 +26,7 @@ Group: Development/Libraries/Java
|
|||||||
URL: https://www.oracle.com/technetwork/java/javamail
|
URL: https://www.oracle.com/technetwork/java/javamail
|
||||||
Source: https://github.com/javaee/javamail/archive/%{git_tag}.tar.gz
|
Source: https://github.com/javaee/javamail/archive/%{git_tag}.tar.gz
|
||||||
Patch0: %{name}-javadoc.patch
|
Patch0: %{name}-javadoc.patch
|
||||||
|
Patch1: %{name}-CVE-2025-7962.patch
|
||||||
BuildRequires: ant
|
BuildRequires: ant
|
||||||
BuildRequires: fdupes
|
BuildRequires: fdupes
|
||||||
BuildRequires: glassfish-activation-api
|
BuildRequires: glassfish-activation-api
|
||||||
@@ -51,6 +52,7 @@ Group: Documentation/HTML
|
|||||||
%prep
|
%prep
|
||||||
%setup -q -n %{name}-%{git_tag}
|
%setup -q -n %{name}-%{git_tag}
|
||||||
%patch -P 0 -p1
|
%patch -P 0 -p1
|
||||||
|
%patch -P 1 -p1
|
||||||
|
|
||||||
add_dep() {
|
add_dep() {
|
||||||
%pom_xpath_inject pom:project "<dependencies/>" ${2}
|
%pom_xpath_inject pom:project "<dependencies/>" ${2}
|
||||||
|