From 290c6c116845509d72f719ae85f33eadfde238994c5bf30d750de6ac568ee341 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Tue, 22 Nov 2022 12:15:06 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:packages/testng?expand=0&rev=11
---
 testng-CVE-2022-4065.patch | 14 ++++++++++++++
 testng.changes | 9 +++++++++
 testng.spec | 2 ++
 3 files changed, 25 insertions(+)
 create mode 100644 testng-CVE-2022-4065.patch
diff --git a/testng-CVE-2022-4065.patch b/testng-CVE-2022-4065.patch
new file mode 100644
index 0000000..b476356
--- /dev/null
+++ b/testng-CVE-2022-4065.patch
@@ -0,0 +1,14 @@
+diff --git a/src/main/java/org/testng/JarFileUtils.java b/src/main/java/org/testng/JarFileUtils.java
+index 683a8b5..2f2ed8f 100644
+--- a/src/main/java/org/testng/JarFileUtils.java
++++ b/src/main/java/org/testng/JarFileUtils.java
+@@ -77,6 +77,9 @@ class JarFileUtils {
+ if (Parser.canParse(jeName.toLowerCase())) {
+ InputStream inputStream = jf.getInputStream(je);
+ File copyFile = new File(file, jeName);
++ if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
++ throw new IOException("Bad zip entry");
++ }
+ Files.copyFile(inputStream, copyFile);
+ if (matchesXmlPathInJar(je)) {
+ suitePath = copyFile.toString();
diff --git a/testng.changes b/testng.changes
index b63c201..37b367c 100644
--- a/testng.changes
+++ b/testng.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Nov 22 12:13:04 UTC 2022 - Fridrich Strba
+
+- Added patch:
+ * testng-CVE-2022-4065.patch
+ + Issues in sanitization of zip files could lead to path
+ traversal and potentially code execution (bsc#1205628,
+ CVE-2022-4065)
+
 -------------------------------------------------------------------
 Wed Apr 27 13:42:54 UTC 2022 - Fridrich Strba
diff --git a/testng.spec b/testng.spec
index dc833c4..6b91844 100644
--- a/testng.spec
+++ b/testng.spec
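Review bot: The traversal guard added to JarFileUtils.java runs only after `jf.getInputStream(je)` has opened the entry, and its exception does not say which entry was refused. Building `copyFile` and checking it before the stream is opened avoids holding a stream for a rejected entry, and `throw new IOException("Bad zip entry: " + jeName);` gives whoever triages the failure the offending name. The comparison is purely lexical, since `normalize()` does not resolve symbolic links; that is presumably sufficient if `file` is a directory freshly created by this process, but the directory is set up outside the hunk and this should be confirmed. The enclosing method starts and ends outside the hunk, so whether the stream is closed on the exception path cannot be judged from here.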
@@ -28,6 +28,7 @@ Source1: pom.xml
 Source2: %{name}-build.xml
 Patch0: 0001-Avoid-accidental-javascript-in-javadoc.patch
 Patch1: 0002-Replace-bundled-jquery-with-CDN-link.patch
+Patch2: testng-CVE-2022-4065.patch
 BuildRequires: ant
 BuildRequires: beust-jcommander
 BuildRequires: bsh2
@@ -59,6 +60,7 @@ This package contains the API documentation for %{name}.
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 sed 's/@VERSION@/%{version}/' %{SOURCE1} > pom.xml
 cp %{SOURCE2} build.xml