Accepting request 878595 from Java:packages

bsc#1183360, CVE-2020-13936

OBS-URL: https://build.opensuse.org/request/show/878595
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/velocity?expand=0&rev=24

velocity-1.7-CVE-2020-13936.patch

@@ -0,0 +1,58 @@
+--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
++++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+@@ -245,15 +245,15 @@
+ # accessed.
+ # ----------------------------------------------------------------------------
+ 
++# Prohibit reflection
+ introspector.restrict.packages = java.lang.reflect
+ 
+-# The two most dangerous classes
++# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+ 
+-introspector.restrict.classes = java.lang.Class
+-introspector.restrict.classes = java.lang.ClassLoader
+-                
+-# Restrict these for extra safety
++# Restrict these system classes.  Note that anything in this list is matched exactly.
++# (Subclasses must be explicitly named to be included).
+ 
++introspector.restrict.classes = java.lang.Class
+ introspector.restrict.classes = java.lang.Compiler
+ introspector.restrict.classes = java.lang.InheritableThreadLocal
+ introspector.restrict.classes = java.lang.Package
+@@ -262,8 +262,15 @@
+ introspector.restrict.classes = java.lang.RuntimePermission
+ introspector.restrict.classes = java.lang.SecurityManager
+ introspector.restrict.classes = java.lang.System
+-introspector.restrict.classes = java.lang.Thread
+ introspector.restrict.classes = java.lang.ThreadGroup
+ introspector.restrict.classes = java.lang.ThreadLocal
+ 
++# Restrict instance managers for common servlet containers  (Tomcat, JBoss, Jetty)
++
++introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
++introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
++introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
++introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
++
++
+ 
+--- a/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
++++ b/src/java/org/apache/velocity/util/introspection/SecureIntrospectorImpl.java
+@@ -122,6 +122,15 @@
+         }
+ 
+         /**
++         * Always disallow ClassLoader, Thread and subclasses
++         */
++        if (ClassLoader.class.isAssignableFrom(clazz) ||
++            Thread.class.isAssignableFrom(clazz))
++        {
++           return false;
++        }
++
++        /**
+          * check the classname (minus any array info)
+          * whether it matches disallowed classes or packages
+          */

velocity.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Mar 12 08:18:50 UTC 2021 - Fridrich Strba <fstrba@suse.com>
+
+- Added patch:
+  * velocity-1.7-CVE-2020-13936.patch
+    + Backport fixes for bsc#1183360, CVE-2020-13936: arbitrary
+      code execution when attacker is able to modify templates
+
 -------------------------------------------------------------------
 Tue Oct  1 11:35:09 UTC 2019 - Fridrich Strba <fstrba@suse.com>
 

velocity.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package velocity
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,6 +26,7 @@ URL:            http://velocity.apache.org/
 Source0:        http://www.apache.org/dist/velocity/engine/%{version}/%{name}-%{version}.tar.gz
 Source1:        %{name}-%{version}.pom
 Patch0:         velocity-build_xml.patch
+Patch1:         velocity-1.7-CVE-2020-13936.patch
 BuildRequires:  ant >= 1.6.5
 BuildRequires:  ant-junit
 BuildRequires:  antlr
@@ -161,6 +162,7 @@ for j in $(find . -name "*.jar" | grep -v /test/); do
     mv $j $j.no
 done
 %patch0 -b .sav0
+%patch1 -p1
 
 cp %{SOURCE1} pom.xml