From d4bf61ee72ac778287b10b2752dc0518ae1172b125fc0d2369bebb211ad5eb91 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Tue, 23 Aug 2022 18:42:52 +0000
Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Java:packages/aws-sdk-java?expand=0&rev=25
---
 CVE-2022-31159.patch | 21 +++++++++++++++++++++
 aws-sdk-java.changes | 8 ++++++++
 aws-sdk-java.spec | 2 ++
 3 files changed, 31 insertions(+)
 create mode 100644 CVE-2022-31159.patch
diff --git a/CVE-2022-31159.patch b/CVE-2022-31159.patch
new file mode 100644
index 0000000..0932cc1
--- /dev/null
+++ b/CVE-2022-31159.patch
@@ -0,0 +1,21 @@
+--- a/aws-java-sdk-s3/src/main/java/com/amazonaws/services/s3/transfer/TransferManager.java
++++ b/aws-java-sdk-s3/src/main/java/com/amazonaws/services/s3/transfer/TransferManager.java
+@@ -82,6 +82,7 @@ import java.io.File;
+ import java.io.IOException;
+ import java.io.InputStream;
+ import java.net.URL;
++import java.nio.file.Path;
+ import java.util.ArrayList;
+ import java.util.Date;
+ import java.util.LinkedList;
+@@ -1512,7 +1513,9 @@ public class TransferManager {
+
+ private boolean leavesRoot(File localBaseDirectory, String key) {
+ try {
+- return !new File(localBaseDirectory, key).getCanonicalPath().startsWith(localBaseDirectory.getCanonicalPath());
++ Path targetPath = new File(localBaseDirectory, key).getCanonicalFile().toPath();
++ Path rootPath = localBaseDirectory.getCanonicalFile().toPath();
++ return !targetPath.startsWith(rootPath);
+ } catch (IOException e) {
+ throw new RuntimeException("Unable to canonicalize paths", e);
+ }
diff --git a/aws-sdk-java.changes b/aws-sdk-java.changes
index 9c6757f..e8c7122 100644
--- a/aws-sdk-java.changes
+++ b/aws-sdk-java.changes
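Review bot: `File.toPath()` on the new `targetPath` and `rootPath` lines can throw `InvalidPathException`, which is unchecked and is not covered by the `catch (IOException e)` below, so a key containing characters the platform filesystem rejects (`:` or `*` on Windows, for instance) may now surface a different exception than the wrapped "Unable to canonicalize paths" RuntimeException. Either way the check fails closed, so this is about the method's contract rather than the traversal fix; widening the catch to `} catch (IOException | InvalidPathException e) {` and adding `import java.nio.file.InvalidPathException;` beside the new `Path` import keeps the failure mode uniform. A comment on the return line would also help future readers see why the rewrite is the fix, e.g. `// Path.startsWith compares whole path components, so a sibling such as base-evil/ no longer matches base/ (CVE-2022-31159).` leavesRoot is shown in full, but the enclosing TransferManager class continues outside the hunk.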
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Aug 23 15:44:33 UTC 2022 - Fridrich Strba
+
+- Added patch:
+ * CVE-2022-31159.patch
+ + fix bsc#1201580 (CVE-2022-31159) Partial Path Traversal in
+ com.amazonaws:aws-java-sdk-s3
+
 -------------------------------------------------------------------
 Thu May 5 10:23:20 UTC 2022 - Fridrich Strba
diff --git a/aws-sdk-java.spec b/aws-sdk-java.spec
index 7c3e698..3b503b9 100644
--- a/aws-sdk-java.spec
+++ b/aws-sdk-java.spec
@@ -26,6 +26,7 @@ Group: Development/Libraries/Java
 URL: https://aws.amazon.com/sdk-for-java/
 Source0: https://github.com/aws/aws-sdk-java/archive/%{githash}/%{name}-%{githash}.tar.gz
 Patch0: aws-sdk-java-ambiguous-Record.patch
+Patch1: CVE-2022-31159.patch
 BuildRequires: dos2unix
 BuildRequires: fdupes
 BuildRequires: java-devel >= 1.8
@@ -673,6 +674,7 @@ This package contains javadoc for %{name}.
 %prep
 %setup -q -n %{name}-%{githash}
 %patch0 -p1
+%patch1 -p1
 # Remove deprecated httpclient annotations
 sed -i '/NotThreadSafe/d' \