Accepting request 1001658 from Java:packages

1.31 = misc. security fixes + accumulated upstream changes

OBS-URL: https://build.opensuse.org/request/show/1001658
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/snakeyaml?expand=0&rev=5
Dominique Leuenberger 2022-09-07 09:06:33 +00:00 committed by Git OBS Bridge
commit ac6ecc4f9e
7 changed files with 202 additions and 41 deletions


@ -1,39 +1,41 @@
From 82e728f896dffcd88c7cb86e8d9cbebd1a04d29e Mon Sep 17 00:00:00 2001
From c7ea35842ddebe7069024f284b543f1c10d00631 Mon Sep 17 00:00:00 2001
From: Fabio Valentini <decathorpe@gmail.com>
Date: Tue, 10 Sep 2019 13:38:15 +0200
Subject: [PATCH] replace bundled base64coder with java.util.Base64
Subject: [PATCH 1/2] replace bundled base64coder with java.util.Base64
---
pom.xml | 4 +-
pom.xml | 6 +-
.../constructor/SafeConstructor.java | 4 +-
.../external/biz/base64Coder/Base64Coder.java | 305 ------------------
.../representer/SafeRepresenter.java | 6 +-
.../base64Coder/Base64CoderTest.java | 73 -----
.../issues/issue99/YamlBase64Test.java | 6 +-
6 files changed, 10 insertions(+), 388 deletions(-)
6 files changed, 10 insertions(+), 390 deletions(-)
delete mode 100644 src/main/java/org/yaml/snakeyaml/external/biz/base64Coder/Base64Coder.java
delete mode 100644 src/test/java/biz/source_code/base64Coder/Base64CoderTest.java
diff --git a/pom.xml b/pom.xml
index 8112370..ae308c7 100644
index cff065a7..102381e7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,8 +10,8 @@
@@ -10,10 +10,8 @@
<project.scm.id>bitbucket</project.scm.id>
<release.repo.url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</release.repo.url>
<snapshot.repo.url>https://oss.sonatype.org/content/repositories/snapshots/</snapshot.repo.url>
- <maven.compiler.source>7</maven.compiler.source>
- <maven.compiler.target>7</maven.compiler.target>
- <maven.compiler.testSource>8</maven.compiler.testSource>
- <maven.compiler.testTarget>8</maven.compiler.testTarget>
+ <maven.compiler.source>8</maven.compiler.source>
+ <maven.compiler.target>8</maven.compiler.target>
<maven.javadoc.failOnError>false</maven.javadoc.failOnError>
<maven-bundle-plugin.version>3.5.0</maven-bundle-plugin.version>
<maven-resources-plugin.version>3.0.2</maven-resources-plugin.version><!-- for Github CI -->
diff --git a/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java b/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java
index bd022cc..217835d 100644
index f38c4e9a..cb29cf39 100644
--- a/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java
+++ b/src/main/java/org/yaml/snakeyaml/constructor/SafeConstructor.java
@@ -17,6 +17,7 @@
@@ -17,6 +17,7 @@ package org.yaml.snakeyaml.constructor;
import java.math.BigInteger;
import java.util.ArrayList;
@ -41,7 +43,7 @@ index bd022cc..217835d 100644
import java.util.Calendar;
import java.util.HashMap;
import java.util.Iterator;
@@ -31,7 +32,6 @@
@@ -31,7 +32,6 @@ import java.util.regex.Pattern;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.error.YAMLException;
@ -49,7 +51,7 @@ index bd022cc..217835d 100644
import org.yaml.snakeyaml.nodes.MappingNode;
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.nodes.NodeId;
@@ -348,7 +348,7 @@
@@ -383,7 +383,7 @@ public class SafeConstructor extends BaseConstructor {
// Ignore white spaces for base64 encoded scalar
String noWhiteSpaces = constructScalar((ScalarNode) node).toString().replaceAll("\\s",
"");
@ -60,7 +62,7 @@ index bd022cc..217835d 100644
}
diff --git a/src/main/java/org/yaml/snakeyaml/external/biz/base64Coder/Base64Coder.java b/src/main/java/org/yaml/snakeyaml/external/biz/base64Coder/Base64Coder.java
deleted file mode 100644
index 65923b6..0000000
index 65923b65..00000000
--- a/src/main/java/org/yaml/snakeyaml/external/biz/base64Coder/Base64Coder.java
+++ /dev/null
@@ -1,305 +0,0 @@
@ -370,10 +372,10 @@ index 65923b6..0000000
-
-} // end class Base64Coder
diff --git a/src/main/java/org/yaml/snakeyaml/representer/SafeRepresenter.java b/src/main/java/org/yaml/snakeyaml/representer/SafeRepresenter.java
index 2cc15d9..e5ac480 100644
index 810dbe97..cafc0be8 100644
--- a/src/main/java/org/yaml/snakeyaml/representer/SafeRepresenter.java
+++ b/src/main/java/org/yaml/snakeyaml/representer/SafeRepresenter.java
@@ -19,6 +19,7 @@
@@ -19,6 +19,7 @@ import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.Arrays;
@ -381,7 +383,7 @@ index 2cc15d9..e5ac480 100644
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
@@ -33,7 +34,6 @@
@@ -33,7 +34,6 @@ import java.util.regex.Pattern;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.error.YAMLException;
@ -389,7 +391,7 @@ index 2cc15d9..e5ac480 100644
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.nodes.Tag;
import org.yaml.snakeyaml.reader.StreamReader;
@@ -131,7 +131,7 @@
@@ -131,7 +131,7 @@ class SafeRepresenter extends BaseRepresenter {
if (!checkValue.equals(value)) {
throw new YAMLException("invalid string value has occurred");
}
@ -398,7 +400,7 @@ index 2cc15d9..e5ac480 100644
} catch (UnsupportedEncodingException e) {
throw new YAMLException(e);
}
@@ -433,7 +433,7 @@
@@ -433,7 +433,7 @@ class SafeRepresenter extends BaseRepresenter {
protected class RepresentByteArray implements Represent {
public Node representData(Object data) {
@ -409,12 +411,12 @@ index 2cc15d9..e5ac480 100644
}
diff --git a/src/test/java/biz/source_code/base64Coder/Base64CoderTest.java b/src/test/java/biz/source_code/base64Coder/Base64CoderTest.java
deleted file mode 100644
index 60f6d84..0000000
index e8e32da1..00000000
--- a/src/test/java/biz/source_code/base64Coder/Base64CoderTest.java
+++ /dev/null
@@ -1,73 +0,0 @@
-/**
- * Copyright (c) 2008, http://www.snakeyaml.org
- * Copyright (c) 2008, SnakeYAML
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
@ -487,10 +489,10 @@ index 60f6d84..0000000
- }
-}
diff --git a/src/test/java/org/yaml/snakeyaml/issues/issue99/YamlBase64Test.java b/src/test/java/org/yaml/snakeyaml/issues/issue99/YamlBase64Test.java
index e425f25..a0c4f6a 100644
index bae02d29..5f3e62ed 100644
--- a/src/test/java/org/yaml/snakeyaml/issues/issue99/YamlBase64Test.java
+++ b/src/test/java/org/yaml/snakeyaml/issues/issue99/YamlBase64Test.java
@@ -18,6 +18,7 @@
@@ -18,6 +18,7 @@ package org.yaml.snakeyaml.issues.issue99;
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
@ -498,7 +500,7 @@ index e425f25..a0c4f6a 100644
import java.util.Map;
import junit.framework.TestCase;
@@ -27,7 +28,6 @@
@@ -27,7 +28,6 @@ import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.YamlDocument;
import org.yaml.snakeyaml.constructor.AbstractConstruct;
import org.yaml.snakeyaml.constructor.Constructor;
@ -506,7 +508,7 @@ index e425f25..a0c4f6a 100644
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.nodes.ScalarNode;
import org.yaml.snakeyaml.nodes.Tag;
@@ -50,7 +50,7 @@
@@ -50,7 +50,7 @@ public class YamlBase64Test extends TestCase {
all = all + lines[i].trim();
}
// System.out.println(all);
@ -515,7 +517,7 @@ index e425f25..a0c4f6a 100644
assertEquals(3737, decoded.length);
checkBytes(decoded);
}
@@ -122,7 +122,7 @@
@@ -122,7 +122,7 @@ public class YamlBase64Test extends TestCase {
public Object construct(Node node) {
String contentWithNewLines = constructScalar((ScalarNode) node).toString();
String noNewLines = contentWithNewLines.replaceAll("\\s", "");
@ -525,5 +527,5 @@ index e425f25..a0c4f6a 100644
}
}
--
2.21.0
2.37.3


@ -1,4 +1,4 @@
From f06ff492f18d7c9cdf861a79293279e5ed55823f Mon Sep 17 00:00:00 2001
From 4e09236b88488cfc222d8e3419e344092548117b Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@redhat.com>
Date: Fri, 26 Apr 2013 07:32:04 +0200
Subject: [PATCH 2/2] Replace bundled gdata-java-client classes with
@ -16,7 +16,7 @@ Subject: [PATCH 2/2] Replace bundled gdata-java-client classes with
diff --git a/src/main/java/org/yaml/snakeyaml/external/com/google/gdata/util/common/base/Escaper.java b/src/main/java/org/yaml/snakeyaml/external/com/google/gdata/util/common/base/Escaper.java
deleted file mode 100644
index c26e3cb..0000000
index c26e3cb6..00000000
--- a/src/main/java/org/yaml/snakeyaml/external/com/google/gdata/util/common/base/Escaper.java
+++ /dev/null
@@ -1,97 +0,0 @@
@ -119,7 +119,7 @@ index c26e3cb..0000000
-}
diff --git a/src/main/java/org/yaml/snakeyaml/external/com/google/gdata/util/common/base/PercentEscaper.java b/src/main/java/org/yaml/snakeyaml/external/com/google/gdata/util/common/base/PercentEscaper.java
deleted file mode 100644
index 5e2f902..0000000
index 5e2f902d..00000000
--- a/src/main/java/org/yaml/snakeyaml/external/com/google/gdata/util/common/base/PercentEscaper.java
+++ /dev/null
@@ -1,281 +0,0 @@
@ -406,7 +406,7 @@ index 5e2f902..0000000
-}
diff --git a/src/main/java/org/yaml/snakeyaml/external/com/google/gdata/util/common/base/UnicodeEscaper.java b/src/main/java/org/yaml/snakeyaml/external/com/google/gdata/util/common/base/UnicodeEscaper.java
deleted file mode 100644
index 5403185..0000000
index 54031850..00000000
--- a/src/main/java/org/yaml/snakeyaml/external/com/google/gdata/util/common/base/UnicodeEscaper.java
+++ /dev/null
@@ -1,506 +0,0 @@
@ -917,7 +917,7 @@ index 5403185..0000000
- };
-}
diff --git a/src/main/java/org/yaml/snakeyaml/util/UriEncoder.java b/src/main/java/org/yaml/snakeyaml/util/UriEncoder.java
index 4cc18b4..b6a1992 100644
index de7849d4..d6140bb4 100644
--- a/src/main/java/org/yaml/snakeyaml/util/UriEncoder.java
+++ b/src/main/java/org/yaml/snakeyaml/util/UriEncoder.java
@@ -23,27 +23,46 @@ import java.nio.charset.CharacterCodingException;
@ -977,5 +977,5 @@ index 4cc18b4..b6a1992 100644
/**
--
2.20.1
2.37.3


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6a8c452c7274223d284ec28d3a16715c4741a7efed2a888cce080ef9b7ee6df8
size 300779

snakeyaml-1.31.tar.bz2 Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:aba076a8e921b7406e15748bf7d60425ce6c40530335b91dfebb36e14e3aabd4
size 308276


@ -12,10 +12,10 @@
<property name="project.description" value="YAML 1.1 parser and emitter for Java"/>
<property name="project.groupId" value="org.yaml"/>
<property name="project.artifactId" value="snakeyaml"/>
<property name="project.version" value="1.28"/>
<property name="project.version" value="1.31"/>
<property name="bundle.version" value="${project.version}.0"/>
<property name="compiler.source" value="1.7"/>
<property name="compiler.source" value="1.8"/>
<property name="compiler.target" value="${compiler.source}"/>
<property name="build.finalName" value="${project.artifactId}-${project.version}"/>


@ -1,8 +1,68 @@
-------------------------------------------------------------------
Wed Sep 7 07:30:01 UTC 2022 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream release 1.31
* Fixes
+ bsc#1202932 (CVE-2022-25857)
+ bsc#1203149 (CVE-2022-38749)
+ bsc#1203153 (CVE-2022-38751)
+ bsc#1203154 (CVE-2022-38752)
+ bsc#1203158 (CVE-2022-38750)
* Changes of 1.31
+ Fix #539: false positive CVE-2020-13936 (bsc#1183360)
+ Fix #537: Improved RE for integers
+ Improve restrictions against DoS attacks
+ Fix #525: Restrict nested depth for collections to avoid DoS
attacks
+ Fix #522: De-serializing key "on" fails with Exception
+ Example with Lombok and ENV variable substitution was added
+ reported issue with trailing TAB
+ fixes for reading and writing comments
* Changes of 1.30
+ Migrate to new home: snakeyaml/snakeyaml
+ fixes for reading and writing comments
+ Fix #506: Improve parsing a number starting with 0x
* Changes of 1.29
+ fixes for reading and writing comments
- Modified patches:
* 0001-replace-bundled-base64coder-with-java.util.Base64.patch
* 0002-Replace-bundled-gdata-java-client-classes-with-commo.patch
+ rebase
-------------------------------------------------------------------
Sat May 15 17:33:53 UTC 2021 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream release 1.28
* Fixes bsc#1159488, bsc#1186088, CVE-2017-18640
* Changes of 1.28
+ Add possibility to construct enum with case sensitivity
+ Fix #493: substitution default can contain special characters
+ Add possibility to read and write comments
+ Fix #485: Alias names are too permissive compared to libyaml
and future spec
* Changes of 1.27
+ Update #307: add example
+ Add: build with CI on github
+ Fix #481: Serialize anchors that are not used by any alias
+ Fix #416: Improve dumping sequences
+ Fix #480: Anchor allows non ASCII characters while dumping
+ Fix #476: Make constructor of EnvScalarConstructor public
+ Fix #474: Parse the value of byte and short after a narrowing
primitive conversion
+ Fix yet another OWASP false positive. It complains that the
Spring controller makes SnakeYAML insecure even though
SnakeYAML does not use Spring controller and does not depend
on Spring (but the tests do). Bump spring.version from
3.2.17.RELEASE to 5.2.4.RELEASE
+ Migrated from hg to git
* Changes of 1.26
+ Fix #377: Allow configuration for preventing billion laughs
attack
+ Add: parse ENV variables similar to how it works for
docker-compose
+ Fix #468: Allow non ASCII characters in the anchor names
+ Add: expose Event.ID in Event via a getter
+ Fix #454: Add example for integer without time pattern
- Removed patch:
* 0003-fix-broken-test.patch
+ not needed since integrated upstream
@ -14,6 +74,105 @@ Sat May 15 17:33:53 UTC 2021 - Fridrich Strba <fstrba@suse.com>
Sun Nov 10 05:55:34 UTC 2019 - Fridrich Strba <fstrba@suse.com>
- Upgrade to upstream release 1.25
* Changes of 1.25
+ Fix #441: Restore the way to get anchor for a Node
+ Fix #437: Introduce setting to keep !!str tag for String even
when it contains non-printable chars
+ Update plugin versions
* Changes of 1.24
+ BaseConstructor: Factored out postponed mapping logic so
subclasses can effectively override constructMapping2ndStep()
and delegate to the postponed mapping logic
+ Fix #431: Customize simple key length when dumping
+ Fix #430: Wrap runtime exceptions into YAMLException.
+ Fix: Null tag constructor not called when parsing top-level
null value.
+ Fix #429: Provide "Automatic-Module-Name" entry in MANIFEST
+ Fix #426: Fix NPE when duplicate keys are not allowed and the
key is null
+ Apply pull request #41: Support java.sql classes without the
need to depend on java.sql module in java9+
+ Update: Java 7 is required.
+ Fix #423: Date Serialization Fails for TimeZones on Daylight
Savings Time
* Changes of 1.23
+ Update: run tests under Java 11. This is the last release to
support Java 6. As of the next release Java 7 will be required.
+ Fix #412: Restore the Boolean constructors for Events and
Nodes for binary compatibility of dependent projects
+ Fix #411: System Property "java.runtime.name" is not required
to be defined
+ Fix #409: Dumping Enum breaks when Enum value is Anonymous
inner class
* Changes of 1.21
+ Update: Scanner.peekToken() and Scanner.getToken() throw
exception instead of returning null
+ Update: Enhance output of token IDs
+ Update: Mark - expose buffer and pointer
+ Update: Improvements in the Bitbucket pipeline
+ Fix #397: Plain scalars with colons in flow sequences/mappings
are valid YAML. This change follows what happens with PyYAML
and libyaml (thanks to developers from the YAML community)
* Changes of 1.20
+ Fix #393: Improve reflective access operation to avoid warning
under Java 9
+ Hold #397: because of the inconsistent corner cases the ':' is
not yet allowed in a flow context
+ Refactor nodes and events - use enum FlowStyle instead of
Boolean (minor backwards-incompatible change)
+ Refactor ScalarToken, ScalarNode and ScalarEvent - use enum
ScalarStyle instead of Character (minor backwards-incompatible
change)
+ Refactor Mark - remove unused code (minor
backwards-incompatible change)
+ Fix #395 and #394: Introduce DuplicateKeyException and report
line number for duplicate keys when creating non-Javabeans
* Changes of 1.19
+ Apply pull request #22: Only use FIELD access for Android in
PropertyUtils
+ Apply pull request #27: Add getAnnotations() and
getAnnotation() methods to Property.
+ Apply pull request #26 and fix #383: Some configuration
properties of Representer were ignored.
+ Fix issue #386:Fix order of duplicate keys indices to prevent
wrong removals.
+ Update: major improvement when parsing JavaBeans.
+ Fix issue #382 and #322: MethodProperty should check for
generic type in getters and setters.
+ Fix issue #377: Add test for billion laughs attack.
+ Fix issue #368: Relax final restriction on TypeDescription.
+ Fix issue #375: Empty YAML file must return null instead of
throwing an exception when loading a JavaBean.
+ Fix issue #374: Localization settings (e.g. fr_CA) convert
Number type floats to ints.
+ Apply pull request #20: Provide access to node's anchor
+ Fix issue #370: Remove redundant
"Bundle-RequiredExecutionEnvironment: J2SE-1.5"
+ Fix issue #364: Serializing Calendar objects with certain
timezone offsets renders invalid YAML
* Changes of 1.18
+ Add: create Android artifact with android classifier
+ Fix issue #358: Validate DumperOptions to prevent invalid YAML
to be dumped.
+ Fix issue #355: Fix for emitter to split long plain string
scalars over multiple lines.
+ Apply pull request #13: Let Mark implement Serializable so
that ParserException can be serialized
+ Fix issue #337: Throw exception in case of duplicate keys when
LoaderOptions.allowDuplicateKeys is false.
+ Fix issue #351: Keep same nodes order on merge (preprocess
keys for MappingNode and remove duplicates keeping the last
one).
+ Fix issue #349: Ignore white spaces for base64 encoded scalar
+ Fix issue #348: Not removing parent object when composed
object is an anchor
+ Fix issue #323: Support "Miscellaneous Symbols and
Pictographs". This fix introduces minor backwards-incompatible
changes - some of the methods have been renamed. This fixes
also long standing issue with iOS emoji
+ Fix issue #341: Fix NPE in BaseRepresenter.multiRepresenters
if it contains 'null' as a key
+ Update plugin versions
- Removed patch:
* 0001-Replace-bundled-base64-implementation.patch
+ replaced by other implementation


@ -1,7 +1,7 @@
#
# spec file for package snakeyaml
#
# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -16,16 +16,16 @@
#
%global vertag b28f0b4d87c6
%global vertag 04401a88fa9b
%bcond_with tests
Name: snakeyaml
Version: 1.28
Version: 1.31
Release: 0
Summary: YAML parser and emitter for the Java programming language
License: Apache-2.0
Group: Development/Libraries/Java
URL: https://bitbucket.org/asomov/snakeyaml/
Source0: https://bitbucket.org/asomov/snakeyaml/get/%{name}-%{version}.tar.bz2
URL: https://bitbucket.org/%{name}/%{name}
Source0: https://bitbucket.org/%{name}/%{name}/get/%{name}-%{version}.tar.bz2
Source1: %{name}-build.xml
# Upstream has forked gdata-java and base64 and refuses [1] to
# consider replacing them by external dependencies. Bundled libraries
@ -76,7 +76,7 @@ Group: Documentation/HTML
This package contains %{summary}.
%prep
%setup -q -n asomov-%{name}-%{vertag}
%setup -q -n %{name}-%{name}-%{vertag}
cp %{SOURCE1} build.xml
%patch0 -p1
%patch1 -p1
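Review bot: The test suite stays disabled by default (`%bcond_with tests`, just above `Name:`), so the two rebased patches applied here — which swap the bundled Base64Coder and gdata escaper classes for java.util.Base64 and new UriEncoder code in SafeConstructor, SafeRepresenter and UriEncoder — are never exercised by a default build of this security update; consider `%bcond_without tests`, or at minimum a one-off build with tests enabled after each rebase. Source0 now points at a Bitbucket-generated archive (`.../get/%{name}-%{version}.tar.bz2`) keyed by `%global vertag 04401a88fa9b`, which appears to be an on-demand snapshot rather than a released, signed artifact, so the LFS sha256 recorded in this commit is the only integrity anchor; the vertag should be confirmed to be the commit upstream tagged as 1.31 and the archive content compared against the upstream release before accepting. The `%prep` section continues outside this hunk.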