From 9c22eb96a35075ed7641b87fd6c9d732cc22d014c4b183df6a31451d4b058415 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Fri, 18 May 2018 09:30:58 +0000
Subject: [PATCH] Accepting request 610257 from home:pmonrealgonzalez:branches:Java:packages

- Security fix: [bsc#1085970, CVE-2018-8088]
 * Disallow EventData deserialization by default
 * Added slf4j-Disallow-EventData-deserialization-by-default.patch
 refreshed from Fedora [ https://src.fedoraproject.org/rpms/slf4j/
 blob/d7cd96bc7a8e8d8d62c8bc62baa7df02cef56c63/f/
 0001-Disallow-EventData-deserialization-by-default.patch ]

OBS-URL: https://build.opensuse.org/request/show/610257
OBS-URL: https://build.opensuse.org/package/show/Java:packages/slf4j?expand=0&rev=30
---
 ...EventData-deserialization-by-default.patch | 39 +++++++++++++++++++
 slf4j.changes | 10 +++++
 slf4j.spec | 2 +
 3 files changed, 51 insertions(+)
 create mode 100644 slf4j-Disallow-EventData-deserialization-by-default.patch

diff --git a/slf4j-Disallow-EventData-deserialization-by-default.patch b/slf4j-Disallow-EventData-deserialization-by-default.patch
new file mode 100644
index 0000000..2a725cf
--- /dev/null
+++ b/slf4j-Disallow-EventData-deserialization-by-default.patch
@@ -0,0 +1,39 @@
+Index: slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+===================================================================
+--- slf4j-1.7.12.orig/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
++++ slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
+@@ -76,12 +76,21 @@ public class EventData implements Serial
+ */
+ @SuppressWarnings("unchecked")
+ public EventData(String xml) {
+- ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
+- try {
+- XMLDecoder decoder = new XMLDecoder(bais);
+- this.eventData = (Map) decoder.readObject();
+- } catch (Exception e) {
+- throw new EventException("Error decoding " + xml, e);
++ if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
++ ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
++ try {
++ XMLDecoder decoder = new XMLDecoder(bais);
++ this.eventData = (Map) decoder.readObject();
++ } catch (Exception e) {
++ throw new EventException("Error decoding " + xml, e);
++ }
++ } else {
++ throw new UnsupportedOperationException(
++ "Constructing EventData from XML is vulnerable to remote " +
++ "excution and is not allowed by default. If you're " +
++ "completely sure the source data is trusted, you can enable " +
++ "it by setting org.slf4j.ext.allowInsecureDeserialization " +
++ "JVM property to 1");
+ }
+ }
+
+@@ -302,4 +311,4 @@ public class EventData implements Serial
+ public int hashCode() {
+ return this.eventData.hashCode();
+ }
+-}
+\ No newline at end of file
++}
diff --git a/slf4j.changes b/slf4j.changes
index 67c0e53..8067828 100644
--- a/slf4j.changes
+++ b/slf4j.changes
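Review bot: The new gate in `EventData(String xml)` reads `org.slf4j.ext.allowInsecureDeserialization` from a JVM-global system property on every call, so any code in the process that sets it to `1` re-enables `XMLDecoder` — which instantiates and invokes whatever classes and methods the XML names, the root of CVE-2018-8088 — for every caller of this constructor at once; that deserves a comment above the `if`, e.g. `// XMLDecoder executes arbitrary constructors/methods named in the input (CVE-2018-8088); the opt-in is JVM-wide, keep it off by default`. The `UnsupportedOperationException` message has a typo (`excution` should read `execution`) and would be more useful to operators if it named CVE-2018-8088 so they know what setting the property re-opens. The moved `xml.getBytes()` still encodes with the platform default charset; if the input is, as seems likely, produced by an `XMLEncoder` (which writes UTF-8), `xml.getBytes("UTF-8")` inside the `try` would let the opt-in path round-trip non-ASCII data on any JVM. The refusal is correctly placed outside the `try`, so the broad `catch (Exception e)` cannot rewrap it as an `EventException`; the rest of class `EventData` lies outside this hunk.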
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri May 18 09:17:44 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Security fix: [bsc#1085970, CVE-2018-8088]
+ * Disallow EventData deserialization by default
+ * Added slf4j-Disallow-EventData-deserialization-by-default.patch
+ refreshed from Fedora [ https://src.fedoraproject.org/rpms/slf4j/
+ blob/d7cd96bc7a8e8d8d62c8bc62baa7df02cef56c63/f/
+ 0001-Disallow-EventData-deserialization-by-default.patch ]
+
 -------------------------------------------------------------------
 Wed Oct 11 09:08:10 UTC 2017 - fstrba@suse.com
diff --git a/slf4j.spec b/slf4j.spec
index afd5451..631d6a0 100644
--- a/slf4j.spec
+++ b/slf4j.spec
@@ -28,6 +28,7 @@ Source0: http://www.slf4j.org/dist/%{name}-%{version}.tar.gz
 Source1: build.xml.tar.bz2
 Patch1: build-remove-slf4j_api-binder.patch
 Patch2: slf4j-commons-lang3.patch
+Patch3: slf4j-Disallow-EventData-deserialization-by-default.patch
 BuildRequires: ant >= 1.6.5
 BuildRequires: ant-junit >= 1.6.5
 BuildRequires: apache-commons-lang3
@@ -77,6 +78,7 @@ Manual for %{name}.
 tar xjf %{SOURCE1}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 find . -name "*.jar" | xargs rm
 sed -i -e "s|ant<|org.apache.ant<|g" integration/pom.xml