packages/derby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!24 9.8分的CVE-2022-46337

Browse Source 
From: @dillon_chen 
Reviewed-by: @zhengzhenyu 
Signed-off-by: @zhengzhenyu
This commit is contained in:
openeuler-ci-bot 2023-12-13 03:37:59 +00:00 committed by Gitee
commit 66f5634d5b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 165 additions and 543 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

540
CVE-2018-1313.patch
View File

@ -1,540 +0,0 @@
From a2027c64e185a9ce46929f352e2db03371c1f95b Mon Sep 17 00:00:00 2001
From: Bryan Pendleton <bpendleton@apache.org>
Date: Sun, 11 Mar 2018 21:50:26 +0000
Subject: [PATCH] Remove support for COMMAND_TESTCONNECTION connectToDatabase
feature. It was never documented, and was never part of the regression tests.
A new regression test demonstrates that attempting to use this feature
now results in a "usage" response from the Network Server.
Also, change the Network Server's default security policy file, as well
as the template security policy file that we distribute with the
release and in the documentation. The new policy files do not use
the <<ALL FILES>> permission; instead they restrict the permission
to certain directories only.
Also, change the implementation of the Network Server's "sysinfo"
sub-command. Prior to this change, that feature would open each
jar file on the Network Server's class path, and would report on
whatever information it could find about that jar file. Now, the
only jar files that are opened and reported on are the known Derby
jar files; a table of those jar file names is compiled into the
sysinfo command. This causes sysinfo to return less information,
but it also means that it only needs the permission to access the
known Derby jar files on the classpath.
git-svn-id: https://svn.apache.org/repos/asf/db/derby/code/branches/10.14@1826467 13f79535-47bb-0310-9956-ffa450edef68
---
.../derby/drda/NetworkServerControl.java | 24 +++-
java/drda/org/apache/derby/drda/server.policy | 24 +---
.../org/apache/derby/drda/template.policy | 18 ++-
.../impl/drda/NetworkServerControlImpl.java | 48 +------
.../apache/derby/iapi/reference/Property.java | 1 +
.../derbynet/NetworkServerControlApiTest.java | 136 ++++++++++++++++++
.../NetworkServerControlApiTest.policy | 4 +
.../apache/derby/impl/tools/sysinfo/Main.java | 41 ++++++
8 files changed, 222 insertions(+), 74 deletions(-)
diff --git a/java/drda/org/apache/derby/drda/NetworkServerControl.java b/java/drda/org/apache/derby/drda/NetworkServerControl.java
index 73a925b1ef..103342ec87 100644
--- a/java/drda/org/apache/derby/drda/NetworkServerControl.java
+++ b/java/drda/org/apache/derby/drda/NetworkServerControl.java
@@ -21,6 +21,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
package org.apache.derby.drda;
+import java.io.File;
import java.io.PrintWriter;
import java.net.Inet6Address;
import java.net.InetAddress;
@@ -686,10 +687,14 @@ private static void installSecurityManager( NetworkServerControlImpl server )
// network codesources. Do not let the customer
// override this
//
- String derbyInstallURL = getCodeSourcePrefix( server );
+ URL derbyInstallURL = getCodeSourceURL( server );
+ String derbyInstallStr = getCodeSourcePrefix( server, derbyInstallURL );
+ String derbyInstallPth = new File(derbyInstallURL.getFile())
+ .getParentFile().getAbsolutePath();
+
+ System.setProperty( Property.DERBY_INSTALL_URL, derbyInstallStr );
+ System.setProperty( Property.DERBY_INSTALL_PATH, derbyInstallPth );
- System.setProperty( Property.DERBY_INSTALL_URL, derbyInstallURL );
-
//
// Now install a SecurityManager, using the Basic policy file.
//
@@ -790,7 +795,7 @@ private static boolean isIPV6Address( String hostname )
* same directory.
* </p>
*/
- private static String getCodeSourcePrefix( NetworkServerControlImpl server )
+ private static URL getCodeSourceURL( NetworkServerControlImpl server )
throws Exception
{
// Note: This method is expected to run only when no security manager
@@ -801,9 +806,14 @@ private static String getCodeSourcePrefix( NetworkServerControlImpl server )
return null;
}
URL url = cs.getLocation();
- if (url == null) {
- return null;
- }
+ return url;
+ }
+
+ private static String getCodeSourcePrefix(
+ NetworkServerControlImpl server,
+ URL url )
+ throws Exception
+ {
// Replace in "file://some", but not in "file:///some".
String extForm = url.toExternalForm().replaceFirst(
"^file://([^/].*)", "file:////$1");
diff --git a/java/drda/org/apache/derby/drda/server.policy b/java/drda/org/apache/derby/drda/server.policy
index 30c321cb59..a91c079624 100644
--- a/java/drda/org/apache/derby/drda/server.policy
+++ b/java/drda/org/apache/derby/drda/server.policy
@@ -32,17 +32,7 @@ grant codeBase "${derby.install.url}derby.jar"
permission java.io.FilePermission "${derby.system.home}${/}-",
"read,write,delete";
- // This permission lets you backup and restore databases to and from
- // arbitrary locations in your file system.
- //
- // This permission also lets you import/export data to and from arbitrary
- // locations in your file system.
- //
- // You may want to restrict this access to specific directories.
- //
- permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
-
- // Needed by sysinfo. The file permission is needed to check the existence of
+ // Needed by sysinfo. A file permission is needed to check the existence of
// jars on the classpath. You can limit this permission to just the locations
// which hold your jar files. This block is reproduced for all codebases
// which include the sysinfo classes--the policy file syntax does not let you
@@ -54,9 +44,9 @@ grant codeBase "${derby.install.url}derby.jar"
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
- permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "java.runtime.version", "read";
permission java.io.FilePermission "java.fullversion", "read";
+ permission java.io.FilePermission "${derby.install.path}${/}-", "read";
// Permissions needed for JMX based management and monitoring.
//
@@ -143,7 +133,7 @@ grant codeBase "${derby.install.url}derbynet.jar"
"control,monitor";
permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
- // Needed by sysinfo. The file permission is needed to check the existence of
+ // Needed by sysinfo. A file permission is needed to check the existence of
// jars on the classpath. You can limit this permission to just the locations
// which hold your jar files. This block is reproduced for all codebases
// which include the sysinfo classes--the policy file syntax does not let you
@@ -155,15 +145,15 @@ grant codeBase "${derby.install.url}derbynet.jar"
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
- permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "java.runtime.version", "read";
permission java.io.FilePermission "java.fullversion", "read";
+ permission java.io.FilePermission "${derby.install.path}${/}-", "read";
};
grant codeBase "${derby.install.url}derbytools.jar"
{
- // Needed by sysinfo. The file permission is needed to check the existence of
+ // Needed by sysinfo. A file permission is needed to check the existence of
// jars on the classpath. You can limit this permission to just the locations
// which hold your jar files. This block is for all codebases which include
// the sysinfo classes--the policy file syntax does not let you grant
@@ -182,7 +172,7 @@ grant codeBase "${derby.install.url}derbytools.jar"
grant codeBase "${derby.install.url}derbyclient.jar"
{
- // Needed by sysinfo. The file permission is needed to check the existence of
+ // Needed by sysinfo. A file permission is needed to check the existence of
// jars on the classpath. You can limit this permission to just the locations
// which hold your jar files. This block is reproduced for all codebases
// which include the sysinfo classes--the policy file syntax does not let you
@@ -194,7 +184,7 @@ grant codeBase "${derby.install.url}derbyclient.jar"
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
- permission java.io.FilePermission "<<ALL FILES>>", "read";
+ permission java.io.FilePermission "${derby.install.path}${/}-", "read";
// The following permission must be granted for Connection.abort(Executor) to
// work. Note that this permission must also be granted to outer
diff --git a/java/drda/org/apache/derby/drda/template.policy b/java/drda/org/apache/derby/drda/template.policy
index 6331564216..60d811e730 100644
--- a/java/drda/org/apache/derby/drda/template.policy
+++ b/java/drda/org/apache/derby/drda/template.policy
@@ -52,9 +52,13 @@ grant codeBase "${derby.install.url}derby.jar"
// This permission also lets you import/export data to and from arbitrary
// locations in your file system.
//
- // You may want to restrict this access to specific directories.
+ // NOTE: this permission is commented out. You should NOT grant blanket
+ // permission to the entire filesystem! If you choose to use this
+ // permission to allow the server to access files outside of the
+ // server's home directory, you should name those specific directories
+ // in the permisson (that is, do NOT specify ALL FILES).
//
- permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
+ // permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
// Permissions needed for JMX based management and monitoring.
//
@@ -139,9 +143,11 @@ grant codeBase "${derby.install.url}derbynet.jar"
//
// permission java.net.SocketPermission "*", "connect,resolve";
- // Needed by sysinfo. The file permission is needed to check the existence of
- // jars on the classpath. You can limit this permission to just the locations
- // which hold your jar files.
+ // Needed by sysinfo. A file permission is needed to check the existence of
+ // jars on the classpath. Note that this permission is commented out!
+ // You should limit this permission to just the locations which hold
+ // your jar files; do NOT grant blanket permission to read the entire
+ // filesystem.
//
// In this template file, this block of permissions is granted to
// derbynet.jar under the assumption that derbynet.jar is the first jar file
@@ -155,12 +161,12 @@ grant codeBase "${derby.install.url}derbynet.jar"
// derbyclient.jar
// derbytools.jar
//
+ // permission java.io.FilePermission "${derby.install.directory}${/}-", "read";
permission java.util.PropertyPermission "user.*", "read";
permission java.util.PropertyPermission "java.home", "read";
permission java.util.PropertyPermission "java.class.path", "read";
permission java.util.PropertyPermission "java.runtime.version", "read";
permission java.util.PropertyPermission "java.fullversion", "read";
permission java.lang.RuntimePermission "getProtectionDomain";
- permission java.io.FilePermission "<<ALL FILES>>", "read";
};
diff --git a/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java b/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
index fc624276df..2f5e9ccde8 100644
--- a/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
+++ b/java/drda/org/apache/derby/impl/drda/NetworkServerControlImpl.java
@@ -1820,11 +1820,11 @@ protected synchronized void processCommands(DDMReader reader, DDMWriter writer,
consolePropertyMessage("DRDA_TraceDirectoryChange.I", traceDirectory);
break;
case COMMAND_TESTCONNECTION:
- databaseArg = reader.readCmdString();
- userArg = reader.readCmdString();
- passwordArg = reader.readCmdString();
+ databaseArg = reader.readCmdString(); // This is ...
+ userArg = reader.readCmdString(); // ... no longer ...
+ passwordArg = reader.readCmdString(); // ... supported.
if (databaseArg != null)
- connectToDatabase(writer, databaseArg, userArg, passwordArg);
+ sendMessage(writer, ERROR, "Usage: ping()");
else
sendOK(writer);
break;
@@ -3931,46 +3931,6 @@ private void setTraceDirectory(String value)
- /**
- * Connect to a database to test whether a connection can be made
- *
- * @param writer connection to send message to
- * @param database database directory to connect to
- * @param user user to use
- * @param password password to use
- */
- private void connectToDatabase(DDMWriter writer, String database, String user,
- String password) throws Exception
- {
- Properties p = new Properties();
- if (user != null)
- p.put("user", user);
- if (password != null)
- p.put("password", password);
- try {
- Class.forName(CLOUDSCAPE_DRIVER);
- }
- catch (Exception e) {
- sendMessage(writer, ERROR, e.getMessage());
- return;
- }
- try {
- //Note, we add database to the url so that we can allow additional
- //url attributes
- Connection conn = getDriver().connect(Attribute.PROTOCOL+database, p);
- // send warnings
- SQLWarning warn = conn.getWarnings();
- if (warn != null)
- sendSQLMessage(writer, warn, SQLWARNING);
- else
- sendOK(writer);
- conn.close();
- return;
- } catch (SQLException se) {
- sendSQLMessage(writer, se, SQLERROR);
- }
- }
-
/**
* Wrap SQL Error - display to console and raise exception
*
diff --git a/java/engine/org/apache/derby/iapi/reference/Property.java b/java/engine/org/apache/derby/iapi/reference/Property.java
index bda045629a..ecf9bd9a5b 100644
--- a/java/engine/org/apache/derby/iapi/reference/Property.java
+++ b/java/engine/org/apache/derby/iapi/reference/Property.java
@@ -416,6 +416,7 @@ Default value for wait timeouts (60 seconds)
* This property is the location of the derby jars.
**/
public static final String DERBY_INSTALL_URL = "derby.install.url";
+ public static final String DERBY_INSTALL_PATH = "derby.install.path";
/**
* This property is private to Derby.
diff --git a/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.java b/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.java
index a10c41b595..e50cd5e581 100644
--- a/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.java
+++ b/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.java
@@ -22,6 +22,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more
package org.apache.derbyTesting.functionTests.tests.derbynet;
import java.io.File;
+import java.io.ByteArrayOutputStream;
+import java.io.DataOutputStream;
+import javax.net.SocketFactory;
+import java.net.Socket;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessController;
@@ -205,6 +209,138 @@ public void test_03_Ping() throws Exception
// expected exception
}
}
+
+ /*
+ * CVE-2018-1313: Attempt to pass arguments to COMMAND_TESTCONNECTION
+ */
+ public void test_03_ping_args() throws Exception
+ {
+ String response = tryPingDbError("mydatabase", "myuser", "mypassword");
+ //System.out.println(response);
+ // This once said: XJ004:Database 'mydatabase' not found.
+ assertEquals("Usage", response.substring(0,5));
+
+ response = tryPingDbError("some/sorta/db","someone","somecredentials");
+ //System.out.println(response);
+ assertEquals("Usage", response.substring(0,5));
+
+ response = tryPingDbError("\\\\192.168.1.2\\guest\\db1","tata","tata");
+ //System.out.println(response);
+ assertEquals("Usage", response.substring(0,5));
+
+ response = tryPingDbError("my/nocred/db", "", "");
+ //System.out.println(response);
+ assertEquals("Usage", response.substring(0,5));
+
+ response = tryPingDbOK("", "scarface", "evildoer");
+ //System.out.println(response);
+ assertEquals("OK", response.substring(0,2));
+ }
+
+ private Socket privilegedClientSocket(final String host, int port)
+ throws Exception
+ {
+ try {
+ return AccessController.doPrivileged(
+ new PrivilegedExceptionAction<Socket>() {
+ public Socket run() throws Exception {
+ return SocketFactory.getDefault().createSocket(
+ InetAddress.getByName(host), port);
+ }
+ });
+ } catch (PrivilegedActionException pae) {
+ throw (Exception)pae.getCause();
+ }
+ }
+
+ private static String byteArrayToHex(byte[] ba, int l)
+ {
+ if (l < 0) return "STRING OF NEGATIVE LENGTH("+l+")";
+ StringBuilder sb = new StringBuilder(l * 2);
+ for (int i = 0; i < l; i++) sb.append(String.format("%02x", ba[i]));
+ return sb.toString();
+ }
+
+ private String tryPingDbError(String d, String u, String p)
+ throws Exception
+ {
+ return tryPingDbTest(2, d, u, p); // Result 2: ERROR
+ }
+
+ private String tryPingDbOK(String d, String u, String p)
+ throws Exception
+ {
+ return tryPingDbTest(0, d, u, p); // Result 0: OK
+ }
+
+ private String tryPingDbTest(int rc, String d, String u, String p)
+ throws Exception
+ {
+ //System.out.println("database: '"+d+"' (len: "+d.length()+")");
+ //System.out.println(" user: '"+u+"' (len: "+u.length()+")");
+ //System.out.println("password: '"+p+"' (len: "+p.length()+")");
+
+ Socket clientSocket = privilegedClientSocket(
+ TestConfiguration.getCurrent().getHostName(),
+ TestConfiguration.getCurrent().getPort());
+ ByteArrayOutputStream byteArrayOs = new ByteArrayOutputStream();
+ DataOutputStream commandOs = new DataOutputStream(byteArrayOs);
+
+ byte[] msgBytes = "CMD:".getBytes("UTF8");
+ commandOs.write(msgBytes,0,msgBytes.length);
+ commandOs.writeByte((byte) 0); // default version: 02
+ commandOs.writeByte((byte) 2); // default version: 02
+ commandOs.writeByte((byte) 0); // default locale: 0
+ commandOs.writeByte((byte) 0); // default codeset: 0
+ commandOs.writeByte((byte) 4); // COMMAND_TESTCONNECTION
+
+ msgBytes = d.getBytes("UTF8");
+ commandOs.writeByte((byte)(msgBytes.length >> 8 ));
+ commandOs.writeByte((byte) msgBytes.length);
+ commandOs.write(msgBytes,0,msgBytes.length);
+
+ msgBytes = u.getBytes("UTF8");
+ commandOs.writeByte((byte)(msgBytes.length >> 8 ));
+ commandOs.writeByte((byte) msgBytes.length);
+ commandOs.write(msgBytes,0,msgBytes.length);
+
+ msgBytes = p.getBytes("UTF8");
+ commandOs.writeByte((byte)(msgBytes.length >> 8 ));
+ commandOs.writeByte((byte) msgBytes.length);
+ commandOs.write(msgBytes,0,msgBytes.length);
+
+ byteArrayOs.writeTo(clientSocket.getOutputStream());
+ commandOs.flush();
+ byteArrayOs.reset();
+ clientSocket.shutdownOutput();
+
+ byte[]result = new byte[1024];
+ int resultLen = clientSocket.getInputStream().read(result);
+
+ clientSocket.close();
+
+ //System.out.println( "Result was " + resultLen + " bytes long");
+ //System.out.println( byteArrayToHex(result,resultLen) );
+
+ if (resultLen < 0)
+ return "DISCONNECT";
+
+ String r = "RPY:";
+ int rl = r.length();
+ assertTrue(resultLen > rl);
+ String header = new String(result, 0, rl, "UTF8");
+ assertEquals(r, header);
+ assertEquals(rc, result[rl++]); // 0: OK, 2: ERROR, 3: SQLERROR, etc.
+
+ if (rc == 0)
+ return "OK";
+
+ int l = ((result[rl++] & 0xff) << 8) + (result[rl++] & 0xff);
+ String response = new String(result, rl, l, "UTF8");
+
+ return response;
+ }
+
/**
* Wraps InitAddress.getByName in privilege block.
diff --git a/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy b/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy
index 792bcea43f..50f894a718 100644
--- a/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy
+++ b/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy
@@ -186,6 +186,10 @@ grant codeBase "${derbyTesting.testjar}derbyTesting.jar" {
// Needed by NetworkServerTestSetup when probing ports.
permission java.net.SocketPermission "localhost", "listen";
+ permission java.net.SocketPermission "127.0.0.1", "accept,connect,resolve";
+ permission java.net.SocketPermission "localhost", "accept,connect,listen";
+ permission java.net.SocketPermission "${derbyTesting.clienthost}", "accept,connect";
+ permission java.net.SocketPermission "${derbyTesting.serverhost}", "accept,connect";
};
//
diff --git a/java/tools/org/apache/derby/impl/tools/sysinfo/Main.java b/java/tools/org/apache/derby/impl/tools/sysinfo/Main.java
index e332ded977..6e88063202 100644
--- a/java/tools/org/apache/derby/impl/tools/sysinfo/Main.java
+++ b/java/tools/org/apache/derby/impl/tools/sysinfo/Main.java
@@ -23,6 +23,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
import java.security.AccessController;
import java.security.PrivilegedAction;
+import java.util.Arrays;
+import java.util.List;
import java.util.Locale;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
@@ -889,6 +891,31 @@ private static String argumentMatches(String[] args, String ss) {
".properties",
};
+ private static final String jarNames[] =
+ {
+ "derby.jar",
+ "derbyclient.jar",
+ "derbynet.jar",
+ "derbyoptionaltools.jar",
+ "derbyrun.jar",
+ "derbyshared.jar",
+ "derbyTesting.jar",
+ "derbytools.jar",
+ "derbyLocale_cs.jar",
+ "derbyLocale_de_DE.jar",
+ "derbyLocale_es.jar",
+ "derbyLocale_ja_JP.jar",
+ "derbyLocale_ko_KR.jar",
+ "derbyLocale_pl.jar",
+ "derbyLocale_pt_BR.jar",
+ "derbyLocale_ru.jar",
+ "derbyLocale_fr.jar",
+ "derbyLocale_zh_CN.jar",
+ "derbyLocale_hu.jar",
+ "derbyLocale_zh_TW.jar",
+ "derbyLocale_it.jar"
+ };
+
/**
* Get all the info we can obtain from the local execution context
* as to the availability of the Derby classes by attempting to load
@@ -920,9 +947,23 @@ private static String argumentMatches(String[] args, String ss) {
{
if (classpath != null) {
String cp [] = parseClasspath(classpath);
+ List<String> jarNamesList = Arrays.asList(jarNames);
Vector<ZipInfoProperties> v = new Vector<ZipInfoProperties>();
for (int i = 0; i < cp.length; i++)
{
+ boolean matches = false;
+ String candidate = cp[i];
+ for (String jarName : jarNames)
+ {
+ if (candidate.endsWith(jarName))
+ {
+ matches = true;
+ break;
+ }
+ }
+ if (!matches)
+ continue;
+
ZipInfoProperties zip = null;
try {
zip = checkForInfo(cp[i]);

159
CVE-2022-46337.patch Normal file
View File

@ -0,0 +1,159 @@
Origin: https://svn.apache.org/viewvc?view=revision&revision=1905586
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056755
Forwarded: not-needed
--
--- a/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
+++ b/java/engine/org/apache/derby/impl/jdbc/authentication/LDAPAuthenticationSchemeImpl.java
@@ -191,6 +191,54 @@
/**
+ * Given an LDAP search string, returns the string with certain characters
+ * escaped according to RFC 2254 guidelines. Cribbed from org.apache.catalina.realm.JNDIRealm.
+ *
+ * The character mapping is as follows:
+ * char -&gt; Replacement
+ * ---------------------------
+ * * -&gt; \2a
+ * ( -&gt; \28
+ * ) -&gt; \29
+ * \ -&gt; \5c
+ * \0 -&gt; \00
+ *
+ * @param inString string to escape according to RFC 2254 guidelines
+ *
+ * @return String the escaped/encoded result
+ */
+ protected String doFilterEscaping(String inString) {
+ if (inString == null) {
+ return null;
+ }
+ StringBuilder buf = new StringBuilder(inString.length());
+ for (int i = 0; i < inString.length(); i++) {
+ char c = inString.charAt(i);
+ switch (c) {
+ case '\\':
+ buf.append("\\5c");
+ break;
+ case '*':
+ buf.append("\\2a");
+ break;
+ case '(':
+ buf.append("\\28");
+ break;
+ case ')':
+ buf.append("\\29");
+ break;
+ case '\0':
+ buf.append("\\00");
+ break;
+ default:
+ buf.append(c);
+ break;
+ }
+ }
+ return buf.toString();
+ }
+
+ /**
* Call new InitialDirContext in a privilege block
* @param env environment used to create the initial DirContext. Null indicates an empty environment.
* @return an initial DirContext using the supplied environment.
@@ -411,7 +459,10 @@
private String getDNFromUID(String uid)
throws javax.naming.NamingException
{
- //
+ // Escape the uid as a defense against LDAP injection. See DERBY-7147.
+ uid = doFilterEscaping(uid);
+
+ //
// We bind to the LDAP server here
// Note that this bind might be anonymous (if anonymous searches
// are allowed in the LDAP server, or authenticated if we were
--- /dev/null
+++ b/tools/release/notices/tomcat.txt
@@ -0,0 +1,72 @@
+Derby uses the org.apache.catalina.realm.JNDIRealm.doFilterEscaping()
+routine from the Apache Tomcat project. The following notice covers
+the Tomcat sources:
+
+Apache Tomcat
+Copyright 1999-2022 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (https://www.apache.org/).
+
+This software contains code derived from netty-native
+developed by the Netty project
+(https://netty.io, https://github.com/netty/netty-tcnative/)
+and from finagle-native developed at Twitter
+(https://github.com/twitter/finagle).
+
+This software contains code derived from jgroups-kubernetes
+developed by the JGroups project (http://www.jgroups.org/).
+
+The Windows Installer is built with the Nullsoft
+Scriptable Install System (NSIS), which is
+open source software. The original software and
+related information is available at
+http://nsis.sourceforge.net.
+
+Java compilation software for JSP pages is provided by the Eclipse
+JDT Core Batch Compiler component, which is open source software.
+The original software and related information is available at
+https://www.eclipse.org/jdt/core/.
+
+org.apache.tomcat.util.json.JSONParser.jj is a public domain javacc grammar
+for JSON written by Robert Fischer.
+https://github.com/RobertFischer/json-parser
+
+For portions of the Tomcat JNI OpenSSL API and the OpenSSL JSSE integration
+The org.apache.tomcat.jni and the org.apache.tomcat.net.openssl packages
+are derivative work originating from the Netty project and the finagle-native
+project developed at Twitter
+* Copyright 2014 The Netty Project
+* Copyright 2014 Twitter
+
+For portions of the Tomcat cloud support
+The org.apache.catalina.tribes.membership.cloud package contains derivative
+work originating from the jgroups project.
+https://github.com/jgroups-extras/jgroups-kubernetes
+Copyright 2002-2018 Red Hat Inc.
+
+The original XML Schemas for Java EE Deployment Descriptors:
+ - javaee_5.xsd
+ - javaee_web_services_1_2.xsd
+ - javaee_web_services_client_1_2.xsd
+ - javaee_6.xsd
+ - javaee_web_services_1_3.xsd
+ - javaee_web_services_client_1_3.xsd
+ - jsp_2_2.xsd
+ - web-app_3_0.xsd
+ - web-common_3_0.xsd
+ - web-fragment_3_0.xsd
+ - javaee_7.xsd
+ - javaee_web_services_1_4.xsd
+ - javaee_web_services_client_1_4.xsd
+ - jsp_2_3.xsd
+ - web-app_3_1.xsd
+ - web-common_3_1.xsd
+ - web-fragment_3_1.xsd
+ - javaee_8.xsd
+ - web-app_4_0.xsd
+ - web-common_4_0.xsd
+ - web-fragment_4_0.xsd
+
+may be obtained from:
+http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/index.html
--- a/build.xml
+++ b/build.xml
@@ -2022,6 +2022,7 @@
<antcall target="appendnotice"><param name="sourcefile" value="felix.txt"/></antcall>
<antcall target="appendnotice"><param name="sourcefile" value="lucene.txt"/></antcall>
<antcall target="appendnotice"><param name="sourcefile" value="simpleJson.txt"/></antcall>
+ <antcall target="appendnotice"><param name="sourcefile" value="tomcat.txt"/></antcall>
<antcall target="checkinfile">
<param name="checkinComment" value="Check in NOTICE as part of building a release."/>

BIN
db-derby-10.13.1.1-src.tar.gz → db-derby-10.14.2.0-src.tar.gz
View File

Binary file not shown.

9
derby.spec
View File

@ -1,6 +1,6 @@
Name: derby Name: derby
Version: 10.13.1.1 Version: 10.14.2.0
Release: 3 Release: 1
Summary: Relational database implemented entirely in Java Summary: Relational database implemented entirely in Java
License: ASL 2.0 License: ASL 2.0
URL: http://db.apache.org/derby/ URL: http://db.apache.org/derby/
@ -9,7 +9,7 @@ Source1: derby-script
Source2: derby.service Source2: derby.service
Patch1: derby-javacc.patch Patch1: derby-javacc.patch
Patch2: derby-lucene.patch Patch2: derby-lucene.patch
Patch3: CVE-2018-1313.patch Patch3: CVE-2022-46337.patch
BuildRequires: apache-parent javapackages-local glassfish-servlet-api jakarta-oro javacc BuildRequires: apache-parent javapackages-local glassfish-servlet-api jakarta-oro javacc
BuildRequires: json_simple lucene4 junit ant systemd BuildRequires: json_simple lucene4 junit ant systemd
@ -114,6 +114,9 @@ exit 0
%license db-derby-%{version}-src/NOTICE %license db-derby-%{version}-src/NOTICE
%changelog %changelog
* Fri Dec 1 2023 dillon chen <dillon.chen@gmail.com> - 10.14.2.0-1
- Update to 10.14.2.0 for fix CVE-2023-48284(patch from debian)
* Thu May 13 2021 lingsheng <lingsheng@huawei.com> - 10.13.1.1-3 * Thu May 13 2021 lingsheng <lingsheng@huawei.com> - 10.13.1.1-3
- Add requires javapackages-tools to fix derby service start - Add requires javapackages-tools to fix derby service start