Accepting request 492515 from home:pmonrealgonzalez:branches:Java:packages

- Fix for CVE-2017-3523 (bsc#1035697) * Unexpected automatic deserialisation of Java objects * Affected software: MySQL Connector/J * Remote Code Execution Vulnerability - Added patch: mysql-connector-java-5.1.35-CVE-2017-3523.patch OBS-URL: https://build.opensuse.org/request/show/492515 OBS-URL: https://build.opensuse.org/package/show/Java:packages/mysql-connector-java?expand=0&rev=29
2017-05-03 07:50:23 +00:00 · 2017-05-03 07:50:23 +00:00 · 918e798c4c
commit 918e798c4c
parent 3e31a322cf
3 changed files with 63 additions and 1 deletions
--- a/mysql-connector-java-5.1.35-CVE-2017-3523.patch
+++ b/mysql-connector-java-5.1.35-CVE-2017-3523.patch
@ -0,0 +1,49 @@
+--- mysql-connector-java-5.1.35.orig/src/com/mysql/jdbc/ResultSetImpl.java
+++ mysql-connector-java-5.1.35/src/com/mysql/jdbc/ResultSetImpl.java
+@@ -3436,27 +3436,26 @@ public class ResultSetImpl implements Re
+                         byte[] data = getBytes(columnIndex);
+                         Object obj = data;
+ 
+-                        if ((data != null) && (data.length >= 2)) {
+-                            if ((data[0] == -84) && (data[1] == -19)) {
+-                                // Serialized object?
+-                                try {
+-                                    ByteArrayInputStream bytesIn = new ByteArrayInputStream(data);
+-                                    ObjectInputStream objIn = new ObjectInputStream(bytesIn);
+-                                    obj = objIn.readObject();
+-                                    objIn.close();
+-                                    bytesIn.close();
+-                                } catch (ClassNotFoundException cnfe) {
+-                                    throw SQLError.createSQLException(
+-                                            Messages.getString("ResultSet.Class_not_found___91") + cnfe.toString()
+-                                                    + Messages.getString("ResultSet._while_reading_serialized_object_92"), getExceptionInterceptor());
+-                                } catch (IOException ex) {
+-                                    obj = data; // not serialized?
+                        if (this.connection.getAutoDeserialize()) {
+			    if ((data != null) && (data.length >= 2)) {
+                                if ((data[0] == -84) && (data[1] == -19)) {
+                                    // Serialized object?
+                                    try {
+                                        ByteArrayInputStream bytesIn = new ByteArrayInputStream(data);
+                                        ObjectInputStream objIn = new ObjectInputStream(bytesIn);
+                                        obj = objIn.readObject();
+                                        objIn.close();
+                                        bytesIn.close();
+                                    } catch (ClassNotFoundException cnfe) {
+                                        throw SQLError.createSQLException(Messages.getString("ResultSet.Class_not_found___91") + cnfe.toString()
+                                                + Messages.getString("ResultSet._while_reading_serialized_object_92"), getExceptionInterceptor());
+				    } catch (IOException ex) {
+                                        obj = data; // not serialized?
+                                    }
+                                 }
+-                            }
+-
+-                            return obj.toString();
+-                        }
+-
+				return obj.toString();
+			    }
+			}
+                         return extractStringFromNativeColumn(columnIndex, mysqlType);
+                     }
+ 
--- a/mysql-connector-java.changes
+++ b/mysql-connector-java.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue May  2 15:20:16 UTC 2017 - pmonrealgonzalez@suse.com
+
+- Fix for CVE-2017-3523 (bsc#1035697)
+  * Unexpected automatic deserialisation of Java objects
+  * Affected software: MySQL Connector/J
+  * Remote Code Execution Vulnerability
+- Added patch: mysql-connector-java-5.1.35-CVE-2017-3523.patch
+
 -------------------------------------------------------------------
 Thu Jun 11 15:11:55 UTC 2015 - tchvatal@suse.com

--- a/mysql-connector-java.spec
+++ b/mysql-connector-java.spec
@ -1,7 +1,7 @@
 #
 # spec file for package mysql-connector-java
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -37,6 +37,9 @@ Patch2:         no-jdk5-requirement.patch
 Patch3:         mysql-connector-java-jdbc-4.1.patch
 # PATCH-FIX-UPSTREAM: do not lose classpath during tests build
 Patch4:         use-classpath-in-tests.patch
+# PATCH_FIX-UPSTREAM: CVE-2017-3523 Oracle MySQL <=5.1.40 Connector/J 
+# Remote Code Execution Vulnerability
+Patch5:         mysql-connector-java-5.1.35-CVE-2017-3523.patch
 BuildRequires:  ant
 BuildRequires:  ant-contrib
 BuildRequires:  apache-commons-logging
@ -74,6 +77,7 @@ set that supports the capabilities of MySQL.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1

 # dup
 rm -f README