OBS-URL: https://build.opensuse.org/package/show/Java:packages/slf4j?expand=0&rev=54

2020-02-26 12:42:31 +00:00 · 2020-02-26 12:42:31 +00:00 · d8f011c53c
commit d8f011c53c
parent 5d319e08c6
8 changed files with 25 additions and 52 deletions
--- a/build.xml.tar.bz2
+++ b/build.xml.tar.bz2
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:47fcab9d522d847ae071f634544b08f3067c577873d20968443e9058878100ce
+oid sha256:ddae17d67e1bbaf7f22546acc6e1005694ab067a36f5d8f26a67953d10c85e95
-size 9111
+size 9162
--- a/slf4j-Disallow-EventData-deserialization-by-default.patch
+++ b/slf4j-Disallow-EventData-deserialization-by-default.patch
@ -1,39 +0,0 @@
 Index: slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
 ===================================================================
 --- slf4j-1.7.12.orig/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
 +++ slf4j-1.7.12/slf4j-ext/src/main/java/org/slf4j/ext/EventData.java
@@ -76,12 +76,21 @@ public class EventData implements Serial
      */
     @SuppressWarnings("unchecked")
     public EventData(String xml) {
 -        ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
 -        try {
 -            XMLDecoder decoder = new XMLDecoder(bais);
 -            this.eventData = (Map<String, Object>) decoder.readObject();
 -        } catch (Exception e) {
 -            throw new EventException("Error decoding " + xml, e);
 +	if ("1".equals(System.getProperty("org.slf4j.ext.allowInsecureDeserialization"))) {
 +	    ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
 +	    try {
 +		XMLDecoder decoder = new XMLDecoder(bais);
 +		this.eventData = (Map<String, Object>) decoder.readObject();
 +	    } catch (Exception e) {
 +		throw new EventException("Error decoding " + xml, e);
 +	    }
 +	} else {
 +	    throw new UnsupportedOperationException(
 +		    "Constructing EventData from XML is vulnerable to remote " +
 +                    "excution and is not allowed by default. If you're " +
 +                    "completely sure the source data is trusted, you can enable " +
 +                    "it by setting org.slf4j.ext.allowInsecureDeserialization " +
 +                    "JVM property to 1");
         }
     }
@@ -302,4 +311,4 @@ public class EventData implements Serial
     public int hashCode() {
         return this.eventData.hashCode();
     }
 -}
 \ No newline at end of file
 +}
--- a/slf4j-sources.changes
+++ b/slf4j-sources.changes
@ -1,3 +1,11 @@
 -------------------------------------------------------------------
 Wed Feb 26 12:40:57 UTC 2020 - Fridrich Strba <fstrba@suse.com>
 - Upgrade to upstream version 1.7.30
 - Removed patch:
  * slf4j-Disallow-EventData-deserialization-by-default.patch
    + not needed any more
 -------------------------------------------------------------------
 Wed Dec 18 09:09:30 UTC 2019 - Fridrich Strba <fstrba@suse.com>
--- a/slf4j-sources.spec
+++ b/slf4j-sources.spec
@ -1,7 +1,7 @@
 #
 # spec file for package slf4j-sources
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@ -19,7 +19,7 @@
 %global base_name slf4j
 Name:           %{base_name}-sources
-Version:        1.7.25
+Version:        1.7.30
 Release:        0
 Summary:        SLF4J Source JARs
 # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT
@ -29,7 +29,6 @@ URL:            http://www.slf4j.org/
 Source0:        https://github.com/qos-ch/%{base_name}/archive/v_%{version}.tar.gz
 Source1:        http://www.apache.org/licenses/LICENSE-2.0.txt
 Patch2:         slf4j-commons-lang3.patch
 Patch3:         slf4j-Disallow-EventData-deserialization-by-default.patch
 BuildRequires:  javapackages-local
 BuildRequires:  xmvn-install
 BuildRequires:  xmvn-resolve
@ -44,7 +43,6 @@ SLF4J Source JARs.
 %prep
 %setup -q -n %{base_name}-v_%{version}
 %patch2 -p1
 %patch3 -p1
 find . -name "*.jar" | xargs rm
 cp -p %{SOURCE1} APACHE-LICENSE
--- a/slf4j.changes
+++ b/slf4j.changes
@ -1,3 +1,11 @@
 -------------------------------------------------------------------
 Wed Feb 26 12:40:57 UTC 2020 - Fridrich Strba <fstrba@suse.com>
 - Upgrade to upstream version 1.7.30
 - Removed patch:
  * slf4j-Disallow-EventData-deserialization-by-default.patch
    + not needed any more
 -------------------------------------------------------------------
 Wed Dec 18 09:09:30 UTC 2019 - Fridrich Strba <fstrba@suse.com>
--- a/slf4j.spec
+++ b/slf4j.spec
@ -1,7 +1,7 @@
 #
 # spec file for package slf4j
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@ -18,7 +18,7 @@
 Name:           slf4j
-Version:        1.7.25
+Version:        1.7.30
 Release:        0
 Summary:        Simple Logging Facade for Java
 # the log4j-over-slf4j and jcl-over-slf4j submodules are ASL 2.0, rest is MIT
@ -30,7 +30,6 @@ Source1:        http://www.apache.org/licenses/LICENSE-2.0.txt
 Source2:        build.xml.tar.bz2
 Patch1:         build-remove-slf4j_api-binder.patch
 Patch2:         slf4j-commons-lang3.patch
 Patch3:         slf4j-Disallow-EventData-deserialization-by-default.patch
 BuildRequires:  ant >= 1.6.5
 BuildRequires:  ant-junit >= 1.6.5
 BuildRequires:  apache-commons-lang3
@ -136,7 +135,6 @@ JUL to SLF4J bridge.
 %setup -q -n %{name}-v_%{version} -a2
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 find . -name "*.jar" | xargs rm
 cp -p %{SOURCE1} APACHE-LICENSE
--- a/v_1.7.25.tar.gz
+++ b/v_1.7.25.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:2a55d290775d6621fdac0e3b21e257707f8870dbc78c6ea3712ed6e68536ea51
 size 2273375
--- a/v_1.7.30.tar.gz
+++ b/v_1.7.30.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:217519588d0dd1f85cee2357ca31afdd7c0a1a8a6963953b3bf455cf5174633e
 size 2272772