OBS-URL: https://build.opensuse.org/package/show/Java:packages/aws-sdk-java?expand=0&rev=25

CVE-2022-31159.patch

@@ -0,0 +1,21 @@
+--- a/aws-java-sdk-s3/src/main/java/com/amazonaws/services/s3/transfer/TransferManager.java
++++ b/aws-java-sdk-s3/src/main/java/com/amazonaws/services/s3/transfer/TransferManager.java
+@@ -82,6 +82,7 @@ import java.io.File;
+ import java.io.IOException;
+ import java.io.InputStream;
+ import java.net.URL;
++import java.nio.file.Path;
+ import java.util.ArrayList;
+ import java.util.Date;
+ import java.util.LinkedList;
+@@ -1512,7 +1513,9 @@ public class TransferManager {
+ 
+     private boolean leavesRoot(File localBaseDirectory, String key) {
+         try {
+-            return !new File(localBaseDirectory, key).getCanonicalPath().startsWith(localBaseDirectory.getCanonicalPath());
++            Path targetPath = new File(localBaseDirectory, key).getCanonicalFile().toPath();
++            Path rootPath = localBaseDirectory.getCanonicalFile().toPath();
++            return !targetPath.startsWith(rootPath);
+         } catch (IOException e) {
+             throw new RuntimeException("Unable to canonicalize paths",  e);
+         }

aws-sdk-java.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Aug 23 15:44:33 UTC 2022 - Fridrich Strba <fstrba@suse.com>
+
+- Added patch:
+  * CVE-2022-31159.patch
+    + fix bsc#1201580 (CVE-2022-31159) Partial Path Traversal in
+      com.amazonaws:aws-java-sdk-s3
+
 -------------------------------------------------------------------
 Thu May  5 10:23:20 UTC 2022 - Fridrich Strba <fstrba@suse.com>
 

aws-sdk-java.spec

@@ -26,6 +26,7 @@ Group:          Development/Libraries/Java
 URL:            https://aws.amazon.com/sdk-for-java/
 Source0:        https://github.com/aws/aws-sdk-java/archive/%{githash}/%{name}-%{githash}.tar.gz
 Patch0:         aws-sdk-java-ambiguous-Record.patch
+Patch1:         CVE-2022-31159.patch
 BuildRequires:  dos2unix
 BuildRequires:  fdupes
 BuildRequires:  java-devel >= 1.8
@@ -673,6 +674,7 @@ This package contains javadoc for %{name}.
 %prep
 %setup -q -n %{name}-%{githash}
 %patch0 -p1
+%patch1 -p1
 
 # Remove deprecated httpclient annotations
 sed -i '/NotThreadSafe/d' \