Accepting request 610257 from home:pmonrealgonzalez:branches:Java:packages

- Security fix: [bsc#1085970, CVE-2018-8088] * Disallow EventData deserialization by default * Added slf4j-Disallow-EventData-deserialization-by-default.patch refreshed from Fedora [ https://src.fedoraproject.org/rpms/slf4j/ blob/d7cd96bc7a8e8d8d62c8bc62baa7df02cef56c63/f/ 0001-Disallow-EventData-deserialization-by-default.patch ] OBS-URL: https://build.opensuse.org/request/show/610257 OBS-URL: https://build.opensuse.org/package/show/Java:packages/slf4j?expand=0&rev=30
2018-05-18 09:30:58 +00:00 · 2018-05-18 09:30:58 +00:00 · 9c22eb96a3
commit 9c22eb96a3
parent c41b8e132d
3 changed files with 51 additions and 0 deletions
--- a/slf4j-Disallow-EventData-deserialization-by-default.patch
+++ b/slf4j-Disallow-EventData-deserialization-by-default.patch
@ -0,0 +1,39 @@
+Index: slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+===================================================================
+--- slf4j-1.7.12.orig/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+++ slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+@@ -76,12 +76,21 @@ public class EventData implements Serial
+      */
+     @SuppressWarnings("unchecked")
+     public EventData(String xml) {
+-        ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+-        try {
+-            XMLDecoder decoder = new XMLDecoder(bais);
+-            this.eventData = (Map<String, Object>) decoder.readObject();
+-        } catch (Exception e) {
+-            throw new EventException("Error decoding " + xml, e);
+	if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
+	    ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+	    try {
+		XMLDecoder decoder = new XMLDecoder(bais);
+		this.eventData = (Map<String, Object>) decoder.readObject();
+	    } catch (Exception e) {
+		throw new EventException("Error decoding " + xml, e);
+	    }
+	} else {
+	    throw new UnsupportedOperationException(
+		    "Constructing EventData from XML is vulnerable to remote " +
+                    "excution and is not allowed by default. If you're " +
+                    "completely sure the source data is trusted, you can enable " +
+                    "it by setting org.slf4j.ext.allowInsecureDeserialization " +
+                    "JVM property to 1");
+         }
+     }
+ 
+@@ -302,4 +311,4 @@ public class EventData implements Serial
+     public int hashCode() {
+         return this.eventData.hashCode();
+     }
+-}
+\ No newline at end of file
+}
--- a/slf4j.changes
+++ b/slf4j.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri May 18 09:17:44 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Security fix:  [bsc#1085970, CVE-2018-8088]
+  * Disallow EventData deserialization by default
+  * Added slf4j-Disallow-EventData-deserialization-by-default.patch
+    refreshed from Fedora [ https://src.fedoraproject.org/rpms/slf4j/
+    blob/d7cd96bc7a8e8d8d62c8bc62baa7df02cef56c63/f/
+    0001-Disallow-EventData-deserialization-by-default.patch ]
+
 -------------------------------------------------------------------
 Wed Oct 11 09:08:10 UTC 2017 - fstrba@suse.com

--- a/slf4j.spec
+++ b/slf4j.spec
@ -28,6 +28,7 @@ Source0:        http://www.slf4j.org/dist/%{name}-%{version}.tar.gz
 Source1:        build.xml.tar.bz2
 Patch1:         build-remove-slf4j_api-binder.patch
 Patch2:         slf4j-commons-lang3.patch
+Patch3:         slf4j-Disallow-EventData-deserialization-by-default.patch
 BuildRequires:  ant >= 1.6.5
 BuildRequires:  ant-junit >= 1.6.5
 BuildRequires:  apache-commons-lang3
@ -77,6 +78,7 @@ Manual for %{name}.
 tar xjf %{SOURCE1}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 find . -name "*.jar" | xargs rm

 sed -i -e "s|ant<|org.apache.ant<|g" integration/pom.xml