diff --git a/mysql-connector-java-5.1.35-CVE-2017-3523.patch b/mysql-connector-java-5.1.35-CVE-2017-3523.patch
new file mode 100644
index 0000000..a789763
--- /dev/null
+++ b/mysql-connector-java-5.1.35-CVE-2017-3523.patch
@@ -0,0 +1,49 @@
+--- mysql-connector-java-5.1.35.orig/src/com/mysql/jdbc/ResultSetImpl.java
++++ mysql-connector-java-5.1.35/src/com/mysql/jdbc/ResultSetImpl.java
+@@ -3436,27 +3436,26 @@ public class ResultSetImpl implements Re
+ byte[] data = getBytes(columnIndex);
+ Object obj = data;
+
+- if ((data != null) && (data.length >= 2)) {
+- if ((data[0] == -84) && (data[1] == -19)) {
+- // Serialized object?
+- try {
+- ByteArrayInputStream bytesIn = new ByteArrayInputStream(data);
+- ObjectInputStream objIn = new ObjectInputStream(bytesIn);
+- obj = objIn.readObject();
+- objIn.close();
+- bytesIn.close();
+- } catch (ClassNotFoundException cnfe) {
+- throw SQLError.createSQLException(
+- Messages.getString("ResultSet.Class_not_found___91") + cnfe.toString()
+- + Messages.getString("ResultSet._while_reading_serialized_object_92"), getExceptionInterceptor());
+- } catch (IOException ex) {
+- obj = data; // not serialized?
++ if (this.connection.getAutoDeserialize()) {
++ if ((data != null) && (data.length >= 2)) {
++ if ((data[0] == -84) && (data[1] == -19)) {
++ // Serialized object?
++ try {
++ ByteArrayInputStream bytesIn = new ByteArrayInputStream(data);
++ ObjectInputStream objIn = new ObjectInputStream(bytesIn);
++ obj = objIn.readObject();
++ objIn.close();
++ bytesIn.close();
++ } catch (ClassNotFoundException cnfe) {
++ throw SQLError.createSQLException(Messages.getString("ResultSet.Class_not_found___91") + cnfe.toString()
++ + Messages.getString("ResultSet._while_reading_serialized_object_92"), getExceptionInterceptor());
++ } catch (IOException ex) {
++ obj = data; // not serialized?
++ }
+ }
+- }
+-
+- return obj.toString();
+- }
+-
++ return obj.toString();
++ }
++ }
+ return extractStringFromNativeColumn(columnIndex, mysqlType);
+ }
+
diff --git a/mysql-connector-java.changes b/mysql-connector-java.changes
index ed9b1ef..223191f 100644
--- a/mysql-connector-java.changes
+++ b/mysql-connector-java.changes
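Review bot: With `autoDeserialize` enabled, the gated branch still hands column bytes straight to `ObjectInputStream.readObject()` with no limit on which classes may be instantiated, so the patch narrows the exposure behind CVE-2017-3523 rather than removing the unsafe deserialization. Because the gate is read from the connection (`this.connection.getAutoDeserialize()`), it presumably only protects deployments whose connection settings are not attacker-influenced; that is worth stating next to the check, e.g. `// autoDeserialize: readObject() runs on server-supplied bytes - enable only for trusted servers and fixed connection settings`. A follow-up could read through an `ObjectInputStream` subclass whose `resolveClass` rejects anything outside an allow-list. The enclosing method begins outside this hunk, and other `readObject()` call sites in the driver are not visible here, so confirm they are gated the same way.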
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue May 2 15:20:16 UTC 2017 - pmonrealgonzalez@suse.com
+
+- Fix for CVE-2017-3523 (bsc#1035697)
+ * Unexpected automatic deserialisation of Java objects
+ * Affected software: MySQL Connector/J
+ * Remote Code Execution Vulnerability
+- Added patch: mysql-connector-java-5.1.35-CVE-2017-3523.patch
+
 -------------------------------------------------------------------
 Thu Jun 11 15:11:55 UTC 2015 - tchvatal@suse.com
diff --git a/mysql-connector-java.spec b/mysql-connector-java.spec
index 28f6a51..bb957ac 100644
--- a/mysql-connector-java.spec
+++ b/mysql-connector-java.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package mysql-connector-java
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -37,6 +37,9 @@ Patch2: no-jdk5-requirement.patch
 Patch3: mysql-connector-java-jdbc-4.1.patch
 # PATCH-FIX-UPSTREAM: do not lose classpath during tests build
 Patch4: use-classpath-in-tests.patch
+# PATCH_FIX-UPSTREAM: CVE-2017-3523 Oracle MySQL <=5.1.40 Connector/J
+# Remote Code Execution Vulnerability
+Patch5: mysql-connector-java-5.1.35-CVE-2017-3523.patch
 BuildRequires: ant
 BuildRequires: ant-contrib
 BuildRequires: apache-commons-logging
@@ -74,6 +77,7 @@ set that supports the capabilities of MySQL.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # dup
 rm -f README
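Review bot: In the `@@ -37,6 +37,9 @@` hunk the new Patch5 comment spells its tag `PATCH_FIX-UPSTREAM`, while the Patch4 comment directly above uses `PATCH-FIX-UPSTREAM`. Keeping the tag uniform makes security patches easier to find when auditing the spec, and the comment could carry the bug reference the changelog entry already gives: `# PATCH-FIX-UPSTREAM: bsc#1035697 CVE-2017-3523 Oracle MySQL <=5.1.40 Connector/J`.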