OBS-URL: https://build.opensuse.org/package/show/Java:packages/testng?expand=0&rev=11

testng-CVE-2022-4065.patch

@@ -0,0 +1,14 @@
+diff --git a/src/main/java/org/testng/JarFileUtils.java b/src/main/java/org/testng/JarFileUtils.java
+index 683a8b5..2f2ed8f 100644
+--- a/src/main/java/org/testng/JarFileUtils.java
++++ b/src/main/java/org/testng/JarFileUtils.java
+@@ -77,6 +77,9 @@ class JarFileUtils {
+         if (Parser.canParse(jeName.toLowerCase())) {
+           InputStream inputStream = jf.getInputStream(je);
+           File copyFile = new File(file, jeName);
++          if (!copyFile.toPath().normalize().startsWith(file.toPath().normalize())) {
++            throw new IOException("Bad zip entry");
++          }
+           Files.copyFile(inputStream, copyFile);
+           if (matchesXmlPathInJar(je)) {
+             suitePath = copyFile.toString();

testng.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Nov 22 12:13:04 UTC 2022 - Fridrich Strba <fstrba@suse.com>
+
+- Added patch:
+  * testng-CVE-2022-4065.patch
+    + Issues in sanitization of zip files could lead to path
+      traversal and potentially code execution (bsc#1205628,
+      CVE-2022-4065)
+
 -------------------------------------------------------------------
 Wed Apr 27 13:42:54 UTC 2022 - Fridrich Strba <fstrba@suse.com>
 

testng.spec

@@ -28,6 +28,7 @@ Source1:        pom.xml
 Source2:        %{name}-build.xml
 Patch0:         0001-Avoid-accidental-javascript-in-javadoc.patch
 Patch1:         0002-Replace-bundled-jquery-with-CDN-link.patch
+Patch2:         testng-CVE-2022-4065.patch
 BuildRequires:  ant
 BuildRequires:  beust-jcommander
 BuildRequires:  bsh2
@@ -59,6 +60,7 @@ This package contains the API documentation for %{name}.
 
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 sed 's/@VERSION@/%{version}/' %{SOURCE1} > pom.xml
 cp %{SOURCE2} build.xml